Twitch’s First Transparency Report Is Here—and Long Overdue

Twitch today released its first-ever transparency report, detailing its efforts to safeguard the 26 million people who visit its site daily. When it comes to transparency, the decade-old, Amazon-owned service had a lot of catching up to do.

Twitch benefitted from a 40 percent increase in channels between early and late 2020, buoyed by the popularity of both livestreaming technology and video gaming throughout the pandemic. That explosive growth, however, is also the company’s greatest challenge when it comes to stomping out harassment and hate. Unlike recorded videos, live content is often spontaneous and ephemeral. Things just happen, in front of live audiences of thousands or tens of thousands. That can include anything from 11-year-olds going live playing Minecraftexposing them to potential predators—to now-banned gaming celebrity Guy “Dr Disrespect” Beahm streaming from a public bathroom at E3.

In its new transparency report Twitch acknowledges this difficulty and for the first time offers specific details about how well it moderates its platform. While the findings are encouraging, what Twitch historically has not been transparent about speaks just as loudly.

Twitch early on earned a reputation as a hotbed for toxicity. Women and minorities streaming on the platform received targeted hate from audiences hostile to people whom they believed deviated from gamer stereotypes. Twitch’s vague guidelines around so-called “sexually suggestive” content served as fuel for self-appointed anti-boob police to mass-report female Twitch streamers. Volunteer moderators watched over Twitch’s fast-moving chat to pluck out harassment. And for problematic streamers, Twitch relied on user reports.

In 2016, Twitch introduced an AutoMod tool, now enabled by default for all accounts, that blocks what its AI deems inappropriate messages from viewers. Like other large platforms, Twitch also relies on machine learning to flag potentially problematic content for human review. Twitch has invested in human moderators to review flagged content, too. Still, a 2019 study by the Anti-Defamation League found that nearly half of Twitch users surveyed reported facing harassment. And a 2020 GamesIndustry.Biz report quoted several Twitch employees describing how executives at the company didn’t prioritize safety tools and were dismissive of hate speech concerns.

Throughout this time, Twitch didn’t have a transparency report to make its policies and inner workings clear to a user base suffering abuse. In an interview with WIRED, Twitch’s new head of trust and safety, Angela Hession, says that, in 2020, safety was Twitch’s “number one investment.”

Over the years, Twitch has learned that bad-faith harassers can weaponize its vague community standards, and in 2020 released updated versions of its “Nudity and Attire,” “Terrorism and Extreme Violence” and “Harassment and Hateful Conduct” guidelines. Last year, Twitch appointed an eight-person Safety Advisory Council, consisting of streamers, anti-bullying experts, and social media researchers, that would draft policies aimed at improving safety and moderation and healthy streaming habits.

Last fall Twitch brought on Hession, previously the head of safety at Xbox. Under Hession, Twitch finally banned depictions of the confederate flag and blackface. Twitch is on fire, she says, and there’s a big opportunity for her to envision what safety looks like there. “Twitch is a service that was built to encourage users to feel comfortable expressing themselves and entertain one another,” she says, “but we also want our community to always be and feel safe.” Hession says that Twitch has increased its content moderators by four times over the last year.

Twitch’s transparency report serves as a victory lap for its recent moderation efforts. AutoMod or active moderators touched over 95 percent of Twitch content throughout the second half of 2020, the company reports. People reporting that they received harassment via Twitch direct message decreased by 70 percent in that same period. Enforcement actions increased by 788,000 early 2020 to 1.1 million late 2020, which Twitch says reflects its increase in users. User reports increased during this time, too, from 5.9 million to 7.4 million, which Twitch again attributes to its growth. The same for its channel bans, which increased from 2.3 million to 3.9 million.

Read More

What Life Is Like Under Myanmar’s Internet Shutdown

Rumors of a coup were spreading before the military acted. Sophie*, an American software developer, was at home with her young son and her husband Aung*, a union worker and Myanmar national, when Myanmar’s military took control in the early hours of February 1.

