SECURITY NEWS THIS WEEK: A DECADE-OLD BLUETOOTH FLAW LEAVES COUNTLESS DEVICES EXPOSED
THIS WEEK MARKS the one-year anniversary of Equifax's very terrible, no good data breach that impacted 147 million Americans. We took an inside look at all the steps the company has taken since then to shore up its defenses—and whether it could possibly be enough, given the scope of the damage. And speaking of damage, we explained how to minimize yours by setting up better two-factor authentication on all of your online accounts.
What else, you ask? Plenty! Google finally implemented its name-and-shame strategy for Chrome, labeling all sites that use unencrypted HTTP connections—instead of secure HTTPS—as "Not Secure." Twitter instituted a cleanup of its own, banning scores of malicious apps from its platform.
There was some news from Donald Trump's orbit as well, no surprise. We took a look at why the president talks about former campaign aide Carter Page so often—and why the way he does is so misleading. In another political corner, a recent ACLU study showed that Amazon's Rekognition facial-recognition technology—the same already in use by police departments—mistook 28 members of Congress for mugshots. Facial recognition's bias has been known for some time; hopefully this got the attention of people who can restrict its use.
There's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Russian Hackers Are Even Deeper Into Critical Infrastructure That Suspected
Last fall, security firm Symantec revealed troubling news: Russian hackers were sitting on US power grid controls, a position that would allow them to cause large-scale blackouts on a whim. The Wall Street Journal reports this week that the scale of that operation appears larger than previously thought, claiming hundreds of victims. Some companies may still be unaware that they've been compromised. To be clear, this has been a major concern all along, but if for some reason you weren't quite scared enough, here's your reminder.
A Decade-Old Bluetooth Flaw Leaves Countless Devices Exposed
Bluetooth has had its share of problems lately, but maybe none are quite this long in the tooth. Researchers from security firm Trail of Bits this week detailed what's called an "invalid curve attack" that takes advantage of a flaw in the Bluetooth protocol that nobody noticed for more than 10 years. Attackers can exploit the flaw to perform a man-in-the-middle attack, intercepting Bluetooth traffic between paired devices. Apple devices have been patched, but Windows remains exposed, along with countless Bluetooth dongles and headphones and so on that rarely get software updates.
Google Makes a Two-Factor Security Key Now
Google has credited physical, two-factor security keys for the lack of successful phishing attempts against the company. And this week, it introduced its own, called the Titan Security Key, and made it available to its cloud customers. (It looks quite a bit like the Feitian key that Google recommends for its super-safe Google Advanced Protection account security.) Industry leader Yubico, which makes the Yubikey security key (disclosure: you get a free Yubikey 4 when you subscribe to WIRED) argues that its solution is more secure, but the important thing is that there are more, safer two-factor options available for everyone.
LifeLock Exposes Millions of Customer Email Addresses
LifeLock is a company that helps people keep their identity safe online. So there's some small irony in the company having a vulnerability on its website that would allow a spammer or phishing attacker to grab the email addresses of its customers. Symantec, which owns LifeLock, says the problem has been fixed, and there's no indication that a bad actor actually took advantage of the flaw. But it's a good reminder to be cautious, even (or especially) with services designed to put your mind at ease.