Top 30 vulnerabilities include many usual suspects
This week, WIRED reported an alarming phenomenon of real warships whose location is rigged by an unknown disbeliever. Over the past few months, dozens of ships have appeared to be crossing contested waters when they were in fact hundreds of miles away. The disinformation came in the form of simulated AIS tracking data, which appears on aggregation sites like MarineTraffic and AISHub. It’s unclear who is responsible, or how exactly they are doing, but it does hold a game dangerously close to barrels of gunpowder in Crimea and elsewhere.
Speaking of controversy, a pair of researchers this week released a tool to the world that crawls every website for vulnerabilities at hand (think SQL injections and cross-site scripting) and makes the results not only public, but searchable. This is actually the second iteration of the system, known as the Punkspider; they closed the first one after numerous complaints to their hosting provider. Much of the same criticism remains this time around, leaving Punkspider’s long-term fate in doubt.
Apple is promoting itself as the most privacy-friendly large tech company, and it has done a lot to back that claim. But this week we took a look at a major step towards consumer privacy that the company is decidedly not taking: implementing global privacy controls that would allow Safari and iOS users to automatically stop most tracking. .
Our colleagues in the UK also spoke with a cam girl named Coconut Kitty who uses digital effects to make herself look younger live. In many ways, this could be the future of adult content, which has potential repercussions far beyond just that one Only Fans account.
And there’s more. Each week, we put together all the security news that WIRED hasn’t covered in depth. Click on the titles to read the full stories and stay safe.
A joint opinion from law enforcement agencies in the United States, United Kingdom and Australia this week identified the 30 most frequently exploited vulnerabilities. Perhaps unsurprisingly, the list includes a preponderance of flaws that were disclosed years ago; everything on the list has a fix available for anyone who wants to install it. But as we’ve written over and over again, many companies are slow to roll out for all kinds of reasons, whether it’s resources, know-how, or unwillingness to adapt. downtime often required for a software update. Given how many of these vulnerabilities can cause remote code execution (which you don’t want), hopefully they’ll start making fixes a priority.
An app called Doxcy billed itself as a dice game, but it actually gave anyone who downloaded it access to content from Netflix, Amazon Prime, and more once they entered a password into it. the search bar. Apple has removed the app from the App Store after Gizmodo inquires, but you probably shouldn’t have installed it anyway; it was riddled with ads and likely mishandled your data. All in all, you had better pay a subscription.
In early July, the Iranian rail system suffered a cyberattack that looked a lot like an elaborate troll; hackers posted messages on screens suggesting passengers to call Supreme Leader Khamenei’s office for help. Further inspection by security firm SentinelOne, however, shows that the malware was in fact a wiper, designed to destroy data rather than just hold it hostage. The malware, which researchers call Meteor, appears to have come from a new threat actor, and it lacked some degree of finishing. Which is happy for whoever they decide to target next.
Last week, Amnesty International and more than a dozen other organizations released a report on how authoritarian governments abused NSO Group spyware to spy on journalists and political rivals. Shortly after, the Israeli government visited the offices of the famous surveillance provider in that country. The NSO group has repeatedly and forcefully denied Amnesty International’s report, but national pressure appears to have intensified after names like French President Emmanuel Macron appeared on a list of potential spyware targets.
The Justice Department revealed on Friday that Cozy Bear, the hackers behind the SolarWinds hack and other sophisticated spy campaigns, also broke into at least one email account in 27 US prosecutor’s offices. Last year. Eighty percent of email accounts used at the four New York-based US attorney’s offices have been compromised. The campaign likely gave them access to all kinds of sensitive information, which the Russian government will surely use responsibly.
More great WIRED stories