As the nation’s military leaders arrested Aung San Suu Kyi, president Win Myint, and other senior government figures, they also deployed a blunt tool of censorship: turning off the internet. Sophie, who was up early with their son, could still access the internet at home, as only phone data had been limited. The first she heard of the coup came from a New York Times article shared by a friend.

In the weeks since Myanmar’s military took control, internet shutdowns have become common, as documented by internet monitoring group NetBlocks. As protests have grown there have been total internet shutdowns and limits placed on individual services such as Facebook and its Messenger app. For most people in Myanmar, Facebook is the internet and is the main way people access news and chat with friends.

NetBlocks reports that for the past 12 nights the internet has been turned off like clockwork from 1 to 9 am. Civil rights group Access Now says the periodic shutdowns “facilitates abuse by, and impunity for, the military junta.” The shutdowns have been condemned internationally and make Myanmar the latest of more than 30 countries to turn off the internet in an attempt to assert control.

People in Myanmar also fear the internet shutdowns are being used to cover up nighttime arrests and violent crackdowns on protestors. When the shutdowns started the Myanmar division of telecoms operator Telenor started publishing orders it received but now says “it is not possible.”

The shutdowns have stopped friends and families from communicating and made it hard for people to work. But, more perniciously than that, it has added to the sense of fear in Myanmar. Sophie has recently returned to the US with her son while the coup is continuing, while Aung has remained in central Yangon and has been attending protests with thousands of others. With the nightly internet shutdowns and time difference with the US, their conversations are limited and difficult. Here they explain the reality of living through the shutdowns. The conversations have been edited for context and clarity.

The Coup and First Shutdown

Sophie: We were in our condo when the coup happened. I woke up early to look after my son and one of my friends from the US had messaged me a New York Times article about Aung San Suu Kyi being arrested. I had warned someone ahead of time that if they don’t hear from me that I’m fine. Everyone was really afraid and stayed inside.

Aung: I have a lot of union workers on my Facebook. They were all offline—the family I was talking to 20 minutes before were offline too. I couldn’t see anything on the internet, I couldn’t communicate from my phone. So I have to go out to my balcony to see what’s going on on the street. I could see my neighbor watching cable TV—we don’t own one—so I shouted across asking what was happening.

Sophie: You’re completely in the dark. There’s nothing to do because you’re so reliant on your phone, but you start to talk to your neighbors. That first weekend it was completely shut off. Nobody had the internet, nobody had a cell phone connection and we would hear protesters going down the side streets or the main streets. The ATMs and the banks were down and it had a huge impact because there’s no way to access money.

Read More

The SolarWinds Body Count Now Includes NASA and the FAA

Some blasts from the past surfaced this week, including revelations that a Russia-linked hacking group has repeatedly targeted the US electrical grid, along with oil and gas utilities and other industrial firms. Notably, the group has ties to the notorious industrial-control GRU hacking group Sandworm. Meanwhile, researchers revealed evidence this week that an elite NSA hacking tool for Microsoft Windows, known as EpMe, fell into the hands of Chinese hackers in 2014, years before that same tool then leaked in the notorious Shadow Brokers dump of NSA tools.

WIRED got an inside look at how the video game hacker Empress has become so powerful and skilled at cracking the digital rights management software that lets video game makers, ebook publishers, and others control the content you buy from them. And the increasingly popular, but still invite-only, audio-based social media platform Clubhouse continues to struggle with security and privacy missteps.

If you want something relaxing to take your mind off all of this complicated and concerning news, though, check out the new generation of Opte, an art piece that depicts the evolution and growth of the internet from 1997 to today.

And there’s more. Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

In addition to infiltrating the unclassified networks of seven other US government agencies, the suspected Russian hackers who compromised the IT services firm SolarWinds as a jumping off point also penetrated NASA and the Federal Aviation Administration. Researchers and officials testified before the Senate Intelligence Committee on Tuesday about the scope and scale of the attack. The Washington Post reported ahead of the hearing that the Biden administration is preparing sanction against Russia related to the SolarWinds espionage operation and other recent incidents of aggression. The seven other breached agencies are the Departments of Commerce, Homeland Security, Energy, and State, the US Treasury, the National Institutes of Health, and the Justice Department. The White House said earlier this month that hackers also compromised 100 companies in the spree. “This is the largest and most sophisticated sort of operation that we have seen,” Microsoft president Brad Smith said during Tuesday’s hearing.

The New York City Police Department has a robot dog called “Digidog,” and the AI canine is already being deployed for real police work, like investigating a recent Bronx home invasion. For those concerned that police around the country might someday turn Digidog on a crowd of peaceful protesters or law abiding citizens, though, people are already trying to figure out how to disable the robot pups. Ideas include finding a way to flip the dog over, grab the hatch for the battery pack, and remove the doggo’s lithium-ion power. There are also power and “motor lockout” buttons on the dogs’ butts where you can deactivate them. Not quite as friendly as a wagging tail, but good to know if you’re ever in a bind.

Mozilla launched a new version of its browser on Tuesday, Firefox 85, that includes an expanded anti-tracking feature called Total Cookie Protection. It uses a technique known as “cache partitioning” to make it more difficult for third parties to track you as you browse the web. Cookies are assigned to individual sites, but if companies embed elements (like “iframes” and scripts) from each others’ infrastructure on their own sites, they can all start to build a picture of users’ browsing. By siloing the cookies your browser saves from each other, it’s more difficult for companies to use this technique.

After a week of revelations about major security shortcomings, Jamaica took down its JamCOVID website and app late Thursday. The platform is used to post statistics about Covid-19 infections and process travelers. It also has a self-reporting feature for virus symptoms. The platform exposed quarantine orders for more than half a million travelers who entered Jamaica back to March 2020. The orders include travelers’ names and their addresses while quarantining in Jamaica. The local news outlet Jamaica Gleaner first reported the exposure. Last week, TechCrunch found that Amber Group, the contractor that developed the platform, had an exposed Amazon Web Services cloud server that contained more than 70,000 negative Covid-19 test results and more than 425,000 immigration documents from travelers entering Jamaica.

More Great WIRED Stories

Read More

The Woman Bulldozing Video Games’ Toughest DRM

Recently, she cracked Anno 1800, which layered three types of protection, Denuvo on top. “No one else does this because it requires insane amount of focus, dedication and endless passion. I was able to achieve this only in several months of research. it was HELL to say the least.”

“There is little to no competition in the cracking scene when it comes to that particular DRM,” says OverkillLabs, who used to run the gaming-piracy-focused CrackWatch subreddit. OverkillLabs says they know of just three groups that have broken it, and none with the sense of mission Empress has.

Although OverkillLabs can’t quite pin down when her rise to fame began, as she keeps her history intentionally opaque, Empress first came on their radar when she shared her crack of SoulCalibur VI in March 2020. Unlike the insular Warez groups, Empress posted polls asking what gamers wanted next, shared her philosophy, delineated principles, named her enemies. The text files accompanying her games (long, white ASCII columns supporting her name) stuck with him: “The reason why Ubisoft, EA and such companies never remove denuvo from their games is only because they LOVE feeling *superior* and ENJOY seeing you the customer as PIG under their control or worse.” OverkillLabs also noticed that, unlike other groups, which were motivated by kudos and upvotes, Empress accepts donations. Cryptocurrency, specifically.

“People are used to scene groups that do it all for free and ask for nothing in return,” says OverkillLabs.

Empress has big “fuck you, pay me” energy. “I have an outside job, ofc,” she says. “How much time I spend in it depends on the amount of donations I receive.” She’ll skip work and take runs against a game for as long as she can afford it, but is steadfast in the idea that her work should be compensated. In a September 2020 post titled “I will need your help moving forward,” Empress bragged that she cracked Planet Zoo in one week. Total War Three Kingdoms in four days. It was time for her to tackle Denuvo version 9, integrated with Death Stranding and Resident Evil 3. She just needed some Bitcoin. “I’m just a little confused,” replied one commenter on Reddit. “People aren’t willing to pay money for games but they’re willing to pay money to get games illegally? :S.”

