Security News This Week: The Government Wants to Listen In on Your Smart Home

The Internet of Things is connecting your home via gadgets that are always listening. This week the government admits it wants in.
497965472
Getty Images

This week was jam-packed with security news. A new worldwide survey of crypto products shows that encryption is international, so a ban makes no sense. Researchers found a way to hack power grids by remotely manipulating air conditioners. Obama covered the basics in a new cybersecurity plan, perhaps in an attempt to secure his legacy. FBI and DHS employees got hacked. Google announced the phasing out of Flash in banner ads. India banned Facebook’s Basics app to support net neutrality. We celebrated the 20-year anniversary of John Perry Barlow’s “Declaration of Independence of Cyberspace” manifesto, and looked at how you can donate your old USB drive to fight North Korean brainwashing. A new Malware Museum was born. And someone finally wrote a good encryption bill to preempt states from trying to implement their own anti-crypto policies at a state level.

But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!

### US Intelligence Chief James Clapper: The Government Could Use the Internet of Things to Spy on You
US Director of National Intelligence James Clapper said in a congressional testimony that intelligence services could use the increasingly interconnected smart household devices for surveillance. “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” he said.

### After Losing Copyright Lawsuit, Site Offering Access to Academic Papers For Free Emerges on the Deep Web
Alexandra Elbakyan, a university student in Kazakhstan, developed the Sci-Hub website to allow users to download paywalled academic papers for free by tapping into university networks to access the subscription-only papers. Unfortunately, the site was shut down after a copyright lawsuit on behalf of Elsevier, and its domain was shut down. But Sci-Hub popped back up againunder a different domain, and is also available on the deep web. (Just download the Tor browser and head over to here for that.)

### More Than A Third of Leaked Police Contracts Contain Guarantees To Keep Disciplinary Records Secret, Destroy Civilian Complaint Records
How’s this for accountability? Leaked police contracts contain guarantees blocking public access to disciplinary records, formal complaints against officers, and internal investigation documents. Some contracts even had clauses allowing for complaints and disciplinary records to be destroyed after a negotiated amount of time. The documents became publicly accessible when hackers breached the Fraternal Order of Police website and posted its files online.

### Proposed Utah Law Punishes Doxing With Up to Six Months in Jail—But its Language is Overly Broad
Utah State Representative David Lifferth has written a bill that would make doxing a crime punishable by up to six months in jail. However, the bill’s language is overly broad, to the point where it could make holding public officials accountable for their actions a crime. “The bill as drafted is clearly unconstitutional,” Electronic Frontier Foundation staff attorney Nate Cardozo told Ars Technica, pointing out that publishing a person’s name “with the intent to annoy” could be a crime under the proposal draft. Lifferth told Ars Technica that he is revising the bill to address these concerns.

### Hacked Toy Company Updates Terms of Service to Shunt Responsibility for Future Hacks
VTech, the toy company that reopened last week after a data breach exposed the personal data of more than 6 million children, is now back online. The bad news is that its terms and conditions include a new statement requiring users to acknowledge that any information they send or receive while using the site could be insecure or at risk of unauthorized interception. Although the clause may not be valid legally, it could be an attempt by the site to restrict liability for future hacks.

### Many Mac Apps Vulnerable to Hijacking
A large number of apps using a third party updater over HTTP are vulnerable to man-in-the-middle attacks, due to a bug in the third-party software framework Sparkle, which apps including Camtasia, uTorrent, and others use to receive updates.

Although Sparkle has provided a fix for two vulnerabilities found, developers need to update the Sparkle framework inside their apps, which can be a difficult process. In addition, it isn’t easy for users to know which of their apps are vulnerable.

### FBI Can’t Unlock Encrypted Phone Used by San Bernardino Killers
FBI Director James Comey told the Senate Intelligence Committee that FBI technicians have been unable to unlock encrypted data on the phone belonging to either Syed Rizwan Farook or Tashfeen Malik, the terrorists who killed 14 people in San Bernardino in December. Comey didn’t specify the cellphone model, nor did he indicate whether it belonged to Farook or Malik.

### Site Hosting Hacked FBI Database Went Dark
Cryptobin, an anonymous site that hosts text files submitted by users, was taken offline this week two days after a hacker used it to publish the personal details of 22,000 FBI employees. The site is still available by its IP address, however, and the data has since been mirrored by at least two websites.

### Google Improves Gmail Security
On Safer Internet Day this past Tuesday, Google announced that Gmail messages sent to or from a service that doesn’t support TLS encryption will be flagged with a broken lock icon in the message. Emails that can’t be authenticated will also be flagged with a question mark in place of the sender’s avatar (or logo, or photo). This update will allow users to take extra care before responding to these messages--or clicking on links.

### NYPD Has Used Stingrays More Than 1,000 Times Since 2008
In response to a public records request submitted by the NYCLU, the NYPD has disclosed that it not only owns and operates Stingrays, but that it’s done so more than a thousand times between May 2008 and May 2015. Further, it does so without any sort of written policy, and primarily through the use of pen register, a lower standard than an actual warrant, which would require probable cause. Last year, the Department of Justice began using warrants rather than pen registers for using the cell site simulators barring exceptional/emergency circumstances.