The week in security news began much as you’d expect: still trying to make sense of the redacted Mueller report, which was released to congress late last week. Garrett M. Graff’s takeaways? The report makes clear that Trump was worse than a “useful idiot,” along with 14 other insights you may have missed.
After a horrific string of bombings left more than 300 people dead in Sri Lanka over the weekend, the government there blocked US tech platforms in order to quell the spread of misinformation. Civil rights experts warned that despite the harmful role social media has played in spreading violence and propaganda, this was the wrong move.
Things quickly swerved away from the geopolitical and toward the familiar domain of terrifying hacks, including two that almost sound like hackers are actually reading minds (they’re not). First, a blockchain bandit is guessing people’s private keys and making off with the funds; and next, hackers can tell exactly which Netflix Bandersnatch choices you make. Hackers have also sneaked malware into videogames via their supply chain, which ain’t good. But GoDaddy took down 15,000 spammy domains, which is good. And in even better news, there’s a pretty good fix for the ever-escalating SIM card swap attack—but why isn’t the US using it?
If you haven’t already, do yourself a favor this weekend and read the jaw-dropping tale of bitcoins and murder.
But that’s not all! Every Saturday we round up security news we didn’t break or report on in depth. As usual, click on the headlines to read the full articles. And be safe out there.
Motherboard reports that a hacker going by the name L&M claims to have hacked into 7,000 iTrack and 20,000 ProTrack accounts—GPS tracking tools—and from there gained access to some vehicles internal systems. The hacker says he could turn off cars’ engines as they drove under 12 miles an hour or were stopped. On all the vehicles, he was able to track the cars as they drove. He got in by realizing that all users of those apps had been given the same default password. After bruteforcing millions of usernames, he was in. Motherboard confirmed the breach with four people whose information L&M listed in a sample of the breached data he shared with the website. L&M says he did this to show the companies how compromised their security was, and that he has never remotely turned off a car engine. So I guess that’s some comfort?
A new report suggests yet another reason to worry about filling your home with internet of things devices that listen, watch, and wait to get hacked: their peer-to-peer technology isn’t always secure. According to security journalist Brian Krebs, the iLnkP2P software made by Shenzhen Yunni Technology is inside millions of different IoT devices, like doorbells, cameras, and baby monitors. It’s got a weakness that security researcher Paul Marrapese found and shared with Krebs. The software is supposed to make it easier for people to log in remotely to their IoT devices using just a barcode to log in. Marrapese found that the software offers no encryption or authentication, and makes it very easy for hackers to connect directly with these devices. He told Krebs he found more than 2 million devices vulnerable to this kind of attack. He suggests people can protect themselves by setting up a firewall that blocks traffic to the peer-to-peer port, but Krebs has an easier suggestion: “Avoid purchasing or using IoT devices that advertise any P2P capabilities.”
Despite backlash from privacy advocates across the world, the EU this week voted to do the damned thing. That thing being to merge a bunch of different biometric tracking databases for immigration, crime, and and border patrol into a single shared database that border and law enforcement agents can use to access biometric information for people. Once assembled, the database will be one of the biggest “people-tracking databases in the world,” according to ZDNet, containing the records of more than 350 million people. Those records will include both biometrics such as fingerprints and facial scans as well as identification information like passport numbers, names and dates of birth.