A Costly CIA Mistake, a Campaign Hack, and More Security News This Week
Credit to Author: Lily Hay Newman| Date: Sat, 18 Aug 2018 13:00:00 +0000
There's no such thing as summer vacation in security, and researchers started off this week by disclosing a problematic flaw in Intel processors that undermines the company's so-called secure enclave offering, and potentially other capabilities like virtual machines. A different group of analysts realized that they could potentially take a power grid down by conscripting air conditioners, water heaters, and other devices into a botnet and coordinating a massive power draw. And yet another research team exposed risks in how developers manage app storage on Android. Plus, an analysis of five body camera models found that the devices are deeply insecure and vulnerable to an array of attacks, including the troubling potential for footage manipulation.
Activists in Syria are establishing a sensor network to give civilians advanced warning about airstrikes, invisible mouse clicks (called "synthetic clicks") could let malware onto macOS devices, and vulnerabilities in fax machines are putting lots of corporate networks at risk—even in 2018. Meanwhile, WIRED analyzed seven Fortnite imposter apps and found all the malware and general sketchy junk you'd expect, and researchers are developing methods for tracking and identifying hackers through behavioral patterns.
At the Voting Machine Hacking Village during DefCon in Las Vegas, election officials from numerous states made a concerted plea for more election infrastructure funding. Researchers have found a tough, but clever way to turn Amazon Echoes into surveillance devices. And if you saw that AP investigation into Google's persistent user location tracking, or if you didn't, here's how to opt out on an even deeper level.
Plus, there's more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Beginning in late 2010, the Chinese government spent roughly two years infiltrating the pool of CIA agents in China and executing many of them—possibly 30 people in all. It has been unclear how the Chinese government knew who to target, but US officials told Foreign Policy this week that Chinese operatives compromised the CIA spy network thanks to flaws in what was supposed to be a secure communication system. FP reports that the CIA used a clandestine comms system developed in the Middle East in China as well, thinking that it was foolproof. But the agency severely underestimated China's surveillance prowess and ability to identify and expose covert digital traffic. The mistake not only disrupted US intelligence-gathering in China, but also reportedly got many agents killed.
President Trump signed an order this week to relax classified Obama-era rules on the use of cyberweapons against US adversaries. The old rules, known as Presidential Policy Directive 20, defined a complicated interagency process for initiating cyberattacks. Trump's new approach will reduce friction and potentially encourage offensive action. The decision comes as the Trump administration has been criticized for lax response to Russian hacking and probing, particularly infrastructure and election meddling. The new rules may act as a deterrent against foreign adversary hacking, but it is unclear specifically what the new policy says.
Over the next few months, officials say that the Los Angeles subway system will deploy portable body scanners meant to check passengers for weapons and explosives. The devices will be able to do full-body screenings of 2,000 riders per hour without requiring them to stop for the check. The LA subway provided more than 112 million rides last year. The scanners can work from up to 30 feet away from a subject and the city purchased them from the UK-based firm Thruvision. LA officials say the devices are necessary to manage safety threats and the city is considering purchasing other types of body scanners as well. Such screening would be the first in any US city subway.
Over the last year, the FBI investigated a rash of cyberattacks against Hans Keirstead, a biomedical researcher who ran for Congress against longtime Republican incumbent Dana Rohrabacher. Keirstead narrowly lost a primary in June, but emails and other records obtained by Rolling Stone show that his campaign was plagued by hacking attempts from unknown attackers. The news comes as Microsoft officials said last month that three congressional campaigns have faced phishing attacks and other hacking attempts so far in the 2018 midterm campaign season. One of those campaigns was Claire McCaskill, who is defending her senate seat against strong Republican opposition.