On Friday, Russia did the previously unthinkable: it arrested a group of ransomware operators. Not only that, but they were members of the notorious REvil group, which has been behind some of the biggest attacks of the past several years, including those on IT management firm Kaseya and meat giant JBS. Russian President Vladimir Putin has given ransomware hackers a free pass. It is not yet clear whether this is a calculated political move, a sign of a broader crackdown, or both, but it is certainly a watershed moment.
While everyone is scrambling to find Log4j in their systems – not an easy task even for well-resourced companies – the FTC has set strict deadlines for patching the very bad, not-so-good vulnerabilities in the ubiquitous logging library. It will be unlikely, if not impossible, for everyone to find it in time, which speaks more to the fragile and opaque nature of the open source software world than to the FTC’s strict timetable.
Carriers around the world have pushed back against Apple’s Private Relay, a not-quite-VPN service that bounces your traffic through two servers to give you more anonymity. T-Mobile in the US recently blocked it for customers with parental control filters. It’s not clear why they’re taking those actions against Apple and not the many, many VPNs that operate without restrictions, but it could have something to do with the potential volume of Apple customers who could sign up for the service.
In other Apple privacy news, iOS 15 brought with it a new report that shows you which sensors your apps access and which domains they connect to. It’s a lot of information at once; we help break down how to read it.
North Korean hackers had a “significant year” in 2021, stealing nearly $400 million in cryptocurrency. And while the Israeli spyware company NSO Group insists it has controls in place to prevent abuse of its product, dozens of journalists and activists in El Salvador had their devices infected with Pegasus, NSO’s signature product, as recently as November.
And that’s not all! Each week we round up all the security news that WIRED hasn’t covered in depth. Click on the titles to read the full stories.
A 19-year-old security researcher named David Colombo detailed how he was able to remotely unlock doors, open windows, blast music, and start keyless driving on dozens of Tesla cars. The vulnerabilities he exploited to do this are not in the Tesla software itself, but in a third-party app. There are limits to what Colombo could achieve; he couldn’t do anything in the way of steering, speeding up, or slowing down. But he managed to gather a lot of sensitive data about the affected vehicles. Cars are computers now, perhaps none more so than Teslas, which means that they come with computer problems, like third-party software that causes major trouble.
With tensions rising along the Russia-Ukraine border, someone defaced more than 70 official Ukrainian government websites this week, placing a notice that people should “prepare for the worst”. While it’s tempting to assume this was the work of the Russian government, this isn’t a particularly complicated hack despite its widespread influence and visibility. (This also does not mean that it was not Russia; it’s impossible to know now.) The White House also warned this week that Russia was planning “pseudo-science” to justify the invasion, so more is expected to come on the matter.
The US has not adopted Covid-19 contact tracing apps even though basic functions are built into every iOS and Android phone. However, other countries have experienced much wider adoption. This includes Germany, where police recently used data from the contact-tracing app Luca to see who was at a particular restaurant on a specific night in November, and used that information to identify 21 potential witnesses. Law enforcement said it would not use this data any more after a public outcry. But the incident represents exactly the kind of worst-case scenario that privacy advocates have warned of, at a time when public confidence in contact tracing is more important than ever.
The developer responsible for two widely used open source libraries effectively broke his own code this week, disabling thousands of projects in the process. The changes caused applications to print meaningless messages in an infinite loop. The developer seemed eager to make a statement about the big companies that profit from his work for free, but in the process he made life pretty miserable for users from all walks of life.