Who pulled off the Twitter hack?


On Wednesday, an unprecedented Twitter hack saw the accounts of Elon Musk, Barack Obama, Joe Biden, Jeff Bezos, Bill Gates, Apple, Uber and more fall into the hands of attackers, who used that access to … push a bitcoin scam? It was a very bad day, but Twitter is lucky it wasn’t much, much worse.

Elsewhere, Iranian hackers did an oopsie. IBM researchers recovered five hours of video in which APT35, also known as Charming Kitten, recorded itself pulling data from hacked email accounts and offering training tips on how to do so. Researchers also found a 17-year-old bug in Windows DNS that is “wormable,” meaning it could spread across a network without human interaction. Microsoft released a patch, which I hope you have already applied if it applies to you. We also take a look at the “rental DDoS” schemes that have fueled a new wave of attacks and territorial wars online.

A new map from the Electronic Frontier Foundation shows what kind of surveillance (drones, facial recognition, and more) the police use in your city. New F-Secure research shows how counterfeit Cisco equipment could let motivated attackers cause serious mayhem. And we look again at an old debate: whether TikTok really represents a threat to the security of the United States.

Russian hackers are targeting Covid-19 vaccine research. A new smart device will prevent Alexa from spying on you. And if you’re somehow still not using two-factor authentication, here’s why and how you should be.

And there is more! Every Saturday we collect security and privacy stories that we did not break or report in depth, but that we think you should know about. Click on the headlines to read them, and stay safe out there.

In the wake of the aforementioned Twitter hack, an online evidence trail has pointed to some of the people at the center of this disaster. As WIRED previously reported, the original goal appears to have been to capture short usernames, which are prized in the SIM swapping community. Independent cybersecurity journalist Brian Krebs dug into posts on an account hacking forum called OGusers this week, which along with other breadcrumbs indicate that a prominent SIM swapper was involved in Wednesday’s incident. The New York Times followed by interviewing two people allegedly linked to the security meltdown, who named a hacker known only as “Kirk” as the central player. They also suggested that Kirk initially gained access to the Twitter admin panel by first getting into a Twitter employee’s Slack account. More details will surely come out in the coming days; the FBI is investigating, and Twitter has said it will share the results of its ongoing investigation when it can.

Last fall, Facebook-owned WhatsApp filed a lawsuit against well-known spyware vendor NSO Group for allegedly providing malware used to hack 1,400 WhatsApp users. The case rests on a complicated legal argument, but the messaging company cleared a major hurdle this week when a judge ruled that the case could proceed on the grounds WhatsApp cited. NSO Group continues to deny the allegations.

Virtual private networks are wonderful tools that let you surf the internet without being spied on by your internet service provider or other third parties. They also require an excessive amount of trust in the VPN provider itself, since it can in principle see and track everything you do. Which brings us to the Hong Kong-based UFO VPN, which reportedly exposed millions of user logs, records of its users’ online activity, despite advertising that it kept no logs at all. Comparitech reported finding 894 GB of unprotected data in Elasticsearch databases. It’s hard to say you can trust any VPN 100 percent, but here are some WIRED favorites that pass the smell test.

Since 2016, US and EU companies have been able to share data across the Atlantic with little bureaucracy, thanks to an agreement known as Privacy Shield. This week, the Court of Justice of the European Communities ruled that Privacy Shield does not comply with the EU’s latest privacy legislation. While at first this looks like a victory for privacy rights, in practice the amount of data flowing is likely to stay the same; there will simply be more hurdles to clear as it crosses the Atlantic. Apparently, your data is too valuable for companies on either side to give up, not that you ever see a penny for it.