“the entire ‘Scene’ rules that accept ‘no money/donations’ is 1 of the biggest problems which always push the crackers back, instead of forward,” says Empress. “if you’re going to do such INSANE EFFORT, you wouldn’t just do it for and from ‘nothing.’” A hobbyist couldn’t push through, she says, “to reach something with a bigger meaning than a quick boost of ego, which is very hollow and can be shattered very easily.”

On October 22, 2020, Empress released a liberated Red Dead Redemption 2 along with another cracker who goes by Mr_Goldberg, who wrote an emulator for the game’s launcher that allowed the DRM-free version to work. It landed on the front page of Reddit with over 23,000 upvotes.

“It took only 2 days for Empress to crack the RDR2 drm and denuvo is very difficult to crack,” says Mr_Goldberg. “never know when someone else might appear out of nowhere but right now empress is the number 1 in cracking ability.” Empress says she hates Red Dead Redemption 2. She just cracked it for “the people.”

On Sunday, Empress posted her crack of Immortals Fenyx Rising, protected by Denuvo and released December 3, 2020. Commenters on CrackWatch, a site that tracks game cracks, went wild, calling her a “goddess.” A cult of worship has attended her newfound fame. Gleeful cries of “fuck Denuvo!” flooded her uploads.

But slowly, over the last day, downloaders realized that Empress had capped the speed. She designed it so nobody could download the game in less than 24 hours. That would prevent repackers from repackaging her cracks for easier downloads—and potentially claiming the credit.

When fans in her community chat began questioning her motivation, Empress had an explanation ready. “If not for my plan here, everybody would already be shouting: ‘fitgirl you are AWESOME!,’” she said, singling out, a popular repacker. Empress maintains she doesn’t need attention. But at the same time, she says, “everyone just should know ‘Who’ is actually responsible of the cracks, and also to support and donate to the person who did the REAL work.”

More Great WIRED Stories

Read More

Sites Have a Sneaky New Way to Track You Across the Web

This week saw the first known appearance of malware written specifically for Apple’s M1 processors, in inevitable but still somewhat concerning development, especially given how little time it took the bad guys to adjust to the new ARM-based architecture. Fortunately, this week Apple also put out its latest Platform Security Guide, which should help security researchers and companies protect against the latest and greatest macOS and iOS threats.

International hacking made the news this week as well. France tied Russia’s destructive Sandworm hackers to a campaign that exploited an IT monitoring tool from Centreon, a company based there. And the Department of Justice indicted three North Korean hackers this week, alleging their involvement in a sweeping series of heists and scams that includes the 2014 assault against Sony Pictures and attempted thefts totally $1.3 billion.

Elsewhere, we took a look at how to avoid phishing scams and how Parler got back online despite being cut off by the big tech companies. We published the latest installment of 2034, a novel that looks at a fictional future war with China that feels all too real. And you should set aside some time this weekend to read this excerpt from Nicole Perlroth’s This Is How They Tell Me the World Ends, which looks at the unlikely and previously untold origins of the market for so-called zero-day bugs.

And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

To be extremely clear, the technique that we’re about to explain for sites to track you across the web—even if you clear your cache or use an incognito window—is one that researchers found, not necessarily one that sites are actually using, especially not at scale. (Then again, there’s not much these analytics companies won’t do.) The technique works by focusing on favicons, the little icon that your browser displays to represent the site you’re on. Because most browsers store those favicons separately from your browsing history and cookies, traditional means of avoiding tracking like using a private mode or clearing your cache don’t affect them. Which in turn means, according to researchers from the University of Illinois, Chicago, that sites could use a unique series of favicons to identify you and track you across the web no matter what. Chrome, Safari, and Edge are all currently vulnerable to the attack, although Google and Apple have both said they’re looking into it.

