Julian Assange, a Big Yahoo Fine, and More Security News This Week
Credit to Author: Caitlin Kelly| Date: Sat, 13 Apr 2019 13:00:00 +0000
It was another busy week in the security world, and perhaps the biggest story was the arrest of Julian Assange in London on Thursday. The WikiLeaks founder is facing criminal charges in the US over allegations that he conspired to help Chelsea Manning hack into Pentagon computer networks nine years ago. It’s hardly an open-and-shut case, which Andy Greenberg broke down shortly after the indictment was unsealed. But it was enough for London police to forcibly remove Assange from the Ecuadorian Embassy where he had been holed up since 2012.
Involuntary ejections of another sort were taking place across the pond, as President Trump instigated a dramatic purge of Department of Homeland Security leadership over a number of days. With Kirstjen Nielsen out as secretary, and more hardline immigration hawks running the show, some former government officials worry that the leadership vacuum means policy chaos around issues like cybersecurity and infrastructure security. Elsewhere in Washington DC, Attorney General William Barr told Congress that the Mueller Report is coming. And the Senate held a hearing about robocalls, but as Lily Hay Newman explained earlier in the week, this scourge isn’t going away anytime soon.
The Kaspersky Security Analyst Summit took place in Singapore this week. Researchers discovered a new spyware framework, called TajMahal, and new schemes to hack ATMs. They detailed the custom toolkits used by Triton hackers, arguably the most dangerous malware in recent history. It turns out the Exodus spyware comes in an iOS flavor, in addition to Android. Want to read something more positive? Check out this heartwarming tale of how Android’s security team defeated the epic Chamois botnet.
Elsewhere on the web, Bloomberg reported that Amazon employs a team of thousands who work to improve Alexa by listening to conversations captured by the company’s Echo devices. If that creeps you out, your surest bet is to make your house a smart-speaker-free zone. But if you’ve grown too attached to your Echo, or Dot, or Blob, or whatever, Lily has some tips for making your smart speaker as private as possible.
And there's more! Each week we round up all the news WIRED didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.
Motherboard reports that a UK court has sentenced the leader of Silk Road 2 to over five years in jail for crimes he committed in part while running the dark web marketplace. Dread Pirate Roberts 2, as he was of course known, is now revealed to be Thomas White, a technologist and privacy activist. As Motherboard points out, WIRED included Dread Pirate Roberts 2 on a list of Dark Web drug lords who got away in 2015, but it turns out that he was arrested in November 2014; the case just didn't attract notice because UK media law prevented reporting on it before its conclusion.
The WPA3 Wi-Fi security protocol, which officially launched last fall, has lots of improvements that make security easier for the average user. It also, though, came with a handful of vulnerabilities that researchers disclosed this week, including some that would allow a hacker to steal Wi-Fi passwords. The good news is that WPA3 isn't all that common yet, and software patches have been issued. The bad news is that once again, nothing ever works exactly as advertised.
NoScript has been a popular Firefox extension for well over a decade, helping people block unwanted JavaScript code from running on their machines. Now you can install it on Chrome, as well, although developer Giorgio Maone acknowledged that he had to drop NoScript's XSS filter because of Chromium's restrictions. Still, if you're looking to quash junk code before it starts, you've now got a solid option on the world's most popular browser.
In 2016, Yahoo announced that a billion user accounts had been compromised in a 2013 breach. Ten months later, the company revised that number upward a bit, to three billion users—a.k.a., every single user the company had at the time. Now Yahoo is trying to reach a class-action settlement over the debacle, and the process has been fittingly messy. The original settlement, valued at $50 million, was rejected by the judge for not being “fundamentally fair, adequate and reasonable.” Now Yahoo has more than doubled the amount. The amended settlement is still awaiting approval, but if it goes through, according to the plaintiffs lawyer it will be the “biggest common fund ever obtained in a data breach case.”