After first being revealed months ago, a vulnerability in St. Jude Medical heart implants finally has a fix—it just might take a while to roll out. Otherwise? This week in security was dominated by Donald Trump, his cabinet nominees, and one bombshell report.
In the relatively lighter side of this week’s news, the Senate held confirmation hearings for three of Trump’s security-related positions: John Kelly for DHS, James Mattis for Secretary of Defense, and Mike Pompeo for CIA Director. There were no real curveballs during the proceedings, which is probably for the best.
There was a curveball, though, in the form of an extensive dossier compiled by a former British intelligence officer that implicates Trump in all sorts of unsavory things. Former spy agency analysts and officials, though, urge caution reading it, noting that it doesn’t seem to discern what’s real and what’s, well, probably made-up. Meanwhile, despite Trump’s insistence that the RNC was not hacked, intelligence officials confirmed that it was. And while Trump says he’s going to have a “hacking defense” plan in 90 days, he’d be better off just using the one Obama wrote.
The NSA this week also loosened its privacy rules, making it easier to share more information with other agencies. And while that sounds like a civil liberties loss, some experts say the move actually helps prevent an even more serious erosion under the next administration. Similarly, the Inspector General will investigate James Comey’s actions leading up to the election, which sounds like a big deal, but may not yield much of a tangible result.
Lastly, here’s some dumb gear that’ll probably get hacked this year. Enjoy!
And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Implantable heart devices from St. Jude Medical were revealed this week to have a serious cybersecurity flaw that left users vulnerable to remote takeover. Of, you know, their pacemaker. The company sells an accompanying transmitter that shuttles performance information about the implant to a website, so that a physician can monitor it. That device can be hacked, though, enabling bad actors to take over the defibrillator or pacemaker and either run out its battery or cause it to shock the owner’s heart. A patch will roll out over the next several months.
The Israeli company Cellebrite, known for sells hacking tools that can mobile phone data, has been hacked itself, with 900GB of data stolen. Motherboard reported on Thursday that an anonymous source had provided it with the data trove. Motherboard took steps to validate the data, and Cellebrite confirmed the breach on Thursday. The company said in a statement that it is, “working with relevant authorities regarding this illegal action.” Cellebrite counts nation states and law enforcement agencies as clients, so much of its work involves sensitive data. The leaked trove includes databases, customer details, databases, and technical information about Cellebrite tools.
The E-Sports Entertainment Association this week confirmed that its database of player profiles had been hacked last December, resulting in the exposure of personal information from well over a million users. The records include the usual smattering of email addresses, usernames, and hashed passwords, along with dates of birth, phone numbers, and Xbox, Steam, and PSN IDs. (There are 90 fields in all for players to fill in, though most are optional.) The assailants also grabbed infrastructural info, like game server IPs and hardware specifications. ESEA says that the hacker had demanded $100,000 in exchange for keeping the leak quiet.
A group called the Shadow Brokers has spent the last several months leaking some of the NSA’s secret tools out into the world. Now, after not receiving the $8 million payday they had hoped to get for their full cache, the group has apparently called it quits. “It always being about bitcoins for TheShadowBrokers,” [sic] the group said in its farewell note. No bitcoins, no leaks. As a parting gift, they dumped dozens of files that malware experts believe may have also originated with the NSA.