So many hacks, so few days in the week to write alarming stories about every one.
The biggest security news this week actually wasn't about a hack at all. Silk Road creator Ross Ulbricht got a sentence of life in prison without the possibility of parole. The US reportedly tried to use a Stuxnet-like worm against the nuclear program of North Korea, but failed. And perhaps the biggest story of the week is as-yet unresolved: tomorrow, the Senate will meet in a special session to vote on extending certain provisions of the Patriot Act, which are set to expire on Monday. The outcome of that vote will have massive repercussions on the NSA's ability to surveil us. Check WIRED tomorrow for the news as it hits and analysis of the fallout.
But there was a lot of other news this week, big and small. Every weekend, WIRED Security rounds up the security vulnerabilities and privacy updates that didn’t quite rise to our level for in-depth reporting this week, but deserve your attention nonetheless.
To read the full story linked in each summarized post below, click on the headlines. And be safe out there!
Oh, great. As if Facebook wasn’t creepy enough, Harvard computer science and mathematics student Aran Khanna created a Chrome extension to help users stalk their friends. Called Marauders Map [sic], the extension scrapes users’ location data and plots it on a map. Location data is stunningly precise: the latitude and longitude coordinates can pinpoint individual locations to less than a meter. Khanna, who noticed that Facebook Messenger’s mobile app defaults to including a location with all messages, happily shared that he could track the weekly schedule of friends—or even people in group chats whom he wasn’t Facebook friends with—to predict future movements. Khanna, who disclosed that he’ll be interning in a different department at Facebook in June, deactivated the API key associated with the app upon Facebook’s request, but the code is still up on GitHub...until Facebook disables it, that is.
You probably realize that the Bluetooth Low Energy signals sent out by your devices are constantly transmitting data. Researchers at Context Information Security found that they can also be used to track your location up to 100 meters in open air or 800 meters (about a half mile) with a high-gain antenna. RaMBLE, Context IS’ proof of concept application available in Google Play, allows Android users to scan, log, and map iBeacons, fitness trackers, and other Bluetooth Low Energy devices. Unfortunately, relatively few BLE devices support authentication and implement encryption in favor of simplicity of use and prolonged battery life, and this tradeoff is yet another way user privacy continues to be compromised.
Security breaches lead to millions of dollars in damages to big businesses, and the South African security firm Thinkst may have a solution. Canary, its network appliance coupled with an online monitoring system, lures hackers with a juicy honeypot, and then alerts companies to their intrusion. It’s not foolproof, since sophisticated intruders may avoid the honeypots in favor of what they’re actually looking for, but the Canary box can detect what’s referred to as lateral movement, where hackers poke around systems and computers on a target network—often for weeks—looking for documents, testing passwords on network devices, and so forth. Canary is easy to configure, relatively inexpensive ($5000/year for two devices and management through the online management console), and apparently less noisy and prone to false alarms than its competitors.
A February draft of the Trade in Services Agreement (TISA) was leaked last week, the Electronic Frontier Foundation reports. The secret international treaty had been leaked in the past, but the recent version is more extensive. Much like the Trans-Pacific Partnership and the Trans-Atlantic Trade and Investment Partnership, TISA is a trade agreement secretly making rules for the internet, and is in danger of passing under legislative Fast Track. TISA, which focuses on services rather than goods, could prohibit countries from enacting a variety of mandates, including those requiring service providers to host data locally or setting source code disclosure provisions. It could also force countries to introduce anti-spam laws, which can be ineffective and even harmful. The treaty would circumvent the transparency and accountability inherent in a public debate and lock in international law that could have harmful consequences.
In November 2013, four MIT students worked on Tidbit, an innovative project that hoped to eliminate website advertising—and the privacy violations inherent within—by allowing users to pay for content by installing a plugin that would use their spare processing power to mine Bitcoin. Tidbit won an innovation award at the Node Knockout Hackathon, and then student developer Jeremy Rubin was rewarded with a subpoena from the state of New Jersey. It’s never been clear why the New Jersey Attorney General alleged that two downloads of a proof-of-concept project incapable of actually mining Bitcoin might be in violation of the state's Computer Related Offenses Act and Consumer Fraud Act, since the code was only operational for two days and was never fully functional. In any case, Rubin entered into a written agreement in which he admitted no wrongdoing to resolve the investigation. The consent order states that Rubin does not have to pay the $25,000 fine unless he violates New Jersey law with the Tidbit code (and subsequently fails to comply within 30 days after notification), which, as Rubin points out, was probably how New Jersey should have dealt with Tidbit in the first place. MIT is working toward creating legal resources for students around the freedom to innovate.
Three provisions under Section 215 of the Patriot Act are set to expire on June 1, and the doomsday predictions have filled newspaper pages all week. According to Senator Lindsey Graham, “anybody who neuters the program is going to be partially responsible for the next attack.” This in spite of the fact that the program is unconstitutional, has been largely ineffective, and “would provide the illusion of triumph even while leaving much of the machinery of surveillance intact,” as Cato Institute’s Julian Sanchez points out. But who needs facts? Luckily, the national security fearmongers are no match for the visionaries of Twitter, who have channeled their collective mockery to colorfully illustrate what we can expect in the pending apocalypse under the hashtag IfThePatriotActExpires. Make sure you’ve stocked up on food and supplies, for the end is nigh.
If you’ve ever used the free version of the Israel-based VPN Hola, your bandwidth has been sold to the Luminati VPN Network, and it’s even possible that your computer has been used in illegal or abusive activity. That’s because using the free version of the service, as people often do to bypass geoblocking, means that you become an exit node or endpoint of Luminati’s private network. This allows others to exit through your internet connection with your IP address. That’s a troubling thought for users who want to cloak their IP address, but instead expose their address associated with other people’s traffic. Hola has updated its FAQ to make this more clear after 8chan message board operator Fredrick Brennan stated that Hola users’ computers were unwittingly used to attack his site.