Security News This Week: Oh Look, LinkedIn Also Has a 500M User Data Leak

WIRED

A week into the revelation that Facebook leaked the data of 500 million users—including phone numbers and other potentially sensitive info—and the company still hasn’t given a full account of what happened. But we’ve managed to figure out both that the root of the problem was Facebook’s “contact import” feature, and that Facebook had plenty of opportunities to fix that issue before it resulted in attackers scraping half a billion people’s data.

On Thursday, federal agents arrested a 28-year-old Texas man for allegedly plotting to blow up an Amazon data center in Virginia. According to court documents, he had made alarming posts on the forums at MyMilitia.com, which someone then reported to the FBI. While it’s a concerning incident, domestic terror experts say there are no signs that Big Tech is a more pronounced target than in years past despite the heightened rhetoric from the far-right around supposed censorship.

Encrypted messaging app Signal announced this week that it would begin integrating the relatively new cryptocurrency MobileCoin. While a payments feature helps Signal keep up with its more full-featured competitors, the move raised questions as to whether Signal was inviting regulator interest and overly complicating a product lauded for its simplicity and ease of use.

Full article

The Peculiar Ransomware Piggybacking Off of China’s Big Hack

WIRED

When Microsoft revealed earlier this month that Chinese spies had gone on a historic hacking spree, observers reasonably feared that other criminals would soon ride that group’s coattails. In fact, it didn’t take long: A new strain of ransomware called DearCry attacked Exchange servers using the same vulnerabilities as early as March 9. While DearCry was first on the scene, on closer inspection it has turned out to be a bit of an odd cybercrime duck.

It’s not that DearCry is uniquely sophisticated. In fact, compared to the slick operations that permeate the world of ransomware today, it’s practically crude. It’s bare-bones, for one, eschewing a command-and-control server and automated countdown timers in favor of direct human interaction. It lacks basic obfuscation techniques that would make it harder for network defenders to spot and preemptively block. It also encrypts certain file types that make it harder for a victim to operate their computer at all, even to pay the ransom.

Full article

Security News This Week: Hackers Accessed Security Cameras Inside Tesla and Beyond

WIRED

Widespread hacking continued to be on everyone’s minds this week, as countless companies and organizations continued to struggle with a slew of major hacks. Now that Microsoft’s patches have been out for awhile, an array of nation state and criminal actors are getting more aggressive about exploiting a set of Microsoft Exchange Server bugs that were already under active attack by the Chinese group Hafnium. Meanwhile, the White House is mulling a response to Russia’s recent, high-profile SolarWinds espionage campaign that compromised data at numerous United States government agencies and private companies around the world. For the Biden administration, the risk is that too strong a retaliation could erode norms and be seen as hypocritical given that the US and virtually every government engages in digital espionage.

Full article

Security News This Week: A Billion-Dollar Dark Web Crime Lord Calls It Quits

WIRED

Photograph: Alamy

Just over a week ago, an employee at a water treatment treatment plant in Oldsmar, Florida noticed that the mouse on his screen started moving seemingly on its own. Soon it was clicking through controls, raising the supply of lye in the water supply from 100 parts per million to 1,100ppm, enough to cause serious damage to human tissue. Fortunately, the employee moved quickly to revert things to normal levels. It’s still unclear who was behind this dramatic hack, and a sober reminder of how exposed so many industrial systems remain despite years of warnings.

Facebook also seems to have ignored of warnings about the proliferation of Covid-19 scams on its platform; researchers this week exposed multiple scams they found on both the social media network and the messaging service Telegram.

Cyberpunk 2077 developer CD Projekt Red had already been battered by players frustrated with the game’s rampant bugs and poor gameplay on legacy consoles. This week it disclosed that ransomware was recently added to its list of woes, as a hacker group claimed to have stolen internal documents as well as source code for its most popular games. CD Projekt Red said it would not pay the ransom.

