If you need a break from the 24-hour news cycle, delve into the story of a crypto-anarchist who put his digital life on hold to fight with rebels in Syria in an all too real-world revolution.
But if you don’t need a break from the 24-hour news cycle…
Just about every week these days are “Startling Intelligence Revelations” themed, and for this edition House Permanent Select Committee on Intelligence chair Devin Nunes spent the last few days defending against accusations that the investigation he’s leading into Russian election meddling is deeply flawed. Take a look at this timeline if you’ve been having trouble keeping up with all the commotion (who hasn’t?). Meanwhile, on Thursday the Senate Intelligence Committee had a public hearing about its own Russian election interference investigation, and Senator Marco Rubio alleged in testimony that in addition to Hillary Clinton’s campaign, his staffers were also the target of Russian hacking during his 2016 bid for president.
In other news, the hunt for a nonlethal gun is heating up, Pornhub and sister site YouPorn are both taking the important step of implementing HTTPS encryption, while hackers are still threatening to breach millions of iCloud accounts and even remotely wipe iPhones connected to those accounts. It’s probably bunk, but change your password and enable Apple’s two-factor authentication just in case. Some organizations still struggle to minimally secure their online databases, endangering millions of people’s personal data. And if you’re worried that your internet service provider will sell your online browsing history (you should be, it is) it might be time to consider setting up a VPN.
And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Last weekend a German security researcher discovered a vulnerability in the internet-connected Miele Professional PG 8528 dishwasher, an industrial “washer-disinfector,” used in facilities like restaurants and hospitals. The bug allows an attacker to access the device, plant malware on it, and potentially use it as a jumping off point to compromise other devices on the dishwasher’s network. Perfectly exemplifying the larger problem with internet of things insecurity, a successful hack of the dishwasher could end up causing problems in a restaurant or have severe consequences in a medical settings. “An unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks,” researcher Jens Regel wrote. There is currently no patch for the bug.
An app that sends users push notifications for every new drone strike mentioned in the news has been rejected by Apple’s App Store 13 times. It was approved once before in 2014 after five attempts, and remained live for about a year before Apple pulled it again. Creator Josh Begley (who is also the research editor at The Intercept) reported on Tuesday that the app had finally won approval again—only to be taken down again several hours later.
Google researcher Tavis Ormandy discovered a major vulnerability in the password manager LastPass this week that would allow an attacker to access user passwords and even spread malware. Ormandy hasn’t publicly disclosed how the exploit works, but says he found a way to execute code within the LastPass browser extension in all major browsers and on Windows and Linux (it may work on macOS as well). “We are now actively addressing the vulnerability. This attack is unique and highly sophisticated,” LastPass said in a blog post. While LastPass resolves the issue, the company suggests mitigation strategies like launching websites through the LastPass Vault, and enabling two-factor authentication on as many accounts as possible. Ormandy discovered another vulnerability in LastPass two weeks ago, and the service has also been breached in the past. Password managers are naturally subject to extensive scrutiny by researchers and attackers alike, but so many flaws in LastPass, even when addressed quickly, could become a problem for the company.
On Tuesday, Apple released patches for a bug in iOS and macOS that allowed remote code execution in the web server authentication function of the two operating systems. The vulnerability, disclosed by researchers at Cisco’s Talos Intelligence Group, could have allowed an attacker to use malicious certificates to dupe the validation system that checks whether web servers a user is trying to connect to are identifiable and trusted. This could have endangered web browsing, email server connections, and could have allowed an attacker to plant a malicious certificate in a user’s macOS keychain.