Security News This Week: 9 Out of 10 Websites Leak Your Data to Third Parties

This week, hackers won a million-dollar bounty for discovering a long-sought iOS zero-day. Federal lawmakers introduced the Stingray Privacy Act, a new bill that would require state and local lawmakers to get a warrant before using the invasive surveillance devices. The world got its first look at the full text of the Trans-Pacific Partnership trade pact. We found out the UK’s TalkTalk telecom hack may not be as bad as it looked. Android users can finally use Open Whisper Systems’ RedPhone app and TextSecure messaging app in a single app, called Signal. And Crackas With Attitude, the teens who hacked CIA Director John Brennan, are back with a new hack.

But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!

Turns Out 90 Percent of the Internet’s Top Sites Leak Your Data to Third Parties

It’s no secret that websites typically send user data to third parties (usually without the user’s knowledge or consent), but new peer-reviewed research published by University of Pennsylvania privacy researcher and doctoral student Tim Libert shows that the scale of this is enormous: nine out of ten sites leak user data to an average of nine external domains. That means a single site you visit will typically send your data to nine outside websites. Libert cites Google as the worst culprit, but gives Twitter props for respecting browsers’ Do Not Track setting. He also points out that the NSA has leveraged commercial tracking tools to monitor users. For added privacy, using Tor is your best bet, Libert told Motherboard, so long as you don’t log into any accounts (Gmail, Facebook, etc.) while you’re on it.

The Pentagon Outsourced Its Coding to Russia (What Could Go Wrong?)

A four-year federal investigation revealed this week that the Pentagon has outsourced work writing software for sensitive US military communication systems to Russian programmers. Contractor John C. Kingsley discovered the Russian-contracted software had built-in holes that left the Pentagon’s communication system vulnerable to viruses. The two firms involved, Massachusetts-based NetCracker Technology Corporation and Virginia-based Computer Sciences Corporation (which had subcontracted the work), agreed to pay fines of $11.4 million and $1.35 million, respectively. Outsourcing work on classified systems to anyone who’s not a US citizen with approved security clearance violates federal regulations, as well as the company’s contract.

Iran Hacks Obama Administration Officials

Iran’s Revolutionary Guard Corps recently hacked email and social media accounts of Obama administration officials, including ones working at the State Department’s Office of Iranian Affairs and its Bureau of Near Eastern Affairs. The surge of attacks, particularly targeting US officials working on Iran policy, coincided with the arrest of Iranian-American executive Siamak Namazi in Tehran last month. Namazi is an energy industry executive and business consultant who has pushed for stronger diplomatic and economic ties between the US and Iran. The IRGC’s intelligence arm confiscated Namazi’s computer and ransacked his family’s home, according to his friends and business associates. However, it’s also possible the attacks were connected to other geopolitical issues, such as the nuclear deal with Iran.

The UK Wants to Force Companies to Retain Users’ Web Histories for a Whole Year

The UK’s home secretary Theresa May is trying to pass the Investigatory Powers Bill, a law that would require UK-based internet companies to retain the web browsing history of everyone in Britain for a year. The bill would also allow police and intelligence officers to see which sites people have visited—without a warrant. It stops short of outright banning internet and social media companies from offering encryption they themselves can’t bypass, a move that UK Prime Minister David Cameron recently suggested. But it would require these companies “to take reasonable steps” to respond to warrants “in an unencrypted form,” which has raised concerns that the effect would be the same: companies would be unable to offer encryption they can’t bypass. The bill also gives GCHQ permission to essentially hack into any computer in the world.

MI5 Secretly Collected Phone Data for More Than 10 Years

The UK’s MI5 has been secretly collecting data from phone calls, texts, and emails of British citizens for the past decade—and apparently most of the UK cabinet didn’t know about it. This mass surveillance began after the 9/11 attacks in 2001, and MI5 ratcheted it up in 2005. The information emerged when Home Secretary Theresa May revealed a draft of the privacy-invading Investigatory Powers Bill that would empower Britain to spy on its citizens’ web-browsing histories.

Firefox Now Does a Better Job Protecting Your Web Browsing From Tracking

Mozilla has added a new Tracking Protection feature to Firefox’s Private Browsing mode. Similar to plugins such as Privacy Badger and Ghostery, this mode blocks trackers (including ads that track you). This offers more protection than Google Chrome’s Incognito mode but less than Tor. EFF staff technologist Noah Swartz points out that Mozilla could provide even more protection by turning on Tracking Protection for users who have enabled the Do Not Track setting, even when they’re not in private browsing mode.

Paying Ransom Didn’t Help ProtonMail When It Got Hit With DDoS Attacks

The encrypted email service ProtonMail caved to demands for a ransom after a group of hackers hit it with DDoS attacks—first a brief 15-minute attack, followed by a massive attack that took down its ISP, routers, and data center. But paying up didn’t solve the problem. ProtonMail believes that the second attack, the one that took it offline, came from a different group, one that it says exhibited capabilities possessed by state-sponsored actors. The site was offline for 24 hours, and hackers hit it again on Friday morning. ProtonMail has launched a fundraising campaign to raise money to defend against future attacks of this scale.

The Economist’s Ad Blocking Circumvention Tool Exposed Its Users to Malware

PageFair is an analytics service that allows news publishers to circumvent ad blockers on their websites. PageFair was hacked on Halloween, and 501 publishers were affected by the breach. The Economist was one of them, and hundreds of its users running Windows may have downloaded malware disguised as an Adobe update. The Economist learned that the malware is a keylogger, which records user keystrokes to capture passwords, bank details, and other personal data. The site has warned customers about the risk. Luckily, The Economist’s own systems have not been compromised.