Security This Week: Employers Are Paying Data Firms to Predict Your Health Risks
The big news this week is that Apple and the FBI are going to war after a
magistrate ordered Apple to help the FBI hack an iPhone used by a shooter
in the San Bernardino attack, and Apple is publicly fighting the order.
Also this week: The president’s NSA advisory board finally got itself a
respected technical expert who actually understands how surveillance tech
works. We explained why the US considers both a power plant and a motion
picture studio like Sony to be part of its critical infrastructure, which
is something hackers are increasingly targeting. Instagram added
two-factor authentication to its app. And hackers held an LA hospital’s
computers hostage with ransomware.
But that’s not all. Each Saturday we round up the news stories that
we didn’t break or cover in depth at WIRED, but which deserve your
attention nonetheless. As always, click on the headlines to read the
full story in each link posted. And stay safe out there!
Well this sounds a little creepy. Employee wellness firms and
insurers are working with companies to mine sensitive health data about
workers like you: such as which prescription drugs you use, whether you
vote, how you shop—all in order to predict your health needs and risks.
For example, if one of these firms thought you were at risk for
diabetes, it might send you personalized messages about seeing a doctor
or signing up for a weight-loss program. If that isn’t unsettling enough
for you, one wellness firm can predict impending pregnancies by looking
at when a woman fills—or stops filling—her birth control prescriptions,
her age, and the age of any children she already has. Although
employers don’t get access to which individuals are flagged by data
mining, they do receive aggregated data on the number of workers at risk
for each condition.
Security researchers Lawrence Abrams and Kevin Beaumont discovered
ransomware that installs itself after the user opens an emailed Word
document and enables macros (if they’re not already on). The
malicious script encrypts victims’ files and asks for half of a bitcoin
as payment for the key. The malware, called Locky, has infected hundreds
of computers in the US, Europe, Russia, Mali, and Pakistan. Updated
anti-virus software will protect against the malware.
Researchers from Tel Aviv University and Technion have apparently
found a way to gain access to private encryption keys from air-gapped
computers while their equipment is in the other room. It’s not
cheap—about $3000—and is unwieldy, but extracts secret decryption keys
by measuring electromagnetic emanations. Similar research has been
carried out before, but not on PCs using elliptic curve cryptography.
The developers of GnuPG, the implementation of OpenPGP that this
side-channel attack targeted, have released countermeasures to resist
this method.
Google CEO Sundar Pichai has picked a side in the ongoing brawl
between the FBI and Apple over whether the government can compel the
company to build and sign spyware used to unlock its own devices. He’s
siding with Apple. Pichai tweeted that “forcing companies to enable
hacking could compromise users’ privacy,” and that requiring companies
to enable hacking of customer data and devices “could be a troubling
precedent.”
Data intelligence company Distillery matched about 16,000 Iowa
caucus-goers’ mobile device IDs (those unique identifiers accessed by
apps to identify a mobile device, often to determine whether an ad has
been served to a specific user) with their online profiles. It did this
by getting information from people’s phones via ad networks, when users
grant apps or devices access to their location data, and associating
those IDs. Although the data doesn’t personally identify individual
users, it allowed Distillery to surmise that people who loved to grill
or do lawn work in Iowa were far more likely to have voted for Trump,
for example.
Concerned Parents Association, a nonprofit community organization,
has won a case against the California Department of Education. A federal
district court granted it access to millions of public school students’
personal information and school records, including names, Social
Security numbers, addresses, mental health and medical information,
behavior and discipline records, progress reports, and more. The
nonprofit says it needs all of this data to determine whether California
schools are violating laws including the Individuals with Disabilities
Education Act. Luckily, parents can opt out before April 1 by
visiting a website and
filling out a form (pdf).
Twitter fixed a password recovery bug that had the potential of
exposing nearly 10,000 Twitter accounts’ email addresses and phone
numbers. The microblogging platform recommended following good security
hygiene, such as creating a strong password, using Twitter’s login
verification tool, and revoking access privileges of third party
applications you don’t recognize. It also says it will permanently
suspend any user who exploited the bug to access another account.
In an unexpected case, surveillance drones are being used to protect
workers’ rights. The International Brotherhood of Electrical Workers
union local in Philadelphia is using three camera-equipped drones to
document rule violations at construction sites, and to fly over protests
in order to prove that union members aren’t violating rules.