Saturday 16 May 2015

Security News This Week: Be Careful With Your Apple Watch and Starbucks App

SO MANY HACKS, so few days in the week to write alarming stories about every one. With this post, we’re introducing WIRED Security’s new weekly roundup of the security vulnerabilities and privacy updates that didn’t quite rise to our level for in-depth reporting, but deserve your attention nonetheless.

Starbucks App Reportedly Hacked; Starbucks Denies It
Hackers have reportedly been drawing funds from bank accounts attached to refillable Starbucks accounts. In breaking the story, Bob Sullivan reported that thieves were getting in by way of the Starbucks mobile app. Starbucks has said in response that its app wasn’t hacked. Instead, it suggested in a statement that hackers were obtaining the login credentials to customer mobile accounts through other means and compromising each account individually.

Venom Vulnerability Was Not Bigger Than Heartbleed, but Still Important
When first reported Wednesday, an 11-year-old datacenter vulnerability was dubbed “bigger than Heartbleed,” but cooler heads quickly pointed out that wasn’t quite the case. The now-patched zero-day vulnerability affected systems using certain brands of virtual machine software by exploiting code for a legacy component that still exists in some of them: a virtual floppy disk. The hole could allow hackers with administrative access to one virtual system to jump from there to other virtual systems in, say, a datacenter and obtain valuable data from them.

FDA Finally Releases Alert about Security Holes in Hospira Drug Pumps
A month after WIRED reported on troubling vulnerabilities in certain widely used drug-delivery pumps made by Hospira, the FDA has finally issued a warning about them. The vulnerabilities would allow an attacker with physical or remote access to Hospira LifeCare PCA3 and PCA5 pumps to modify the drug dosage they deliver, “which could lead to over- or under-infusion of critical therapies.” Security researcher Billy Rios, who reported the vulnerabilities to Hospira and the FDA, did so a year ago, but it took until now for the FDA to issue an alert.

Turns Out the Apple Watch Is Super Vulnerable to Theft
iPhones and iPads have an Activation Lock that makes it hard for jerks who steal the devices to wipe and resell them. Apple’s latest fancy new toy does not. All the Apple Watch has is a password, which you can bypass with a simple reset. For what amounts to a status symbol that will likely already be a hot target for pickpockets, this appears to be a major oversight by Apple.

Washington Becomes First State to Require Warrant to Use Stingrays
While law enforcement agencies around the country have been secretly using stingrays, or cell site simulators, to track people, Washington became the first state to pass a law prohibiting their use without a warrant. Stingrays, also known as IMSI-catchers, mimic a legitimate cell phone tower in order to trick mobile phones and other devices into connecting to them and revealing their location. Law enforcement agencies have been using them for years either without obtaining a warrant at all or using false pretenses to get one by misleading judges about the technology. But Washington’s governor put an end to that in signing the new law this week. The statute was passed after it was discovered that police in Tacoma, Washington, had been using a cell site simulator for six years without judges knowing about it.

New York Claims It Has No Records Related to Stingrays
The same week Washington state enacted a law to ensure law enforcement agencies are more transparent about their use of stingrays, the New York State Police struck a blow to transparency by asserting that it possesses no records at all about its use of stingrays. The response came after the American Civil Liberties Union of New York filed a public records request seeking information about when and how often the devices are used, any policies or guidelines around their use as well as copies of court orders authorizing their use. The state definitely has stingrays; it has spent more than $640,000 to purchase them. But apparently there are no records—not even an errant email—discussing their use.
