This week, more than 70 people were arrested in a takedown of the online criminal marketplace Darkcode in the FBI’s Operation Shrouded Horizon. The rallying cry to uninstall Flash came through loud and clear after a third zero day exploit was revealed in the hacked Hacking Team cache of files. Anonymity project Proxyham staged its own disappearing act. A security researcher was awarded a million United airline miles after disclosing a remote-code execution flaw on the airline’s website. And the public comment period for the proposed enforcement of the Wassenaar Arrangement comes to a close on the 20th. And that’s just the beginning.
Those were the big stories, but every weekend, WIRED rounds up the security vulnerabilities and privacy updates that didn’t quite rise to our level for in-depth reporting yet deserve your attention nonetheless. As always, to read the full story linked in each post, click on the headlines. And be safe out there!
In a victory for advocates of judicial oversight for surveillance, the UK’s High Court struck down the “emergency” Data Retention and Investigatory Powers Act (DIRPA), which was fast tracked through Parliament last year. The legislation would have handed security officials greater surveillance power by allowing it to access private phone and email data without proper oversight. The court found that two sections of the legislation were illegal for two reasons. First, access to data wasn’t authorized by a court or other independent body, and second, the legislation failed to provide clear and precise rules ensuring data would only be accessed to detect and prevent serious offenses (or to conduct criminal prosecutions related to these offenses). The government has until March of next year to draft new legislation.
Journalist and filmmaker Laura Poitras, who won an Academy Award for Best Documentary for her film about whistleblower Edward Snowden, states that she was repeatedly searched, interrogated, and detained at both U.S. and foreign airports between 2006 and 2012. Her notebooks, laptop, cell phone, and other personal items have been seized, and she was told that the Department of Homeland Security had assigned her the highest possible threat rating. Poitras filed a Freedom of Information Act request in 2013 seeking information on why she was being targeted by federal agencies, but it has gone unanswered. Now she’s suing the Department of Justice, the Department of Homeland Security, and the Office of the Director of National Intelligence to find out what happened. Here’s hoping she gets some answers.
An appellate court ruled that the NSA’s bulk collection of American phone data was illegal last May, and now the ACLU is suing the government for temporarily reinstating the program. “The government says it will wind down this unconstitutional program eventually, but the Constitution doesn’t have a grace period,” ACLU Staff Attorney Alex Abdo said in a statement. The lawsuit, filed Monday, asks the appellate court to overrule the secret surveillance court that allowed for the program to be reinstated even after its temporary lapse.
Hieu Minh Ngo, who sold access to Social Security numbers and other personal information through an identity theft service he ran, got sentenced to 13 years in the clinker. Ngo, who admitted to accessing databases from some of the world’s largest data brokers from his home in Vietnam, had over 1300 customers. Many of them filed fraudulent tax refunds with the IRS. The government said he made close to $2 million from the scheme. Ngo’s sentence was lightened because he assisted investigators in arresting some of his U.S.-based customers.
Cyprus apparently has strict laws against surveillance---so strict that when the Hacking Team cache showed that the island had purchased attack vectors from the surveillance firm, Cyprus Intelligence Service head Andreas Pentaras resigned.
Hacker group Pawn Storm (aka APT28) used a Java 8 exploit to target “a NATO country and a U.S. defense organization,” security software company Trend Micro disclosed. The hacker group has targeted both defense contractors and media organizations. A patch was released early this week.
Encrypted web and WiFi connections can be cracked, thanks to an attack on an aging cryptographic cipher known as RC4, computer scientists at the University of Leuven warn. That’s because RC4 has statistical biases that make it possible to predict the pseudo-random bytes it uses to encrypt messages. While it takes anywhere from 52 to 75 hours to crack HTTPS-protected websites--for now--the same attack took about 2000 hours in 2013. And a similar attack against networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP) would only take about an hour. Attackers would need to be able to monitor the connection between a target and the HTTPS-protected site or WPA-TKIP network. About 30 percent of encrypted HTTPS web connections use RC4. The researchers recommend halting use of the RC4 cipher altogether.
