Security News This Week: Telegram Says China Is Behind DDoS
Credit to Author: Emily Dreyfuss| Date: Sat, 15 Jun 2019 13:00:00 +0000
It’s mid June, and according to tradition, the news cycle is supposed to be lethargic, cooling off in a hammock somewhere and taking it easy. Not so much this week.
It started off well enough: On Sunday we explained how to actually, finally stop all those robocalls—or at least slow them down.
But then Monday hit, and the US government confirmed that hackers had stolen a border agency database full of traveler photos. The incident proves that as the government has rushed to embrace biometrics, it hasn’t bothered to worry enough about securing that sensitive data.
Things didn’t slow down from there. Tuesday, a much more fun cache of data leaked online: 18 hours of previously unreleased music from Radiohead. And who leaked it? None other than Radiohead themselves, who did it to undercut someone trying to extort the band for $150,000 to keep the songs offline. Hail to the thief, indeed.
Google continues to swear it is not trying to kill ad blockers, despite what ad blockers say, Lily Hay Newman reported Wednesday. And Symantec VP Darren Shou explained why the next big hurdle for AI is teaching it to forget.
Thursday we brought you three big stories: we went inside Cloudflare’s five-year project to protect nonprofits; reported that Google is actually trying to close the major loophole in web encryption; and had the exclusive—and insane!—story of how Alphabet-owned Jigsaw bought a disinformation campaign in Russia for the low, low price of $250.
Wanting to end the week on a terrifying note, Andy Greenberg reported on Friday that the dangerous hacking group known as Triton has been probing the US power grid. Oh, and then that Cellebrite, an Israeli data extraction company that contracts with the US government, says it now has a tool that can unlock any iPhone.
Of course, there was more. Every Saturday we round up the security and privacy stories we didn’t break or report on in depth, but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
As protests erupted in the streets of Hong Kong this week, over a proposed law that would allow criminal suspects to be extradited to mainland China, the secure messaging app Telegram was hit with a massive DDoS attack. The company tweeted on Wednesday that it was under attack. Then the app’s founder and CEO Pavel Durov followed up and suggested the culprits were Chinese state actors. He tweeted that the IP addresses for the attackers were coming from China. “Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” he added. As Reuters notes, Telegram was DDoSed during protests in China in 2015, as well. Hong Kong does not face the strict internet censorship that exists in mainland China, although activists have expressed concern about increased pressure from Beijing on the region.
After years of criticism that its voting machines contained flawed and insecure software, major voting machine supplier Election System and Software announced this week that it will stop selling machines that have no paper ballot—as the primary machines in any given jurisdiction, at least. Voting security experts have long warned about ES&S’s machines in particular, and advised that paper ballots are always more secure because they provide an auditable backup. Ars Technica explains the move comes after 18 months of increased scrutiny from lawmakers and outside experts, and a wave of states embracing paper ballots ahead of the 2020 presidential election.
It’s the end of an era, folks. For six years, the website Have I Been Pwned has helped internet denizens understand just that: Put in your email address and, voila, the site would tell you not only if your email was on any breached lists, but which ones and why. Want to know if you were affected in the great Target hack of 2013? Check Have I Been Pwned. Same for the Experian breach, and literally any since security researcher Troy Hunt first created the site in December 2013. But now Hunt is ready for the site “to grow up.” Writing in a blog post, Hunt said, “It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that's able to do way more than what I ever could on my own.” Hunt needs to be careful, though. Since Have I Been Pwned itself is now a massive repository of sensitive information, people won’t take kindly to it being sold to a corporate overlord who may not be as responsible a steward of their privacy as Hunt has been.
https://www.wired.com/category/security/feed/