Another week, another revelation of a massive breach with potentially far-reaching consequences. Well, two of those this week, actually. First, Symantec revealed that hackers—probably based in Russia, although the security firm didn’t go so far as to name names—had hacked more than 20 power companies in North America and Europe, and in a handful of cases, had direct access to their control systems. And then Equifax confessed it had been the target of a breach that stole 143 million Americans’ data, one of the worst data spills ever, and one that raises questions about data centralization, particularly for Social Security Numbers.
Megabreaches aside, Facebook admitted that a Russian troll farm had spent $100,000 on influence ads during last year’s election. Google patched a flaw in Android that would allow a nasty “toast overlay” attack to take control of devices. WIRED dug into the long-running series of scams and theft plaguing new currencies in the cryptocoin economy. And we spoke to the Democratic National Committee’s chief technology officer about how he hopes to prevent the next attack aimed at disemboweling the party.
And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories.
Researchers Uncover Serious Holes in Germany’s Voting Software
After hackers believed to be Russian meddled in both the US and French elections, Germany is likely next on the target list. And this week the Chaos Computer Club, a German collective of hackers and security researchers, exposed the results of their unsolicited audit of the country’s voting infrastructure. They examined a program called PC-Wahl, used for recording, counting, displaying, and analyzing votes in German elections from the local level to the national government. The hackers found they could corrupt the updates from the server controlling that software to re-tabulate votes at will, with potentially disastrous consequences for the country’s October parliamentary election. The CCC says that VOTE-IT, the company behind the software, privately fixed the security flaws the group exposed while publicly refusing to acknowledge the vulnerabilities.
Ultrasonic Voice Commands Can Hijack Siri and Amazon Echos
These days, it’s not just politicians who can use “dog-whistles” to send messages intended only for a very particular audience. So can hackers. Researchers at the University of Zhejiang have shown that they can send ultrasonic signals to voice assistants like your iPhone’s Siri, Amazon’s Echo, Google Now, and even the voice command systems of an Audi car that are inaudible to humans, but nonetheless picked up and obeyed by those systems. Their technique, which they call DolphinAttack, can be achieved with just a few dollars of equipment like an ultrasonic transducer and a battery, as well as a smartphone, and could allow hackers to silently “speak” to nearby devices and cause them to visit malware-infected websites, make calls that stream audio for surveillance purposes, or other mischief. And since the attack takes advantage of physical properties of the microphone that cause it to pick up commands from ultrasonic waves, there’s no easy fix for the problem.
Critical Bug in Open-Source Framework Could Endanger Corporate Data
A bug announced this week in the Apache Struts web application software could allow attackers to take over servers running applications built with the framework, enabling the intruders to steal or manipulate sensitive data. The bug is now patched, but is significant because many organizations and Fortune 100 companies run and rely on affected applications. The vulnerability specifically impacts an Apache Struts plugin called REST that has been around since 2008. Vulnerable systems are everywhere, from public-facing platforms for banking and reservations to back-end software within a company, and researchers say exploiting the bug is simple using a web browser. They hadn’t seen evidence that the bug was exploited before their announcement, but stressed how important it is for organizations to patch and monitor their systems.
Resumes of Military and Intelligence Personnel Discovered in Unsecured S3 Bucket
Roughly 9,400 sensitive resumes, many from US veterans, were found accessible and exposed in a recruiting firm’s Amazon Web Services server, according to Chris Vickery and other researchers at the UpGuard security firm. The resumes date back to 2008 and were from applicants applying to work for the private security group TigerSwan, which contracted with the third party TalentPen until February. Some of the applicants claimed in their resumes to have US government top secret clearance, and many detailed sensitive military and intelligence work. The documents also naturally included personal information like email addresses, phone numbers, home addresses, and even passport numbers and partial social security numbers. Some of the submissions were from Iraqi and Afghan nationals who worked with US organizations. “While criminals could use the deep knowledge of work experience and personal details … the value of this database to foreign intelligence agencies if they were to access it is not insignificant,” UpGuard noted.
Widespread Protests Criticizing Togolese Government Prompt Telecommunications Blackouts
Beginning on Tuesday, internet users in Togo began reporting slow or inaccessible internet and wireless connections, and lost access to communication platforms like WhatsApp, Facebook, and even SMS text messaging over cell networks. The country was experiencing widespread blackouts by Thursday, and some residents traveled to Togo’s borders looking for connectivity leaking in from neighboring countries. The West African NGO Internet Without Borders and the internet infrastructure company Dyn both confirmed local reports. The blackouts are in response to extensive protests demanding Togolese President Faure Gnassingbé’s resignation. Governments in countries like Gabon and Cameroon have used similar repression tactics to attempt to quiet dissent.