All posts tagged: security roundup

Chinese Hackers Target Trump Campaign via Verizon Breach

Chinese Hackers Target Trump Campaign via Verizon Breach

The Chinese spy operation adds to the growing sense of a melee of foreign digital interference in the election, which has already included Iranian hackers’ attempt to hack and leak emails from the Trump campaign—with limited success—and Russia-linked disinformation efforts across social media. Ahead of the full launch next week of Apple’s AI platform, Apple Intelligence, the company debuted tools this week for security researchers to evaluate its cloud infrastructure known as Private Cloud Compute. Apple has gone to great lengths to engineer a secure and private AI cloud platform, and this week’s release includes extensive detailed technical documentation of its security features as well as a research environment that is already available in the macOS Sequoia 15.1 beta release. The testing features allow researchers (or anyone) to download and evaluate the actual version of PCC software that Apple is running in the cloud at a given time. The company tells WIRED that the only modifications to the software relate to optimizing it to run in the virtual machine for the research environment. Apple also …

Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It

Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It

The 2024 US presidential election is entering its final stretch, which means state-backed hackers are slipping out of the shadows to meddle in their own special way. That includes Iran’s APT42, a hacker group affiliated with Iran’s Islamic Revolutionary Guard Corps, which Google’s Threat Analysis Group says targeted nearly a dozen people associated with Donald Trump’s and Joe Biden’s (now Kamala Harris’) campaigns. The rolling disaster that is the breach of data broker and background-check company National Public Data is just beginning. While the breach of the company happened months ago, the company only acknowledged it publicly on Monday after someone posted what they claimed was “2.9 billion records” of people in the US, UK, and Canada, including names, physical addresses, and Social Security numbers. Ongoing analysis of the data, however, shows the story is far messier—as are the risks. You can now add bicycle shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano’s Di2 wireless shifters can be vulnerable to various radio-based attacks, …

A New Surveillance Tool Invades Border Towns

A New Surveillance Tool Invades Border Towns

This week, WIRED reported that a group of prolific scammers known as the Yahoo Boys are openly operating on major platforms like Facebook, WhatsApp, TikTok, and Telegram. Evading content moderation systems, the group organizes and engages in criminal activities that range from scams to sextortion schemes. On Wednesday, researchers published a paper detailing a new AI-based methodology to detect the “shape” of suspected money laundering activity on a blockchain. The researchers—composed of scientists from the cryptocurrency tracing firm Elliptic, MIT, and IBM—collected patterns of bitcoin transactions from known scammers to an exchange where dirty crypto could get turned into cash. They used this data to train an AI model to detect similar patterns. Governments and industry experts are sounding the alarm about the potential for major airline disasters due to increasing attacks against GPS systems in the Baltic region since the start of the war in Ukraine. The attacks can jam or spoof GPS signals, and can result in serious navigation issues. Officials in Estonia, Latvia, and Lithuania blame Russia for the GPS issues in …

School Employee Allegedly Framed a Principal With Racist Deepfake Rant

School Employee Allegedly Framed a Principal With Racist Deepfake Rant

Controversial gunshot-detection company ShotSpotter has deployed more than 25,000 microphones across 170 cities worldwide. This week, WIRED and South Side Weekly revealed the company may continue to provide gunshot data to police in cities even after contracts have ended. Internal emails seen by the publications suggest ShotSpotter sensors may have stayed online despite law enforcement deals having expired, raising questions about what will happen to 2,500 microphones in Chicago when its contract runs out at the end of the year. Elsewhere, Change Healthcare finally admitted to paying a ransom to the AlphV hackers, also known as BlackCat, that extorted the medical company. Weeks ago, WIRED revealed the attackers were paid $22 million, one of the largest ransomware payments ever. However, in a statement this week the company admitted for the first time that it paid the ransom as part of its effort “to do all it could to protect patient data from disclosure.” Some of that data still found its way onto the dark web. In another successful grift, researchers have found animators in North …

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

Looking for love? Be careful what you wish for. A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no. Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images. A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the …

Roku Breach Hits 567,000 Users

Roku Breach Hits 567,000 Users

After months of delays, the US House of Representatives voted on Friday to extend a controversial warrantless wiretap program for two years. Known as Section 702, the program authorizes the US government to collect the communications of foreigners overseas. But this collection also includes reams of communications from US citizens, which are stored for years and can later be warrantlessly accessed by the FBI, which has heavily abused the program. An amendment that would require investigators to obtain such a warrant failed to pass. A group of US lawmakers on Sunday unveiled a proposal that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data that companies can collect and give US residents greater control over the personal information that is collected about them. Passage of such legislation remains far off, however: Congress has attempted to pass a national privacy law for years and has thus far failed to do so. Absent a US privacy law, you’ll need to take matters into your own hands. DuckDuckGo, …

