US Could Finally Ban Nonsensical Forced Password Changes

Researchers found a vulnerability in a Kia web portal that allowed them to track millions of cars, unlock doors, honk horns and even start engines in seconds, just by reading the car’s license plate. The findings are the latest in a series of web bugs that have hit dozens of automakers. Meanwhile, a handful of Tesla Cybertrucks have been kitted out for war and are literally being battle-tested by Chechen forces fighting in Ukraine as part of the ongoing Russian invasion.

As Israel intensifies its attacks on Lebanon, civilians on both sides of the conflict have been receiving ominous text messages, with authorities in each country accusing the other of psychological warfare. The US government has increasingly condemned Russian-backed media outlets such as RT for working closely with Russian intelligence, and many digital platforms have removed or banned their content. But they remain influential and reliable alternative sources of information in many parts of the world.

And there is more. Each week, we round up the privacy and security news that we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

A new draft of the “Digital Identity Guidelines” from the U.S. National Institute of Standards and Technology finally takes steps to eliminate reviled password management practices that have been shown to do more harm than good. The recommendations, which will be mandatory for U.S. federal government entities and serve as guidelines for all others, prohibit the practice of requiring users to periodically change their account passwords, often every 90 days.

The policy of periodically changing passwords arose from a desire to ensure that people did not keep passwords that were easy to guess or that had been reused elsewhere; in practice, it pushes people toward simple or formulaic passwords that are easier to keep track of. The new recommendations also prohibit “composition rules,” such as requiring a certain number or combination of capital letters, numbers and punctuation marks in each password. NIST writes in the draft that the goal of the Digital Identity Guidelines is to provide “fundamental risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems.”
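To make the contrast concrete, here is an added example (not code from the article or from NIST) that places a legacy composition-rule validator next to a length-based one of the kind the draft favours, plus the two rotation rules. The blocklist of common passwords is a constructed sample; the blocklist check itself follows NIST SP 800-63B's long-standing advice to reject known-common passwords and is not something the article describes.

```python
import re
from datetime import date, timedelta

# Constructed sample blocklist of very common passwords. A real deployment
# would use a large list of breached or commonly chosen passwords.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1",
}


def legacy_policy_accepts(password: str) -> bool:
    """The 'composition rules' style the draft prohibits: at least 8 characters
    and at least one uppercase letter, lowercase letter, digit and symbol."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def nist_style_policy_accepts(password: str, min_length: int = 8, max_length: int = 64) -> bool:
    """Length-based policy: no character-class requirements, a minimum length,
    a generous maximum so long passphrases are allowed, and rejection of
    known-common passwords (blocklist check per NIST SP 800-63B; an addition here)."""
    if not (min_length <= len(password) <= max_length):
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    return True


def rotation_required(last_changed: date, today: date, compromised: bool, legacy: bool) -> bool:
    """Legacy rule: force a change every 90 days regardless of risk.
    Draft-style rule: change only when there is evidence of compromise."""
    if compromised:
        return True
    if legacy:
        return (today - last_changed) > timedelta(days=90)
    return False


def compare_policies(candidates):
    """Return {password: (legacy_verdict, nist_style_verdict)} for each candidate."""
    return {pw: (legacy_policy_accepts(pw), nist_style_policy_accepts(pw)) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: a formulaic 'compliant' password and a long passphrase.
    for pw, (old, new) in compare_policies(["P@ssw0rd", "correct horse battery staple"]).items():
        print(f"{pw!r}: legacy={old} nist_style={new}")
    print("90-day rotation, legacy:", rotation_required(date(2024, 1, 1), date(2024, 6, 1), False, True))
    print("90-day rotation, draft:", rotation_required(date(2024, 1, 1), date(2024, 6, 1), False, False))
```

The formulaic `P@ssw0rd` satisfies every composition rule and is accepted by the legacy check, while the 28-character passphrase is rejected for lacking uppercase letters and digits; the length-based check reverses both verdicts. The rotation helper shows the same shift: age alone no longer triggers a change, only evidence of compromise does.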

The US Department of Justice on Friday revealed charges against three Iranian men who allegedly compromised Donald Trump’s presidential campaign and leaked stolen data to the media. Microsoft and Google warned last month that an Iranian state-sponsored hacking group known as APT42 had attacked the presidential campaigns of Joe Biden and Donald Trump, and had successfully breached Trump’s campaign. The Justice Department says the hackers compromised a dozen people as part of their operation, including a journalist, a human rights advocate and several former US officials. More broadly, the US government has said in recent weeks that Iran is trying to interfere in the 2024 elections.

“The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign ahead of the 2024 U.S. presidential election,” Attorney General Merrick Garland said at a news conference on Friday. “We know that Iran continues its brazen efforts to stoke discord, erode confidence in the American electoral process, and promote its malign activities.”

The Irish Data Protection Commission fined Meta 91 million euros, or about $101 million, on Friday for a password storage flaw in 2019 that violated the European Union’s General Data Protection Regulation. Following a report by Krebs on Security, the company acknowledged in March 2019 that a bug in its password management systems had caused hundreds of millions of Facebook, Facebook Lite and Instagram passwords to be stored unprotected in plain text on an internal platform. Ireland’s privacy watchdog began its investigation into the incident in April 2019.

“It is widely accepted that user passwords should not be stored in plain text, considering the risks of abuse that arise when people access such data,” Irish DPC deputy commissioner Graham Doyle said in a statement. “It must be taken into account that the passwords under consideration in this case are particularly sensitive, as they would allow access to users’ social media accounts.”

Digital anonymity nonprofit the Tor Project is merging with privacy and anonymity-focused Linux-based operating system Tails. Pavel Zoneff, director of communications for the Tor Project, wrote in a blog post on Thursday that the move will facilitate collaboration and reduce costs, while expanding the reach of both groups. “Tor and Tails provide essential tools to help people around the world stay safe online,” he wrote. “By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists and other everyday and at-risk users have access to enhanced digital security tools.”