LastPass has long been one of the go-to password managers, in part thanks to its relatively generous free tier, which has until now worked across mobile and traditional computers. As of March 16, though, you’ll have to pick one or the other for free unlimited access, or pony up for LastPass Premium or LastPass Families. This is understandably frustrating for existing users, but also brings LastPass in line with many of its competitors. You still have plenty of free options at your disposal, though, including WIRED pick Bitwarden. And no matter what, it’s a good reminder that everyone needs a password manager, even if it costs you a few bucks a month.

The audio social network Clubhouse is all the rage among a certain subset of Silicon Valley doyenne. But as it broadens its reach, security researchers have raised a host of concerns about its privacy and security measures. The Stanford Internet Observatory took a close look specifically at Clubhouse’s relationship with China, and didn’t like what it found. Researchers found that Clubhouse uses a Shanghai-based company for part of its back-end infrastructure, transmits user IDs and room IDs in plain text, and may inadvertently expose its raw audio to the Chinese government. Combined with the app’s aggressive grab of you contact list, it’s probably best not to get in on the beta until it resolves some of its security issues. 

John Deere has long been a focal point of the right to repair movement, given its refusal to let farmers fix their own tractors when high-tech components go down. In response to the growing backlash, the company promised in 2018 to give its customers the tools they need to be self-sufficient. But an investigation by the nonprofit US Public Interest Research Group found that little if any progress had been made to that effect. Farmers by and large still don’t have access to the tools and diagnostics that they need to address software malfunctions and other breakdowns associated with John Deere’s proprietary technology. Meanwhile, right to repair legislation has  gained momentum across dozens of states. It appears that may be the only way to empower farmers to fix the equipment they own the way they want to.

More Great WIRED Stories

Read More

Feds Indict North Korean Hackers for Years of Heists

Most surprising, perhaps, is the extent of the hackers’ alleged schemes as cryptocurrency scammers and even would-be entrepreneurs. The indictment outlines how the North Koreans—specifically Kim Il—made plans to launch a cryptocurrency token scheme called Marine Chain, which would sell a blockchain-based stake in marine vessels including cargo ships. According to the British think tank the Royal United Services Institute, Marine Chain was identified by the United Nations as a North Korean sanctions-evasion scheme in 2018; it’s not clear if it ever got off the ground.

In another cryptocurrency theft scheme, the hackers are charged with creating a long list of malicious cryptocurrency apps with names like WorldBit-Bot, iCryptoFx, Kupay Wallet, CoinGo Trade, Dorusio, Ants2Whales, and CryptoNeuro Trader, all designed to surreptitiously steal victims’ cryptocurrencies. The US Cybersecurity and Infrastructure Security Agency issued an advisory Wednesday about the malware family integrated into those apps known as AppleJeus, warning that the malicious apps have been distributed by hackers posing as legitimate cryptocurrency firms, who sent the apps in phishing emails or tricked users into downloading them from fake websites. Security firm Kaspersky had warned about versions of AppleJeus as early as 2018.

The indictment demonstrates the United States’ growing willingness to indict foreign hackers for cyberattacks and cybercriminal schemes that don’t merely target US institutions, says Greg Lesnewich, a threat intelligence analyst at security firm Recorded Future. For some of the charges, he points out, Americans were impacted only as the holders of cryptocurrency stolen from international exchanges. “It’s an expansion of what the US is willing to prosecute for, even if the victims aren’t US entities,” he says.

At the same time, Lesnewich says the long arc of the crimes the indictment describes also show North Korea has expanded its ambitions to use and steal cryptocurrency in any way that might help fund its sanctions-starved government. “They’re using very ingenious methods to steal cryptocurrency now,” says Lesnewich. “They’re clearly putting some of their ‘best’ people on this to solve this problem in a diverse number of ways.”

While none of the three North Koreans have been arrested and extradited—and given that they’re in North Korea, likely never will be—prosecutors also unsealed charges against Ghaleb Alaumary, a 37-year-old Canadian man who allegedly served as a money launderer for the North Koreans’ bank heists. Alaumary, who has already pleaded guilty to the money-laundering charges, had previously been arrested and charged with a business-email-compromise hacking scheme in the Southern District of Georgia.