Yogurt Heist Reveals a Rampant Form of Online Fraud

Yogurt Heist Reveals a Rampant Form of Online Fraud

The Journal’s story reveals that cargo hijacking fraud remains a serious problem—one that cost $500 million in 2023, quadruple the year before. Victims say load board operators need to do more to verify users’ identities, and that law enforcement and regulators also need to do more to address the thefts. Multifactor authentication (MFA) has served as a crucial safeguard against hackers for years. In Apple’s case, it can require a user to tap or click “allow” on an iPhone or Apple Watch before their password can be changed, an important protection against fraudulent password resets. But KrebsOnSecurity reports this week that some hackers are weaponizing those MFA push alerts, bombarding users with hundreds of requests to force them to allow a password reset—or at the very least, deal with a very annoying disruption of their device. Even when a user does reject all those password reset alerts, the hackers have, in some cases, called up the user and pretended to be a support person—using identifying information from online databases to fake their legitimacy—to social engineer …

Apple Chip Flaw Leaks Secret Encryption Keys

Apple Chip Flaw Leaks Secret Encryption Keys

The next time you stay in a hotel, you may want to use the door’s deadbolt. A group of security researchers this week revealed a technique that uses a series of security vulnerabilities that impact 3 million hotel room locks worldwide. While the company is working to fix the issue, many of the locks remain vulnerable to the unique intrusion technique. Apple is having a tough week. In addition to security researchers revealing a major, virtually unpatchable vulnerability in its hardware (more on that below), the United States Department of Justice and 16 attorneys general filed an antitrust lawsuit against the tech giant, alleging that its practices related to its iPhone business are illegally anticompetitive. Part of the lawsuit highlights what it calls Apple’s “elastic” embrace of privacy and security decisions—particularly iMessage’s end-to-end encryption, which Apple has refused to make available to Android users. Speaking of privacy, a recent change to cookie pop-up notifications reveals the number of companies each website shares your data with. A WIRED analysis of the top 10,000 most popular websites …

Automakers Are Telling Your Insurance Company How You Really Drive

Automakers Are Telling Your Insurance Company How You Really Drive

How do you know the internet has a deepfake porn problem? Just look at copyright takedown requests. WIRED found this week that Google is receiving thousands of Digital Millennium Copyright Act complaints for deepfake nudes, most of which are published by just a handful of websites. Experts say the deluge of DMCA takedown requests is evidence that Google should delist the offending sites from search. In Texas, meanwhile, a federal court upheld the state’s age-verification requirements for porn sites, which could lead to even more lawsuits. In a win for privacy advocates, Airbnb announced on Monday that it will ban the use of indoor security cameras at short-term rental properties around the world. The ban extends to outdoor areas where there is a “greater expectation of privacy,” such as saunas or outdoor showers. The company has long banned the use of hidden cameras and required hosts to tell guests where it has security cameras installed. Hosts who violate the security cam ban could have their properties removed from Airbnb. Cryptocurrency firm Binance’s troubles have gone …

Security News This Week: Russian Hackers Stole Microsoft Source Code—and the Attack Isn’t Over

Security News This Week: Russian Hackers Stole Microsoft Source Code—and the Attack Isn’t Over

For years, Registered Agents Inc.—a secretive company whose business is setting up other businesses—has registered thousands of companies to people who appear to not exist. Multiple former employees tell WIRED that the company routinely incorporates businesses on behalf of its customers using what they claim are fake personas. An investigation found that incorporation paperwork for thousands of companies that listed these allegedly fake personas had links to Registered Agents. State attorneys general from around the US sent a letter to Meta on Wednesday demanding the company take “immediate action” amid a record-breaking spike in complaints over hacked Facebook and Instagram accounts. Figures provided by the office of New York attorney general Letitia James, who spearheaded the effort, show that in 2023 her office received more than 780 complaints—10 times as many as in 2019. Many complaints cited in the letter say Meta did nothing to help them recover their stolen accounts. “We refuse to operate as the customer service representatives of your company,” the officials wrote in the letter. “Proper investment in response and mitigation …