As we approach the July 4 holiday, the security world had no shortage of fireworks—starting with a hacker group, likely from China, that has spent years breaking into carriers in an effort to hoover up metadata from prime targets. Russia gets most of the attention lately, but never count out China’s sophistication and verve.
Also never count out Excel as a popular target for hackers. We took a look at not one but two different methods of attack against the venerable spreadsheet software, both of which use the program’s features as intended to wreak havoc. We also checked out a bug that a security researcher told Apple about months ago that hasn’t yet gotten a fix—and hackers have taken notice. And cybersecurity pro Dan Salmon has a warning for you about Venmo: All that public data makes it child’s play for a bad guy to spearphish you.
Zeynep Tufekci wrote about how the endless assault of falsehoods online has turned us all into dupes and cynics. And we looked at how the so-called Border Gateway Protocol is behind so many of the internet’s more practical woes, like outages and espionage.
Lastly, you really should spend some time with this feature from our July/August issue about a hacker who harassed girls in a small New Hampshire town—until they fought back.
Of course, that’s not all that happened in the privacy and security world this week. Every Saturday we round up the stories we didn’t break or report on in-depth, but which you should know about nonetheless. Click on the headlines to read the full articles, and be safe out there.
Motherboard reports this week that in the golden age of Myspace, employees had access to and abused an administrative tool called Overlord. Former Myspace workers said that colleagues used this “entire backdoor to the Myspace platform” to snoop on unsuspecting users—including exes. This happened a decade ago, before the value of personal data gained mainstream awareness. Which in no way excuses the behavior of the employees in question; it doesn’t take a Cambridge Analytica news cycle to realize that spying on people is wrong. Most platforms have a tool like this—Uber notably called its version “God View,” and had similar privacy issues—but also strictly limit access to it. If you don’t want your employees to misuse a tool that grants access to the private messages, passwords, and other user data on your social network, maybe also don’t give it such an ominous name.
Hopefully by now you’ve read Robert Mueller’s report on Russian interference in the 2016 election, and Donald Trump’s many flirtations with obstructing justice. If not, please do it now. Look, we’ll even put it right here for you. Take your time!
Apologies for the insistence. But it’s important that you read it for yourself, because it lays things out as clearly as they’ll ever be. While Mueller will testify before Congress on July 17, he has made abundantly clear that he’s not going to go beyond what he already put in his report. And frankly, he shouldn’t have to; the picture it paints speaks loudly, regardless of how attorney general William Barr chose to frame it.
Microsoft’s OneDrive doesn’t get as much attention as Dropbox or Google Drive for storage needs, but if you have data that needs an extra layer of protection, its new Personal Vault feature merits a closer look. It lets you put whatever data you choose behind a strong password and second-factor authentication, which can be either a numerical code or a biometric option. And mostly, please take this as a reminder to use strong multifactor authentication on everything, all the time! You’re worth it!
We talk a lot about vulnerable IoT devices, but it never seems to get much better. In fact, this week it got considerably worse. A new malware called Silex went on a tear, bricking 2,000 exposed devices by using widely known default credentials. The hacker, who claims to be a 14-year-old, has hit pause on his crusade after receiving attention from security researchers at Akamai and reporters at ZDNet. Which doesn’t, of course, make the Internet of Things any less vulnerable. It just has a temporary reprieve.