Plus: WhatsApp’s court case, a VPN exposed, and more of the week’s top security news.
ON WEDNESDAY, AN unprecedented Twitter hack saw the accounts of Elon Musk, Barack Obama, Joe Biden, Jeff Bezos, Bill Gates, Apple, Uber, and more fall into the hands of attackers who used that access to… push a bitcoin scam? It was a very bad, no good day, but if anything Twitter is lucky wasn’t much, much worse.
Elsewhere, Iranian hackers did an oopsie. Researchers from IBM recovered five hours of video from APT35, also known as Charming Kitten, recording themselves swiping data from hacked email accounts and offering training tips on how to do so. And researchers found a 17-year-old bug in Windows DNS that is “wormable,” meaning it could spread through a network without any human interaction. Microsoft pushed out a patch, which hopefully you’ve implemented by now if it applies to you. We also took a look at “DDoS for hire” schemes that have fueled a new wave of attacks—and router turf wars—online.
A new map from the Electronic Frontier Foundation shows what kind of surveillance—drones, facial recognition, and more—law enforcement uses in your city. A new research from F-Secure shows how counterfeit Cisco equipment could cause serious mayhem by motivated attackers. And we took a fresh look at an old debate: whether TikTok actually poses a security threat to the US.
Russian hackers are targeting Covid-19 vaccine research. A clever new gadget will stop Alexa from spying on you. And if you somehow aren’t using two-factor authentication yet, here’s why and how you should.
And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.Trail Leads to Possible Twitter Hack Suspects
In the wake of the aforementioned Twitter hack, a trail of online evidence has pointed to a few individuals at the center of this mess. As WIRED has previously reported, the original objective appears to have been capturing handles with small character counts, prized in the SIM-swap hacking community. Independent cybersecurity journalist Brian Krebs dove into posts on an account-hacking forum called OGusers this week, which along with other bread crumbs indicate a prominent SIM-swapper was involved in Wednesday’s incident. The New York Times followed by interviewing two people purportedly linked to the security meltdown, both of whom cited a hacker who went only by “Kirk” as the central player here. They also suggested that Kirk initially gained access to Twitter’s admin panel by first getting into a Twitter employee’s Slack account. More details are sure to come out in the coming days; the FBI is investigating, and Twitter has said it will share the results of its ongoing investigation when it has them.WhatsApp’s Case Against NSO Group Can Proceed
Last fall, Facebook-owned WhatsApp filed a lawsuit against notorious spyware vendor NSO Group for allegedly providing malware that hacked 1,400 WhatsApp users. The case has hinged on a tricky legal argument, but the messaging company cleared a major hurdle this week when a judge ruled that its case could proceed on the grounds WhatsApp cited. NSO Group has and continues to deny the allegations.A VPN That Claimed Not to Keep Logs… Kept Logs
Virtual private networks are wonderful tools that let you browse the internet without your internet service provider or other third-parties snooping on you. They also require an inordinate amount of trust in the VPN provider itself, since they can theoretically see and keep track of everything you do. Which brings us to Hong Kong-based UFO VPN, which reportedly exposed millions of user logs—records of their online activity—despite advertising that it kept no logs at all. That’s according to Comparitech, which found 894 GB of data sitting unprotected in Elasticsearch databases. It’s hard to say that you can 100 percent trust any VPN, but here are a few of WIRED’s favorites that pass the smell test.EU Strikes Down Data-Sharing ‘Privacy Shield” Pact With US
Since 2016, US and EU companies have been able to share data between continents with little red tape thanks to an accord known as Privacy Shield. This week, the European Court of Justice ruled that the Privacy Shield doesn’t comply with more recent privacy legislation there. While it sounds at first like a win for privacy rights, in practice the amount of data will likely stay the same, just with more hurdles to jump as it crosses the Atlantic. Your data is apparently just too valuable for companies on either side to give up—not that you’ll ever see a penny for it.
All Rights Reserved for BRIAN BARRETT