Chinese spies got a hold of NSA hacking tools, and “repurposed them in 2016 to attack American allies and private companies in Europe and Asia,” reports the NYT. How'd they get those cyberweapons? Symantec researchers “believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.”
On Tuesday, the CEO of UK certificate reseller Trustico decided to settle an argument with Digicert executive VP Jeremy Rowley by emailing him the private keys for 23,000 TLS certificates that had been issued by Symantec's disgraced Certificate Authority, to prove they had been compromised.
Hacker takeovers of power infrastructure have been seen in Ukraine (where they are reliably attributed to Russian state actors), but now the US power-grid has been compromised by hackers of unknown origin, who have "switch-flipping" control -- that is, they can just turn it all off.
In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger -- bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates.
If you're one of those people who tend to lose their phone shortly after putting it down, then you'll want to read this. According to a new study, if you lose your smartphone, you have a 50/50 chance of getting it back. But chances are much higher -- nearly 100 percent -- that whoever retrieves it will try to access your private information and apps.
According to a study by Symantec, 96 percent of people who picked up the lost phones tried to access personal or business data on the device. In 45 percent of cases, people tried to access the corporate email client on the device.
"This finding demonstrates the high risks posed by an unmanaged, lost smartphone to sensitive corporate information," according to the report. "It demonstrates the need for proper security policies and device/data management."
Symantec called the study the "Honey Stick Project." In this case the honey on a stick consisted of 50 smartphones that were intentionally left in New York, Los Angeles, Washington, D.C., San Francisco and Ottawa, Canada. The phones were deposited in spots that were easy to see, and where it would be plausible for someone to forget them, including food courts and public restrooms.
None of the phones had security features, like passwords, to block access. Each was loaded with dummy apps and files that contained no real information, but which had names like "Social Networking" and "Corporate Email" that made it easy for the person who found it to understand what each app did.