Security News This Week: Oh Good, the Weaponized Police Drones Are Here – YAEL GRAUER. 29.15. 08.2 AM

Getty Images

We’re still feeling the ripple effect from the Ashley Madison hack this week. Not only is its parent company, Avid Life Media, offering a $500K CDN reward for info on the hackers, and not only are the lawsuits rolling in, but on Friday CEO Noel Bidermen stepped down. The world’s biggest online drug marketplace Agora is on hiatus following suspicious activity that its moderators think was intended to deanonymize the site.  The UN’s newly appointed privacy chief described the UK’s digital surveillance as worse than 1984. Meanwhile, a U.S. appellate court ruled that the Federal Trade Commission can regulate and fine companies for getting hacked, so long as they engaged in unfair or deceptive business practices, such as publishing a privacy policy and failing to make good on it.

But there’s more. Each week we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!

Militarized Drones Are Now Legal In North Dakota

Police in North Dakota can now legally fly militarized drones armed with tasers, tear gas, rubber bullets, pepper spray, or sound cannons, thanks to the passage of House Bill 1328. The bill was originally meant to require police officers to obtain a search warrant in order to use the drones for criminal evidence, and would have banned the use of all weapons on drones (not just the lethal ones), but then a lobbyist made some changes. A compliance committee is supposed to track and review police use of drones and keep it in check, but the group has no legal authority—and its members aren’t exactly unbiased. “Of the committee’s 18 members, six are from UND, which has a vested interest in promoting drone use. Three are members of local government, including the city planner and an assistant state’s attorney. And the rest are either current or former members of law enforcement and emergency services,” the Daily Beast’s Justin Glawe writes.

Article continues:

Court Says the FTC Can Slap Companies for Getting Hacked – ANDY GREENBERG 08.24.15. 4:51 PM

Guests look out from inside their rooms in the Wyndham Hotel in Pittsburg. STEPHANIE STRASBURG/TRIBUNE REVIEW/AP

For companies like the dating site Ashley Madison or the health insurer Anthem, financial loss, customer anger and professional embarrassment aren’t the only consequences of getting massively gutted by hackers. Now a court has confirmed that there’s a three-letter agency that can dish out punishment, too.

In a decision published Monday, a U.S. appellate court ruled that the Federal Trade Commission has the authority to sue Wyndham Hotels for allowing hackers to steal more than 600,000 customers’ data from its computer systems in 2008 and 2009, leading to more than $10 million in fraudulent charges. The ruling more widely cements the agency’s power to regulate and fine firms that lose consumer data to hackers, if the companies engaged in what the FTC deems “unfair” or “deceptive” business practices. At a time when ever-more-private data is constantly getting breached, the decision affirms the FTC’s role as a digital watchdog with actual teeth.

‘This Is a Major Deal’

The FTC originally sued Wyndham in 2012 over the lack of security that led to its massive hack. But before the case proceeded, Wyndham appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. The third circuit court’s new decision spells out that Wyndham’s breach is exactly the sort of “unfair or deceptive business practice” the FTC is empowered to stop, sending Wyndham back to face the FTC’s lawsuit in a lower court.

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” reads the court’s ruling.

Article continues:

Hackers Release Ashley Madison User Data, Frenzy to Check for Famous People Ensues – By Lily Hay Newman AUG. 19 2015 11:02 AM

The secret is out. -- Screencap of Ashley Madison

The secret is out. —
Screencap of Ashley Madison

Welp, here we are. Thirty days days after a group called Impact Team breached the infidelity site Ashley Madison and threatened to reveal its users, the hackers appear to have made good on their promise. On Tuesday evening the group posted a 9.7-gigabyte file on the dark Web that looks like it contains names, login information, and personal details for more than 30 million Ashley Madison users.

The inevitable next step is for everyone to start looking up their significant others, family members, and friends. For those who know they will be on the list, it’s damage-control time. An email address for former United Kingdom Prime Minister Tony Blair is in the data dump, and CSO reports that there are 15,019 accounts linked to .mil and .gov email addresses in the data. Gawker reporter Sam Biddle came forward right away about his presence in the data.

it’s definitely real, I made an account on AM once when I was covering online dating stuff for gizmodo and my email is in there

— Sam Biddle (@samfbiddle) August 19, 2015

As Brian Krebs, of Krebs on Security, and others pointed out, though, Ashley Madison didn’t verify email addresses, so anyone could sign up with any address or sign people up as a joke. (Maybe it’s OK, Cherie Blair!) People may also have intentionally faked the “personal information” on their accounts to cover their tracks long before the breach. On the question of whether the leaked data set is valid and actually came from Ashley Madison’s servers, Krebs wrote, “I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.” He cited sources who showed up in the leak with accurate credit card information, as well as the 30-days-later timing as some of the reasons he believes the the leak is legit.

In a statement, Avid Life Media Inc., which owns Ashley Madison, was vague about whether the released user data is real. The company wrote:

We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.

Article continues: