Nicole Perlroth

Scope of Russian Hack Becomes Clear: Multiple US Agencies Were Hit

The scope of a hack engineered by one of Russia’s premier intelligence agencies became clearer when some Trump administration officials acknowledged that other federal agencies — the State Department, the Department of Homeland Security, and parts of the Pentagon — had been compromised. Investigators were struggling to determine the extent to which the military, intelligence community, and nuclear laboratories were affected by the highly sophisticated attack.

A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments

Sophisticated surveillance, once the domain of world powers, is increasingly available on the private market. Smaller countries are seizing on the tools — sometimes for darker purposes.

Cyberattack Disrupts Printing of Major Newspapers

The Los Angeles Times says an unusual cyberattack that disrupted its printing operations and those at newspapers in San Diego and Florida the weekend of Dec 28 came from outside the United States, but it stopped short of accusing a specific foreign government. Computer malware attacks on infrastructure, while relatively rare, are hardly new: Russia has been credibly accused of shutting down power grids in Ukraine and a petrochemical plant in Saudi Arabia, Iran crippled a casino in Las Vegas, and the United States and Israel attacked a nuclear enrichment plant in Iran.

Cyberattack Caused Olympic Opening Ceremony Disruption

A cyberattack caused the internet disruptions during the Winter Olympics’ opening ceremony on Feb 9, Olympic officials and security experts said. Jihye Lee, a spokesman for the Pyeongchang Organizing Committee, confirmed Sunday that “the technology issues experienced Friday night were caused by a cyberattack.” Lee did not elaborate on the cause but said that the attack had been quickly addressed and that systems had been stabilized by Feb 11.

Security Breach and Spilled Secrets Have Shaken the NSA to Its Core

A serial leak of the National Security Agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.

Spyware’s Odd Targets: Backers of Mexico’s Soda Tax

NSO Group and the dozens of other commercial spyware outfits that have cropped up around the globe over the past decade operate in a largely unregulated market. Spyware makers like NSO Group, Hacking Team in Italy and Gamma Group in Britain insist they sell tools only to governments for criminal and terrorism investigations. But it is left to government agents to decide whom they will and will not hack with spying tools that can trace a target’s every phone call, text message, email, keystroke, location, sound and sight. The discovery of NSO’s spyware on the phones of Mexican nutrition policy makers, activists and even government employees raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.

Subpoenas and Gag Orders Show Government Overreach, Tech Companies Argue

It has been six months since the Justice Department backed off on demands that Apple help the FBI break the security of a locked iPhone. But the government has not given up the fight with the tech industry. Open Whisper Systems, a maker of a widely used encryption app called Signal, received a subpoena in the first half of 2016 for subscriber information and other details associated with two phone numbers that came up in a federal grand jury investigation in Virginia. The subpoena arrived with a court order that said Open Whisper Systems was not allowed to tell anyone about the information request for one year.

Technology companies contend that court-imposed gag orders are being used too often by law enforcement and that they violate the Bill of Rights. The companies also complain that law enforcement officials are casting a wide net over online communications — often too wide — in their investigations. Justice Department officials, for their part, argue that these gag orders are necessary to protect developing cases and to avoid tipping off potential targets. The officials say that they are simply following leads where they take them.

Russian Gang Amasses Over a Billion Internet Passwords

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

Daily Report: Security Flaw Could Extend to Digital Devices, Experts Say

When the Heartbleed bug was disclosed, the attention focused on the fallout for major Internet companies like Yahoo and Amazon. But security experts said the potential for harm could extend much further, to the guts of the Internet and the many devices that connect to it.

Some of the companies that make those devices began revealing whether they had been affected. Cisco Systems, the dominant provider of gear to move traffic through the Internet, said its big routers and servers, as well as its online servers -- a big business -- were not affected. If they had been, that would have had a significant impact on virtually every major company that connects to the Internet.

Certain products the company makes were affected, it said -- some kinds of phones that connect to the Internet, a kind of server that helps people conduct online meetings, and another kind of device used for office communications. Cisco also posted a list of products it had examined for the vulnerability, which it was updating as it continued inspecting its equipment.

Flaw Found in Key Method for Protecting Data on the Internet

The tiny padlock icon that sits next to many web addresses, suggesting protection of users’ most sensitive information -- like passwords, stored files, bank details, even Social Security numbers -- is broken.

A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.

Many organizations have been heeding the warning. Companies like LastPass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.

The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of web servers. It was revealed by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga (CA), and two security engineers at Google. Researchers are calling the bug “Heartbleed” because it affects the “heartbeat” portion of the OpenSSL protocol, which pings messages back and forth. It can be and has been exploited by attackers. The bug allows attackers to access the memory on any web server running OpenSSL and take information like customer usernames and passwords, sensitive banking details, trade secrets and the private encryption keys that organizations use to communicate privately with their customers.

“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, the chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”