Security, Spoken

Walking the enormous exhibition halls at the recent RSA security conference in San Francisco, you could have easily gotten the impression that digital defense was a solved problem. Amidst branded t-shirts and water bottles, each booth hawked software and hardware that promised impenetrable defenses and peace of mind. Learn about your ad choices: dovetail.prx.org/ad-choices

WIRED tackled the big questions in security this week, starting with maybe the biggest: Why do so many people use "dragon" as their password? The answer actually says a lot about the psychology of passwords, and how those popular password lists are made in the first place. And there's a whole lot more. Another surprising discovery? Why it makes at least some sense that Atlanta paid $2.6 million to recover from a ransomware attack that had demanded only $52,000. Learn about your ad choices: dovetail.prx.org/ad-choices

This week, MSNBC host Joy Reid has found herself embroiled in a familiar controversy. Twitter user @Jamie_Maz—for the second time—surfaced a number of homophobic posts, from the early aughts, on Reid's now defunct blog, the Reid Report. In response, Reid has turned to a recognizable scapegoat: hackers. Reid isn't the first public figure to blame hackers for her alleged misdeeds online. Learn about your ad choices: dovetail.prx.org/ad-choices

In February, the ACLU of Massachusetts released a damning report detailing prejudice in social media surveillance efforts by the Boston Police Department (BPD). The report revealed that between 2014 and 2016, the BPD had tracked keywords on Facebook and Twitter in an effort to identify potential terrorist threats. Learn about your ad choices: dovetail.prx.org/ad-choices

If you haven't read this month's WIRED cover story about teen hackers who went too deep into Microsoft Xbox's systems, make that your first stop. In more current news, the White House sent mixed messages on cybersecurity policy this week, calling out Russian hackers for compromising popular routers and firewalls—a problematic, but unsurprising and even popular type of attack. Meanwhile, the White House is also losing its well-regarded cybersecurity coordinator Rob Joyce to the NSA. Learn about your ad choices: dovetail.prx.org/ad-choices

It's important not to overstate the security risks of the Amazon Echo and other so-called smart speakers. They're useful, fun, and generally have well thought-out privacy protections. Then again, putting a mic in your home naturally invites questions over whether it can be used for eavesdropping—which is why researchers at the security firm Checkmarx started fiddling with Alexa, to see if they could turn it into a spy device. They did, with no intensive meddling required. Learn about your ad choices: dovetail.prx.org/ad-choices

In 2003, Finnish security researcher Tomi Tuominen was attending a security conference in Berlin when a friend's laptop, containing sensitive data, was stolen from his hotel room. The theft was a mystery: The staff of the upscale Alexanderplatz Radisson had no clues to offer, the door showed no signs of forced entry, and the electronic log of the door's keycard lock—a common RFID card reader sold by Vingcard—had recorded no entries other than the hotel staff. Learn about your ad choices: dovetail.prx.org/ad-choices

On December 2, 2015, a man named Syed Rizwan Farook and his wife, Tashfeen Malik, opened fire on employees of the Department of Public Health in San Bernardino, California, killing 14 people and injuring 22 during what was supposed to be a staff meeting and holiday celebration. The shooters were tracked down and killed later in the day, and FBI agents wasted no time trying to understand the motivations of Farook and to get the fullest possible sense of his contacts and his network. Learn about your ad choices: dovetail.prx.org/ad-choices

The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city's systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin. (The exact value has fluctuated due to bitcoin's volatility. Learn about your ad choices: dovetail.prx.org/ad-choices

On Tuesday, about 250 people gathered in the event space of Cloudflare's San Francisco headquarters for an unusual security conference—or, perhaps more accurately, one that aimed to modernize the longstanding tradition in security of creating alternative, transgressive gatherings. Learn about your ad choices: dovetail.prx.org/ad-choices

The Democratic National Committee Friday filed a lawsuit against a broad slate of people and entities allegedly responsible for the 2016 hack of its email, phone calls, and more. But while the suit claims involvement from a host of headliners—Wikileaks, Julian Assange, Donald Trump, Jr., and Russia among them—its immediate importance lies in the previously unreported timeline it lays out. Learn about your ad choices: dovetail.prx.org/ad-choices

Each year since 2011, the security firm SplashData has released a list of the most commonly used passwords, based on caches of leaked account credentials. The annual list, intended as a reminder of humanity’s poor password practices, always includes predictable entries like “abc123,” “123456,” and “letmein.” But one entry, finishing in the top 20 every year, has stood out since the beginning: "dragon. Learn about your ad choices: dovetail.prx.org/ad-choices

