GOOD NEWS, BAD news. A security firm says that the US Election Assistance Commission, which exists in part to help keep voting machines secure, was hacked, with 100 login credentials for sale on the black market. The good, or at least better, news is that the hack doesn’t appear to have had any impact on the voting machines themselves, or to have affected the election in any material way. Phew?
In other security news, we took a look at the growing rift between President-elect Donald Trump and the intelligence community—and what that might portend. We also explored some wicked ransomware that gives you the choice of infecting two friends rather than pay up, along with a vulnerability in several popular Netgear routers that’s probably going to stay vulnerable. And speaking of vulnerable: Yahoo announced yet another large-scale hack, this time of a billion accounts. This one took place in 2013, so if you had a Yahoo account then, time to change some passwords.
Finally, the Freedom of the Press Foundation had a busy week. It organized a letter signed by 150 documentarians asking camera makers like Nikon and Canon to sell encrypted cameras to help protect sensitive footage, and also began grading media sites on their HTTPS compliance, to show just how secure your news browsing is (and hopefully prod some companies toward encrypting their communications soon). Full disclosure: WIRED scored a B+.
And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
The US Election Safeguard Got Hacked Itself
There’s no indication that actual US voting machines were compromised in the most recent election, but security company Recorded Future has made public evidence that login information from the US Election Assistance Commission was compromised this year. The hackers reportedly attempted to sell the 100 stolen credentials to a government broker in the Middle East, but aren’t currently suspected of being state actors themselves.
Report Says Some Uber Employees Tracked User Data With Little Oversight
A recent report by Reveal from the Center for Investigative Reporting cites several former Uber security staffers who say that employees of the ride-hailing company could look up anyone’s ride history on a whim. Uber responded that it had in fact fired “fewer than 10” people for doing so, but even if that is the extent of the unauthorized snooping, it’s an unsettling revelation. It also builds on the company’s “God View” incidents of two years ago, in which executives tracked customers in real time before a privacy policy change supposedly ended the practice.
A Facebook Vulnerability Left Private Messages Exposed
A vulnerability in Facebook’s messaging platform left private chat logs exposed, according to cybersecurity firms BugSec and Cynet. Facebook has since fixed the vulnerability, which left users one bad click away from letting attackers read their chat history in a remote browser window. It’s unknown whether any bad actors actually used this attack, but given that Facebook Messenger has over a billion active users, it’s nice to know that it’s been patched up with haste.
Twitter Turns Off Dataminr’s Fire Hose For Law Enforcement Data Collection Centers
Following pressure from the ACLU, Twitter this week told Dataminr, a company that receives the full fire hose of Twitter public user data to generate breaking news alerts, to stop providing its services to so-called “fusion centers” around the country. Fusion centers are data collection points where federal, state, and local officials share relevant law enforcement information. Dataminr had previously shut off direct access to US spy agencies at Twitter’s behest earlier this year; the latest move is in keeping with the social network’s stance that “the use of Twitter data for surveillance is strictly prohibited,” as it told the ACLU.
[Source: Wired]