This week, Excellus Blue Cross Blue Shieldwas hacked, and anywhere from 10 to 10.5 million people’s personal records were exposed. Lockpicking expertsposted 3-D printable master luggage key files on Github.  Apple fought back against a government request for data in the courtroom. Russian-speaking spy gang Turla hijacked satellite IP addresses from other users to steal data. And that’s not all. Each Saturday we round up the news stories that we didn’t cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!

The Department of Homeland Security Pressures a Small Town Library to Turn Off Its Tor Relay

Kilton Public Library, located in the small town of Lebanon, New Hampshire, became the first library in the country to allow Tor users around the world to mask their locations by bouncing their traffic through the library’s middle relay. This effort came to a screeching halt when the Department of Homeland Security contacted the police department, and both city officials and local law enforcement officers expressed concern that Tor could be used by criminals. Which…yes, but Tor is also used by journalists, domestic violence survivors, human rights activists, privacy advocates, and even law enforcement officers themselves. The library agreed to turn off the relay temporarily. Its board of trustees meet on September 15, when they will vote on whether to resume running the anonymous web browsing service. The EFF started a petition to show support for Tor in public libraries, if you’re so inclined. 

Russia Tried and Failed to Hack the Tor Browser

The Russian Interior Ministry is also reportedly out to get Tor, apparently hiring the Central Scientific Institute for Economics, IT and Management Systems (CSI EIM) to identify users of the Tor network. However, it looks like their attempts to compromise the anonymous browser have failed. Perhaps that is why CSI EIM plans to terminate its contract with the state without actually finishing the job.

City of Boston’s License Plate Reader Database Was Just Sitting Around Online, Waiting to Be Found

As if using automated license plate readers to track vehicle locations—and then lying about it—isn’t bad enough, the Boston Transportation Department’s license plate reader system, run by Genetec, actually stored all of its records unencrypted and within public view, on an online server maintained by a Xerox subsidiary. Motor vehicle records, home addresses of anyone with a Boston parking permit, and other sensitive data was available to anyone who found the correct URL, until two weeks after Digboston reporter Kenneth Lipp alerted authorities to the fact, that is.

The US Department of Energy Got Pwned More Than 150 Times Between 2010 and 2014, Federal Records Show

US Department of Energy (DoE) computer systems were compromised a whopping total 159 times between 2010 and 2014, federal records obtained by USA Today show. To make matters worse, attackers gained administrative privileges to Department of Energy computer systems in 53 of the 159 successful intrusions. There were 1131 attempts over the four-year period. All of that is a little disconcerting, considering that DoE data could give away information about the nation’s power grid, stockpile of nuclear weapons, and other critical details. In an audit report released almost a year ago, the Inspector General noted that 41 DoE servers and 14 DoE workstations had either default passwords or easily guessable ones. D’oh.

The Deep Web Gets Official Recognition From Internet Regulators

The Internet Assigned Numbers Authority and Internet Engineering Task Force have designated .onion domains, hosted on the Tor network, as “Special Use Domains.” The change, originally proposed by security researcher Jacob Appelbaum and security engineer Alec Muffett, enhances the security of .onion sites by allowing them get security certificates and enable encryption on their sites.

This Android Ransomware, Disguised as a Porn App, Changes PINs and Locks Users Out of Their Devices

Even if you like viewing adult videos on your Android, it’s best to avoid the “Porn Droid” app, since it’s actually a LockerPin Trojan in disguise. Clicking through the installation for the app and downloading and installing an update gives it device administrator privileges, which lets it lock the device and reset the PIN. This is followed by a notice to pay $500, but since the new PIN is randomly chosen after reset, paying the ransom won’t actually help you.  Luckily, there is a way to remove the PIN lock screen even without a factory reset in some circumstances.

Take That, FBI and NSA! FTC Commissioner Terrell McSweeny Sings the Praises of Strong Crypto

In a post for the Huffington Post, FTC Commissioner Terrell McSweeny called for strong encryption to both thwart thieves and protect sensitive data. Although in strong contrast to statements from the FBI and NSA, McSweeny’s comments are similar to those of FTC Chief Technologist Ashkan Soltani.

LinkedIn SockPuppet Accounts Disguised as Recruiters Are Targeting Security Researchers

Fake recruiters on LinkedIn are targeting security researchers in what may be an effort to map their social graphs. The “recruiter”sockpuppet accounts are each focused on particular types of security specialists, and this is their m.o.: each “recruiter” approaches their prey by “scouting” people for jobs for about a week before removing their profile pic, changing their name, and eventually removing their account altogether.

The Department of Justice Wants Access to Every Email From US-Based Providers in the World (With a Warrant)

The battle between the US government and Microsoft over whether the Department of Justice can access a single Hotmail email account stored on a Microsoft server in Ireland continued on Wednesday in the second circuit court of appeals. The government considers the private emails to be Microsoft’s business records, accessible via a search warrant, while Microsoft contends that they are the customers’ personal documents. Microsoft has lost twice in court. A ruling in this case could come anytime between October and February 2016.