Friday security roundup: Secret Service laptop bungle, hackers win prizes, websites leak
And light shed on WikiLeaks' CIA tools handover
Updated Friday is usually a good day to bury bad news and there are a number of stories bubbling under before we all head out for the weekend.
US Secret Service lost a laptop
The US Secret Service has admitted that one of its agents' cars had been broken into by persons unknown, and a laptop was stolen, along with other items. The laptop reportedly contained floor plans for Trump's New York home, and details of the FBI's Clinton email server probe, but the Secret Service said that there was nothing to worry about – no classified information was allowed on the machine.
"Secret Service-issued laptops contain multiple layers of security including full disk encryption and are not permitted to contain classified information," the agency said.
"An investigation is ongoing and the Secret Service is withholding additional comment until the facts are gathered."
Hackers rewarded at Pwn2Own
That might be true for now, but over at the CanSecWest security conference in Vancouver the hackers were winning big in its annual three-day Pwn2Own competition. On Thursday, hackers cracked Ubuntu, Adobe Reader, and Safari and netted themselves $233,000.
On Day Two of the competition, another $340,000 was scooped in prize money by hackers taking down Flash, Microsoft's Edge and Windows operating system, macOS, Firefox, and Apple's Safari. As part of the competition, software houses get the vulnerabilities, so hopefully the Secret Service has a good update policy.
Popular websites hacked
Finally there were a couple of reported security issues – nothing on the level of JP Morgan, but annoying nevertheless. Social media app Wishbone, which lets people generate their own polls, has been cracked by people unknown and 2,326,452 full names, 2,247,314 unique email addresses and 287,502 cellphone numbers were leaked online.
If you're concerned that you may be one of the people, you can check online. The database has been added to the excellent Have I been pwned? website, and if you have registered with Wishbone it's a good idea to change your password anyway.
The makers of the Soundwave app has also had bad news for customers. The app maker, which was bought by popular Spotify last January, reports that if you were an early adopter of the app then you may have some problems.
It appears that a server containing production customer information was used on a test bed system, and that suffered a security breach. User names, email addresses, gender, date of birth and MD5 hashed passwords were exposed, but unless you receive a notification from Soundwave then you're probably OK.
WikiLeaks 'demands' truth revealed
Finally, an update on WikiLeaks handing over the "Vault 7" CIA hacking tools it managed to get its hands on to technology companies. WikiLeaks promised to supply the exploits to organizations like Microsoft and Google so their software and hardware can be patched to protect people from anyone abusing the vulnerabilities used by the CIA to snoop on targets.
A couple of reports surfaced just before the weekend that WikiLeaks had given the tech giants various mystery demands before it would hand over the goods. That seemed strangely familiar because we could have sworn we wrote at the start of the week that WikiLeaks and vendors were locked in talks, and that no code or other material had been handed over yet.
The discussions between WikiLeaks and various outfits center on how long the companies have got to patch their gear before the Julian Assange-run website leaks the tools in full – WikiLeaks wants to give organizations 90 days, just like Google mostly does. There's also the little hitch that these tools are classified US government property, and the tech giants are uneasy with handling this material, especially since they do lucrative contract work for Uncle Sam and have rules in place on who, internally, can and can't access sensitive reports and blueprints.
According to WikiLeaks on Friday, negotiations are at a standstill due to this sticking point on the classified nature of the software, although there is positive movement with Mozilla and some other corporations. Assange has threatened to draw up a "league table" of companies, rating how they're attempting, or not, to patch the CIA vulnerabilities.
Have a great weekend and stay safe. ®