Full article

Security News This Week: Update Your iPhone and iPad Now If You Haven’t Recently

WIRED

Photograph: Anusak Laowilas/NurPhoto/Getty Images

Believe it or not, GameStop stock wasn’t the world’s only story this week. The last few days have been tumultuous for cybersecurity as well, especially after revelations that North Korean hackers targeted security pros with a campaign of convincing DMs. Lots of folks shared screenshots of how they dodged the bullet, but it’s still unclear how many more fell for the ruse.

Speaking of falling, an international team-up of law enforcement agencies took down the notorious Emotet botnet this week, arresting two alleged members of the gang behind it and seizing servers in the process. Ransomware operators and other bad actors who used Emotet to spread their wares will likely move on to other means of distribution, but at least the “most dangerous malware in the world,” as Europol called it, has been extinguished for now.

These things do have a tendency to persist, after all. Take Flash, the software that launched a thousand vulnerabilities. While Adobe killed it dead-dead last week (for real this time) it will continue to persist and cause problems on some systems for years to come. Another potential problem-causer: Telegram, the messaging app that has exploded in popularity as users have fled WhatsApp over privacy concerns and Parler over its current state of nonexistence. While Telegram does offer end-to-end encryption, it’s not on by default and not available at all for group chats, which may lead some users to expose themselves more than they might assume.

Full article

Flash Is Dead—but Not Gone

WIRED

On January 12, just after 8:15 am local time, computers started to malfunction at the Dalian Train Operation Depot in northeast China. The dispatcher’s browsers weren’t loading train schedule details. Six hours later, dispatchers also lost the ability to print train data from the web app. According to the depot’s account on Weibo and WeChat, and a follow up post a couple of days later, the system flickered on and off for 20 hours before IT staff finally stabilized it. The culprit appears to have been a seismic, but not unforeseen, shift on the internet: the death of Adobe Flash Player.

As 2020 came to a close, Adobe fully ended support for its infamous yet nostalgia-laced multimedia platform. On January 12, Adobe took things a step further, triggering a kill switch it had been distributing in Flash updates for months that blocks content from running in the player—essentially rendering the software inoperable. The company had warned about the transition for years, while browsers like Chrome and Firefox gradually nudged users toward other standards. Apple spent a full decade attempting to wean web developers off of Flash. But organizations like the Dalian Depot didn’t get the memo. Frantic staffers ended up pirating old versions of the software, even modifying them to run on all different versions of Windows to stabilize the system.

Twenty-plus hours of fight. No one complained. No one gave up. In solving the Flash problem, we turned the glimpse of hope into the fuel for advancement, officials wrote in a post mortem, as translated by journalist Tony Lin. 

The Dalian Depot incident speaks to the reality that Flash is not really dead yet, and will persist untouched—and sometimes unbeknownst to anyone—in networks around the world. Mainland China is the only region of the world where Flash will still be officially available through a distributor that Adobe partnered with in 2018. But some users have complained about problems with the dedicated Chinese version of the program and have found workarounds to keep using the regular edition.

After decades of abuse by hackers, particularly those running “malvertising” ad schemes, Flash installations—whether forgotten or intentionally maintained—could expose networks for years to come. Versions of the software that haven’t been updated recently don’t have the kill switch inside, after all. And because Adobe isn’t supporting the software anymore, there won’t be security patches for any new Flash vulnerabilities that come to light.

Full article

Parler Finds a Reprieve in Russia—but Not a Solution

WIRED

Illustration: WIRED Staff; Getty Images

In the wake of the Capitol riots two weeks ago, a number of large tech companies pulled support for Parler, a Twitter-like social network that Donald Trump’s supporters have increasingly favored since its launch in 2018. Apple and Google removed the Parler app from their digital stores, and Amazon Web Services cut the platform’s hosting services. After more than a week offline, the site is now partially back up, in the form of a landing page that promises a full return. To get even this far, Parler has hired DDoS-Guard, a Russian digital infrastructure company, to defend it against the endless barrage of attacks that virtually all sites face online—particularly those as controversial as Parler.

