Hackers Discovered Only After Maxing Out Victim’s Cloud Storage
Credit to Author: Lily Hay Newman| Date: Sat, 16 Nov 2019 14:00:00 +0000
A border privacy win, a suspect Army app, and more of the week's top security news.
Move fast and break things was in full effect this week, as researchers revealed that Intel took a full year to release a fix for a chip flaw the company had been repeatedly warned about. Over in a different digital ecosystem, researchers from the security firm Kryptowire dropped 146 vulnerabilities found in handsets made by 29 Android smartphone makers—the result of preinstalled software from vendors and carriers alike.
Analysts are still turning up worrying privacy and security flaws in the 5G standard, with time running out to fix them before 5G networks reach consumers. The privacy-focused Brave browser has a scheme to pay its users for browsing the web—and it's coming to iOS.
A notorious Russian hacker, who ran the online criminal marketplace CardPlanet, is facing charges in the United States despite Russian efforts to stop his extradition. And WIRED mapped out the evidence, including new details, that all links some of the most major hacks of the last five years to one hacking group: Sandworm.
At our WIRED25 event last week, we spoke with NSA cybersecurity chief Anne Neuberger about killer drone swarms, and Cloudflare CEO Matthew Prince about the inevitability of his company pulling the plug on controversial sites in the future.
And there's more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
The United States Federal Trade Commission is suing the Utah-based IT provider InfoTrax Systems for failing to detect a massive breach of its systems that exposed the personal data of over a million consumers. The breach, which the complaint alleges was really about 20 intrusions over a 22-month period, allegedly began in May 2014 and persisted until March 7, 2016. The FTC contends that InfoTrax Systems only realized something was amiss when it started receiving alerts that one of its servers was out of storage space. Across multiple campaigns, hackers exfiltrated an assortment of data including victims' full names, Social Security numbers, addresses, email addresses, and phone numbers, plus usernames and some plaintext passwords for InfoTrax accounts, and some credit and debit card numbers including associated names, expiration dates, and CVVs.
A United States federal court in Boston said Tuesday that it is unconstitutional for Department of Homeland Security border agents (typically from Customs and Border Protection or Immigration and Customs Enforcement) to search the digital devices of international travelers without individualized suspicion. ICE and particularly CBP have been ramping up searches of devices like smartphones and laptops at the border, demanding to review travelers' social media accounts or even hand over passwords. Privacy activists have increasingly sounded the alarm that the searches were happening without adequate oversight or regulation. District judge Denise J. Casper found that such searches are a Fourth Amendment violation. The American Civil Liberties Union, Electronic Frontier Foundation, and ACLU of Massachusetts filed the lawsuit—Alasaad v. McAleenan—on behalf of 11 travelers who faced invasive digital searches at the border. Ten are US citizens and one is a lawful permanent resident.
Army intelligence soldiers with top-secret clearances downloaded a logistics and information app at the request of their commander at the end of October only to discover that the app's terms of service revealed troubling potential exposure. The developer has international ties and the app reserves the right to collect significant personal data. The Washington Post, which first reported the incident, says the commander who recommended the app is Army colonol Deitra L. Trotter, commander of Fort Hood’s 504th Military Intelligence Brigade. Trotter told the soldiers to download the app to their personal smartphones, but they worried that it could expose their sensitive, classified work if it were backdoored or hacked.