A Cut Cable Knocked Out Virginia’s Voter Registration Site

This week the New York Post published a story centered on information stolen from a laptop that purportedly belonged to Hunter Biden, and that has a high likelihood of being part a disinformation operation. Not great! But the way the rest of the media handled the situation was a marked improvement over 2016, when leaks of John Podesta’s hacked emails kicked off a frenzy that played right into Russia’s hands. Here’s to modest progress.

Take it where you can get it. The rest of the security outlook was a little more discouraging. United States Cyber Command mounted an offensive against Trickbot, one of the most dangerous botnets in the world. It didn’t accomplish much, but did set a new precedent of US hackers taking on criminals rather than their military counterparts. That’s all part of the long-term strategy of general Paul Nakasone, leader of both Cybercom and the National Security Agency, whom we profiled at length for the most recent issue of the magazine.

We also took a look at how internet freedom has suffered during Covid-19, as dozens of countries have used the pandemic as an excuse to increase surveillance and tamp down on digital rights. Speaking of surveillance, Amazon’s latest high-profile product announcements have been pushing the boundaries of data collection in discomfiting ways. (Yes, that includes the drone that flies around your house.)

Researchers have figured out how to make a Tesla Model X hit the brakes by flashing just a few frames of a stop sign image for less than half a second. It’s maybe not the most practical attack, but on the other hand it could do a fair bit of damage on the highway if timed just right. And DDoS extortion is on the rise, including some criminals who have been posing as nation state hackers like Fancy Bear and Lazarus Group to increase the intimidation factor.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

The registration deadline for the state of Virginia was Tuesday, which is why it’s especially unfortunate that an accidentally cut cable knocked Virginia’s voter portal offline for several hours Tuesday morning. Utility workers hit a Verizon fiber line, which was enough to take out the entire system until deep into the afternoon. A judge extended the registration deadline by 48 hours to make up for it, so everyone should still have been able to get their name in. But the incident is an important reminder that for all the concern over hackers disrupting the 2020 election, creaky infrastructure—whether it’s a cut cable or a confusing interface on a decades-old voting machine—poses a more realistic threat to Election Day.

Look, data breaches happen. After the Equifax hack, there’s a good chance that a big chunk of your personal information has already been compromised. The more important question to ask when a major company like Barnes and Noble gets hacked—which it did, according to an email sent to customers this week—is how much the hackers actually got away with. In this case, it seems at least for now like the damage isn’t terrible. The company said purchase histories, email addresses, and shipping information were potentially exposed, which isn’t ideal. But passwords and financial information appear not to have been impacted, according to Barnes and Noble. Sometimes breaches turn out to be worse than first reported—looking at you again, Equifax—but at least for now, it seems like the fallout is about as minimal as you could hope.

The months-long Zoom encryption saga is nearing a resolution. After misrepresenting the level of security its video chat services offered—and then waffling on whom it would make end-to-end encryption available to—Zoom next week will roll out the feature to both free and paid users for a 30-day technical preview. Zoom chats with end-to-end encryption can accommodate up to 200 users, an impressive feat especially given the time frame. You have to opt in to use the feature, and will give up features like live transcription and cloud recording. But if your privacy needs are that pronounced, odds are you wouldn’t want those enabled in the first place.

Ransomware gangs have increasingly taken to posting companies’ data online if they don’t pay up. The latest apparent victims include gaming companies Ubisoft and Crytek, which a gang called Egregor says it has successfully compromised and published apparent files from on a dark web site. None of this is unique, but it’s worth keeping an eye on—especially since the group has threatened to leak the much higher-stakes source code for Ubisoft’s upcoming Watch Dogs: Legion and the company’s game engine.

Twitter’s ‘Hacked Materials’ Rule Tries to Thread an Impossible Needle

Twitter for years functioned as an unrestricted mouthpiece for hackers of all stripes, from freewheeling hacktivists like Anonymous to the Kremlin-created cutouts like Guccifer 2.0. But as the company tries to crack down on hackers’ use of its platform to distribute their stolen information, it’s finding that that’s not a simple decision. And now, less than three weeks before Election Day, Twitter has put itself in an impossible position: flip-flopping on its policy while trying to navigate between those who condemn it for enabling data thieves and foreign spies, and those who condemn it for heavy-handed censorship.

On Thursday evening, Twitter’s head of trust and safety, Vijaya Gadde, posted a thread of tweets explaining a new policy on hacked materials, in response to the firestorm of criticism it received—largely from the political right and President Donald Trump—for its decision to block the sharing of a New York Post story based on alleged private data and communications of presidential candidate Joe Biden’s son, Hunter Biden. Gadde wrote that the company was taking a step back on its “Hacked Materials Policy.” The company will now no longer remove tweets that contain or link to hacked content “unless it is directly shared by hackers or those acting in concert with them,” Gadde wrote. Instead, the company will “label Tweets to provide context.”

Despite that new rule, links to the Post article initially remained blocked, because it also violated Twitter’s policy on sharing private personal information, another spokesperson for Twitter posted last night. But Twitter ultimately backed down from that stance too, allowing the story to circulate as it broadly rethought its treatment of posts about hacked information. “Why the changes?” Gadde wrote. “We want to address the concerns that there could be many unintended consequences to journalists, whistleblowers, and others in ways that are contrary to Twitter’s purpose of serving the public conversation.”

Rather than solve Twitter’s hacked data dilemma, though, Twitter’s backpedaling on its policy has only highlighted just how stuck it is between impossible options, says Clint Watts, a disinformation-focused senior fellow at the Center for Cyber and Homeland Security at George Washington University and author of the book Messing With the Enemy. And it may also leave Twitter open to exploitation by a well-crafted hack-and-leak operation, just as Russian hackers carried out in 2016.

“It’s a super difficult problem to thread,” Watts says. “If they didn’t take that down, and it turns out to be a foreign op, and it changes the course of the election, they’re going to be right back testifying in front of Congress, hammered with regulation and fines.” After all, Twitter faced widespread criticism for allowing itself to be exploited ahead of the 2016 election by Kremlin hackers who distributed information stolen from the Democratic National Committee and the Clinton campaign, as well as by disinformation trolls working for the Kremlin-backed Internet Research Agency.

In response to those incidents, Twitter implemented its rule against the “distribution of hacked materials” in 2018, which banned posting hacked content directly or linking to other sites that hosted it. Critics of the policy, however, argued that it also risked blocking legitimate news stories in the public interest if they are based on information released without authorization.

“There’s incredible journalism that starts with hacked materials,” says Lorax B. Horne, editor in chief of the whistle-blowing “leaks” group known as Distributed Denial of Secrets, or DDoSecrets. DDoSecrets published a massive collection of internal memos, financial records, and other data stolen from 200-plus police organizations in June, and told WIRED that the information had been given to them by a transparency-focused hacker affiliated with Anonymous. Journalists dug through the material and found revealing stories about police misperceptions of antifa and Homeland Security surveillance practices, including those focused on Black Lives Matter protestors.

A Trickbot Assault Shows US Military Hackers’ Growing Reach

For more than two years, General Paul Nakasone has promised that, under his leadership, United States Cyber Command would “defend forward,” finding adversaries and preemptively disrupting their operations. Now that offensive strategy has taken an unexpected form: an operation designed to disable or take down Trickbot, the world’s largest botnet, believed to be controlled by Russian cybercriminals. In doing so, Cyber Command set a new, very public, and potentially messy precedent for how US hackers will strike out against foreign actors—even those working as non-state criminals.

Over the past weeks, Cyber Command has carried out a campaign to disrupt the Trickbot gang’s million-plus collection of computers hijacked with malware. It hacked the botnet’s command-and-control servers to cut off infected machines from Trickbot’s owners, and even injected junk data into the collection of passwords and financial details that the hackers had stolen from victim machines, in an attempt to render the information useless. The operations were first reported by The Washington Post and Krebs on Security. By most measures, those tactics—as well as a subsequent effort to disrupt Trickbot by private companies including Microsoft, ESET, Symantec, and Lumen Technologies—have had little effect on Trickbot’s long-term operations. Security researchers say the botnet, which hackers have used to plant ransomware in countless victim networks, including hospitals and medical research facilities, has already recovered.

But despite its limited results, Cyber Command’s Trickbot targeting shows the growing reach of US military hackers, say cyberpolicy observers and former officials. And it represents more than one “first,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. Not only is this the first publicly confirmed case of Cyber Command attacking non-state cybercriminals—albeit ones whose resources have grown to the level that they represent a national security risk—it’s actually the first confirmed case in which Cyber Command has attacked another country’s hackers to disable them, period.

“It’s certainly precedent-setting,” says Healey. “It’s the first public, obvious operation to stop someone’s cyber capability before it could be used against us to cause even greater harm.”

Security researchers have observed strange happenings in Trickbot’s massive collection of hacked computers for weeks, actions that were only recently revealed as the work of US Cyber Command. The botnet went largely offline on September 22 when, rather than connect back to command-and-control servers to receive new instructions, computers with Trickbot infections received new configuration files that told them to receive commands instead from an incorrect IP address that cut them off from the botmasters, according to security firm Intel 471. When the hackers recovered from that initial disruption, the same trick was used again just over a week later. Not long after, a group of private tech and security firms led by Microsoft attempted to cut off all connections to Trickbot’s US-based command-and-control servers, using court orders to ask Internet service providers to cease routing traffic to them.

But none of those actions have prevented Trickbot from adding new command-and-control servers, rebuilding its infrastructure within days or even hours of the takedown attempts. Researchers at Intel 471 used their own emulations of the Trickbot malware to track commands sent between the command-and-control servers and infected computers, and found that, after each attempt, traffic quickly returned.

“The short answer is, they’re completely back up and running,” says one researcher working in a group focused on the tech-industry takedown efforts, who asked not to be identified. “We knew this wasn’t going to solve the long-term problem. This was more about seeing what could be done via paths x-y-z and seeing the response.”

Even so, Cyber Command’s involvement in those operations represents a new kind of targeting for Fort Meade’s military hackers. In past operations, Cyber Command has knocked out ISIS communications platforms, wiped servers used by the Kremlin-linked disinformation-focused Internet Research Agency, and disrupted systems used by Iran’s Revolutionary Guard to track and target ships. (WIRED reported this week that under Nakasone, Cyber Command has carried out at least two other hacking campaigns since the fall of 2019 that have yet to be publicly revealed.) But in contrast to those asymmetric efforts to disable enemy communication and surveillance systems, Cyber Command’s Trickbot attack represents its first known “force-on-force” operation, notes Jason Healey—a cyberattack meant to disable the means for an enemy cyberattack.

Researchers Found 55 Flaws in Apple’s Corporate Network

For months, Apple’s corporate network was at risk of hacks that could have stolen sensitive data from potentially millions of its customers and executed malicious code on their phones and computers, a security researcher said on Thursday.

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED’s parent company, Condé Nast.

Sam Curry, a 20-year-old researcher who specializes in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of core Apple infrastructure and from there steal private emails, iCloud data, and other private information.

The 11 critical bugs were:

  • Remote Code Execution via Authorization and Authentication Bypass
  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  • Command Injection via Unsanitized Filename Argument
  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  • Vertica SQL Injection via Unsanitized Input Parameter
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  • Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  • Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys

Apple promptly fixed the vulnerabilities after Curry reported them over a three-month span, often within hours of his initial advisory. The company has so far processed about half of the vulnerabilities and committed to paying $288,500 for them. Once Apple processes the remainder, Curry said, the total payout might surpass $500,000.

“If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss,” Curry said in an online chat a few hours after posting a 9,200-word writeup titled We Hacked Apple for 3 Months: Here’s What We Found. “For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.”

Curry said the hacking project was a joint venture that also included fellow researchers: Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes.

Among the most serious risks were those posed by a stored cross-site scripting vulnerability (typically abbreviated as XSS) in the JavaScript parser that’s used by the servers at www.iCloud.com. Because iCloud provides service to Apple Mail, the flaw could be exploited by sending someone with an iCloud.com or Mac.com address an email that included malicious characters.

The target need only open the email to be hacked. Once that happened, a script hidden inside the malicious email allowed the hacker to carry out any actions the target could when accessing iCloud in the browser. A proof-of-concept video showed the exploit sending all of the target’s photos and contacts to the attacker.

Curry said the stored XSS vulnerability was wormable, meaning it could spread from user to user when they did nothing more than open the malicious email. Such a worm would have worked by including a script that sent a similarly crafted email to every iCloud.com or Mac.com address in the victims’ contact list.

A separate vulnerability, in a site reserved for Apple Distinguished Educators, was the result of it assigning a default password—“###INvALID#%!3” (not including the quotation marks)—when someone submitted an application that included a username, first and last name, email address, and employer.

The Law Comes for John McAfee

In a week that Covid-19 continued its invasion of the White House, the biggest security questions continue to center on Donald Trump himself. With just a few weeks remaining until the election, the president continues to question the integrity of the process, which in turn threatens to undermine faith in the democratic process. But don’t worry, we also have stories about hacking and such!

Apple’s T2 chip exists to add an extra layer of security to the company’s Mac line. Which is why it’s especially unfortunate that it has an unfixable flaw that leaves it vulnerable to hackers. There are serious limitations on what attackers could actually do and how they could do it, but still, not ideal! Also not ideal: A Chinese-speaking hacker group has been caught repurposing an especially sneaky tool that was first disclosed years ago as part of a leak of the Italy-based Hacking Team spyware company. That’s a lot of information to process for one sentence, but suffice it to say you don’t want UEFI exploits landing in criminal hands, which appears to have happened here.

In better news, we took a look at how Google keeps its “Smart Replies” feature safe now that it’s been added to Android’s ubiquitous Gboard keyboard. And while Android ransomware has picked up some alarming new tricks, it’s still not a major threat—unless you’re downloading outside of the official Play Store for some reason. (Don’t do that.)

The central figure in an alleged poker cheating scandal that WIRED wrote about in the October issue has filed a defamation lawsuit against a dozen named defendants. Poker pro Mike Postle is seeking $330 million in damages.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

John McAfee is no stranger to exotic forms of trouble. This week, the authorities finally caught up with the antivirus pioneer, arresting him in Spain in connection with tax-evasion charges. His extradition remains pending. The Securities and Exchange Commission has also sued McAfee, alleging that he promoted initial coin offerings on Twitter without disclosing that he’d been paid $23 million to do so. And yes, the SEC complaint does reference McAfee’s infamous 2017 pledge that he would “eat [his] own dick on national television” if the price of bitcoin didn’t hit $500,000 in three years. (He later revised the target to a million dollars.)

Not everything needs to connect to the internet, particularly not chastity-promoting devices like the Qiui Cellmate. Researchers this week went public with a bug that could have allowed a hacker to permanently lock the devices from anywhere in the world. The company eventually released a new API that solved the problem for new users, but taking the old API offline would lock any current users in the device forever, barring some delicate bolt-cutter work. Which means longtime Cellmate owners are still in a bit of a pickle.

For all the focus that Russia’s hacking and disinformation efforts get in the US, it’s important to remember that other countries have stepped up their game as well. Iran stands out among them, particularly after a recent takedown of disinformation-spreading domains included four sites that officials say targeted the US. The sites posed as domestic news outlets and focused on sharing pro-Iran stories. The rest of the sites followed a similar rubric, focusing instead on Western Europe, the Middle East, and Southeast Asia.

Many, many security researchers warned that the so-called ZeroLogon vulnerability was very extremely not good, and that you should patch as soon as possible so that hackers don’t wreak havoc on your systems. If you didn’t heed that warning, well, good luck out there! Microsoft has already spotted an Iranian hacker group exploiting ZeroLogon in active campaigns.

Sam’s Club, the Walmart-owned spin on Costco, has begun requiring its customers to reset their passwords, after the company detected a credential-stuffing attack in September. This doesn’t mean that Sam’s Club itself was breached, but rather that attackers were looking for opportunities to take advantage of anyone reusing a password that had been exposed at some point from some other company’s breach. If you’re a Sam’s Club member, reset that password. If you’re a human on the internet, start using a password manager ASAP.
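The pattern described above (one source trying many different accounts with passwords from other breaches) is what a defender looks for in authentication logs. The following is an added example written for this roundup, not Sam’s Club’s or WIRED’s code; the log format and the IP addresses are constructed for illustration, and the thresholds are assumptions to be tuned per site.

```python
"""Credential-stuffing triage over authentication logs.

Heuristic: a single source address attempting many *distinct* usernames
inside a short window, with mostly failures, looks like stuffing; a single
user fumbling their own password does not. Any success inside a flagged
window is an account whose password is probably reused and should be reset.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source-ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2020-09-14T10:00:01Z 198.51.100.7 alice FAIL
2020-09-14T10:00:02Z 198.51.100.7 bob FAIL
2020-09-14T10:00:02Z 198.51.100.7 carol FAIL
2020-09-14T10:00:03Z 198.51.100.7 dave OK
2020-09-14T10:00:04Z 198.51.100.7 erin FAIL
2020-09-14T10:00:05Z 198.51.100.7 frank FAIL
2020-09-14T10:00:09Z 203.0.113.5 alice FAIL
2020-09-14T10:00:15Z 203.0.113.5 alice FAIL
2020-09-14T10:00:30Z 203.0.113.5 alice OK
"""


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass
class Finding:
    src: str
    distinct_users: int = 0
    attempts: int = 0
    successes: int = 0
    accounts_to_reset: set[str] = field(default_factory=set)


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        attempts.append(Attempt(when, src, user, outcome == "OK"))
    return attempts


def detect_stuffing(attempts: list[Attempt],
                    window: timedelta = timedelta(minutes=5),
                    min_users: int = 5,
                    max_success_ratio: float = 0.3) -> dict[str, Finding]:
    """Slide a time window over each source's attempts and flag stuffing-like bursts."""
    by_src: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    findings: dict[str, Finding] = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda a: a.ts)
        win: deque[Attempt] = deque()
        for a in rows:
            win.append(a)
            while a.ts - win[0].ts > window:          # drop attempts older than the window
                win.popleft()
            users = {w.user for w in win}
            successes = sum(w.ok for w in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                f = findings.setdefault(src, Finding(src))
                f.distinct_users = max(f.distinct_users, len(users))
                f.attempts = max(f.attempts, len(win))
                f.successes = max(f.successes, successes)
                f.accounts_to_reset |= {w.user for w in win if w.ok}
    return findings


if __name__ == "__main__":
    for src, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f.distinct_users} users in {f.attempts} attempts, "
              f"reset {sorted(f.accounts_to_reset)}")
```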

Android Ransomware Has Picked Up Some Foreboding New Tricks

Though ransomware has been around for years, it poses an ever-increasing threat to hospitals, municipal governments, and basically any institution that can’t tolerate downtime. But along with the various types of PC malware that are typically used in these attacks, there’s another burgeoning platform for ransomware as well: Android phones. And new research from Microsoft shows that criminal hackers are investing time and resources in refining their mobile ransomware tools—a sign that their attacks are generating payouts.

Released on Thursday, the findings, which were detected using Microsoft Defender on mobile, look at a variant of a known Android ransomware family that has added some clever tricks. That includes a new ransom note delivery mechanism, improved techniques to avoid detection, and even a machine learning component that could be used to fine-tune the attack for different victims’ devices. While mobile ransomware has been around since at least 2014 and still isn’t a ubiquitous threat, it could be poised to take a bigger leap.

“It’s important for all users out there to be aware that ransomware is everywhere, and it’s not just for your laptops but for any device that you use and connect to the internet,” says Tanmay Ganacharya, who leads the Microsoft Defender research team. “The effort that attackers put in to compromise a user’s device—their intent is to profit from it. They go wherever they believe they can make the most money.”

Mobile ransomware can encrypt files on a device the way PC ransomware does, but it often uses a different method. Many attacks simply involve plastering your entire screen with a ransom note that blocks you from doing anything else on your phone, even after you restart it. Attackers have typically abused an Android permission called “SYSTEM_ALERT_WINDOW” to create an overlay window that you couldn’t dismiss or circumvent. Security scanners started to detect and flag apps that could produce this behavior, though, and Google added protections against it last year in Android 10. As an alternative to the old approach, Android ransomware can still abuse accessibility features or use mapping techniques to draw and redraw overlay windows.

The ransomware Microsoft observed, which it calls AndroidOS/MalLocker.B, has a different strategy. It invokes and manipulates notifications intended for use when you’re receiving a phone call. But the scheme overrides the typical flow of a call eventually going to voicemail or simply ending—since there is no actual call—and instead distorts the notifications into a ransom note overlay that you can’t avoid and that the system prioritizes in perpetuity.

The researchers also discovered a machine learning module in the malware samples they analyzed that could be used to automatically size and zoom a ransom note based on the size of a victim’s device display. Given the diversity of Android handsets in use around the world, such a feature would be useful to attackers for ensuring that the ransom note displayed cleanly and legibly. Microsoft found, though, that this ML component wasn’t actually activated within the ransomware and may still be in testing for future use.

In an attempt to evade detection by Google’s own security systems or other mobile scanners, the Microsoft researchers found that the ransomware was designed to mask its functions and purpose. Every Android app must include a “manifest file” that contains names and details of its software components, like a ship’s manifest that lists all passengers, crew, and cargo. But aberrations in a manifest file are often an indicator of malware, and the ransomware developers managed to leave out code for numerous parts of theirs. Instead, they encrypted that code to make it even harder to assess and hid it in a different folder, so the ransomware could still run but wouldn’t immediately reveal its malicious intent. The hackers also used other techniques, including what Microsoft calls “name mangling,” to mislabel and conceal the malware’s components.
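The manifest is where a scanner gets its first look at an app, and the two abuses named in this article (the SYSTEM_ALERT_WINDOW overlay permission and accessibility services) both leave traces there. The triage script below is an added example, not Microsoft’s detection logic or MalLocker’s code; the manifest and the list of classes “found in the package” are constructed, and the missing-component heuristic (a declared component whose class is not in the package, suggesting code supplied at runtime) is an assumption about how such aberrations surface, not a description of MalLocker.

```python
"""Static triage of an AndroidManifest.xml for ransomware-style indicators.

Checks (all heuristic, all constructed for this example):
  1. overlay permission SYSTEM_ALERT_WINDOW requested;
  2. a service bound as an accessibility service;
  3. components declared in the manifest whose class is absent from the
     package's class list, hinting at code that is decrypted/loaded later.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest; the package name and class names are invented.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="{OVERLAY_PERMISSION}"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
    <service android:name=".LockService" android:permission="{ACCESSIBILITY_BIND}">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

# Constructed stand-in for the classes recovered from classes.dex.
SAMPLE_DEX_CLASSES = {
    "com.example.constructed.MainActivity",
    "com.example.constructed.LockService",
}


def _android_attr(el: ET.Element, name: str) -> str | None:
    return el.get(f"{{{ANDROID_NS}}}{name}")


def _resolve_class(pkg: str, name: str) -> str:
    """Expand the manifest's shorthand (".Foo" or "Foo") into a full class name."""
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return f"{pkg}.{name}"
    return name


def triage_manifest(manifest_xml: str, dex_classes: set[str]) -> dict:
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    report = {"package": pkg, "overlay_permission": False,
              "accessibility_services": [], "undeclared_code": []}

    for perm in root.iter("uses-permission"):
        if _android_attr(perm, "name") == OVERLAY_PERMISSION:
            report["overlay_permission"] = True

    app = root.find("application")
    for el in (app.iter() if app is not None else []):
        if el.tag not in COMPONENT_TAGS:
            continue
        cls = _resolve_class(pkg, _android_attr(el, "name") or "")
        if el.tag == "service" and _android_attr(el, "permission") == ACCESSIBILITY_BIND:
            report["accessibility_services"].append(cls)
        if cls not in dex_classes:
            report["undeclared_code"].append(cls)

    report["suspicious"] = bool(report["overlay_permission"]
                                or report["accessibility_services"]
                                or report["undeclared_code"])
    return report


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES))
```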

How Google’s Android Keyboard Keeps ‘Smart Replies’ Private

Google has infused its so-called Smart Reply feature, which uses machine learning to suggest words and sentences you may want to type next, into various email products for the last several years. But with Android 11, those contextual nudges—including emojis and stickers—are built directly into Gboard, Google’s popular keyboard app. They can follow you everywhere you type. The real trick? Figuring out how to keep the AI that powers all of this from becoming a privacy nightmare.

First, some basics. Google has been adamant for years that Gboard doesn’t retain or send any data about your keystrokes. The only time the company knows what you’re typing on Gboard is when you use the app to submit a Google search or input other data to the company’s services that it would see from any keyboard. But offering reply recommendations has broader potential privacy implications, since the feature relies on real-time analysis of everything that’s going on in your mobile life to make useful suggestions.

“Within Gboard we want to be smart, we want to give you the right emoji prediction and the right text prediction,” says Xu Liu, Gboard’s director of engineering. “But we don’t want to log anything you type and there’s no text or content going to any server at all. So that’s a big challenge, but privacy is our number one engineering focus.”

To achieve that privacy, Google is running all of the necessary algorithms locally on your device. It doesn’t see your data, or send it anywhere. And there’s another thing: Google isn’t trusting the Gboard app itself to do any of that processing.

“It’s great to see advanced machine learning research work its way into practical use for strictly on-device applications,” says Kenn White, a security engineer and founder of the Open Crypto Audit Project.

Even with the precaution of keeping all the AI magic on the device, giving a keyboard app access to the content that feeds those calculations would be high risk. Malicious apps, for example, could try to attack the keyboard app to access data they shouldn’t be able to see. So the Gboard team had an idea: Why not box Gboard out of the equation entirely and have the Android operating system itself run the machine learning analyses to determine response recommendations? Android already runs all of your apps and services, meaning you’ve already entrusted it with your data. And any malware that’s sophisticated enough to take control of your smartphone’s operating system can ransack the whole thing anyway. Even in a worst-case scenario, the reasoning goes, letting Android oversee predictive replies doesn’t create an additional avenue for attack.

So when Gboard pops up three suggestions of what to type next in Android 11, you’re actually not looking at the Gboard app when you scan those options. Instead, you’re experiencing a sort of composite of Gboard and the Android platform itself.

“It’s a seamless experience, but we have two layers,” Google’s Liu says. “One is the keyboard layer and the other is the operating system layer, but it’s transparent.”

Gboard is the default keyboard on stock Android, but it’s also available on iOS. These new features aren’t available for iPhone and iPad owners, but because Android is open source, Google can offer the same predictive feature it’s using in Gboard for any other third-party keyboard to incorporate into its app. This way, alternative keyboards don’t have to do anything sneaky or try to work around Android’s permission limits for apps to offer predictive replies. And the whole system is powered by Google’s “federated learning” techniques, a way of building machine learning models off of data sets that come from all different sources and are never combined—like using data from everyone’s phones to refine prediction algorithms without ever moving the data off their devices.
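The federated learning idea in that last sentence is concrete enough to show in code: every “phone” fits a tiny model on data it keeps, and the server only ever receives parameters and a sample count, which it averages. This is an added example, not Google’s Gboard or federated-learning implementation; the clients, their data points (all lying on y = 2x + 1) and the learning rate are constructed, and plain gradient descent on a linear model stands in for the keyboard’s prediction network.

```python
"""Federated averaging on a one-feature linear model, data never leaves clients.

Each Client holds its own (x, y) samples. local_update() runs a few gradient
steps and returns only (w, b, n). federated_average() weights those by n.
Nothing in the server path ever touches a client's xs or ys.
"""
from dataclasses import dataclass


@dataclass
class Client:
    xs: list
    ys: list

    def local_update(self, w: float, b: float, lr: float = 0.1, steps: int = 5):
        """Fit y ~ w*x + b on local data, starting from the global (w, b)."""
        n = len(self.xs)
        for _ in range(steps):
            gw = gb = 0.0
            for x, y in zip(self.xs, self.ys):
                err = w * x + b - y
                gw += 2.0 * err * x / n   # d(mean squared error)/dw
                gb += 2.0 * err / n       # d(mean squared error)/db
            w -= lr * gw
            b -= lr * gb
        return w, b, n                    # parameters and weight only, no samples


def federated_average(updates):
    """Server step: sample-count-weighted mean of the clients' parameters."""
    total = sum(n for _, _, n in updates)
    w = sum(wi * n for wi, _, n in updates) / total
    b = sum(bi * n for _, bi, n in updates) / total
    return w, b


def train(clients, rounds: int = 40):
    w, b = 0.0, 0.0
    for _ in range(rounds):
        updates = [c.local_update(w, b) for c in clients]   # happens "on device"
        w, b = federated_average(updates)                   # server sees only updates
    return w, b


# Constructed: three phones with different slices of the same relationship y = 2x + 1.
CLIENTS = [
    Client([-2.0, -1.0, 0.0], [-3.0, -1.0, 1.0]),
    Client([0.0, 1.0, 2.0], [1.0, 3.0, 5.0]),
    Client([-1.0, 2.0], [-1.0, 5.0]),
]

if __name__ == "__main__":
    w, b = train(CLIENTS)
    print(f"global model: y = {w:.3f}x + {b:.3f}")
```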

Paying Evil Corp Ransomware Might Land You a Big Federal Fine

Where to start! The biggest news of the week by far is that Donald Trump has tested positive for Covid-19, which is a security story in the sense that it’s an everything story. As of Friday evening, Trump had been transported to Walter Reed Medical Center for treatment. While the situation has countless ripple effects, the deployment of the US Navy’s so-called doomsday planes was not, contrary to at least one viral tweet, one of them. That happens all the time.

Believe it or not, the first presidential debate of the season was just a few days ago. Trump closed out the proceedings with an extended run of voting misinformation, managing an impressive 11 lies in a span of eight minutes. His performance also underscored the limits of focusing on how platforms moderate content, given that Trump will say pretty much whatever on a national stage. And speaking of, well, all of that, we also reviewed Where Law Ends, a new book by former Mueller probe prosecutor Andrew Weissmann about where the investigation went wrong.

In other government news, Russia’s Fancy Bear hackers appear to have been behind a hack of a US federal agency that the government recently announced. It’s not clear which agency, though, or what data they grabbed. We also took a look at a quirk in Georgia law that could push the Senate election results into 2021, and a closer look at the election threats that US intelligence officials are actually worried about.

Hackers managed to break into Facebook accounts and steal $4 million that they spent on ads. Researchers figured out how to put ransomware on a coffee maker. And a ransomware attack hobbled a major US hospital chain.

Finally, we ticked through all of the new privacy and security settings in Android 11 that are worth checking out right now.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

The US Treasury Department has sanctioned multiple alleged ransomware hackers in recent years, most notably the Russian sports car fanatics behind the aptly named Evil Corp. This week, it made clear to US companies that paying millions of dollars of ransoms to those groups, which also include various North Korean and Iranian actors, will invite hefty fines from the federal government. That puts companies like Garmin, an Evil Corp victim this summer, in a bit of a bind. If they don’t pay up, they may not be able to recover their systems, or the hackers might leak their sensitive customer data. If they do, even through a third-party mediator, they could find themselves in deep trouble stateside.

Account takeover bugs are never ideal, but they’re especially troubling when they’re found in a dating app like Grindr. Adding to the concern is that it was a relatively trivial bug to exploit; Grindr’s password reset page leaked password reset tokens, which would ultimately have made it pretty simple for an attacker to break into any account they knew the associated email address for. Grindr has since patched the bug.

Joker malware is a family of tainted apps that sign you up for pricey subscriptions and can snoop on your texts and contact lists. It’s not a new threat; it’s been around for at least four years. Which is why it’s maybe all the more surprising that it still haunts Android to this day, sneaking into apps that have been downloaded from the Google Play Store hundreds of thousands of times in the last few months alone. One reason they’re able to get past Android’s defenses: The malicious code is only added hours or days after you download the app, so it can go through Google’s initial scans clean.

OK, well, it’s no Threat Level Midnight. But the FBI has made a short film of its very own, for some reason. The Nevernight Connection is a fictionalized account of former CIA officer Kevin Mallory, who in 2019 was sentenced to 20 years in prison for spying on behalf of the Chinese government. It offers a valuable lesson in the consequences of both espionage and modest production values.



When Coffee Machines Demand Ransom, You Know IoT Is Screwed

With the name Smarter, you might expect a maker of network-connected kitchen appliances to be, well, smarter than companies selling conventional appliances. But in the case of Smarter’s internet-of-things coffee maker, you’d be wrong.


This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED’s parent company, Condé Nast.

Security problems with Smarter products first came to light in 2015, when researchers at London-based security firm Pen Test Partners found that they could recover a Wi-Fi encryption key used in the first version of the Smarter iKettle. The same researchers found that version 2 of the iKettle and the then-current version of the Smarter coffee maker had additional problems, including no firmware signing and no trusted enclave inside the ESP8266, the chipset that formed the brains of the devices. The result: The researchers showed that a hacker could probably replace the factory firmware with a malicious one. The researcher EvilSocket also performed a complete reverse engineering of the device protocol, allowing remote control of the device.

Two years ago, Smarter released the iKettle version 3 and the Coffee Maker version 2, said Ken Munro, a researcher who worked for Pen Test Partners at the time. The updated products used a new chipset that fixed the problems. He said that Smarter never issued a CVE vulnerability designation, and it didn’t publicly warn customers not to use the old ones. Data from the Wigle network search engine shows the older coffee makers are still in use.

As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord. You can see it for yourself here.

“It’s possible,” Hron said in an interview. “It was done to point out that this did happen and could happen to other IoT devices. This is a good example of an out-of-the-box problem. You don’t have to configure anything. Usually, the vendors don’t think about this.”

When Hron first plugged in his Smarter coffee maker, he discovered that it immediately acted as a Wi-Fi access point that used an unsecured connection to communicate with a smartphone app. The app, in turn, is used to configure the device and, should the user choose, connect it to a home Wi-Fi network. With no encryption, the researcher had no problem learning how the phone controlled the coffee maker and, since there was no authentication either, how a rogue phone app might do the same thing.

That capability still left Hron with only a small menu of commands, none of them especially harmful. So he then examined the mechanism the coffee maker used to receive firmware updates. It turned out they were received from the phone with—you guessed it—no encryption, no authentication, and no code signing.

These glaring omissions created just the opportunity Hron needed. Since the latest firmware version was stored inside the Android app, he could pull it onto a computer and reverse engineer it using IDA, a software analyzer, debugger, and disassembler that’s one of a reverse engineer’s best friends. Almost immediately, he found human-readable strings.

“From this, we could deduce there is no encryption, and the firmware is probably a ‘plaintext’ image that is uploaded directly into the FLASH memory of the coffee maker,” he wrote in this detailed blog outlining the hack.

To actually disassemble the firmware (that is, to transform the binary code into the underlying assembly language that runs on the hardware), Hron had to know what CPU the coffee maker used. That required him to take apart the device internals, find the circuit board, and identify the chips.

With the ability to disassemble the firmware, the pieces started to come together. Hron was able to reverse the most important functions, including the ones that check if a carafe is on the burner, cause the device to beep, and—most importantly—install an update.
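The missing control in the story above is firmware signing: the device writes whatever image the phone hands it. The following Go program is an added example, not Smarter’s or Avast’s code, showing the check an installer should perform before touching flash: it accepts an image only if an Ed25519 signature over the header and body verifies and the version is newer than the installed one, so a modified or replayed image is rejected. The image layout, the `FWv1` magic and the firmware body are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not Smarter's format):
// magic(4) | version(4, big-endian) | body | signature(64) over magic|version|body.
var magic = []byte("FWv1")

// BuildImage is what the vendor's release tooling would do: sign the header and body.
func BuildImage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	img := append([]byte{}, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	img = append(img, v[:]...)
	img = append(img, body...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the installer-side check. It returns the version and body only when
// the signature verifies under the vendor public key baked into the device and the
// version is strictly newer than what is installed (rejects rollback to old firmware).
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < len(magic)+4+ed25519.SignatureSize {
		return 0, nil, errors.New("image too short")
	}
	payload := img[:len(img)-ed25519.SignatureSize]
	sig := img[len(img)-ed25519.SignatureSize:]
	if string(payload[:4]) != string(magic) {
		return 0, nil, errors.New("bad magic")
	}
	if !ed25519.Verify(pub, payload, sig) { // any change to header or body fails here
		return 0, nil, errors.New("signature check failed: image rejected")
	}
	version := binary.BigEndian.Uint32(payload[4:8])
	if version <= installed {
		return 0, nil, errors.New("rollback refused: version not newer than installed")
	}
	return version, payload[8:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's key pair
	img := BuildImage(priv, 2, []byte("constructed firmware body"))
	_, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image accepted:", err == nil)
	tampered := append([]byte{}, img...)
	tampered[10] ^= 0x01 // flip one bit inside the body
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```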


A Ransomware Attack Has Struck a Major US Hospital Chain

Universal Health Services, a hospital and health care network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, suffered a ransomware attack early Sunday morning that has taken down its digital networks at locations around the US. As the situation has spiraled, some patients have reportedly been rerouted to other emergency rooms and facilities and had appointments and test results delayed as a result of the attack.

An emergency room technician at one UHS-owned facility tells WIRED that their hospital has moved to all-paper systems as a result of the attack. Bleeping Computer, which first reported the news, spoke to UHS employees who said the ransomware has the hallmarks of Ryuk, which first appeared in 2018 and is widely linked to Russian cybercriminals. Ryuk is typically used in so-called “big-game hunting” attacks in which hackers attempt to extort large ransoms from corporate victims. UHS says it has 90,000 employees and treats about 3.5 million patients each year, making it one of the US’ largest hospital and health care networks.

“We are using paper for everything. All computers are completely shut down,” the UHS employee told WIRED. “Paper is workable, there is just a lot more documentation to be done so things don’t get lost—orders, meds, etc. Patient care is about the same still in the ER, since we are where the patient enters the hospital and the visit gets started. There is concern for patients who were already on the floors when this happened, but everyone is stepping up their game big time.”

“Our facilities are using their established back-up processes, including offline documentation methods,” UHS said in a statement. The company did not return a request for further comment from WIRED and would not confirm that it is a ransomware attack. The company’s statement did confirm that the “IT network across Universal Health Services facilities is currently offline, due to an IT security issue,” and that patient and employee data appear not to have been compromised in the attack.

Ransomware attacks on large organizations have been prevalent since the mid-2010s, but the pace of assaults seems to have increased in recent months. Hospitals, in particular, have long been a favorite target, because patient safety hangs in the balance when a hospital’s network goes down. In addition to UHS, the Ashtabula County Medical Center in Ohio and Nebraska Medicine have both suffered ransomware attacks in recent days that caused system outages and threatened patient services.

And earlier this month, a patient with a life-threatening condition died in Düsseldorf, Germany, after a ransomware attack at a nearby hospital forced her to be taken to a more distant facility. The episode may have been the first example of a patient who died because of the fallout from a ransomware attack.

“These incidents are hugely concerning; they could have fatal consequences,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “I would say things are as bad as they’ve ever been—worse, in fact.”

Ryuk ransomware was attributed to North Korean actors when it first emerged, but many researchers now link it instead to Russian cybercriminals. It’s often preceded by a phishing attack that infects a target with a trojan, then exfiltrates the victim’s data and triggers a Ryuk infection. The ransomware seems to be used by a few splinter groups in addition to its originators, though, making it difficult to trace and correlate activity from the presence of the malware alone. The actor that first used it throughout 2018 and 2019 seemed to go dark in April, but has recently reappeared.
