You Need to Update Google Chrome or Whatever Browser You Use

China-linked hackers are increasingly moving beyond espionage and into the disturbing world of power grid attacks. Threat researchers at security software firm Symantec this week released new evidence that the Chinese hacking group known as RedFly infiltrated the power grid of an Asian nation. Some details of the latest intrusion echo a 2021 attack on India’s power grid, suggesting the same hackers are responsible.

In Argentina, a scandal is playing out over the use of facial recognition software in Buenos Aires. Despite laws that require authorities to limit searches to known fugitives, an investigation by a judge found that the system was used to look up people not wanted for any crimes. In other cases, errors led police to arrest or question the wrong people. While Buenos Aires is attempting to get the system back online after legal rulings ordered it turned off, the debacle shows how dangerous facial recognition can be even when laws are in place to limit it.

Facial recognition isn’t the only artificial-intelligence-powered system governments are using in new and upsetting ways. Like everyone else, state and local governments around the United States have begun to play with generative AI tools like ChatGPT. And so far, there’s no consensus on how to use the technology. Some US states, like Maine, have temporarily banned its use altogether, fearing cybersecurity concerns, while others are using it to craft speeches and social media posts.

Meanwhile, the US Senate is in the midst of getting an AI education. Around 60 senators attended a closed-door briefing this week, where they heard from major tech CEOs, including Elon Musk, Mark Zuckerberg, and Sam Altman, as well as civil liberties advocates and AI ethics experts. The Senate has been learning about AI and its myriad issues for much of the year, and another forum on AI innovation is scheduled for later this year. Despite these cramming sessions, some lawmakers question whether they’re any closer to tackling AI responsibly.

Finally, the cyberattack against MGM casinos continues to cause havoc for guests of its resorts nearly a week after the attack began. While an attack on a major casino company is inevitably high-profile, the group behind the breach, known as Alphv, has a long history of targeting schools and hospitals—attacks that are far more consequential.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Unless you updated your browser in the past few days, it likely contains a critical flaw. The recently disclosed vulnerability, tracked as CVE-2023-4863, exists in the WebP code library known as libwebp, which encodes and decodes images in the widely used WebP format. The flaw is a heap buffer overflow: a specially crafted malicious image makes the decoder write past the end of a memory buffer, which an attacker can turn into running malicious code on the targeted device. Because image decoding happens automatically when a page or message is rendered, no click is required. Google says the bug has already been exploited in the wild.

Initially identified early this week as a zero-day vulnerability in Google’s Chrome browser, the libwebp bug affects every browser built on Chromium, which means Chrome, Microsoft Edge, Opera, Brave, and more. Mozilla’s Firefox is not Chromium-based but ships the same libwebp library, so it is affected too. The bug also reaches beyond browsers into apps that bundle libwebp, including Telegram, 1Password, Thunderbird, and GIMP. Patches for the flaw are rolling out now, so keep your eyes peeled for updates, and remember that every application embedding the library needs its own update.
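A small illustration of the bug class in the libwebp story, added here and not taken from libwebp or from the original article: a toy run-length image decoder whose output buffer is sized from the header while attacker-controlled run counts decide how much it actually writes. The format, the EVIL_IMG bytes and the canary are constructed for the example; libwebp’s real flaw is in its lossless decoder’s Huffman table handling, which this does not reproduce. The canary stands in for whatever neighbouring heap object an attacker would aim the overflow at.

```c
/* Added illustration of a heap buffer overflow in an image decoder.
 * Not libwebp's code; the toy format and sample bytes are made up here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xA5

/* Toy format: [width][height] then run-length pairs (count, value). */
typedef struct {
    const uint8_t *data;
    size_t len;
} blob_t;

/* Vulnerable: trusts the run counts and never compares them with the
 * size of the pixel buffer derived from the header. Returns bytes written,
 * which can exceed the buffer the caller allocated. */
static size_t decode_unchecked(blob_t img, uint8_t *out) {
    if (img.len < 2) return 0;
    size_t pos = 0;
    for (size_t i = 2; i + 1 < img.len; i += 2) {
        memset(out + pos, img.data[i + 1], img.data[i]);
        pos += img.data[i];
    }
    return pos;
}

/* Hardened: bounds every run against the remaining capacity. Returns
 * bytes written, or -1 if the body would overrun the declared size. */
static long decode_checked(blob_t img, uint8_t *out, size_t out_len) {
    if (img.len < 2) return -1;
    size_t pos = 0;
    for (size_t i = 2; i + 1 < img.len; i += 2) {
        size_t run = img.data[i];
        if (run > out_len - pos) return -1;   /* would write past the buffer */
        memset(out + pos, img.data[i + 1], run);
        pos += run;
    }
    return (long)pos;
}

/* Constructed malicious image: header declares 4x2 = 8 pixels, but the
 * body carries runs totalling 12 bytes. */
static const uint8_t EVIL_IMG[] = { 4, 2, 8, 0x11, 4, 0x22 };

/* Decode EVIL_IMG into an allocation holding 8 pixel bytes followed by
 * 8 canary bytes. Returns 1 if the canary was clobbered, 0 if intact,
 * -1 on allocation failure. The canary lives inside the same allocation,
 * so the unchecked write is observable without undefined behaviour. */
static int canary_clobbered(int use_checked) {
    blob_t img = { EVIL_IMG, sizeof EVIL_IMG };
    size_t pixels = (size_t)img.data[0] * img.data[1];
    uint8_t *buf = malloc(pixels + 8);
    if (!buf) return -1;
    memset(buf, 0, pixels);
    memset(buf + pixels, CANARY, 8);
    if (use_checked) decode_checked(img, buf, pixels);
    else decode_unchecked(img, buf);
    int clobbered = 0;
    for (size_t i = 0; i < 8; i++)
        if (buf[pixels + i] != CANARY) clobbered = 1;
    free(buf);
    return clobbered;
}

int main(void) {
    printf("unchecked decoder clobbers neighbour: %d\n", canary_clobbered(0));
    printf("checked decoder clobbers neighbour:   %d\n", canary_clobbered(1));
    return 0;
}
```

The fix is the single comparison in decode_checked: the decoder must never trust the body to stay within the size the header promised. In a real format the same discipline applies to every length that comes from the file, including the header itself, whose width times height times bytes-per-pixel needs an integer overflow check before it is handed to the allocator.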

Malicious online ads—also known as “malvertising”—have been around for years. Now, they’re going pro. Several Israeli companies are developing exploits that take advantage of weaknesses in the technical mechanisms that bombard you with ads online, Haaretz reports, allowing attackers to track people and hack their devices. The exploit takes advantage of the online advertising bidding process, in which bots are competing for specific ad slots on web pages in real time. Taking advantage of the fraction of a second before an ad slot is filled, these companies have figured out how to show you an ad that reportedly contains “advanced spyware.” While there’s no quick fix for stopping the spread of this malware, there is something simple you can do to protect yourself: Use an ad blocker.

European data regulators fined TikTok €345 million ($368 million) this week for breaking laws related to the privacy of underage users. The Irish Data Protection Commission (DPC) said the company violated GDPR by failing to make the accounts of child users private by default. The DPC also says TikTok’s “family pairing” feature, which enables an adult to take control of a child’s account settings, did not ensure that the adult with access to the feature was a parent or guardian. TikTok says it opposes the fine because it had updated its settings to make the accounts of anyone under 16 years old private by default before the investigation began.

Turns out, secretly interfering in the battle plans of a United States ally doesn’t go over well in Washington. The US Senate Armed Services Committee has launched an inquiry into Elon Musk’s decision to not enable Starlink satellite communications in Crimea ahead of a Ukrainian military attack on Russian forces. The move, first revealed in author Walter Isaacson’s new biography on Musk, also prompted several Democratic senators to send a letter to the US defense secretary, Lloyd Austin, asking him to explain what actions the Department of Defense (DOD) has taken, or plans to take, to “prevent further dangerous meddling” by Musk.

“SpaceX is a prime contractor and a critical industry partner for the [DOD] and the recipient of billions of dollars in taxpayer funding,” the letter reads. “We are deeply concerned with the ability and willingness of SpaceX to interrupt their service at Mr. Musk’s whim and for the purpose of handcuffing a sovereign country’s self-defense, effectively defending Russian interests.”

Even if you have a spotless record, passing a background check can be one of the most stressful parts of landing a new job or an apartment. We have bad news: It’s possible the information used to assess your eligibility might not be accurate. The US Federal Trade Commission (FTC) this week announced a $5.8 million fine against background check providers TruthFinder and Instant Checkmate for “failing to ensure the maximum possible accuracy of their consumer reports,” a violation of the Fair Credit Reporting Act. The FTC alleges that the companies “made millions” by selling subscriptions that would alert people when a “criminal record” was found in their background check, “when the record was merely a traffic ticket.” The company also displayed “Remove” and “Flag as Inaccurate” buttons that the FTC says “did not work as advertised.”

The regulatory ding against TruthFinder and Instant Checkmate comes several months after the companies confirmed a data breach. In January, hackers published a database backup from April 2019 stolen from the companies, exposing the personal information of millions of customers.

Top US Spies Meet With Privacy Experts Over Surveillance ‘Crown Jewel’

Senior United States intelligence officials met privately in Virginia yesterday with over a dozen civil liberties groups to field concerns about domestic surveillance operations that have drawn intense scrutiny this summer among an unlikely coalition of Democratic and Republican lawmakers in the US Congress.

The closed-door session, convened at the Liberty Crossing Intelligence Campus—a sprawling complex housing the bulk of the nation’s counterterrorism infrastructure—comes amid a backdrop of political furor over past misuses of a powerful surveillance tool by, principally, the Federal Bureau of Investigation (FBI). Republican lawmakers, who remain aggrieved over the FBI’s botched operation to surveil a former Trump campaign aide amid its 2016 Russia investigation, have formed an extraordinary alliance with Democratic rivals who’ve long been critical of the FBI’s power to warrantlessly access information about Americans “incidentally” collected by spies in the process of monitoring foreign threats.

The meeting, organized by the director of national intelligence, Avril Haines, was attended by top officials from the National Security Agency (NSA), US Department of Justice (DOJ), and Central Intelligence Agency (CIA), among others. General Paul Nakasone, the NSA director, is believed to have attended, though neither the IC, nor any source at the meeting, would confirm or deny his presence. (All sources spoke with WIRED on background citing rules established ahead of the gathering.)

Privacy and civil liberties advocates in attendance Thursday say one of their chief objectives was putting the intelligence community (IC) on notice: Without significant privacy reforms, any effort to reauthorize the use of its most powerful surveillance weapon—Section 702 of the Foreign Intelligence Surveillance Act—will be a doomed undertaking. The 9/11-era program, occasionally referred to as the “crown jewel” of US intelligence, is set to expire at the end of the year. Sources in Congress with knowledge of ongoing negotiations over the program say Biden administration officials have privately encouraged lawmakers to pass a “clean bill” this winter, airing fears that any potential lapse in surveillance would pose a national security threat. Targets of the 702 program have expanded in the past decade beyond terrorists in the Middle East, and today include foreign cybersecurity threats linked to Iran, Russia, and China, as well as drug traffickers involved in the production of fentanyl, a dangerous opioid flooding US streets.

The fate of the 702 program hangs by a precarious thread, with lawmakers on both sides of the aisle increasingly skeptical of the FBI’s ability to tap into data that the intelligence community has long claimed is only unintentionally collected on Americans—a byproduct of casting a wide surveillance net over the communications of tens of thousands of individuals each year believed or assumed to be agents of hostile foreign powers. Restricting the bureau’s access to this data for domestic criminal investigations without first obtaining a court order remains one of the top reforms sought by the IC’s bipartisan critics.

Sources at the meeting say the conversation was largely one-sided, with Haines and other intelligence officials framing the event as purely an opportunity to bear witness to the concerns of civil rights advocates. While none expected a true back-and-forth discussion, some advocates nevertheless expressed frustration over the lack of reciprocity, with one describing it bluntly as “stonewalling.” A spokesperson for the IC said such “listening sessions,” in which top officials gather to hear the concerns of relevant civil society stakeholders, are commonplace, and that, generally speaking, the IC does not disclose the nature of its conversations with members of Congress.

Its guests on Thursday included privacy and national security experts from the American Civil Liberties Union, Brennan Center for Justice at NYU School of Law, Electronic Privacy Information Center, and Demand Progress, among a dozen other groups. The largely progressive coalition further included conservative nonprofits such as FreedomWorks and Americans for Prosperity. Bob Goodlatte, a former Republican chair of the House Judiciary Committee who now serves as a senior advisor to the nonprofit Project for Privacy and Surveillance Accountability, also attended.

The Weird, Big-Money World of Cybercrime Writing Contests

The criminal contests have their own rules to reduce the chance of cheating, Budd says. On Exploit, the rules say the entries “must not have been published elsewhere,” should be “meaningful and voluminous,” should include technical details such as code or algorithms, and must be “at least 5,000 characters (excluding spaces).” That works out to around 1,000 words, or the rough length of this WIRED article. The rules on XSS are similar—“copy-paste = expulsion from the contest, in disgrace”—but they require articles to be longer (at least 7,000 characters) and say there should be “proper formatting, spelling, and punctuation.”

However, scammers are going to scam. In their most recent contests, Exploit had 35 entries and XSS had 38 entries. But XSS disqualified 10 of them. The winners of the competitions are decided by forum members voting on the entries, but the sites’ admins can also pick the winners, and there have been complaints of vote rigging, according to Sophos.

These competitions have evolved and grown over time, Budd says. Previous research from cybersecurity firm Digital Shadows, which has since been acquired by ReliaQuest, shows that contests on cybercrime forums started around 2006. Roman Faithfull, a cyber-threat intelligence analyst at ReliaQuest, says these earliest competitions were very simple. “At the start, they were quite low-key,” Faithfull says. “They weren’t always organized by forum administrators.”

Some of the earliest competitions, he says, asked forum members to design logos or even offered a small monetary prize to the commenter on a forum thread who had the longest account history on the site. “As forums became more sophisticated, the contests in general became more sophisticated,” Faithfull says.

Since around 2015, the contests, most of which are held annually, have focused on writing and submitting articles and code, the ReliaQuest researcher says. “There’s a lot of focus on stuff that will make people money,” he adds. As this has happened, the prize pots have increased too: On XSS, the total prize pot was $1,000 in 2018 and rose to $40,000 with $14,000 for the winner in 2021. “No one is going to put out their absolute best stuff into this unless they’re in a really hard spot and need some quick cash,” Faithfull says. “You’re unlikely to see a ransomware group, or really, someone really high up.”

The content of the entries to the most recent two contests is reasonably broad, the Sophos research found. Some were more innovative, while others were essentially repeating information found elsewhere. The winning entry in Exploit’s 2021 crypto competition was the creation of the cloned website, with Sophos saying it is “relatively simplistic” overall. “A cloned site like this would typically be used like any other phishing or credential-harvesting site,” the research says.

Other winning entries or those getting honorable mentions in the Exploit competition focused on targeting initial coin offerings, a guide to creating a phishing site to steal people’s cryptocurrency account details, and a tutorial on creating a cryptocurrency from scratch. “However, it is worth noting that there have been free and publicly available tutorials on how to do this for several years,” the Sophos research says.

The Cheap Radio Hack That Disrupted Poland’s Railway System

Since war first broke out between Ukraine and Russia in 2014, Russian hackers have at times used some of the most sophisticated hacking techniques ever seen in the wild to destroy Ukrainian networks, disrupt the country’s satellite communications, and even trigger blackouts for hundreds of thousands of Ukrainian citizens. But the mysterious saboteurs who have, over the last two days, disrupted Poland’s railway system—a major piece of transit infrastructure for NATO’s support of Ukraine—appear to have used a far less impressive form of technical mischief: Spoof a simple radio command to the trains that triggers their emergency stop function.

On Friday and Saturday, more than 20 of Poland’s trains carrying both freight and passengers were brought to a halt across the country through what Polish media and the BBC have described as a “cyberattack.” Polish intelligence services are investigating the sabotage incidents, which appear to have been carried out in support of Russia. The saboteurs reportedly interspersed the commands they used to stop the trains with the Russian national anthem and parts of a speech by Russian president Vladimir Putin.

Poland’s railway system, after all, has served as a key source of Western weapons and other aid flowing into Ukraine as NATO attempts to bolster the country’s defense against Russia’s invasion. “We know that for some months there have been attempts to destabilize the Polish state,” Stanislaw Zaryn, a senior security official, told the Polish Press Agency. “For the moment, we are ruling nothing out.”

But as disruptive as the railway sabotage has been, on closer inspection, the “cyberattack” doesn’t seem to have involved any “cyber” at all, according to Lukasz Olejnik, a Polish-speaking independent cybersecurity researcher and consultant and author of the forthcoming book Philosophy of Cybersecurity. In fact, the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train—sending a series of three acoustic tones at a 150.100 megahertz frequency—and trigger their emergency stop function.

“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”

Poland’s national transportation agency has stated its intention to upgrade Poland’s railway systems by 2025 to use almost exclusively GSM cellular radios, which do have encryption and authentication. But until then, it will continue to use the relatively unprotected VHF 150 MHz system that allows the “radio-stop” commands to be spoofed.

The Internet Is Turning Into a Data Black Box. An ‘Inspectability API’ Could Crack It Open

In today’s digital world, injustice lurks in the shadows of the Facebook post that’s delivered to certain groups of people at the exclusion of others, the hidden algorithm used to profile candidates during job interviews, and the risk-assessment algorithms used for criminal sentencing and welfare fraud detection. As algorithmic systems are integrated into every aspect of society, regulatory mechanisms struggle to keep up.

Over the past decade, researchers and journalists have found ways to unveil and scrutinize these discriminatory systems, developing their own data collection tools. As the internet has moved from browsers to mobile apps, however, this crucial transparency is quickly disappearing.

Third-party analysis of digital systems has largely been made possible by two seemingly banal tools that are commonly used to inspect what’s happening on a webpage: browser add-ons and browser developer tools.

Browser add-ons are small programs that can be installed directly onto a web browser, allowing users to augment how they interact with a given website. While add-ons are commonly used to operate tools like password managers and ad-blockers, they are also incredibly useful for enabling people to collect their own data within a tech platform’s walled garden.

Similarly, browser developer tools were made to allow web developers to test and debug their websites’ user interfaces. As the internet evolved and websites became more complex, these tools evolved too, adding features like the ability to inspect and change source code, monitor network activity, and even detect when a website is accessing your location or microphone. These are powerful mechanisms for investigating how companies track, profile, and target their users.

I have put these tools to use as a data journalist to show how a marketing company logged users’ personal data even before they clicked “submit” on a form and, more recently, how the Meta Pixel tool (formerly the Facebook Pixel tool) tracks users without their explicit knowledge in sensitive places such as hospital websites, federal student loan applications, and the websites of tax-filing tools.
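The kind of hook a browser add-on’s content script installs to collect the data described above, as an added example that is not part of the original article: it wraps the page’s fetch so every outbound request is logged, marks which ones leave for a third party, and names known trackers by hostname. The only facts taken from outside this page are the public Meta Pixel endpoint (www.facebook.com/tr with its id and ev query keys) and the other tracker hostnames; the page origin clinic.example, the fake fetch and the sample requests are constructed for the example.

```javascript
// Added illustration of an "inspectability" hook, not code from the article.
// KNOWN_TRACKERS lists public tracker hostnames; everything else is made up.
const KNOWN_TRACKERS = {
  'www.facebook.com': 'Meta Pixel',            // hits go to /tr?id=...&ev=...
  'connect.facebook.net': 'Meta Pixel loader', // serves fbevents.js
  'www.google-analytics.com': 'Google Analytics',
};

// Describe one outbound request relative to the page that made it.
// Relative URLs resolve against the page origin, so first-party API calls
// are recognised as such.
function classifyRequest(urlString, pageOrigin) {
  const url = new URL(urlString, pageOrigin);
  const page = new URL(pageOrigin);
  const params = {};
  for (const [key, value] of url.searchParams) params[key] = value;
  return {
    host: url.hostname,
    path: url.pathname,
    thirdParty: url.hostname !== page.hostname,
    tracker: KNOWN_TRACKERS[url.hostname] || null,
    params,
  };
}

// Wrap a fetch-like function so each call is recorded before it goes out.
// In an add-on you would pass window.fetch and assign the result back to it;
// here the caller supplies whatever fetch implementation it wants logged.
function createInterceptor(realFetch, pageOrigin, log) {
  return function interceptedFetch(input, init) {
    const urlString = typeof input === 'string' ? input : input.url;
    log.push(classifyRequest(urlString, pageOrigin));
    return realFetch(input, init);
  };
}

// Reduce a log to: which third parties were contacted, and which event
// names (the Meta Pixel `ev` key) or paths they received.
function summarize(log) {
  const hits = {};
  for (const entry of log) {
    if (!entry.thirdParty) continue;
    const name = entry.tracker || entry.host;
    hits[name] = hits[name] || [];
    hits[name].push(entry.params.ev || entry.path);
  }
  return hits;
}

// Constructed walk-through: a hospital-style page that loads the Meta Pixel
// and also talks to its own API. The fake fetch never touches the network.
function demo() {
  const log = [];
  const fakeFetch = () => Promise.resolve({ ok: true });
  const fetch = createInterceptor(fakeFetch, 'https://clinic.example/appointments', log);
  fetch('https://www.facebook.com/tr?id=123456789&ev=PageView&dl=https%3A%2F%2Fclinic.example%2Fappointments');
  fetch('https://www.facebook.com/tr?id=123456789&ev=SubscribedButtonClick');
  fetch('/api/slots');
  return { log, summary: summarize(log) };
}

console.log(JSON.stringify(demo().summary, null, 2));
```

The summary is the point of the exercise: from a page that visibly does nothing but show appointment slots, the log proves that two pixel events, including the click on a booking button, were reported to a third party. A real add-on would also wrap XMLHttpRequest and navigator.sendBeacon, since tracking scripts use all three.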

In addition to exposing surveillance, browser inspection tools provide a powerful way to crowdsource data to study discrimination, the spread of misinformation, and other types of harms tech companies cause or facilitate. But in spite of these tools’ powerful capabilities, their reach is limited. In 2023, Kepios reported that 92 percent of global users accessed the internet through their smartphones, whereas only 65 percent of global users did so using a desktop or laptop computer.

Though the vast majority of internet traffic has moved to smartphones, we don’t have tools for the smartphone ecosystem that afford the same level of “inspectability” as browser add-ons and developer tools. This is because web browsers are implicitly transparent, while mobile phone operating systems are not.

If you want to view a website in your web browser, the server has to send you the source code. Mobile apps, on the other hand, are compiled, executable files that you usually download from places such as Apple’s iOS App Store or Google Play. App developers don’t need to publish the source code for people to use them.