So many hacks, so few days in the week to write alarming stories about every one. Every weekend, WIRED Security rounds up the security vulnerabilities and privacy updates that didn’t quite rise to our level for in-depth reporting this week, but deserve your attention nonetheless.
First the big stories: The FBI has a secret fleet of planes spying on you, and they are not alone. United Airlines grounded all its planes on Monday because false flight plans were being uploaded to the flight decks. The US Senate finally passed some NSA surveillance reform in the form of the USA Freedom Act, the first of its kind since Edward Snowden revealed the extent of the Big Brother nightmare that is domestic counter-terrorism in the 21st century. Facebook decided that revealing your location in Messenger isn’t a bug; it’s a feature! A feature you can now, thankfully, opt out of. And our own Andy Greenberg demonstrated that the front lines of the gun control debate are moving closer to home, as it’s now incredibly easy to build your own untraceable guns.
But there was a lot of other news this week, summarized below. To read the full story linked in each post, click on the headlines. And be safe out there!
Another month, another massive breach of a federal agency revealed. Hackers based in China accessed the records of four million federal workers when they hacked the Office of Payroll Management (OPM) in an attack first discovered in April. Despite the agency’s focus on payroll, it’s not clear if any data was stolen that could lead to financial fraud; no direct deposit information was accessed, according to the Washington Post. Instead, the attackers may have been seeking data useful for identifying government staffers with security clearances, potentially to target them in future “spear phishing” attacks. The Department of Homeland Security has taken credit for identifying the attack with its EINSTEIN intrusion detection system. But critics are questioning why that years-in-development system couldn’t have caught the attack earlier. The Chinese government, per usual, has denied any involvement. The OPM intrusion marks the second major federal breach revealed this year, following news that Russian hackers accessed unclassified White House networks as well as those of the State Department. — Andy Greenberg
Another small victory for opponents of the all-pervasive morass of electronic surveillance, at least in one state: the California senate unanimously passed the California Electronic Communications Privacy Act, a bill requiring law enforcement to obtain a search warrant or wiretap order prior to searching smartphones, laptops, or electronic devices, or accessing information stored on remote servers. The bill will be heard by the State Assembly this summer. — Yael Grauer
It only took Skype 24 hours to fix the bug, but for a moment, messaging “http://:” (without the quotes) in chat not only made Skype crash in Windows, Android, and iOS, but would immediately crash it again after restarting when Skype downloaded chat history from the server, meaning that clearing the chat history didn’t resolve the issue. This bug trailed on the heels of the iOS glitch discovered last week that caused iPhones to crash when sent a string of characters, though users are far more likely to type in http://: by accident than they are to text the complicated string of Arabic and English characters required to crash iOS devices. Before the fix was in, Skype users could get around the bug by installing an older version of Skype, or by having the sender delete the offending message. — Yael Grauer
Macs shipped prior to mid-2014 are vulnerable to an exploit that would allow an attacker to permanently control the machine, even if you reinstall OS X or reformat the drive. The vulnerability, discovered by security researcher Pedro Vilaca, allows attackers to install malicious firmware that essentially overwrites the firmware that boots up the machine right after older Macs wake from sleep. The code is installed via one of the many security vulnerabilities found in web browsers such as Safari. One way to avoid this hack is to change your computer’s default setting to deactivate sleep mode. You can also download software to detect whether an attack has taken place, though the software won’t prevent it from happening. — Yael Grauer