It may be the end of August, that time when a sticky malaise settles in, but hackers can wreak havoc even during summer vacation. Which is why WIRED’s security writers keep covering the news.
Like this story of how Iran set up a global propaganda campaign targeting social media. Issie Lapowski lays out everything we know about the country's 2018 propaganda machine, like how they used fake profile photos to catfish targets, and they had a real thing for Bernie Sanders.
Our writer Louise Matsakis discovered a weird bug in Facebook’s two-factor authentication that made her think she’d been hacked (she hadn’t, but something was definitely wrong).
Also, Lily Hay Newman found out that using your phone number as means for account verification across the internet is a really, really bad idea. Newman reported on how a T-Mobile data breach last week exposed personal information, like phone numbers, and why that matters so much.
Another major security story this week came out of California, which is trying to pass a comprehensive digital privacy law to give residents control over their data. But the tech industry is fighting back—hard. Hackers are exploiting a decades-old-phone technology—AT commands, invented in the 1980s, way before smartphones—to break into Android devices.
Finally, there was more movement in the 3-D gun arena. Despite a judge’s injunction against sharing 3-D gun blueprints online, Defense Distributed’s Cody Wilson is now selling the plans on flash drives that he mails to whoever wants them. To actually ban 3-D-printed guns, the legislature would need to take action.
Plus, there's more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
The Oatmeal Hit With DDoS Attack
Internet comic website The Oatmeal, run by webcomic Matthew Inman, was offline for hours on Wednesday, thanks to an apparent DDoS attack. Inman tweeted that his website administrator emailed to say he’d had to take the site offline because of the attack. Before the attack, the most recent comics on Inman’s beloved site were about how dumb bees constantly chase humans they mistake for flowers and how babies are cute. Controversial stuff! After a few hours, Inman said he received an email requesting a whopping $300 worth of Monero cryptocurrency. Though some crypto news outlets reported the DDoS was a ransomware attack, Inman never paid the money and actually fixed the problem by adding a firewall layer to his hosting site. He suspects the extortion attempt was a from an unrelated person trying to capitalize on the DDoS attack. It’s unclear who did any of this, or why. If The Oatmeal isn’t sacred online, is anything?
How Did a GOP Super PAC Get an Ex-Spy’s Security Clearance Application?
A former CIA agent who is now a Democratic congressional candidate in Virginia says a a GOP-aligned super PAC illegally accessed her security clearance application to use against her. The New York Times reports that Abigail Spanberger sent a cease and desist letter to the executive director of the fund, demanding they destroy all copies of the application and stop using the information within it for political purposes. She figured out they had the information when a reporter from the AP showed her a copy they had been given by the PAC. The PAC said they got it through a Freedom of Information Act request, but security experts and Spanberger say a FOIA would not allow such a document to released unredacted. Security clearance applications contain the most intimate of details about a person’s life. Many such applications were accessed by alleged Chinese hackers in the massive 2015 breach of the Office of Personnel Management.
Air Canada’s Phone App Leaked Passport Numbers
The passport details of 20,000 Air Canada customers may have been leaked in a data breach the airline reported Wednesday. According to ZDNet, the airline said the week previously it detected “unusual login behavior” and tried to fix the compromised system right away. But it wasn’t fast enough to protect approximately one percent of its total customers from having their email, name, Known Traveler numbers, and passport numbers potentially stolen.
Telegram Says It’ll Hand Over IP Addresses of Terror Suspects
Telegram recently updated its privacy policy to say it would hand over phone numbers and IP addresses to law enforcement if it received a court order showing they were terror suspects. Though obviously helping to fight terrorism is important–and terrorists are known to use encrypted messaging apps to elude governments—security experts worry that the definition of “terrorist” is a slippery one that can mean different things to different governments. Particularly concerning is that this move appears to be motivated by Russia banning Telegram—and the country said it would likely allow it back now that it had made this change. Though Telegram has been fighting Russia’s attempt to breach its encryption, this policy change is a sign that the pressure may be too much for it handle.
Yahoo Is Selling Your Email Data to Advertisers
Look, Yahoo has to stay on the cutting edge somehow, right? So while the rest of the tech industry considers scanning your email for info to sell to advertisers a verboten strategy, the old dolphin Yahoo Mail is going for it. And making lots of money. The Wall Street Journal reports that Yahoo Mail parent company Verizon Communications has been pitching advertisers on its ability to scan 200 million inboxes—including AOL email address—for clues to what customers want to buy. Google used to do this, but stopped last year.