Facebook profiles have become the de-facto identities of people across the internet. This is thanks, in large part, to Login With Facebook, the social network's universal login API, which allows users to carry their profile information to other apps and websites. You've probably used it to log in to services like Spotify, Airbnb, and Tinder. Learn about your ad choices: dovetail.prx.org/ad-choices

Less than an hour into a Tinder date in a Moscow restaurant last year, Patrick Wardle began to wonder about the laptop he'd left in his hotel room. Wardle had come to the city for a security conference; as a former NSA staffer who'd worked on the elite hacking unit known as Tailored Access Operations, he was paranoid enough to bring only a "burner" PC on his trip, carefully stripped of any sensitive information. Learn about your ad choices: dovetail.prx.org/ad-choices

For its first year in office, the Trump administration seemed soft on Russia's hyper-aggressive hackers, reluctant even to point out they'd brazenly meddled in the US election. Then, just two months ago, the White House suddenly came out swinging, calling out Russia for its massively disruptive NotPetya malware and intrusions into the US power grid, and imposing new sanctions in response. Learn about your ad choices: dovetail.prx.org/ad-choices

In September, security researchers at Cisco Talos and Morphisec made a worst nightmare-type disclosure: the ubiquitous computer cleanup tool CCleaner had been compromised by hackers for more than a month. The software updates users were downloading from CCleaner owner Avast—a security company itself—had been tainted with a malware backdoor. Learn about your ad choices: dovetail.prx.org/ad-choices

Have you used a friend's laptop to charge your iPhone and gotten a prompt that says, "Trust This Computer?" Say yes, and the computer will be able to access your phone settings and data while they're connected. And while it doesn't feel like your answer really matters—your phone will charge either way—researchers from Symantec warn that this seemingly minor decision has much higher stakes than you'd think. Learn about your ad choices: dovetail.prx.org/ad-choices

The bulk of major corporate hacks follow time-tested strategies, like phishing emails that trick employees into giving up their credentials, or hackers exploiting a bug in a web portal. While effective, these strategies also open an attacker to early detection. So increasingly, hackers have taken the scenic route—through the Internet of Things. Learn about your ad choices: dovetail.prx.org/ad-choices

The adult website Pornhub has of late taken pride in being something of a pioneer. A year ago, it implemented HTTPS encryption, making it safer for users to click without being snooped on. Last fall, it introduced a suite of accessibility features for its blind and visually impaired users. And Tuesday, it began accepting Verge, a privacy-focused cryptocurrency Pornhub is not by any stretch the first adult site to accept cryptocurrency. Learn about your ad choices: dovetail.prx.org/ad-choices

Today, the White House confirmed that cybersecurity coordinator Rob Joyce will head back to the National Security Agency, where he previously ran the nation’s top hacking team. His departure comes just a week after Tom Bossert, Trump’s cybersecurity czar and Joyce’s boss, was forced out—and leaves the administration without two trusted voices on one of the most important challenges the US faces going forward. Learn about your ad choices: dovetail.prx.org/ad-choices

When Young Mie Kim began studying political ads on Facebook in August of 2016—while Hillary Clinton was still leading the polls— few people had ever heard of the Russian propaganda group, Internet Research Agency. Not even Facebook itself understood how the group was manipulating the platform's users to influence the election. Learn about your ad choices: dovetail.prx.org/ad-choices

It was the week of Zuck. As Facebook founder and CEO Mark Zuckerberg slogged through more than 10 hours of testimony in front of two different Congressional committees, privacy and security advocates were listening for anything they could glean about how Facebook manages data, implements privacy protections, and helps users make informed choices—or doesn't. Learn about your ad choices: dovetail.prx.org/ad-choices

The internet infrastructure company Cloudflare is adding an Internet of Things security service to its already long list of offerings. And though it that may seem unrelated to the free DDoS mitigation or expanded web browsing protections the company already provides, it's another incremental step that helps reveal a clearer picture of the company's overall approach to security. Learn about your ad choices: dovetail.prx.org/ad-choices

The data consulting firm Cambridge Analytica, which harvested as many as 87 million Facebook users' personal data, also could have accessed the private inbox messages of some of those affected. Facebook slipped this previously undisclosed detail into the notifications that began appearing at the top of News Feeds on Monday. Learn about your ad choices: dovetail.prx.org/ad-choices

Over the last two days, Facebook CEO Mark Zuckerberg was questioned for more than 10 hours by two different Congressional committees. There was granular focus on privacy definitions and data collection, and quick footwork by Zuckerberg—backed by a phalanx of lawyers, consultants, and coaches—to craft a narrative that users “control” their data. (They don’t. Learn about your ad choices: dovetail.prx.org/ad-choices

