Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own

“The security of iOS, once breached, makes it really challenging to detect these attacks,” says Wardle, who was formerly an NSA staffer. At the same time, he adds that attackers would need to assume any brazen campaign to target Kaspersky would eventually be discovered. “In my opinion, this would be sloppy for an NSA attack,” he says. “But it shows that either hacking Kaspersky was incredibly valuable for the attacker or that whoever this was likely has other iOS zero days as well. If you only have one exploit, you’re not going to risk your only iOS remote attack to hack Kaspersky.”

The NSA declined WIRED’s request for comment on either the FSB announcement or Kaspersky’s findings.

With the release of iOS 16 in September 2022, Apple introduced a special security setting for the mobile operating system known as Lockdown Mode that intentionally restricts usability and access to features that can be porous within services like iMessage and Apple’s WebKit. It is not known whether Lockdown Mode would have prevented the attacks Kaspersky observed.

The Russian government’s purported discovery of Apple’s collusion with US intelligence “testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” claims an FSB statement, which adds that it would allow the NSA and “partners in anti-Russian activities” to target “any person of interest to the White House,” as well as US citizens.

The FSB statement wasn’t accompanied by any technical details of the described NSA spy campaign, or any evidence that Apple colluded in it.

Apple has historically resisted pressure to provide a “backdoor” or other vulnerability to US law enforcement or intelligence agencies. That stance was demonstrated most publicly in Apple’s high-profile 2016 showdown with the FBI over the bureau’s demand that Apple assist in the decryption of an iPhone used by San Bernardino mass shooter Syed Rizwan Farook. The standoff only ended when the FBI found its own method of accessing the iPhone’s storage with the help of Australian cybersecurity firm Azimuth.

Despite its announcement coming on the same day as the FSB’s claims, Kaspersky has so far made no claims that the Operation Triangulation hackers who targeted the company were working on behalf of the NSA. Nor has the cybersecurity firm attributed the hacking to the Equation Group, Kaspersky’s name for the state-sponsored hackers it has previously tied to highly sophisticated malware, including Stuxnet and Duqu, tools widely believed to have been created and deployed by the NSA and US allies.

Kaspersky did say in a statement to WIRED that, “Given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, further research will surely reveal more details on the matter.”

US intelligence agencies and US allies would, of course, have plenty of reason to want to look over Kaspersky’s shoulder. Aside from years of warnings from the US government that Kaspersky has ties to the Russian government, the company’s researchers have long demonstrated their willingness to track and expose hacking campaigns conducted by Western governments that Western cybersecurity firms don’t. In 2015, in fact, Kaspersky revealed that its own network had been breached by hackers who used a variant of the Duqu malware, suggesting a link to the Equation Group—and thus potentially the NSA.

That history, combined with the sophistication of the malware that targeted Kaspersky, suggests that as wild as the FSB’s claims may be, there’s good reason to imagine that Kaspersky’s intruders could have ties to a government. But if you hack one of the world’s most prolific trackers of state-sponsored hackers—even with seamless, tough-to-detect iPhone malware—you can expect, sooner or later, to get caught.

Bcrypt, a Popular Password Hashing Algorithm, Starts Its Long Goodbye

When data breaches went from being an occasional threat to a persistent fact of life during the early 2010s, one question would come up again and again as victim organizations, cybersecurity researchers, law enforcement, and regular people assessed the fallout from each incident: Which password hashing algorithm had the target used to protect its users’ passwords? 

If the answer was a faulty cryptographic function like SHA-1—not to mention the nightmare of passwords stored in plaintext with no encryption scrambling at all—the victim had more to worry about because it meant that it would be easier for whoever stole the data to crack the passwords, directly access users’ accounts, and try those passwords elsewhere to see if people had reused them. If the answer was the algorithm known as bcrypt, though, there was at least one less thing to panic about.

Bcrypt turns 25 this year, and Niels Provos, one of its coinventors, says that looking back, the algorithm has always had good energy, thanks to its open source availability and the technical characteristics that have fueled its longevity. Provos spoke to WIRED about a retrospective on the algorithm that he published this week in Usenix ;login:. Like so many digital workhorses, though, bcrypt now has more robust and secure alternatives, including the hashing algorithms known as scrypt and Argon2. Provos himself says that the quarter-century milestone is plenty for bcrypt and that he hopes it will lose popularity before celebrating another major birthday.

A version of bcrypt first shipped with the open source operating system OpenBSD 2.1 in June 1997. At the time, the United States still imposed stringent export limits on cryptography. But Provos, who grew up in Germany, worked on its development while he was still living and studying there.  

“One thing I found so surprising was how popular it became,” he says. “I think in part it’s probably because it was actually solving a problem that was real, but also because it was open source and not encumbered by any export restrictions. And then everybody ended up doing their own implementations in all these other languages. So these days, if you are faced with wanting to do password hashing, bcrypt is going to be available in every language that you could possibly operate in. But the other thing that I find interesting is that it’s even still relevant 25 years later. That is just crazy.”

Provos developed bcrypt with David Mazières, a systems security professor at Stanford University who was studying at the Massachusetts Institute of Technology when he and Provos collaborated on bcrypt. The two met through the open source community and were working on OpenBSD.

Password hashing runs a password through an algorithm that cryptographically transforms it from something readable into an unintelligible scramble. These algorithms are “one-way functions” that are easy to run but very difficult to reverse or “crack,” even for the person who created the hash. In the case of login security, the idea is that you choose a password, the platform you’re using makes a hash of it, and when you later sign in to your account, the system takes the password you enter, hashes it, and compares the result to the password hash on file for your account. If the hashes match, the login succeeds. This way, the service only ever stores hashes for comparison, not the passwords themselves.
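The signup-and-login flow described above, as an added example that is not from the article or from bcrypt’s authors. It uses Python’s standard-library hashlib.scrypt (the article names scrypt as a newer alternative; bcrypt itself is not in the standard library) with a random per-user salt, cost parameters stored alongside the hash, a constant-time comparison, and a check that flags records made with a weaker cost setting so they can be upgraded at the next successful login. The cost values, record format and in-memory user table are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters for hashlib.scrypt (example values, not from the article).
# Raise "n" over the years as hardware gets faster; old records are upgraded on login.
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, params: dict = PARAMS) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$key (salt and key base64)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=params["n"], r=params["r"], p=params["p"], dklen=KEY_BYTES)
    return f"scrypt${params['n']}${params['r']}${params['p']}${_b64(salt)}${_b64(key)}"


def _parse(record: str):
    algo, n, r, p, salt, key = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash record")
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(key)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    n, r, p, salt, expected = _parse(record)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, params: dict = PARAMS) -> bool:
    """True when the record was made with weaker cost parameters than current policy."""
    n, r, p, _, _ = _parse(record)
    return n < params["n"] or r < params["r"] or p < params["p"]


def register(users: dict, username: str, password: str) -> None:
    users[username] = hash_password(password)  # only the hash record is stored


def login(users: dict, username: str, password: str, params: dict = PARAMS) -> bool:
    record = users.get(username)
    if record is None:
        hash_password(password, params)  # unknown user should not answer faster
        return False
    ok = verify_password(password, record)
    if ok and needs_rehash(record, params):
        users[username] = hash_password(password, params)  # transparent upgrade
    return ok
```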

Intel Let Google Cloud Hack Its New Secure Chips and Found 10 Bugs

Google Cloud and Intel released results today from a nine-month audit of Intel’s new hardware security product: Trust Domain Extensions (TDX). The analysis revealed 10 confirmed vulnerabilities, including two that researchers at both companies flagged as significant, as well as five findings that led to proactive changes to further harden TDX’s defenses. The review and fixes were all completed before the production of Intel’s fourth-generation Intel Xeon processors, known as “Sapphire Rapids,” which incorporate TDX. 

Security researchers from Google Cloud Security and Google’s Project Zero bug-hunting team collaborated with Intel engineers on the assessment, which initially turned up 81 potential security issues that the group investigated more deeply. The project is part of Google Cloud’s Confidential Computing initiative, a set of technical capabilities to keep customers’ data encrypted at all times and ensure that they have full access controls.

The security stakes are incredibly high for massive cloud providers that run much of the world’s digital infrastructure. And while they can refine the systems they build, cloud companies still rely on proprietary hardware from chip manufacturers for their underlying computing power. To get deeper insight into the processors they’re depending on, Google Cloud worked with AMD on a similar audit last year and leaned on the longtime trusted relationship between Intel and Google to launch the initiative for TDX. The goal is to help chipmakers find and fix vulnerabilities before they create potential exposure for Google Cloud customers or anyone else.

“It’s not trivial because companies, we all have our own intellectual property. And in particular, Intel had a lot of IP in the technologies that they were bringing to this,” says Nelly Porter, group product manager of Google Cloud. “For us to be able to be incredibly open and trusting each other is valuable. The research that we’re doing will help everybody because Intel Trusted Domain Extension technology is going to be used not only in Google, but everywhere else as well.”

Researchers and hackers can always work on attacking hardware and online systems from the outside—and these exercises are valuable because they simulate the conditions under which attackers would typically be looking for weaknesses to exploit. But collaborations like the one between Google Cloud and Intel have the advantage of allowing outside researchers to conduct black box testing and then collaborate with engineers who have deep knowledge about how a product is designed to potentially uncover even more about how a product could be better secured.

After years of scrambling to remediate the security fallout from design flaws in the processor feature known as “speculative execution,” chipmakers have invested more in advanced security testing. For TDX, Intel’s in-house hackers conducted their own audits, and the company also put TDX through its security paces by inviting researchers to vet the hardware as part of Intel’s bug bounty program.

Anil Rao, Intel’s vice president and general manager of systems architecture and engineering, says the opportunity for Intel and Google engineers to work as a team was particularly fruitful. The group had regular meetings, collaborated to track findings jointly, and developed a camaraderie that motivated them to bore even deeper into TDX.

How a Catholic Group Doxed Gay Priests

In a statement released a day before the investigation’s release, Jayd Henricks, the group’s president, said, “It isn’t about straight or gay priests and seminarians. It’s about behavior that harms everyone involved, at some level and in some way, and is a witness against the ministry of the church.”

No national US data privacy laws prohibit the sale of this kind of data.

On Wednesday, the District of Columbia’s health insurance exchange confirmed that it was working with law enforcement to investigate an alleged leak after a database containing personal information of about 170,000 individuals was offered for sale on a hacker forum popular with cybercriminals. The reported breach in DC Health Link, as the exchange is known, could expose sensitive personal data of lawmakers, their employees, and their families. Thousands of the exchange’s participants work in the US House and Senate, and a sample of the stolen data set reviewed by CyberScoop indicates that the victims of the breach also range from lobbyists to coffee shop employees. 

According to a letter to the head of the DC Health Benefit Exchange Authority from House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries, the FBI has apparently purchased some of the stolen data from the dark web. While the FBI had not yet determined the extent of the breach, according to the letter, “the size and scope of impacted House customers could be extraordinary.”

A report by Politico published March 7 details how Ring, Amazon’s home-surveillance company, handed law enforcement videos captured by an Ohio man’s 20 Ring cameras against his will. In December, the Hamilton Police Department sought a warrant for camera footage—including from inside the man’s house—while investigating his neighbor. According to the report, after he willingly provided video to the police that showed the street outside his home, police used the courts to access more footage against his will.

While law enforcement often seeks warrants for digital data, those warrants typically pertain to the subject of a particular investigation. However, as networked home surveillance cameras have become increasingly popular, sometimes blanketing city blocks, law enforcement is increasingly turning to individuals who are completely unaffiliated with a case to provide data. According to Politico, the lack of legal controls on what police can ask for opens the door for a bystander’s indoor home footage to be lawfully acquired by police.

Following Politico’s story, Gizmodo reported that a customer service agent for Ring told a concerned customer that the Politico story was a “hoax” perpetrated by a competitor. In response, an Amazon spokesperson told Gizmodo that the company does not in fact think the story was a hoax and the statement was the result of a misunderstanding on the part of the customer support agent. “We will ensure the agent receives the appropriate coaching,” the spokesperson said.

A former roommate of noted fabulist George Santos told federal authorities that the US congressman from Long Island, New York, had orchestrated a credit card skimming operation in Seattle in 2017. In a declaration submitted to authorities and obtained by Politico, the Brazilian man—convicted of credit card fraud and deported from the US—told the FBI, “Santos taught me how to skim card information and how to clone cards. He gave me all the materials and taught me how to put skimming devices and cameras on ATM machines.” 

According to the declaration, Gustavo Ribeiro Trelha met Santos in 2016 when he rented a room from him in his Florida apartment. There Santos reportedly taught Trelha how to use credit card cloning equipment and eventually flew him to Seattle to begin stealing financial information. “My deal with Santos was 50 percent for him, 50 percent for me,” Trelha wrote. 

Googling for Software Downloads Is Extra Risky Right Now

If you heard rumblings this week that Netflix is finally cracking down on password sharing in the United States and other markets, you heard wrong—but only for now. The company told WIRED that while it plans to make an announcement in the next few weeks about limiting account sharing, nothing has happened yet. Meanwhile, lawmakers in Congress are eager to overhaul systems for dealing with secret US government data as classified documents keep turning up in the wrong places.

We did a deep dive this week into a ransomware attack that crippled the digital infrastructure of London’s Hackney Council. The assault happened more than two years ago, but it was so impactful that the local authority is still working to recover. A project that’s looking far into the future, meanwhile, is developing prototype pursuit satellites for real-world testing that could someday be used in space battles.

In other military news from the skies, we examined the situation with the apparent Chinese spy balloon over the US and the pros and cons of using balloons as espionage tools. And if you want to improve your personal digital security this weekend, we’ve got a roundup of the most important software updates to install right away, including fixes for Android and Firefox vulnerabilities.

Plus, there’s more. Each week we round up the stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

If you’re looking for legit software downloads by searching Google, your clicks just got riskier. The spam- and malware-tracking nonprofit Spamhaus says it has detected a “massive spike” in malware spread via Google Ads in the past two months. This includes “malvertizing” that appears to be authentic downloads of tools like Slack, Mozilla’s Thunderbird email client, and the Tor Browser. Security firm SentinelOne further identified a handful of malicious loaders spread through Google Ads, which researchers collectively dubbed MalVirt. They say MalVirt loaders are used to distribute malware like XLoader, which an attacker can use to steal data from an infected machine. Google told Ars Technica in a statement that it is aware of the malvertizing uptick. “Addressing it is a critical priority, and we are working to resolve these incidents as quickly as possible,” the company said.

The Federal Trade Commission this week issued its first-ever fine under the Health Breach Notification Rule (HBNR). Online pharmacy GoodRx was ordered to pay a $1.5 million fine for allegedly sharing its users’ medication data with third parties like Meta and Google without informing those users of the “unauthorized disclosures,” as is required under the HBNR. The FTC’s enforcement action follows investigations by Consumer Reports and Gizmodo into GoodRx’s data-sharing practices. In addition to violating the HBNR, GoodRx misrepresented its claims of HIPAA compliance, the FTC alleges. GoodRx claims it fixed the issues at the heart of the FTC’s complaint years ago and rejects any admission of guilt. “We do not agree with the FTC’s allegations and we admit no wrongdoing,” a spokesperson told Gizmodo. “Entering into the settlement allows us to avoid the time and expense of protracted litigation.” 

Microsoft this week announced that it had disabled accounts of threat actors who managed to get verified under the Microsoft Cloud Partner Program. Posing as legitimate businesses, the threat actors used their verified account status to create malicious OAuth applications. “The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps,” Microsoft said in a blog detailing the issue. “This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.” The company says the people behind the phishing attacks likely used their access to steal emails and that it has notified all victims.

Researchers at the security firm Saiflow this week exposed two vulnerabilities in versions of the open source protocol used in the operation of many electric-vehicle charging stations, called the Open Charge Point Protocol (OCPP). By exploiting vulnerable instances of the OCPP standard, which is used to communicate between chargers and management software, an attacker could take over a charger, disable groups of chargers, or siphon off electricity from a charger for their own use. Saiflow says it’s working with EV charger companies to mitigate the risks of the vulnerabilities.

The 37 million customers exposed by the most recent T-Mobile hack may not be the only people impacted by the breach. Google this week informed customers of the Google Fi mobile service that hackers had obtained “limited” account information, including phone numbers, SIM serial numbers, and information about their accounts. The hackers did not access payment information, passwords, or the contents of communications, like text messages. Still, it’s possible the information could have been used for SIM swap attacks. TechCrunch reports that the intrusion was detected by Google Fi’s “primary network provider,” which noticed “suspicious activity relating to a third-party support system.” The timing of the hack, which comes two weeks after the latest T-Mobile breach, suggests the two are related.