DDoS-Guard told WIRED it is only providing defense against denial-of-service attacks, not hosting Parler’s site. But even that level of support requires access to all the traffic that flows through Parler, so that it can “scrub” out malicious traffic aimed at overwhelming the site. Given the Russian government’s active efforts to isolate the country’s internet and gain access to all data, Parler could expose its users to Russian surveillance if the site someday does relaunch in full with DDoS-Guard. 

“Now seems like the right time to remind you all—both lovers and haters—why we started this platform,” Parler’s homepage currently proclaims. “We believe privacy is paramount and free speech essential … We will resolve any challenge before us and plan to welcome all of you back soon.”

Full article

Trump’s Worst, Most Bizarre Statements About ‘the Cyber’

WIRED

In September of 2016, on a Hofstra University debate stage, journalist Lester Holt asked presidential candidates Hillary Clinton and Donald Trump how they’d improve American cybersecurity. When it came Trump’s turn to answer, he let loose a torrent of barely connected ideas about “the cyber.” The stream of consciousness started with how many admirals had endorsed him, reiterated his long-running theme that no one could prove Russia had hacked the Democratic National Committee, noted cryptically that “we came in with an internet, we came up with the internet,” touched on ISIS “beating us at our own game,” and finally ended with these words:

“I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly do-able. But I will say, we are not doing the job we should be doing.”

In that moment, it became clear to cybersecurity professionals around the world that, should this man obtain the most powerful office in America, the next several years of politics were going to be very painful to listen to.

Indeed, while Trump has gained a deserved reputation as the most dishonest president in American history on a multitude of topics, few have inspired as much disinformation from him as “the cyber.” And no other issue, perhaps, has provided the confluence of factors to produce facepalming Trumpisms at such a high rate: complexity, ignorance of technical issues, and blatant conflicts of interest.

As Trump’s term—and his Twitter feed—come to a close, these are the abysmal cybersecurity assertions and quotes that will resonate for years to come.

Full article

Post-Riot, the Capitol Hill IT Staff Faces a Security Mess

WIRED

Photograph: Samuel Corum/Getty Images

In the aftermath of destructive riots that trashed the United States Capitol on Wednesday, the nation is grappling with questions about the stability and trajectory of US democracy. But inside the Capitol building itself, congressional support staff is dealing with more immediate logistics like cleanup and repairs. A crucial part of that: the process of securing the offices and digital systems after hundreds of people had unprecedented access to them.

Physical access to a location can have serious cybersecurity ramifications. Rioters could have bugged congressional offices, exfiltrated data from unlocked computers, or installed malware on exposed devices. In the rush to evacuate the Capitol, some computers were left unlocked and remained accessible by the time rioters arrived. And at least some equipment was stolen; Oregon senator Jeff Merkley said in a video late Wednesday that intruders took one of his office’s laptops off a conference table.

The House of Representatives and Senate each have a Sergeant-at-Arms office that oversees security. On the Senate side this body also supervises cybersecurity, whereas in the House that responsibility lies with the Office of the Chief Administrative Officer. On Thursday, speaker of the house Nancy Pelosi said that sergeant-at-arms Paul Irving would resign over Wednesday’s breach of the Capitol. Senate majority leader Chuck Schumer said he would remove that chamber’s Sergeant-at-Arms, Mike Stenger, if he does not resign.

Full article

The Race to Preserve the DC Mob’s Digital Traces

WIRED

Photograph: SAUL LOEB/Getty Images

Some people in the pro-Trump mob that descended upon the US Capitol on Wednesday wore MAGA hats. Others waved Confederate flags, or bedecked themselves in Army surplus gear. An especially memorable member of the insurrection went shirtless, but wore a large Viking hat covered in fur and horns. One accessory was near-ubiquitous: a raised smartphone. An astounding number of the attackers openly documented themselves and their peers, taking selfies in the rotunda, gleefully livestreaming their forced entry into the building, and smiling for cheeky photos on their way out, sometimes with trophies pilfered from Congressional offices.

Full article