Reality Winner, Insider Trading, and More Security News This Week
The biggest news in America this week struck like two timed missiles minutes apart on Tuesday afternoon. Though they appear at first blush unrelated to Russia’s hacking of the 2016 US election, they are likely to explode right in the heart of Robert Mueller’s investigation. First, Trump’s former lawyer Michael Cohen pleaded guilty to two felonies–implicating the president in both crimes in court–and then Trump’s former campaign chairman Paul Manafort was found guilty of eight criminal charges. Robert Mueller expert Garrett Graff explains what this means for the Russia investigation, and spells out the six biggest questions now facing the administration, Congress, and the American people.
WIRED’s latest cover story details the most devastating cyberattack in history. Andy Greenberg spent the better part of a year getting the full story of the NotPetya code, which took down the world’s cyber infrastructure in 2017. Greenberg reveals previously untold details about the devastation NotPetya caused, particularly at shipping giant Maersk, in breathtaking detail.
Of course there was more news in the security world. The Democratic National Committee thought a phishing test was a real attack. Researchers discovered that the ultrasonic sounds monitors make can reveal what’s on your screen. We explained how to protect yourself from a SIM swap attack. Facebook and Twitter thwarted suspicious activity coming from Iran, and Microsoft seized six domains owned by Russian hacking group Fancy Bear—both of which were attempting to influence the midterm elections. With tech companies seemingly on the front lines of defending democracy from foreign aggressors, we wonder, why isn’t the government doing more? Should it really be up to Silicon Valley to defend US democracy?
Plus, there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Apple’s been on a quest this summer to force all apps in its App Store to conform to stricter privacy rules. Unsurprisingly, Facebook’s so-called security app Onavo failed and was subsequently booted. Onavo is a virtual private network app that lets you access the internet on your phone through a private Facebook server. While that makes it harder for third parties or hackers to spy on your phone activity, it gives Facebook full access to it. Not ideal. And while Facebook removed Onavo from the App Store, if you downloaded it already—or if you have it on Android—it’s still there, logging all your data. You need to delete the app manually. And if you’re still not convinced it’s a bad idea to let Facebook spy on all your phone activity even when it has nothing to do with the social media site, we wrote you this explainer about all Onavo’s problems a few months ago. Read it, then get deleting.
[The Crazy Insider Trading Scheme That Made Hackers $100 Million on Stolen Press Releases](https://www.theverge.com/2018/8/22/17716622/sec-business-wire-hack-stolen-press-release-fraud-ukraine)
This story is bananas. In possibly the biggest securities fraud case in US history, according to law enforcement, stock traders on Wall Street were paying hackers to break into business newswire websites to steal embargoed press releases that would allow the traders to make preemptive stock buys. The Verge this week traced the whole scheme back to three Russian hackers, who were embroiled in a turf war over access to the press release sites. The story is a classic saga of greed, but with a modern twist: with the internet, insider trading becomes a whole new thing. As reporter Isobel Koshiw writes, “Traders no longer need someone inside a company to obtain inside information. Instead, they can turn to hackers, who can take their pick of security weaknesses.”
[1,464 Aussie Lawmakers Had the Same Password: Password123](https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on&utm_term=.6c86d5a9349d)
Australia has a lot going for it: weird animals, lots of sun, and great accents. But apparently internet security isn’t a strong suit. At least, not in Western Australia, where a recent security audit of government agencies found that more than a quarter of government officials had seriously weak passwords. Five thousand of them had the word “password” in their password. Luckily, this was revealed by a government-ordered audit, so there’s time for these officials to process the shame of their poor passwords and come up with something stronger. If they need some tips, they can start here.
Only three days after Washington’s Dulles Airport switched on its new biometric facial recognition tech, the system caught an imposter trying to enter the US from Brazil on a fake passport. This is the first time this implementation has caught an identity scammer, according to authorities. They said it was likely human passport agents would have allowed the man to enter because he looked much like the picture on the passport. The facial recognition system, however, flagged him. Authorities later found the man’s real ID hidden in his shoe, arrested him, and sent him back to Brazil.
On Thursday, a US District Court Judge in Georgia sentenced former NSA contractor Reality Winner to 63 months in prison for violating the Federal Espionage Act. Winner had pled guilty earlier this summer to leaking a confidential NSA report on Russian election hacking to the website The Intercept. The Intercept faced criticism after it published an article based on Winner’s leak, because in the process of reporting, it inadvertently clued officials in to Winner’s identity based on printer marks on the leaked document.
If you have no idea what Struts 2 is, you should stop reading, go outside, and enjoy your weekend, hopeful that the people who do know keep reading and update theirs immediately. Threatpost reports that the Apache Software Foundation found a vulnerability in open-source developer framework Struts 2, used for coding in Java, that could be more dangerous than a similar vulnerability that led to the massive Equifax breach last year. “The vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework,” Threatpost reports. Apache is urging all developers to update. If you use Struts 2.3, update to 2.3.35. If you use 2.5, update to 2.5.17. Got that? Great. Thanks for updating and keeping us all safe!