Security News This Week: Yeah, About That Carrier Steaming Toward North Korea

Each weekend we round up the news stories that we didn’t break or cover in depth but that still deserve your attention.
The aircraft carrier USS Carl Vinson. (U.S. Navy/Getty Images)

It was a week full of revelations in the security world. A New York Times Uber story revealed that the company got in trouble with Apple over "fingerprinting" iPhones even after users deleted the app. It's a common enough practice, but Uber took it a few steps too far. And speaking of common practices, here's how to check which services have access to your Gmail and Facebook accounts. You might be surprised at how many do.

We also took a look at an app vulnerability that leaves tens of millions of Android devices exposed, along with a new Amazon product that could know more about you than you think. Also, it only takes about $22 of gear now to unlock and start a car. Crime might not pay, but it sure comes cheap.

Elsewhere we profiled a group of college friends who happen to be hackers, and a missile defense system that happens to be contentious for China. And the Internet of Things still isn't secure, but Cloudflare has a plan to make it a little better.

And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Remember way back a few weeks ago, when the US announced that it was sending the USS Carl Vinson steaming toward North Korea as a show of strength? And then a week later, when the US announced that whoops, sorry, actually the Vinson had been heading the opposite direction? That was something! Especially now that Navy Times has filled in the timeline between that first announcement and its confusing, corrective follow-up. As you might imagine, it’s a tale full of miscommunication, and a few missed opportunities to explain what was really going on. Hopefully everyone learned a lesson before a similar misstep sparks a serious incident.

According to a report from Fortune, a Lithuanian man in 2013 tricked Google and Facebook into sending him over $100 million over the course of two years, by digitally impersonating Quanta Computer, a Taiwanese supplier for both. The companies have apparently recouped their money, but it’s a useful reminder that on the internet, nobody knows you’re a dog, or a cybercriminal with a whole lot of time on his hands.

Popular work messaging app Hipchat disclosed this week that a “security incident” may have let hackers access user names, email addresses, and hashed passwords. Fortunately, Hipchat says it uses bcrypt with a random salt for its hashing, which is about as good a protection as you could expect, but still, change those passwords. Potentially more troublingly, depending on how loose you are with gossip and smack talk, Hipchat says in .05 percent of instances, messages and content in rooms may have been accessed as well. Which mostly sounds like a dodged bullet, but just remember the next time you Hipchat or Slack or anything, really, that one day some hacker is going to set all the logs free, and it’s going to be mortifying.

Several months ago, the Google Chrome security team announced that it would take on one of the web’s major security challenges. When people went to HTTP sites, rather than encrypted HTTPS connections, it would give a prominent visual cue that the site was not secure. Starting in October, Chrome will take its warnings a step further, adding them to all HTTP pages visited in incognito mode, as well as any HTTP page that asks you to enter any kind of data. (Currently, the warning shows up on HTTP pages that ask for your password or credit card number.) It’s all part of a broader push by Google to make the web safer—and one of the less controversial methods.