A teenager took control of Teslas by hacking a third-party app


On Friday, Russia did the previously unthinkable: it actually arrested a bunch of ransomware operators. Not only that, but the arrests included members of the infamous REvil group, which has been behind some of the biggest attacks in recent years, including those on IT management firm Kaseya and local giant JBS. Russian President Vladimir Putin has previously given ransomware hackers a free pass. It is not yet clear whether this was a calculated political move, a sign of a wider crackdown, or both, but it is certainly a turning point.

As everyone tries to find Log4j in their systems, not an easy task even for well-resourced companies, the FTC has set strict deadlines for patching the very bad, no-good vulnerabilities in the ubiquitous logging library. It is unlikely, if not impossible, that everyone will find it in time, which says more about the fragile and opaque nature of the open source software world than about the FTC's aggressive timeline.

Telecoms around the world have opposed Apple's Private Relay, a not-quite-VPN that routes your traffic through multiple servers to give you extra anonymity. T-Mobile in the United States recently blocked it for customers who have parental control filters. It is not clear why they took these measures against Apple and not against the many, many VPNs that work indefinitely, but it may be due to the potential scale of Apple customers who could sign up for the service.

In other Apple privacy news, iOS 15 brings with it a new report that shows you which sensors your apps have access to and which domains they connect to. That is a lot of information at once; we help you understand how to read it.

North Korean hackers had a “banner year” in 2021, stealing nearly $400 million in cryptocurrency. And while Israeli spyware vendor NSO Group insists it has controls to prevent misuse of its product, dozens of journalists and activists in El Salvador had their devices infected with Pegasus, NSO's flagship product, back in November.

And that’s not all! Every week we gather all the security news that WIRED has not covered in depth. Click on the headlines to read the full stories.

A 19-year-old security researcher named David Colombo detailed this week how he managed to remotely unlock the doors, open the windows, play music, and start keyless driving on dozens of Teslas. The vulnerabilities he used to do this are not in Tesla's software itself, but in a third-party application. There are some limits to what Colombo could achieve; he could not do anything in the way of driving, speeding up, or slowing down. But he was able to gather very sensitive data on the affected vehicles. Cars are already computers, perhaps none more so than Teslas, which means they come with computer problems, like third-party software that causes big problems.

As tensions rise on the Russia-Ukraine border, someone defaced more than 70 official Ukrainian government websites this week, announcing that people need to “prepare for the worst.” Although it is tempting to assume that this is the work of the Russian government, it is not a particularly sophisticated hack despite its wide impact and visibility. (This is also not to say it was not Russia; it is simply impossible to know right now.) The White House also warned this week that Russia was planning a “false flag” to justify an invasion, so more is likely to happen.

The United States has not adopted Covid-19 contact tracing applications, although the basic functionality is built into every iOS and Android phone. Other countries, however, have seen much wider acceptance. This includes Germany, where police recently used data from the Luca contact tracing app to find out who was at a particular restaurant on a particular night in November, and used that information to identify 21 potential witnesses. Law enforcement officials said they would not use the data again after a public protest. But the incident is exactly the kind of worst-case scenario that privacy advocates have warned about, at a time when public confidence in contact tracing is more important than ever.

The developer behind two widely used open source libraries effectively smashed his own code this week, disrupting thousands of projects in the process. The changes have caused applications to print meaningless messages in an endless loop. The developer seemed motivated to make a statement about the big companies that profit from his work for free, but in the process made life quite miserable for consumers of all stripes.