As for Park, Jon, and Kim, the Justice Department has little expectation of ever laying hands on them, assistant attorney general John Demers acknowledged in Wednesday’s press conference. But he argued that the indictment nonetheless sends a message to the North Korean regime and to any other states contemplating similar rogue behavior that they and their hackers will be identified and, whenever possible, held accountable, including with other diplomatic tools such as sanctions. “You think you’re anonymous behind a keyboard, but you’re not,” Demers said, holding out the indictment as proof. “We lay out how we can prove attribution not to a nation state level, or a unit level within a military or intelligence organization, but to an individual hacker.”

More Great WIRED Stories

Read More

Parler Says It’s Back is getting back online after being kicked off Amazon’s hosting service, with the controversial social network saying it no longer relies on “Big Tech” for its web infrastructure. A Parler announcement Monday said its relaunched website is “built on sustainable, independent technology and not reliant on so-called ‘Big Tech’ for its operations.”

Amazon cut off Parler’s web-hosting service on January 10, a few days after a Trump-incited mob stormed the US Capitol, saying that “Parler cannot comply with our terms of service and poses a very real risk to public safety.” Parler sued Amazon in response, but a federal judge denied Parler’s request for a preliminary injunction that would have forced Amazon to reinstate its services.

Now, Parler is using hosting services from a company called SkySilk. Parler said its site is available this week only to users who already had accounts. New users, on the other hand, will be able to sign up next week. While existing users can now log in to Parler, their old posts have been removed from the site, TechCrunch reported.

“When Parler was taken offline in January by those who desire to silence tens of millions of Americans, our team came together, determined to keep our promise to our highly engaged community that we would return stronger than ever. We’re thrilled to welcome everyone back,” Parler’s interim CEO, Mark Meckler, said in the announcement. “Parler is being run by an experienced team and is here to stay. We will thrive as the premier social media platform dedicated to free speech, privacy, and civil dialog.” (Meckler, who cofounded the Tea Party Patriots in 2009, replaced recently fired CEO John Matze as head of Parler.)

Amazon said in a court filing that it cut Parler off because of its “demonstrated unwillingness and inability to remove from the servers of Amazon Web Services content that threatens the public safety, such as by inciting and planning the rape, torture, and assassination of named public officials and private citizens.”

In new Parler posts today, Parler’s official account said, “We will not be canceled,” while Meckler wrote, “Parler is live and it feels so good!”

Parler traffic is going through a data center in Ohio run by CloudRoute, and from there to a SkySilk data center in Los Angeles, where SkySilk exchanges internet traffic with NTT. This is confirmed by trace routes from tens of major cities distributed throughout the Americas, Europe, and Asia. We contacted NTT today and will update this article if we get a response.

CloudRoute and SkySilk seem to be connected in some way and may ultimately be part of the same company. CloudRoute CEO Andre Temnorod denied or downplayed any connection, telling The New York Times that “SkySilk is our customer, and Parler is SkySilk’s customer.” However, Whois information lists Temnorod’s email and other CloudRoute email addresses as contacts for SkySilk. SkySilk CEO Kevin Matossian “confirmed to NPR that the company is providing web hosting services to Parler,” according to NPR reporter Bobby Allyn.

CloudRoute is described by Scamalytics as “a potentially high​ fraud risk ISP,” with about 56 percent of traffic from the ISP “suspected to be potentially fraudulent.” We contacted CloudRoute and SkySilk today and will update this article if we get any response.

CloudRoute bills itself as a partner of Microsoft, but that doesn’t necessarily mean any content is hosted on Microsoft’s cloud services. Parler has been a user of Microsoft Office 365 for email, and Microsoft employees reportedly debated last month whether it should stop providing the service to Parler. We contacted Microsoft today and will update this article if we get a response. last month moved its domain to Epik, a domain registrar that also provides service to Gab, which is known for hosting anti-Semitic content. Parler at one point last month was using services from the Russian company DDoS-Guard but apparently isn’t anymore.