Google has long struggled with how best to get dozens of Android smartphone manufacturers—and hundreds of carriers—to regularly push out security-focused software updates. Learn about your ad choices: dovetail.prx.org/ad-choices

Since it’s not summer 2017 anymore, you probably haven’t watched the music video for Luis Fonsi and Daddy Yankee’s hit “Despacito” recently. And that may be just as well. The reigning most-viewed YouTube video was vandalized and then taken off the platform for a few hours on Tuesday morning after hackers infiltrated the account that hosted it. Learn about your ad choices: dovetail.prx.org/ad-choices

Mark Zuckerberg appeared before Congress Tuesday, and for five hours, senators who appeared to have halting grasp of the company’s intricacies questioned the Facebook CEO on topics ranging from Russia to artificial intelligence. Zuckerberg for the most part gave considered answers to their questions—except when it came to the specifics of how users can control their privacy. That Zuckerberg would dodge uncomfortable questions is a disappointment, though maybe no surprise. Learn about your ad choices: dovetail.prx.org/ad-choices

You know by now that Internet of Things devices like your router are often vulnerable to attack, the industry-wide lack of investment in security leaving the door open to a host of abuses. Worse still, known weaknesses and flaws can hang around for years after their initial discovery. Even decades. Learn about your ad choices: dovetail.prx.org/ad-choices

The relationship between platforms and their users has never been more fraught. To see the evidence, look no further than Congress today, where Facebook CEO Mark Zuckerberg will testify about how his company reportedly mishandled data belonging to up to 87 million people by allowing it to get into the hands of the Trump-affiliated data firm Cambridge Analytica. Learn about your ad choices: dovetail.prx.org/ad-choices

Bots have become a great scourge of the internet. Recently, they've flooded government comment systems with fake activism, distorted the national discourse on guns, and launched malicious attacks against the Justice Department. And a new study suggests they're behind the majority of links shared on Twitter, too. A Pew Research report released Monday finds that a whole two-thirds of links to popular sites shared on Twitter come from automated accounts. Learn about your ad choices: dovetail.prx.org/ad-choices

Next week, Facebook CEO Mark Zuckerberg will testify before Congress about his company's failure to prevent the data firm Cambridge Analytica from siphoning off information belonging to up to 87 million people, the majority of whom are believed to be Americans. In the lead-up to the hearings, the social network has scrambled to respond to increased scrutiny from journalists and the public over its privacy practices. Steps like overhauling its entire privacy settings menu are a clear benefit. Learn about your ad choices: dovetail.prx.org/ad-choices

Last week, the Department of Homeland Security confirmed for the first time that it is aware of unauthorized cell-site simulators, the surveillance tools often called stingrays or IMSI Catchers, in various parts of Washington DC. Learn about your ad choices: dovetail.prx.org/ad-choices

In the aftermath of the Equifax data breach last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services estimated that cyberinsurance would cover roughly $125 million of Equifax’s losses from the incident. It’s uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. Learn about your ad choices: dovetail.prx.org/ad-choices

Bitcoin's blockchain provides inalterable evidence, stored on thousands of computers, of every Bitcoin transaction that's ever taken place. Many of the transactions recorded on that distributed ledger are crimes: Billions of dollars in stolen funds, contraband deals, and paid ransoms sitting in plain sight, yet obscured by unidentifiable Bitcoin addresses and, in many cases, tangles of money laundering. Learn about your ad choices: dovetail.prx.org/ad-choices

This week, Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor department stores—all owned by The Hudson’s Bay Company—acknowledged a data breach impacting more than five million credit and debit card numbers. The culprits? The same group that's spent the last few years pulling off data heists from Omni Hotels & Resorts, Trump Hotels, Jason’s Deli, Whole Foods, Chipotle: A mysterious group known as Fin7. Learn about your ad choices: dovetail.prx.org/ad-choices

It's been about six months since cryptojacking exploded, and in that short time the approach has evolved and adapted to initiate illicit cryptocurrency mining in all different ways. Now, Google's taking a stand, announcing Monday that it would begin blocking any Chrome extension submitted to the Web Store that mines cryptocurrency. In July, it will remove existing extensions that currently contain mining functionality. Learn about your ad choices: dovetail.prx.org/ad-choices

After sailing through two friendly Senate hearings—one so uncontroversial that only six senators tops bothered to even show up at any given point in the hour—Lieutenant General Paul Nakasone seems set to for confirmation as the next director of the National Security Agency. That means he'll soon lead not just one agency, but two: the world's most powerful spying operation, the NSA, and the world's most powerful military hacker force, US Cyber Command. Learn about your ad choices: dovetail.prx.org/ad-choices

