Security News This Week: The Feds Gear Up for a Privacy Crackdown

Plus: Cisco gets hit by ransomware, Twilio gets phished, a new way to fight email spammers, and much more.

It’s late summer, which means it’s Black Hat and DefCon week! Hackers, researchers, cybersecurity companies, and government officials descended on Las Vegas for two of the world’s biggest security conferences. A huge amount of news has come out of the event, and we’ve been all over it.

For starters, a researcher revealed it is possible to hack into Elon Musk’s Starlink terminals using just $25 worth of hardware. The flaw is one of the first major vulnerabilities found in the satellite internet device. And the Ofrak reverse engineering tool, which allows firmware analysis of IoT devices, was finally released—a decade after it was first announced.

Next, we detailed an anti-tracking tool that can tell whether people are following you. We looked at how Android’s red team broke into the Pixel 6 before it was released and discovered multiple critical bugs. And we examined the API flaws in some of the biggest 5G and IoT platforms that companies aren’t taking seriously enough.

There’s more: We highlighted a “disturbing” uptick in flawed software patches and notifications and a macOS vulnerability that gave a researcher full access to a machine’s files, and we exposed a zero-day vulnerability in Zoom for macOS.

Last but not least, we broke the news of the US government naming and shaming members of the Conti ransomware gang for the first time.

This week’s security news didn’t just come out of Vegas, however. Facebook handed over data to cops in June after it received a warrant in an abortion-related case, leading to criticism for not protecting more people’s messages with end-to-end encryption. Soon after those reports—although Meta says it was not related—the company rolled out more encryption on Messenger.

In recent months there’s been a rise in supply chain attacks against open source code, which makes up key parts of thousands of apps and services. However, when much of this code is downloaded it isn’t verified as official before it is used in apps. So starting this week, GitHub is moving to roll out code signing that will protect open source projects.

That’s not all though. In a news-filled week, we looked at the big takeaways from the FBI’s raid on Donald Trump’s Mar-a-Lago Florida home. As WIRED contributing editor Garrett M. Graff writes: “The bottom line of Monday’s search is that the FBI and the Justice Department must have been inordinately clear that they had the goods—and someone’s legal trouble is just beginning.” And after news broke that FBI agents were reportedly searching Mar-a-Lago for “nuclear documents,” Graff explained what the heck that might mean. According to the search warrant, Trump is under investigation for potentially obstructing a federal procedure and possibly violating the Espionage Act—a flawed law used to charge both former NSA contractor Reality Winner and WikiLeaks founder Julian Assange.

We’ve also looked at how new data rulings in Europe could stop Meta from sending data from the EU to the US, potentially prompting app blackouts across the continent. However, the decisions also have a wider impact: reforming US surveillance laws.

Also this week, a new phone carrier launched and it has a specific goal: protecting your privacy. The Pretty Good Phone Privacy or PGPP service, by Invisv, separates phone users from the identifiers linked to their devices, meaning it can’t track their mobile browsing or link them to a location. The service helps to deal with a huge number of privacy problems. And if you want to enhance your security even more, here’s how to use Apple’s new Lockdown Mode in iOS 16.

But that’s not all. Each week, we highlight the news we didn’t cover in depth ourselves. And stay safe out there.

The Federal Trade Commission this week announced it has begun the process for writing new rules around data privacy in the United States. In a statement, FTC chair Lina Khan pressed the need for strong privacy rules that rein in the “surveillance economy” that she says is opaque, manipulative, and responsible for “exacerbating … imbalances of power.” Anyone can submit rules for the agency to consider between now and mid-October. And the FTC will hold a public “virtual event” on the issue on September 8.

Communications company Twilio said this week that “sophisticated” attackers successfully waged a phishing campaign that targeted its employees. The attackers sent text messages with malicious links and included words like “Okta,” the identity management platform that itself suffered a hack by the Lapsus$ hacker group earlier this year. Twilio later said that the scheme allowed the attackers to access the data of 125 customers. But the campaign didn’t stop there: Cloudflare later disclosed that it, too, was targeted by the attackers—although they were stopped by the company’s hardware-based multifactor authentication tools. As always, be careful what you click.

Elsewhere, enterprise technology giant Cisco disclosed that it became the victim of a ransomware attack. According to Talos, the company’s cybersecurity division, an attacker compromised an employee’s credentials after gaining access to a personal Google account, where they were able to access credentials synced from the browser. The attacker, identified as part of the Yanluowang ransomware gang, then “conducted a series of sophisticated voice phishing attacks” in an attempt to trick the victim into accepting a multifactor authentication request, which was ultimately successful. Cisco says the attacker was unable to gain access to critical internal systems and was eventually removed. However, the attacker claims to have stolen more than 3,000 files totaling 2.75 GB of data.

Meta’s WhatsApp is the world’s biggest end-to-end encrypted messaging service. While it may not be the best encrypted messenger—you’ll want to use Signal for the most protection—the app prevents billions of texts, photos, and calls from being snooped on. WhatsApp is now introducing some extra features to help improve people’s privacy on its app.

Later this month, you’ll be able to leave a WhatsApp group without notifying every member that you’ve left. (Only the group admins will be alerted.) WhatsApp will also allow you to select who can and can’t see your “online” status. And finally, the company is also testing a feature that allows you to block screenshots on photos or videos sent using its “view once” feature, which destroys messages when they’ve been seen. Here are some other ways to boost your privacy on WhatsApp.

And finally, security researcher Troy Hunt is perhaps best known for his Have I Been Pwned website, which allows you to check whether your email address or phone number has been included in any of 622 website data breaches, totaling 11,895,990,533 accounts. (Spoiler: It probably has.) Hunt’s latest project is taking revenge on email spammers. He’s created a system, dubbed Password Purgatory, that encourages spammers emailing him to create an account on his website so they can work together to “truly empower real-time experiences.”

The catch? It’s not possible to meet all the password requirements. Each time a spammer tries to create an account, they’re told to jump through more hoops to create a proper password. For instance: “Password must end with dog” or “Password must not end in ‘!’” One spammer spent 14 minutes trying to create an account, attempting 34 passwords, before finally giving up with: catCatdog1dogPeterdogbobcatdoglisadog.