Read More

France Ties Russia’s Sandworm to a Multiyear Hacking Spree

The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don’t have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.

On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia’s GRU military intelligence agency, had breached several French organizations. The agency describes those victims as “mostly” IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris.

Though ANSSI says it hasn’t been able to identify how those servers were hacked, it found on them two different pieces of malware: one publicly available backdoor called PAS, and another known as Exaramel, which Slovakian cybersecurity firm ESET has spotted Sandworm using in previous intrusions. While hacking groups do reuse each other’s malware—sometimes intentionally to mislead investigators—the French agency also says it’s seen overlap in command and control servers used in the Centreon hacking campaign and previous Sandworm hacking incidents.

Though it’s far from clear what Sandworm’s hackers might have intended in the years-long French hacking campaign, any Sandworm intrusion raises alarms among those who have seen the results of the group’s past work. “Sandworm is linked with destructive ops,” says Joe Slowik, a researcher for security firm DomainTools who has tracked Sandworm’s activities for years, including an attack on the Ukrainian power grid where an early variant of Sandworm’s Exaramel backdoor appeared. “Even though there’s no known endgame linked to this campaign documented by the French authorities, the fact that it’s taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention.”

ANSSI didn’t identify the victims of the hacking campaign. But a page of Centreon’s website lists customers including telecom providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, logistics firm Kuehne + Nagel, nuclear power firm EDF, and the French Department of Justice. It’s unclear which if any of those customers had servers running Centreon exposed to the internet.

“It is in any case not proven at this stage that the identified vulnerability concerns a commercial version provided by Centreon over the period in question,” Centreon said in an emailed statement, adding that it regularly releases security updates. “We are not in a position to specify at this stage, a few minutes after the publication of the ANSSI document, whether the vulnerabilities pointed out by the ANSSI have been the subject of one of these patches.” ANSSI declined to comment beyond the initial advisory.

Some in the cybersecurity industry immediately interpreted the ANSSI report to suggest another software supply chain attack of the kind carried out against SolarWinds. In a vast hacking campaign revealed late last year, Russian hackers altered that firm’s IT monitoring application and it used to penetrate a still-unknown number of networks that includes at least half a dozen US federal agencies.

But ANSSI’s report doesn’t mention a supply chain compromise, and DomainTools’ Slowik says the intrusions instead appear to have been carried out simply by exploiting internet-facing servers running Centreon’s software inside the victims’ networks. He points out that this would align with another warning about Sandworm that the NSA published in May of last year: The intelligence agency warned Sandworm was hacking internet-facing machines running the Exim email client, which runs on Linux servers. Given that Centreon’s software runs on CentOS, which is also Linux-based, the two advisories point to similar behavior during the same timeframe. “Both of these campaigns in parallel, during some of the same period of time, were being used to identify externally facing, vulnerable servers that happened to be running Linux for initial access or movement within victim networks,” Slowik says. (In contrast with Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have also yet to be definitively linked to any specific intelligence agency, though security firms and the US intelligence community have attributed the hacking campaign to the Russian government.)

Read More

A Billion-Dollar Dark Web Crime Lord Calls It Quits

Just over a week ago, an employee at a water treatment treatment plant in Oldsmar, Florida noticed that the mouse on his screen started moving seemingly on its own. Soon it was clicking through controls, raising the supply of lye in the water supply from 100 parts per million to 1,100ppm, enough to cause serious damage to human tissue. Fortunately, the employee moved quickly to revert things to normal levels. It’s still unclear who was behind this dramatic hack, and a sober reminder of how exposed so many industrial systems remain despite years of warnings.

Facebook also seems to have ignored of warnings about the proliferation of Covid-19 scams on its platform; researchers this week exposed multiple scams they found on both the social media network and the messaging service Telegram.

Cyberpunk 2077 developer CD Projekt Red had already been battered by players frustrated with the game’s rampant bugs and poor gameplay on legacy consoles. This week it disclosed that ransomware was recently added to its list of woes, as a hacker group claimed to have stolen internal documents as well as source code for its most popular games. CD Projekt Red said it would not pay the ransom.