When Under Armour announced that its nutrition app MyFitnessPal had suffered a data breach impacting the information of roughly 150 million users, things actually didn't seem so bad. Of course, it's never good when personal data ends up online, much less that of so many people, but it seemed like Under Armour had at least taken reasonable precautions. But it turns out Under Armour only sort of got things right. Learn about your ad choices: dovetail.prx.org/ad-choices

Most of the traffic on the web is encrypted. And more websites are adopting basic encryption measures every day. That means that, in theory, eavesdroppers have a hard time seeing whom you're writing to on Gmail or what you're looking up on Wikipedia. But there's a catch. Big sites like Google and Facebook can see what links you click from their services, and use tracking cookies to follow you around the web. Learn about your ad choices: dovetail.prx.org/ad-choices

After weeks of unrelenting chaos, the cybersecurity world took a little bit of a breather. Well, relatively, anyway. There was still one of the bigger data breaches in recent memory, compliments of UnderArmour. The sportswear company's MyFitnessPal apps suffered a breach of 150 million users' data, including names and passwords. Learn about your ad choices: dovetail.prx.org/ad-choices

For over a week, the City of Atlanta has battled a ransomware attack that has caused serious digital disruptions in five of the city's 13 local government departments. The attack has had far-reaching impacts—crippling the court system, keeping residents from paying their water bills, limiting vital communications like sewer infrastructure requests, and pushing the Atlanta Police Department to file paper reports for days. Learn about your ad choices: dovetail.prx.org/ad-choices

Nearly three years after a Russian propaganda group infiltrated Facebook and other tech platforms in hopes of seeding chaos in the 2016 US election, Facebook has more fully detailed its plan to protect elections around the world. In a call with reporters Thursday, Facebook executives elaborated on their use of human moderators, third-party fact checkers, and automation to catch fake accounts, foreign interference, fake news, and to increase transparency in political ads. Learn about your ad choices: dovetail.prx.org/ad-choices

ISIS has long taken full advantage of secure communication tools, and utilized mainstream communication platforms in unexpected ways. Extremist groups even develop their own software at times to tailor things like encrypted messaging to their specific needs. One such project is the clandestine, unfortunately named communication tool MuslimCrypt, which uses an encryption technique called steganography to spread secret messages. Learn about your ad choices: dovetail.prx.org/ad-choices

In its latest drumbeat against the cyber activities of Iran, the US government Friday charged nine Iranian hackers with a massive three-year campaign to penetrate and steal more than 31 terabytes of information—totaling more than $3 billion in intellectual property—from more than 300 American and foreign universities. Learn about your ad choices: dovetail.prx.org/ad-choices

As discerning dark web drug dealers and pseudonymous hackers have figured that Bitcoin is not magically private money, many have turned to Monero, a digital coin that promises a far higher degree of anonymity and untraceability baked into its design. But one group of researchers has found that Monero's privacy protections, while better than Bitcoin's, still aren’t the cloak of invisibility they might seem. Learn about your ad choices: dovetail.prx.org/ad-choices

Wrangling your Facebook privacy settings—fine-tuning what data friends, advertisers, and apps can access—is a slog. The menus are labyrinthine, the wording obtuse. And it turns out that one of them is completely pointless. In fact, it hasn’t worked in years. To be clear: This is not a case of Facebook sneaking one past you, at least not the way you might think. Learn about your ad choices: dovetail.prx.org/ad-choices

After months of silence, Tumblr Friday released a list of 84 usernames and their aliases that it says were connected to "state-sponsored disinformation and propaganda campaigns." It's the first time the company has publicly acknowledged what journalists and researchers have known now for months: Russian trolls also used Tumblr to spread their divisive memes and gifs, reportedly to the tune of hundreds of thousands of interactions. Learn about your ad choices: dovetail.prx.org/ad-choices

On Thursday, a report from the Daily Beast alleged that the Guccifer 2.0 hacking persona—famous for leaking data stolen from the Democratic National Committee in 2016—has been linked to a GRU Russian intelligence agent. What appears to have given Guccifer away: The hacker once failed activate a VPN before logging into a social media account. This slip eventually allowed US investigators to link the persona to a Moscow IP address. In fact, they traced it directly to GRU headquarters. Learn about your ad choices: dovetail.prx.org/ad-choices

Hard as it is to believe, it was only a week ago that reports first broke—in The Guardian and The Observer, along with The New York Times—that Trump-affiliated data company Cambridge Analytica harvested the data of 50 million unwitting Facebook users to create so-called psychographic political ads. Learn about your ad choices: dovetail.prx.org/ad-choices