Crypto.com Finally Admits It Lost $30 Million in a Hack

As Russia continues to teeter on the brink of invading Ukraine, IT administrators in the beleaguered country and researchers have discovered destructive data wiping malware posing as ransomware and lurking in a number of Ukrainian networks. The situation evokes past devastating Russian malware campaigns against Ukraine—including the infamous NotPetya attack in 2017. 

Elsewhere on the continent, Austria’s data regulator recently concluded that using Google Analytics is a breach of the European Union’s GDPR privacy regulations. The decision could set the tone in other countries and for other analytics services, and could send ripples throughout the entire cloud.

A pair of vulnerabilities in Zoom, now patched, could have exposed the ubiquitous video conferencing service and its users to zero-click, or interactionless, malware attacks. And a flaw in iOS 15 that Apple has known about since November has been exposing users’ web browsing activity. On the other hand, Apple’s new iCloud Private Relay feature, which can shield your browsing activity from prying eyes, is in beta and you can try it now.

And there’s more. Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

The massive international cryptocurrency exchange Crypto.com finally confirmed this week that a hacker made off with $30 million worth of cryptocurrency stolen from 483 users’ digital wallets. The company initially called the situation “an incident” and said that “no customer funds were lost.” Hackers stole 4,836.26 ETH (roughly $13 million), 443.93 BTC (roughly $16 million), and about $66,200 worth of other currencies. The exchange said that in most cases it “prevented the unauthorized withdrawal,” and added that in the other cases it reimbursed customers for their losses. Crypto.com says it has implemented additional security protections and has called in third-party auditors to further assess its security. The company did not provide specific details about the improvements.

The Israeli business and technology news site Calcalist published an investigation this week alleging that Israeli law enforcement used NSO Group’s Pegasus spyware to surveil citizens including prominent members of a protest movement opposed to former Israeli Prime Minister Benjamin Netanyahu, former government employees, and mayors. The police broadly denied the report, but on Thursday, Israeli attorney general Avichai Mandelblit told the chief of police that he is launching an investigation into the claims. “It is difficult to overstate the severity of the alleged harm to basic rights” if Calcalist’s conclusions are found to be true, Mandelblit wrote to Israel Police Commissioner Kobi Shabtai.

Interpol announced this week that Nigerian law enforcement arrested 11 suspected business email compromise scammers in mid-December. Some are allegedly members of the notorious SilverTerrier BEC group. BEC is a dominant type of online scamming in which attackers use lookalike email accounts, fake personas, and phishing to trick businesses into sending money to the wrong places. Often this is done by compromising an email account within a target organization to make a ruse look more legitimate. Interpol said this week that after evaluating the devices of the 11 suspects, it has linked them to scams that victimized more than 50,000 targets. One suspect alone allegedly possessed more than 800,000 potential victim website credentials, Interpol said, while another had access inside 16 companies that were actively sending money to SilverTerrier-linked accounts.

President Joseph Biden signed a memorandum this week to broaden the National Security Agency’s responsibilities for defending United States government computer networks. The directive particularly focused on sensitive federal IT infrastructure among the Department of Defense, intelligence agencies, and their contractors. The measure mandates security best practices like implementing encryption, supporting two-factor authentication, adding network detection capabilities, and using other cloud defense mechanisms. The memo essentially syncs requirements for national security agencies with an executive order from May that set security standards for civilian agencies.

‘Zero-Click’ Zoom Vulnerabilities Could Have Exposed Calls

Most hacks require the victim to click on the wrong link or open the wrong attachment. But as so-called zero-click vulnerabilities—in which the target does nothing at all—are exploited more and more, Natalie Silvanovich of Google’s Project Zero bug-hunting team has worked to find new examples and get them fixed before attackers can use them. Her list now includes Zoom, which until recently had two alarming, interactionless flaws lurking inside.

Though fixed now, the two vulnerabilities could have been exploited without any user involvement to take over a victim’s device or even compromise a Zoom server that processes many users’ communications in addition to those of the original victim. Zoom users have the option to turn on end-to-end encryption for their calls on the platform, which would keep an attacker with that server access from surveilling their communications. But a hacker could still have used the access to intercept calls in which users didn’t enable that protection.

“This project took me months, and I didn’t even get all the way there in terms of carrying out the full attack, so I think this would only be available to very well-funded attackers,” Silvanovich says. “But I wouldn’t be surprised if this is something that attackers are trying to do.”

Silvanovich has found zero-click vulnerabilities and other flaws in a number of communication platforms, including Facebook Messenger, Signal, Apple’s FaceTime, Google Duo, and Apple’s iMessage. She says she had never given much thought to evaluating Zoom because the company has added so many pop-up notifications and other protections over the years to ensure users aren’t unintentionally joining calls. But she says she was inspired to investigate the platform after a pair of researchers demonstrated a Zoom zero-click vulnerability at the 2021 Pwn2Own hacking competition in April.

Silvanovich, who originally disclosed her findings to Zoom at the beginning of October, says the company was extremely responsive and supportive of her work. Zoom fixed the server-side flaw and released updates for users’ devices on November 24. The company has released a security bulletin and told WIRED that users should download the latest version of Zoom.

Most mainstream video conferencing services are based at least in part on open source standards, Silvanovich says, making it easier for security researchers to vet them. But Apple’s FaceTime and Zoom are both fully proprietary, which makes it much harder to examine their inner workings and potentially find flaws.

“The barrier to doing this research on Zoom was quite high,” she says. “But I found serious bugs, and sometimes I wonder if part of the reason I found them and others didn’t is that huge barrier to entry.”

You likely join Zoom calls by receiving a link to a meeting and clicking it. But Silvanovich noticed that Zoom actually offers a much more expansive platform in which people can mutually agree to become “Zoom Contacts” and then message or call each other through Zoom the same way you would call or text someone’s phone number. The two vulnerabilities Silvanovich found could only be exploited for interactionless attacks when two accounts have each other in their Zoom Contacts. This means that the prime targets for these attacks would be people who are active Zoom users, either individually or through their organizations, and are used to interacting with Zoom Contacts. 

Norton Put a Cryptominer in Its Antivirus Software

This week, we reported that Signal has gone forward with its controversial cryptocurrency integration. All of the encrypted messaging app’s users now have access to MobileCoin, a privacy-focused cryptocurrency that US exchanges still don’t offer. The intent is to give monetary transactions the same protection from surveillance that Signal brought to messaging. But skeptics worry that introducing a financial element will bring unwanted complexity and regulatory scrutiny to Signal, an app that millions of people have come to rely on.

In hacking news, a criminal campaign has struck thousands of victims in over a hundred countries—which in itself isn’t all that unusual. Microsoft fixed the vulnerability the attackers are exploiting, though, nearly a decade ago. The problem: The patch is optional, and most users wouldn’t know where to get it even if they wanted to. If anything, it’s surprising that it took this long for someone to take advantage.

It’s a new year, which means it’s a great time for a couple of refreshers on how to stay safe online. We looked at how to send messages that automatically vanish on various chat apps. And we walked you through a few ways to delete yourself from the internet altogether, should the occasion call for it.

As part of this year’s virtual WIRED HQ at CES, we had a wide-ranging conversation with former congressman Will Hurd about the future of cybersecurity, cryptocurrency, the metaverse, and much more.

And that’s not all! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

Norton, what are you doing! Several months ago the antivirus giant snuck a cryptominer into its consumer software, as noted by author and digital rights activist Cory Doctorow earlier this week. The pitch is that you can opt in to letting Norton mine cryptocurrency on your computer while you’re not using it; the software will even set up a secure wallet for you, all for a mere 15 percent cut of the proceeds. To be clear, you should absolutely not do this. Not only is cryptomining a drain on the environment, it introduces complexity and potential security issues to users who likely don’t know what they’re getting into. Some Norton customers have also reported issues with turning the feature off after they opted in.

For years, the publishing world has been roiled by a sophisticated spearphishing spree that has resulted in the theft of hundreds of unpublished book manuscripts. This week, the FBI made an arrest in the case, charging 29-year-old Filippo Bernardini with wire fraud and aggravated identity theft. Bernardini himself worked as a rights coordinator for publishing giant Simon & Schuster UK, a role that gave him insider knowledge which allegedly helped him craft more convincing phishing emails.

Nearly a thousand schools were hit by ransomware attacks in 2021 alone. But 2022 kicked off with 5,000 school websites going down, after ransomware operators hit third-party website provider FinalSite. The company took many of those sites offline preemptively to prevent the spread of the malware, and losing access to an online portal for a few days isn’t nearly as bad as having to cough up ransomware money directly. Still, it’s yet another reminder of how much damage ransomware gangs can inflict when they hit widely used software-as-a-service companies rather than individual targets.

A wave of NFT thefts has underscored a tension in decentralized marketplaces. Platforms like OpenSea can help victims in some cases, but only through mechanisms that show how centralized things really are. In other words, the promises of web3 aren’t really panning out as advertised, which Signal founder Moxie Marlinspike articulates better than anyone has yet right here. Long story short: Meet the new web, same as the old web.

Buckle Up for More Log4j Madness

It feels like the world has a lot of Pandora’s boxes open at once right now. Last week another crisis came into view with disclosure of a vulnerability in the widely used open source Apache logging library Log4j. Since then, system administrators, incident responders, and governments have been scrambling to install patches and reduce the threat. The bug is simple for attackers to exploit and can lead to full server takeover. Patching is on the rise, but Apache has had to release additional fixes that now must be installed. After some preliminary probing and exploitation from attackers around the world, defenders are bracing for a brutal next wave. And they say that vulnerable systems will lurk in networks for years, just waiting to be discovered and exploited.

Meanwhile, researchers put the surveillance-for-hire industry on blast this week as Meta took down infrastructure on its platforms from seven companies that had targeted more than 50,000 of the company’s users and others. And Google’s Project Zero did a deep technical analysis of NSO Group’s ForcedEntry iOS exploit, underscoring just how sophisticated a private organization’s hacking tools can be. WIRED also took a look at growth tactics of the world’s largest deepfake abuse site that uses AI to generate false nude images.

With all of this targeted hacking and misinformation floating around, check out WIRED’s guide to defending yourself against “smishing,” or SMS phishing, attacks deployed by everyone from the most elite hackers down to run-of-the-mill spammers.

And there’s more. Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive on Friday that all federal civilian agencies must assess their systems and apply patches and other mitigations related to the Log4j vulnerability by December 23. The order also requires the agencies to provide CISA with an accounting by December 28 of the names and versions of all their affected systems and details about the protections they’ve put in place for each application. 
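
The accounting the directive asks for, names and versions of every affected system, is the part most teams struggle to produce quickly. The script below is an added example, not code from WIRED, CISA or Apache: it walks a directory tree, lists every log4j-core jar, reads the version from the jar’s manifest or filename, and flags anything at 2.0 or higher but below a fixed-version threshold. That threshold is an assumption the operator must set from Apache’s current advisory, since the article notes the fixes have been revised more than once.

```python
"""Inventory log4j-core jars and flag versions that still need a patch.

Added example, not code from WIRED, CISA or Apache. It supports the kind of
"names and versions of affected systems" accounting the directive requires.
The fixed-version threshold is an assumption: set it from Apache's advisory.
"""
import os
import re
import zipfile
from typing import Iterator, List, Optional, Tuple

# Log4j 2.x lives in log4j-core-<version>.jar; 1.x jars (log4j-1.2.x.jar)
# are a separate codebase and are deliberately not matched here.
JAR_NAME = re.compile(r"^log4j-core-(\d[\w.\-]*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Map '2.14.1' to (2, 14, 1); qualifiers such as '-beta9' are dropped."""
    numeric = text.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", numeric))


def jar_version(path: str) -> Optional[str]:
    """Prefer the manifest's Implementation-Version; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: try the filename instead
    match = JAR_NAME.match(os.path.basename(path))
    return match.group(1) if match else None


def find_log4j_core(root: str) -> Iterator[str]:
    """Yield the path of every log4j-core jar under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                yield os.path.join(dirpath, name)


def needs_patch(version: str, fixed_version: str) -> bool:
    """True for releases in the affected range: 2.0 or higher, below the fix."""
    return (2, 0) <= parse_version(version) < parse_version(fixed_version)


def inventory(root: str, fixed_version: str) -> List[Tuple[str, Optional[str], Optional[bool]]]:
    """Return (path, version, needs_patch) rows; version None means manual review."""
    rows = []
    for path in sorted(find_log4j_core(root)):
        version = jar_version(path)
        flag = needs_patch(version, fixed_version) if version else None
        rows.append((path, version, flag))
    return rows


if __name__ == "__main__":
    import sys
    # Usage (threshold is an assumption): python inventory.py /opt <fixed-version-from-advisory>
    for row in inventory(sys.argv[1], sys.argv[2]):
        print(*row, sep="\t")
```

Rows with a None version are jars the script found but could not read, so they still need a human look before the accounting is sent.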

“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” CISA wrote in the directive. “This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

The Patent and Trademark Office took external access to its systems offline for 12 hours beginning on Wednesday night as a precaution in response to the Log4j vulnerability. CISA says there are no confirmed Log4j compromises of federal civilian networks and that so far no other agencies have done shutdowns like the Patent Office’s. But the temporary takedown reflects the extreme risk and urgency of patching the flaw. Homeland Security Secretary Alejandro Mayorkas said on Thursday that he is “extraordinarily concerned” about the vulnerability.

After an investigation last month by Reveal from The Center for Investigative Reporting and WIRED, lawmakers have called for both a Federal Trade Commission investigation of Amazon’s shoddy data protection and for a federal privacy law. WIRED and Reveal’s report showed that Amazon had let many internal employees look up customer orders at will, and that a data company in China likely obtained access to the personal data of millions of customers, among other lapses. Amazon has said that those incidents don’t reflect current practices. But senators Ron Wyden (D-OR) and Jon Tester (D-MT), along with several representatives, have pointed to the series of failures as proof that US companies need to do more to protect their customers’ data.

Former defense contractor John Murray Rowe Jr. was arrested on Wednesday on espionage charges; the Department of Justice says he allegedly “attempted to provide classified national defense information to the Russian government.” Rowe, 63, faces a maximum sentence of life in prison if convicted. He reportedly worked as a test engineer for multiple defense contractors over a 40-year career and held various security clearances throughout that time, from “Secret” up to “Top Secret” and “Sensitive Compartmented Information.” Among other things, Rowe worked on aerospace technology for the Air Force. A series of security violations that showed a potential allegiance to Russia led officials to identify Rowe as an insider threat and terminate him as a contractor in 2018. From there the FBI began an investigation, and in March 2020 Rowe allegedly met with an undercover FBI employee pretending to be a Russian government official. Prosecutors say that he and the undercover agent corresponded in over 300 emails, during which Rowe revealed that he would be willing to work for the Russian government, discuss his prior work, and steal US secrets.

French police arrested an unidentified man from southeast France for allegedly laundering ransomware payments amounting to more than $21.4 million. Authorities also did not name the ransomware gang or gangs he is accused of collaborating with. The action comes on the heels of a concerted global effort to deter ransomware attacks and hold perpetrators accountable.

A Log4J Vulnerability Has Set the Internet ‘On Fire’

A vulnerability in a widely used logging library has become a full-blown security meltdown, affecting digital systems across the internet. Hackers are already attempting to exploit it, but even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide. 

The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.

Log4j is a Java library, and while the programming language is less popular with consumers these days, it’s still in very broad use in enterprise systems and web apps. Researchers told WIRED on Friday that they expect many mainstream services will be affected. 

For example, Microsoft-owned Minecraft on Friday posted detailed instructions for how players of the game’s Java version should patch their systems. “This exploit affects many services—including Minecraft Java Edition,” the post reads. “This vulnerability poses a potential risk of your computer being compromised.” Cloudflare CEO Matthew Prince tweeted Friday that the issue was “so bad” that the internet infrastructure company would try to roll out at least some protection even for customers on its free tier of service.

All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.

“It’s a design failure of catastrophic proportions,” says Free Wortley, CEO of the open source data security platform LunaSec. Researchers at the company published a warning and initial assessment of the Log4j vulnerability on Thursday. 

Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.

The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia’s CERT. New Zealand’s government cybersecurity organization noted in its alert that the vulnerability is reportedly being actively exploited.

“It’s pretty dang bad,” says Wortley. “So many people are vulnerable, and this is so easy to exploit. There are some mitigating factors, but this being the real world there will be many companies that are not on current releases that are scrambling to fix this.”

Apache rates the vulnerability at “critical” severity and published patches and mitigations on Friday. The organization says that Chen Zhaojun of Alibaba Cloud Security Team first disclosed the vulnerability.