Microsoft finally patched a vulnerability that was first introduced into its Windows Defender antivirus product—renamed Microsoft Defender last year—at least 12 years ago. A barcode scanner app started serving up adware to its millions of users after an update in December. And be sure to read the third installment of 2034, the fictional tale of an all to real-sounding future war with China.

And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

Since 2014, if you were in the market for a stolen credit card or identity on the dark web—or until recently out in the open—the Joker’s Stash has been your one-stop shop. According to analysis by blockchain analysis firm Elliptic, the operator of Joker’s Stash announced that they would close up shop this month after taking in what Elliptic pegs at over a billion dollars of cryptocurrency during their run. (It’s unclear whether JokerStash, the account that runs the marketplace, is an individual or a group.)

In October 2018, Bloomberg published “The Big Hack,”, an incendiary account of how China had implanted tiny microchips on motherboards from US-based Supermicro to infiltrate dozens of companies, including Apple and Amazon. Everyone implicated in that story offered vociferous denials, and outside security experts were highly dubious. This week, Bloomberg came back with a fresh round of reporting, including several law enforcement types speaking on the record about the claims. It was still not enough, though, to appease most skeptics.

Facebook has been insistent—chief operating officer Sheryl Sandberg in particular—that the bulk of the planning for the Capitol riots happened on platforms other than its own. Court documents refute that claim, Forbes found, with Facebook garnering far more references than any other social media site. The actual uses varied, with many alleged rioters using Facebook to livestream the chaos, but clearly it had more of a role in events than it has come to terms with.

Apple continues its privacy push, this time adding a feature to its Safari browser that sends all of your traffic through its own proxy servers, effectively hiding your IP address from Google when you’re in Safe Browsing mode. It shouldn’t affect your experience in practice, or limit the effectiveness of Google’s protective feature. It just gives Mountain View a little smaller slice of data about your journey across the internet.

More Great WIRED Stories

Read More

A Barcode Scanner App With Millions of Downloads Goes Rogue

A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an upgrade that turned it to the dark side, prompting the search-and-advertising giant to remove it.

Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then, in late December, researchers with security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere on their default browser.

Malwarebytes mobile malware researcher Nathan Collier was at first puzzled. None of the customers had recently installed any apps, and all the apps they had already installed came from Play, a market that despite its long history of admitting malicious apps remains safer than most third-party sites. Eventually, Collier identified the culprit as Barcode Scanner. The researcher said an update delivered in December included code that was responsible for the bombardment of ads.

“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” Collier wrote. “It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity?”

Collier said that adware is often the result of third-party software development kits, which developers use to monetize apps available for free. Some SDKs, unbeknownst to developers, end up pushing the limits. As Collier was able to establish from the code itself and a digital certificate that digitally signed it, the malicious behavior was the result of changes made by the developer.

The researcher wrote:

In the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

Google removed the app after Collier notified the company. So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices that had it installed. That means users will have to remove the app themselves.

Google representatives declined to say whether the Protect feature did or didn’t remove the malicious barcode scanner. Ars also emailed the developer of the app to seek comment but hasn’t received a response.

Anyone who has a barcode scanner installed on an Android device should inspect it to see whether it’s the one Collier identified. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the package name is com.qrcodescanner.barcodescanner. The malicious barcode scanner shouldn’t be confused with the one here or other apps with the same name.

The usual advice about Android apps applies here. People should install the apps only when they provide true benefit and then only after reading user reviews and permissions required. People who haven’t used an installed app in more than six months should also strongly consider removing it. Unfortunately, in this case, following this advice would fail to have protected many Barcode Scanner users.

It’s also not a bad idea to use a malware scanner from a reputable company. The Malwarebytes app provides app scanning for free. Running it once or twice a month is a good idea for many users.

This story originally appeared on Ars Technica.

More Great WIRED Stories

Read More
Page 1 of 1812345»10...Last »