Security News This Week: Snapchat Employees Reportedly Spied on Private Snaps
The Memorial Day weekend begins on a dire note for constitutional protections. On Thursday, the US government indicted Wikileaks founder Julian Assange for violating the Espionage Act. This is the first time in modern history that the US has charged the publisher of sensitive materials rather than the person who leaked them. The charges stunned even Assange’s harshest critics, who argued that whether you think he’s a journalist or not, the precedent set by his conviction could threaten the First Amendment itself.
In other dire news, facial recognition technology is scaring people so much that both Democrats and Republicans say something needs to be done. At a hearing before the House Committee on Oversight and Reform, lawmakers on both sides agreed that the US needs to regulate the technology, fast.
Meanwhile in Washington, despite the 2020 presidential election ramping up and the looming threat of election tampering, both major political parties still have bad cybersecurity practices. And despite Elizabeth Warren’s call for a “Right to Repair” law, we’re all currently tenants on the devices we thought we owned.
Bluetooth is officially so complex that it’s a security risk. In fact, Google will replace its Titan Security Keys because of a flaw in their Bluetooth Low Energy protocol. That’s good. Not so good for Google? The company got caught storing passwords in plaintext for, uh, 14 years!
And there’s more! Each week we round up the news that we didn’t break or cover in depth but that you should know about. As always, click on the headlines to read the full stories. And stay safe out there.
Some Snapchat Employees Apparently Spied on User Accounts
At Snap, like so many other consumer-focused platforms before it, the spying was coming from inside the house. Motherboard reports that according to former and current employees, Snapchat developed a tool called SnapLion to allow the company to access user accounts in order to comply with legitimate legal requests from law enforcement. According to two former employees, some of the platform's employees abused the SnapLion tool to inappropriately access user information. Before you completely panic: Motherboard also emphasizes that Snapchat has since cracked down on who can access SnapLion—though it has also expanded what SnapLion can do and how it is used—and has since introduced end-to-end encryption. The other thing to note is that insider spying is always a threat at companies like this, and though it’s alarming to learn that Snapchat has a tool that gives a near-godlike view of all user data, it’s not out of the norm, and in fact is something the company needed to have in order to comply with court orders. Additionally, despite a trove of emails that show deep concern among employees at Snap over the years about the risk of insider spying, the former employees reported that the wrongdoing only happened a “handful of times,” but was carried out by multiple people.
Baltimore Still Crippled by Ransomware Attack After Weeks
At the beginning of May, hackers used sophisticated ransomware known as RobinHood to take control of Baltimore’s city servers, on which much of the city’s essential services are processed. The mayor refused to pay the bitcoin ransom—worth roughly $100,000—so the city has been at a bit of a standstill. It can’t process payments to city agencies, government workers can’t access their email, and no real estate transactions can be completed in the city at all. There have been at least 20 other cyberattacks on cities and towns in the US in 2019, according to NPR. Baltimore has reportedly reached out to city officials in Atlanta for advice, to learn how that city coped with its own ransomware attack in 2018. The city is also working with federal law enforcement and private security experts, though there are fears the deadlock could last a lot longer, given the sophistication of RobinHood.
President Trump’s Golf Score Got Hacked, Because 2019 Is Outdoing Itself
Imagine if you’d gone into a coma in the ’90s and woke up to read the above headline. Ah, 2019, the year absurdity reigns. And the year in which golfing magazines have published multiple scoops about the president of the United States of America cheating at the game. The latest golf news isn’t about cheating, though; it’s about the president’s scores being hacked. According to Golf Week, a hacker uploaded false scores to Trump’s official United States Golf Association’s Golf Handicap Information Network site, which is a place golfers can post scores and calculate their handicaps. The scores were not good, making the president look bad, and were posted on a day he wasn’t playing golf. The USGA confirmed that “it appears someone has erroneously posted a number of scores on behalf of the GHIN user” but it’s not clear if it was a prank or an accident.
Leading License Plate Reader Surveillance Company Hacked
The US government uses license plate readers at borders, on highways, in cities, and all over the place to spy on citizens, immigrants and visitors alike. One Tennessee-based company provides the government with almost all of these readers, and runs the servers and back end that store and process the images. And that company, Perceptics, was just hacked. In a statement to the UK newspaper The Register, the company confirmed it had been breached. A hacker calling themselves Boris sent the newspaper stolen files from Perceptics, which included images, among many other file types. According to The Register, the files had names that suggested an association with specific US government agencies, such as Immigration and Customs Enforcement. Though The Register confirmed the breach, it apparently didn’t check what the files contained, writing at one point that “many of the image files, we're guessing, are license plate captures.”