On January 12, just after 8:15 am local time, computers started to malfunction at the Dalian Train Operation Depot in northeast China. The dispatcher’s browsers weren’t loading train schedule details. Six hours later, dispatchers also lost the ability to print train data from the web app. According to the depot’s account on Weibo and WeChat, and a follow up post a couple of days later, the system flickered on and off for 20 hours before IT staff finally stabilized it. The culprit appears to have been a seismic, but not unforeseen, shift on the internet: the death of Adobe Flash Player.
As 2020 came to a close, Adobe fully ended support for its infamous yet nostalgia-laced multimedia platform. On January 12, Adobe took things a step further, triggering a kill switch it had been distributing in Flash updates for months that blocks content from running in the player—essentially rendering the software inoperable. The company had warned about the transition for years, while browsers like Chrome and Firefox gradually nudged users toward other standards. Apple spent a full decade attempting to wean web developers off of Flash. But organizations like the Dalian Depot didn’t get the memo. Frantic staffers ended up pirating old versions of the software, even modifying them to run on all different versions of Windows to stabilize the system.
“Twenty-plus hours of fight. No one complained. No one gave up. In solving the Flash problem, we turned the glimpse of hope into the fuel for advancement,” officials wrote in a post mortem, as translated by journalist Tony Lin.
The Dalian Depot incident speaks to the reality that Flash is not really dead yet, and will persist untouched—and sometimes unbeknownst to anyone—in networks around the world. Mainland China is the only region of the world where Flash will still be officially available through a distributor that Adobe partnered with in 2018. But some users have complained about problems with the dedicated Chinese version of the program and have found workarounds to keep using the regular edition.
After decades of abuse by hackers, particularly those running “malvertising” ad schemes, Flash installations—whether forgotten or intentionally maintained—could expose networks for years to come. Versions of the software that haven’t been updated recently don’t have the kill switch inside, after all. And because Adobe isn’t supporting the software anymore, there won’t be security patches for any new Flash vulnerabilities that come to light.
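The practical follow-up to the point above is an inventory: a forgotten Flash install is only a risk you can manage if you know it is there. The script below is an added example, not code from WIRED or Adobe. It walks a filesystem for the filenames Flash Player actually shipped under (the ActiveX `.ocx`, the NPAPI `NPSWF*.dll`, the PPAPI `pepflashplayer*.dll`, and the Linux `.so` plugins) and reports each hit with its version. The sample directory tree it scans is constructed in a temp directory so the example runs offline; the list of patterns and the threshold version are assumptions you should extend for your own environment.

```python
"""Added example: inventory leftover Flash Player binaries on a host.
Not Adobe's or WIRED's code. Filename patterns are the ones Flash
shipped under; extend PATTERNS if your estate used other packaging."""
import re
import tempfile
from pathlib import Path

# Final Flash Player build Adobe released (December 2020). Anything older
# is missing at least the last security fixes; whether it also predates the
# kill switch is a question for Adobe's release notes, so the version is
# reported rather than judged here.
LAST_ADOBE_RELEASE = (32, 0, 0, 465)

# (kind, regex). Group 1, where present, is the version embedded in the name.
PATTERNS = [
    ("activex", re.compile(r"^Flash(?:32|64)_(\d+_\d+_\d+_\d+)\.ocx$", re.I)),
    ("npapi",   re.compile(r"^NPSWF(?:32|64)_(\d+_\d+_\d+_\d+)\.dll$", re.I)),
    ("ppapi",   re.compile(r"^pepflashplayer(?:32|64)?(?:_(\d+_\d+_\d+_\d+))?\.dll$", re.I)),
    ("npapi",   re.compile(r"^libflashplayer\.so$", re.I)),
    ("ppapi",   re.compile(r"^libpepflashplayer\.so$", re.I)),
]
# Chrome kept its bundled PPAPI plugin in a directory named after the version.
DIR_VERSION = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(text):
    """'32_0_0_465' or '32.0.0.465' -> (32, 0, 0, 465); None if unknown."""
    if not text:
        return None
    return tuple(int(part) for part in re.split(r"[._]", text))


def find_flash_binaries(root):
    """Return a list of {path, kind, version} for every Flash binary under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        for kind, pattern in PATTERNS:
            match = pattern.match(path.name)
            if not match:
                continue
            version_text = match.group(1) if match.groups() else None
            if version_text is None and DIR_VERSION.match(path.parent.name):
                version_text = path.parent.name
            findings.append({"path": str(path), "kind": kind,
                             "version": parse_version(version_text)})
    return sorted(findings, key=lambda f: f["path"])


def summarize(findings):
    """(total hits, hits older than the final Adobe build). Every hit is a
    finding; the second number is the subset that is certainly unpatched."""
    outdated = [f for f in findings
                if f["version"] and f["version"] < LAST_ADOBE_RELEASE]
    return len(findings), len(outdated)


# Constructed sample tree (assumed layout, not a real host). Only the names
# matter to the scanner, so the files hold a two-byte placeholder.
SAMPLE_FILES = [
    "Windows/System32/Macromed/Flash/Flash32_32_0_0_465.ocx",
    "Windows/SysWOW64/Macromed/Flash/NPSWF32_30_0_0_113.dll",
    "Users/alice/AppData/Local/Google/Chrome/User Data/PepperFlash/32.0.0.465/pepflashplayer.dll",
    "usr/lib/mozilla/plugins/libflashplayer.so",
    "Program Files/Vendor/flash_notes.txt",   # decoy: must not be reported
]


def build_sample_tree():
    root = Path(tempfile.mkdtemp(prefix="flash-audit-"))
    for rel in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    hits = find_flash_binaries(build_sample_tree())
    for hit in hits:
        print(f"{hit['kind']:8} {hit['version']}  {hit['path']}")
    print("total, outdated:", summarize(hits))
```

Point `find_flash_binaries` at `C:\` or `/` on a real host (as a user who can read the plugin directories) and treat every hit as a ticket, not just the outdated ones: a current build is still unsupported software with a browser-exposed attack surface.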
In the wake of the Capitol riots two weeks ago, a number of large tech companies pulled support for Parler, a Twitter-like social network that Donald Trump’s supporters have increasingly favored since its launch in 2018. Apple and Google removed the Parler app from their digital stores, and Amazon Web Services cut the platform’s hosting services. After more than a week offline, the site is now partially back up, in the form of a landing page that promises a full return. To get even this far, Parler has hired DDoS-Guard, a Russian digital infrastructure company, to defend it against the endless barrage of attacks that virtually all sites face online—particularly those as controversial as Parler.
DDoS-Guard told WIRED it is only providing defense against denial-of-service attacks, not hosting Parler’s site. But even that level of support requires access to all the traffic that flows through Parler, so that it can “scrub” out malicious traffic aimed at overwhelming the site. To filter at the application layer, a provider like this typically sits in front of the site as a reverse proxy, terminating users’ HTTPS connections itself and seeing requests in plaintext before forwarding them on. Given the Russian government’s active efforts to isolate the country’s internet and gain access to all data, Parler could expose its users to Russian surveillance if the site someday does relaunch in full with DDoS-Guard.
“Now seems like the right time to remind you all—both lovers and haters—why we started this platform,” Parler’s homepage currently proclaims. “We believe privacy is paramount and free speech essential … We will resolve any challenge before us and plan to welcome all of you back soon.”
In September of 2016, on a Hofstra University debate stage, journalist Lester Holt asked presidential candidates Hillary Clinton and Donald Trump how they’d improve American cybersecurity. When it came Trump’s turn to answer, he let loose a torrent of barely connected ideas about “the cyber.” The stream of consciousness started with how many admirals had endorsed him, reiterated his long-running theme that no one could prove Russia had hacked the Democratic National Committee, noted cryptically that “we came in with an internet, we came up with the internet,” touched on ISIS “beating us at our own game,” and finally ended with these words:
“I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly do-able. But I will say, we are not doing the job we should be doing.”
In that moment, it became clear to cybersecurity professionals around the world that, should this man obtain the most powerful office in America, the next several years of politics were going to be very painful to listen to.
Indeed, while Trump has gained a deserved reputation as the most dishonest president in American history on a multitude of topics, few have inspired as much disinformation from him as “the cyber.” And no other issue, perhaps, has provided the confluence of factors to produce facepalming Trumpisms at such a high rate: complexity, ignorance of technical issues, and blatant conflicts of interest.
As Trump’s term—and his Twitter feed—come to a close, these are the abysmal cybersecurity assertions and quotes that will resonate for years to come.
In the aftermath of destructive riots that trashed the United States Capitol on Wednesday, the nation is grappling with questions about the stability and trajectory of US democracy. But inside the Capitol building itself, congressional support staff is dealing with more immediate logistics like cleanup and repairs. A crucial part of that: the process of securing the offices and digital systems after hundreds of people had unprecedented access to them.
Physical access to a location can have serious cybersecurity ramifications. Rioters could have bugged congressional offices, exfiltrated data from unlocked computers, or installed malware on exposed devices. In the rush to evacuate the Capitol, some computers were left unlocked and remained accessible by the time rioters arrived. And at least some equipment was stolen; Oregon senator Jeff Merkley said in a video late Wednesday that intruders took one of his office’s laptops off a conference table.
The House of Representatives and Senate each have a Sergeant-at-Arms office that oversees security. On the Senate side this body also supervises cybersecurity, whereas in the House that responsibility lies with the Office of the Chief Administrative Officer. On Thursday, Speaker of the House Nancy Pelosi said that Sergeant-at-Arms Paul Irving would resign over Wednesday’s breach of the Capitol. Senate majority leader Chuck Schumer said he would remove that chamber’s Sergeant-at-Arms, Mike Stenger, if he does not resign.
Some people in the pro-Trump mob that descended upon the US Capitol on Wednesday wore MAGA hats. Others waved Confederate flags, or bedecked themselves in Army surplus gear. An especially memorable member of the insurrection went shirtless, but wore a large Viking hat covered in fur and horns. One accessory was near-ubiquitous: a raised smartphone. An astounding number of the attackers openly documented themselves and their peers, taking selfies in the rotunda, gleefully livestreaming their forced entry into the building, and smiling for cheeky photos on their way out, sometimes with trophies pilfered from Congressional offices.
Since Wikileaks began releasing massive troves of US military and State Department secrets more than 10 years ago, Julian Assange has maintained that the American government would eventually seek to put him in a US prison. In a surprise twist, he may escape that fate—not because his organization’s leaks are protected by free speech rights, but instead due to Assange’s mental health, and a court’s ruling that subjecting him to US incarceration could increase the risk of suicide.
In a London courtroom Monday morning, UK judge Vanessa Baraitser ruled that the US cannot extradite Assange to stand trial for criminal charges of hacking conspiracy and violations of the Espionage Act, which the US Department of Justice first leveled against Assange in 2019. Baraitser argued in her ruling that extradition would be unacceptably “oppressive” due to Assange’s mental state—including diagnoses of Asperger syndrome, autism, and suicidal thoughts—and the risk that Assange would in fact kill himself if those conditions were exacerbated by the state of isolation he’d likely face in the US justice system.
In her statement, Baraitser compared the “special administrative measures” that Espionage Act convicts often face in prisons like ADX Florence, the Colorado prison where Assange would likely be incarcerated in the US, to those in the UK’s Belmarsh prison where he’s been housed since his arrest. She detailed how he’d be allowed only two non-legal phone calls a month, denied contact with other inmates at the prison, and granted two hours of solo recreation time daily in a “cage,” as she described it.
For many of us, 2020 has been a very dangerous year. Alongside the usual headline grabbers like wars, violent crime, and terrorism, we also faced more insidious, creeping threats: a pandemic that has claimed more than 300,000 American lives, and the lives of 1.5 million people worldwide, thanks in part to waves of viral lies dismissing Covid-19’s deathly serious effects. Hackers who have spied on, attacked, and extorted countless companies and government institutions—including even hospitals—during a global health crisis. And a US president who has sought to fundamentally undermine both the response to the Covid-19 pandemic and democracy itself with nakedly self-serving, corrosive misinformation.
In a locked-down and socially distanced year that for many of us was spent more online than off, the presence of those dangers on the internet has never felt more real. Digital threats and information warfare were, in 2020, some of the most harmful forces in our society. Every year, WIRED assembles a list of the most dangerous people on the internet. In some respects, the actions of this year’s candidates resemble those of years past, from destructive hacking to sowing disinformation. But in a year where human society seemed more fragile than ever, the consequences of those actions have never been more grave.
What a way to kick off a new decade. 2020 showcased all of the digital risks and cybersecurity woes you’ve come to expect in the modern era, but this year was unique in the ways Covid-19 radically and tragically transformed life around the world. The pandemic also created unprecedented conditions in cyberspace, reshaping networks by pushing people to work from home en masse, creating a scramble to access vaccine research by any means, generating new fodder for criminals to launch extortion attempts and scams, and producing novel opportunities for nation-state espionage.
Here’s WIRED’s look back at this strange year and the breaches, data exposures, ransomware attacks, state-sponsored campaigns, and digital madness that shaped it. Stay safe out there in 2021.
Researchers from IBM Trusteer say they’ve uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days.
The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,100 devices.
The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices.
To bypass protections banks use to block such attacks, the crooks used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device IDs were likely obtained from the holders’ hacked devices, although in some cases, the fraudsters gave the appearance that they were customers who were accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages.
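The passage above explains why per-account device checks failed: the crooks presented the victim’s own device ID and usual GPS location, so each session looked right on its own. What a fleet of emulators cannot easily hide is the aggregate, namely many supposedly different phones authenticating through one network origin in minutes, and “new phone” enrollments that move money almost immediately. The script below is an added illustration of those two heuristics run over constructed log lines; it is not IBM Trusteer’s or any bank’s detection logic, and the field layout, thresholds and addresses are assumptions.

```python
"""Added example: two aggregate heuristics for an emulator farm in
mobile-banking logs. Not IBM Trusteer's or any bank's logic; the log
format, thresholds and IPs below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real bank data). Fields:
# timestamp event account device_id source_ip lat,lon
# The six 203.0.113.7 logins model one emulator cycling through stolen
# device IDs, each paired with the GPS the real customer normally uses.
SAMPLE_LOG = """\
2020-12-01T09:00:00 login acct-1001 dev-a1f3 203.0.113.7 40.71,-74.01
2020-12-01T09:00:20 login acct-1002 dev-b7c2 203.0.113.7 34.05,-118.24
2020-12-01T09:00:45 login acct-1003 dev-c9e8 203.0.113.7 41.88,-87.63
2020-12-01T09:01:10 login acct-1004 dev-d4a0 203.0.113.7 29.76,-95.37
2020-12-01T09:01:30 login acct-1005 dev-e55b 203.0.113.7 33.45,-112.07
2020-12-01T09:02:05 login acct-1006 dev-f612 203.0.113.7 39.95,-75.17
2020-12-01T09:03:00 transfer acct-1001 dev-a1f3 203.0.113.7 40.71,-74.01
2020-12-01T09:10:00 device_enrolled acct-2001 dev-9c3d 198.51.100.20 47.61,-122.33
2020-12-01T09:13:30 transfer acct-2001 dev-9c3d 198.51.100.20 47.61,-122.33
2020-12-01T10:00:00 login acct-3001 dev-7711 198.51.100.44 42.36,-71.06
2020-12-03T10:05:00 device_enrolled acct-3001 dev-8822 198.51.100.44 42.36,-71.06
2020-12-05T10:06:00 transfer acct-3001 dev-8822 198.51.100.44 42.36,-71.06
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, device, src_ip, gps = line.split()
        lat, lon = (float(x) for x in gps.split(","))
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "device": device,
                       "src_ip": src_ip, "lat": lat, "lon": lon})
    return sorted(events, key=lambda e: e["ts"])


def flag_source_fanout(events, window=timedelta(minutes=10), max_devices=5):
    """Source IPs from which more than max_devices distinct device IDs log in
    inside any sliding window. Device ID and GPS look right per account;
    the fan-out per source is what a spoofing emulator cannot disguise."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_src[e["src_ip"]].append(e)
    flagged = {}
    for src, logins in by_src.items():   # logins are already time-ordered
        start = 0
        for end in range(len(logins)):
            while logins[end]["ts"] - logins[start]["ts"] > window:
                start += 1
            devices = {x["device"] for x in logins[start:end + 1]}
            if len(devices) > max_devices:
                flagged[src] = devices
    return flagged


def flag_fast_transfer_after_enrollment(events, max_gap=timedelta(minutes=15)):
    """Accounts where a freshly enrolled device moves money within max_gap.
    Posing as a customer on a 'new phone' means enrolling, passing the SMS
    factor and cashing out in one sitting; the timing is the tell."""
    enrolled = {}   # (account, device) -> enrollment time
    flagged = {}
    for e in events:
        key = (e["account"], e["device"])
        if e["event"] == "device_enrolled":
            enrolled[key] = e["ts"]
        elif e["event"] == "transfer" and key in enrolled:
            gap = e["ts"] - enrolled[key]
            if gap <= max_gap:
                flagged[e["account"]] = gap
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fan-out per source:", flag_source_fanout(evs))
    print("fast cash-out after enrollment:", flag_fast_transfer_after_enrollment(evs))
```

Neither rule keys on the device ID or GPS, because the article says those were spoofed to match the victim; both key on what the attacker has to share across victims (a network origin) or has to do quickly (enroll, pass SMS, transfer). Tune the thresholds against your own baseline, since carrier-grade NAT will legitimately put many devices behind one address, and treat a hit as a reason to step up authentication rather than as proof of fraud.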
Normally we use this space to round up the biggest stories from all reaches of the cybersecurity world. This week, we’re making an exception, because there’s really only one story: how Russia pulled off the biggest espionage hack on record.
Russia’s hack of IT management company SolarWinds began as far back as March, and it only came to light when the perpetrators used that access to break into the cybersecurity firm FireEye, which first disclosed a breach on December 9. Since then, a cascading number of victims have been identified, including the US Departments of State, Homeland Security, Commerce, and the Treasury, as well as the National Institutes of Health. The nature of the attack—and the tremendous care taken by the hackers—means it could be months or longer before the extent of the damage is known. The impact is already devastating, though, and it underscores just how ill-prepared the US was to defend against a known threat—and to respond. It’s also ongoing.
And there’s so much more. Below we’ve rounded up the most important SolarWinds stories so far from around the internet. Click on the headlines to read them, and stay safe out there.