As you emerge from your turkey-induced coma, take a moment to reflect on the past week in security, which despite the holiday was chock-full of wonderments. From Uber shadiness to Android location-tracking, it was quite the whirlwind.
Uber made headlines midweek when it came out that the company had not only been breached a year ago—coughing up the personal info of 57 million users—but paid the hackers $100,000 to keep it quiet. The failure to disclose a security breach is not only ethically dubious, it’s also outright illegal in many states, which means we could see some serious fallout.
One person who likely won’t get his comeuppance? The Iranian hacker who allegedly invaded HBO and released Game of Thrones spoilers and full, unaired episodes of a handful of shows. The FBI thinks they’ve got their man, but acknowledge that actually arresting him will be tricky, given the lack of an extradition agreement with Iran. Justice may come sooner for robocall victims, thanks to a slew of enforcement measures that have finally started to take shape.
If you’re looking for panic-worthy news, Intel conceded that its Management Engine was riddled with vulnerabilities that would allow for the complete takeover of millions of PCs, as well as most recent servers and IoT devices with Intel inside. Since hardware manufacturers need to push out the fixes, it could take a while to clean up. And we took a look at the ‘administrative incompetence’ that has hamstrung the Global Engagement Center’s fight against Russian propaganda at a time when the US can least afford it. Also: Count “spotting missile sites hundreds of times faster than humans” among AI’s increasing number of talents.
And who’s a good dog? These are good dogs. Maybe the best dogs.
And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Google Tracks Android Location Even When You Tell It Not To
In a perplexing violation of privacy norms, Android phones collect the location of nearby cell towers even if you’ve turned off location services. The company confirmed the practice to Quartz, saying that the feature was in place to improve push notifications and messages. It also said it would stop doing so by the end of November.
In many ways, the headline sounds scarier than what it means in practice. Google encrypts the data in transit, and says it doesn’t store any of it. It’s also distinct from the location data that it provides app developers and advertisers. Someone could conceivably use the location data for ill if they’ve compromised an Android device, but by that point they’d likey have access to the phone’s location—and even more sensitive information—already.
None of which excuses Google! It’s still an extremely bad look to collect location info on people who are unaware, especially given the many, many situations where a person has reason to fear for their safety if their location at any given moment were widely known. At best, Google’s overreach was incredibly tone deaf and intrusive. At worst, it could have had serious real-world consequences.
Cryptocurrency values keep skyrocketing, but the thefts haven’t slowed down either. The latest victim: Tether, a cryptocurrency pegged to the dollar. Its operators say that an “external attacker” stole over $30 million worth earlier this week. The company says it was taking steps to freeze the funds. More details are scare—and Tether ended up deleting its initial blog post on the matter—but let it serve as yet another in a long series of warning about locking down your cryptocurrency, or maybe even, just a thought, sticking with traditional money until the security situation calms down.
While major outbreaks like WannaCry and NotPetya grab the headlines, ransomware is a daily disturbance, taking in more than $2 billion in 2017 alone, according to security firm Bitdefender. That doubles last year’s payout of a billion dollars, thanks in part to a major spike in the average demand, which hit $1,000—over 250 percent higher than in 2016. As if that’s not bad enough, it also doesn’t take into account the ancillary costs, like the hundreds of millions of dollars that Maersk lost dealing with NotPetya. There are some ways you can protect yourself, but most of the standard malware advice applies: Don’t click on or download anything you don’t trust, and make sure you keep a backup of all of your stuff just in case.
Cyberthreats will only escalate from here on out, so the Air Force Research Lab will hand over nearly $50 million to Ball Aerospace & Technologies to investigate ways to keep analog weapons safe from digital intrusion.