Hackers Keep Targeting the US Water Supply

In light of all the Facebook news lately—although frankly, when isn’t there any—you may finally be thinking about jumping ship. If so, here’s how to delete your Facebook account. You’re welcome.

That’s not all that happened this week, though! Google shed some new light on the Iranian hacking group known as APT35, or Charming Kitten, and how they use Telegram bots to let them know when a phishing lure has a nibble. Speaking of Telegram, a new report shows just how poor a job the messaging service has done keeping extremism off the platform.

There was good news for Cloudflare this week, as a judge ruled that the internet infrastructure company isn’t liable when one of its customers infringes copyrighted designs on their websites. And there was bad news for humanity, as the governor of Missouri has threatened repeatedly to sue a journalist for responsibly disclosing a security flaw he uncovered on a state website.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

In February, someone tried to poison a Florida city’s water supply by hacking into its control system and dramatically increasing the amount of sodium hydroxide. In 2020, a former employee at a Kansas water facility accessed and tampered with its controls remotely. And that’s before you even get to the four ransomware attacks that intelligence officials documented this week, in a joint warning about the ongoing threats that hackers pose to US water and wastewater facilities. The alert notes that water treatment plants tend to invest in physical infrastructure rather than IT resources, and tend to use outdated versions of software, both of which leave them susceptible to attack. Disgruntled insiders have ample access to wreak havoc, and ransomware attackers always like a target that can’t afford to stay offline for any significant period of time. While this isn’t necessarily surprising—we sounded the same warning back in April—the joint FBI/CISA/NSA/EPA memo gives new detail into how many confirmed attacks have taken place in recent months, and it offers some guidance for critical infrastructure operators on how not to be the next victim.

A comprehensive hack of Twitch recently included source code, gamer payouts, and more, causing quite a stir among streamers especially. But it’s not the biggest hack in Twitch history. That distinction belongs to a 2014 compromise, detailed by Motherboard this week, that was devastating enough that Twitch had to “rebuild much of its code infrastructure,” according to the report, because so many of its servers had likely been compromised. Inside Twitch, the hack became known as “Urgent Pizza” because of how much overtime engineers had to work—and dinners the company had to feed them—to mitigate the attack. It’s well worth a full read. 

Chances are you’ve heard this story by now, but it’s still worth including a case with allegations this wild. The Department of Justice has charged Navy nuclear engineer Jonathan Toebbe and his wife with trying to give state secrets to a foreign country; the people on the other end of the line turned out to be FBI agents. Toebbe allegedly participated in several “dead drops” of sensitive information; court documents say he hid data cards in everything from a peanut butter sandwich to a pack of gum. He allegedly offered up thousands of documents, asking for $100,000 of cryptocurrency in return.

It’s always a good idea to update all of your devices all of the time—automatically, even—but especially so when that update is specifically designed to fix a so-called zero-day bug. In this case, a security researcher had gotten so tired of Apple not crediting his submissions that last month he posted a proof-of-concept exploit and full details for four separate iOS security flaws. This is the second one to be patched, which leaves two to go. Hopefully Apple will give him a proper hat tip when it gets around to fixing those. 


Cloudflare Isn’t Liable for Sites That Hawk Counterfeits

Cloudflare is not liable for the copyright infringement of websites that use its content-delivery and security services, a federal judge ruled yesterday.

Cloudflare was sued in November 2018 by Mon Cheri Bridals and Maggie Sottero Designs, two wedding dress manufacturers and sellers that alleged Cloudflare was guilty of contributory copyright infringement because it didn’t terminate services for websites that infringed on the dressmakers’ copyrighted designs. The companies sought a jury trial, but Judge Vince Chhabria yesterday granted Cloudflare’s motion for summary judgment in a ruling in US District Court for the Northern District of California.

Chhabria noted that the dressmakers have been harmed “by the proliferation of counterfeit retailers that sell knock-off dresses using the plaintiffs’ copyrighted images” and that they have “gone after the infringers in a range of actions, but to no avail—every time a website is successfully shut down, a new one takes its place.” Chhabria continued, “In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare. The plaintiffs claim that Cloudflare contributes to the underlying copyright infringement by providing infringers with caching, content delivery, and security services. Because a reasonable jury could not—at least on this record—conclude that Cloudflare materially contributes to the underlying copyright infringement, the plaintiffs’ motion for summary judgment is denied and Cloudflare’s motion for summary judgment is granted.”

While the ruling resolves the lawsuit’s central question in Cloudflare’s favor, the judge scheduled a case management conference for October 27 “to discuss what’s left of the case.”

Hundreds of Counterfeiting Websites

The companies’ lawsuit said they “are two of the largest manufacturers and wholesalers of wedding dresses and social occasion wear in the United States” and “have developed many of the world’s most unique and original wedding and social occasion dress patterns.” They own the copyrights for those designs and for photographic images of the designs.

Most of the websites selling counterfeit versions of the dresses operate from China, the lawsuit said. In addition to Cloudflare, an amended complaint listed 500 “Doe” defendants whose real names were unknown. The lawsuit said the Cloudflare terms say that any violation of law justifies termination of service and that “CloudFlare’s policy is to investigate violations of these terms of service and terminate repeat infringers.”

The plaintiffs said they used a vendor called Counterfeit Technology to find over 365 infringing websites that are users of Cloudflare, including cabridals.com, bidbel.com, stydress.com, angelemall.co.nz, jollyfeel.com, russjoan.com, missydress.com.au, and livedressy.com. The plaintiffs said they sent Cloudflare thousands of takedown notices, and often up to four notices about the same infringing sites, but “Cloudflare has ignored these notices and takes no action after being notified of infringing content on its clients’ websites.

“Specifically, even after learning of specific, identified acts of copyright infringement by the infringing websites through plaintiffs’ takedown notices, Cloudflare continues to cache, mirror, and store a copy of the infringing websites and the infringing content on its data center servers, and to transmit upon request copies of the infringing content to visitors of the infringing websites,” the amended complaint said. “Cloudflare’s contributions allow the Internet browsers of visitors to the infringing websites to access and load the infringing websites and content much faster than if the user was forced to access the infringing websites and content from the primary host absent Cloudflare’s services.”

The plaintiffs argued that Cloudflare should have terminated caching services to these websites, blocked traffic traveling through Cloudflare’s network to the websites, “and reconfigur[ed] its firewall settings so that users trying to access the infringing domain would be redirected to a blank page.”

Cloudflare: ‘Lawsuit Based on a Fundamental Misunderstanding’

Cloudflare argued that the plaintiffs “brought this lawsuit based on a fundamental misunderstanding of Cloudflare’s services, the contributory copyright infringement doctrine, and the Digital Millennium Copyright Act, all in pursuit of a statutory damages windfall that has nothing to do with the harm they claim to have suffered.” A victory for the plaintiffs would amount to “an expansion of the contributory infringement doctrine far beyond its established limits,” Cloudflare told the court.

Cloudflare continued: “Cloudflare is nothing like the search engines and peer-to-peer networks that the [US Court of Appeals for the] Ninth Circuit has found ‘significantly magnify otherwise immaterial infringements.’ Whereas Cloudflare’s services protect against malicious attacks and at most confer a split-second advantage to the loading time of a website someone is already visiting, the services previously considered by the Ninth Circuit actually helped visitors find infringing material they otherwise never would have found. There also is no ‘simple measure’ that Cloudflare failed to take to prevent further infringements in this case. Unlike hosting providers, Cloudflare could not remove allegedly infringing material from the Internet, and there is no question that those images would have remained available and equally accessible on the accused websites without Cloudflare’s services.” 

Cloudflare Is Taking a Shot at Email Security

Cloudflare, the internet infrastructure company, already has its fingers in a lot of customer security pots, from DDoS protection to browser isolation to a mobile VPN. Now the company is taking on a classic web foe: email.

On Monday, Cloudflare is announcing a pair of email safety and security offerings that it views as a first step toward catching more targeted phishing attacks, reducing the effectiveness of address spoofing, and mitigating the fallout if a user does click a malicious link. The features, which the company will offer for free, are mainly geared toward small business and corporate customers. And they’re made for use on top of any email hosting a customer already has, whether it’s provided by Google’s Gmail, Microsoft 365, Yahoo, or even relics like AOL. 

Cloudflare CEO Matthew Prince says that from its founding in 2009, the company very intentionally avoided going anywhere near the thorny problem of email. But he adds that email security issues are unrelenting, so it has become necessary. “I think what I had assumed is that hosting providers like Google and Microsoft and Yahoo were going to solve this issue, so we weren’t sure there was anything for us to do in the space,” Prince says. “But what’s become clear over the course of the last two years is that email security is still not a solved issue.”

Prince says that Cloudflare employees have been “astonished by how many targeted threats were getting through Google Workspace,” the company’s email provider. That’s not for lack of progress by Google or the other big providers on anti-spam and anti-malware efforts, he adds. But with so many types of email threats to deal with at once, strategically crafted phishing messages still slip through. So Cloudflare decided to build additional defense tools that both the company itself as well as its customers could use.

On Monday, the company is launching two products: Cloudflare Email Routing and Email Security DNS Wizard. The tools let customers place Cloudflare in front of their email hosting provider, essentially allowing Cloudflare to receive and process emails before sending them through to the Microsofts and Googles of the world. This is somewhat similar to Cloudflare’s long-standing role as a “content delivery network” for websites, in which the company is a proxy that can serve data or catch malicious activity as web traffic passes through. 

Cloudflare Email Routing makes it possible for individuals or organizations to manage an entire custom email domain, like @coolbusiness.com, from a single consumer email account, such as a personal Gmail address. The tool even lets you consolidate many addresses—boss@coolbusiness.com, help@coolbusiness.com—so they all forward to a single inbox. This way, small businesses in particular can get the benefits of a dedicated, custom email domain without having to manage a whole separate platform. 

The second tool, Security DNS Wizard, aims to make two email security features accessible for Cloudflare customers and easy to use. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two tools that are essentially a combination of caller ID and screening schemes for email: They aim to reduce email address spoofing by setting up public records that must match an email’s sender information for the message to go through. This significantly reduces how easy it is for attackers to, say, send an email to employees that really looks like it comes from “Cool Business CEO.”

SPF and DKIM have been around for more than a decade, but they aren’t ubiquitous, because they are difficult to set up without mistakes that can result in problems like legitimate emails getting lost. Cloudflare’s goal with Email Security DNS Wizard is to make it easy for users to set up one or the other protection without any flubs.
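To make the SPF half of that description concrete, here is a small receiving-side evaluator written for this article; it is not Cloudflare’s code or the wizard’s logic. It resolves a sender domain’s published `v=spf1` record against the connecting IP, the way a receiving mail server does, using a constructed in-memory zone in place of live DNS. The domains and addresses (`coolbusiness.com`, `mail.example`, `weak.example`, `forgotten.example`, `loop.example`, `nospf.example`, and the 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 ranges) are hypothetical. It also shows the two ways a hand-written record goes wrong that the paragraph alludes to: a record that authorizes everyone (`+all`) gives no protection, and a record that forgets a legitimate sending host causes genuine mail to fail.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS zone.

Added example, not Cloudflare's code: shows what a receiving server does when
it checks whether the connecting IP may send for the envelope-from domain.
"""
import ipaddress

# Constructed TXT records standing in for live DNS lookups (hypothetical domains).
FAKE_DNS_TXT = {
    "coolbusiness.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example -all",
    "mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "weak.example": "v=spf1 ip4:203.0.113.5 +all",        # mistake: +all authorizes everyone
    "forgotten.example": "v=spf1 ip4:203.0.113.5 -all",   # mistake: outsourced mail host omitted
    "loop.example": "v=spf1 include:loop.example -all",    # mistake: self-referencing include
    "nospf.example": "",                                   # no SPF record published
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying mechanisms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_term(term):
    """Separate the qualifier (default '+') from a mechanism such as '-all' or 'ip4:...'."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, _lookups=None):
    """Return the SPF result for sender_ip claiming to send on behalf of domain.

    Results follow RFC 7208 names: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; anything else is a permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier, name, arg = _split_term(term)
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, sender_ip, dns, lookups)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"  # include matches only when the inner record passes
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def audit_spf(domain, dns=FAKE_DNS_TXT):
    """Flag record-level mistakes of the kind a setup wizard exists to prevent."""
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return ["no SPF record: receivers cannot reject spoofed mail"]
    warnings = []
    terms = [_split_term(t) for t in record.split()[1:]]
    if not any(name == "all" for _q, name, _a in terms):
        warnings.append("no 'all' mechanism: unmatched senders get 'neutral'")
    for qualifier, name, _a in terms:
        if name == "all" and qualifier in ("+", "?"):
            warnings.append(f"'{qualifier}all' permits any sender: record is ineffective")
    if check_spf(domain, "192.0.2.1", dns) == "permerror":
        warnings.append("evaluation ends in permerror (lookup limit or unsupported syntax)")
    return warnings


if __name__ == "__main__":
    for dom, ip in [("coolbusiness.com", "203.0.113.77"), ("coolbusiness.com", "192.0.2.1"),
                    ("weak.example", "192.0.2.1"), ("forgotten.example", "198.51.100.10")]:
        print(f"{ip:>16} for {dom:<20} -> {check_spf(dom, ip)}")
    for dom in FAKE_DNS_TXT:
        print(dom, audit_spf(dom))
```

The two failure modes sit side by side in the zone: `weak.example` passes any IP on the internet, so a spoofed “Cool Business CEO” message sails through, while `forgotten.example` returns `fail` for mail sent from the outsourced provider at 198.51.100.10, which is exactly how legitimate mail gets dropped. The `include:` lookup counter matters in practice too: SPF records that chain through several providers can exceed the ten-lookup limit and silently turn into a permerror.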

Even the CIA and NSA Use Ad Blockers to Stay Safe Online

Everything old was new again this week as ransomware came roaring back into the headlines, hitting a crucial Iowa grain cooperative, among other targets. And WIRED sat down with DeSnake, the former number two of the dark web marketplace AlphaBay, to hear about his reemergence and relaunch of AlphaBay four years after its takedown by law enforcement. “AlphaBay name was put in bad light after the raids. I am here to make amends to that,” DeSnake said.

The Groundhog Day vibes continued with the annual release of Apple’s latest mobile operating system, iOS 15. The new OS comes with a slew of privacy features, including more granular details about what your apps are up to, a mechanism to block email trackers, and a sort of VPN-Tor Frankenstein monster called iCloud Private Relay that protects your browsing activity. Use WIRED’s handy guide to get up to speed and start changing some settings.

And if you want a DIY project that isn’t tied to a tech company’s walled garden, we’ve got tips on how to set up your own network attached storage (NAS) that plugs straight into your router and gives you a place to share files between your devices or easily store backups.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

A letter to Congress shared with Motherboard shows that the US National Security Agency, the Central Intelligence Agency, and other members of the Intelligence Community use ad blockers on their networks as a security protection. “The IC has implemented network-based ad-blocking technologies and uses information from several layers, including Domain Name System information, to block unwanted and malicious advertising content,” the IC chief information officer wrote in the letter.

You may use an ad blocker to make your browsing experience more pleasant, but the tools also have potential defense benefits. Attackers who try to run malicious ads on unscrupulous ad networks or taint legitimate-looking ads can steal data or sneak malware onto your device if you click, or sometimes by exploiting web vulnerabilities. The fact that the IC views ads as an unnecessary risk and even a threat speaks to long-standing problems with the industry. The NSA and Cybersecurity and Infrastructure Security Agency have released public guidance in recent years advising the use of ad blockers as a security protection, but the IC itself wasn’t required to adopt the measure. Its members deployed ad blockers voluntarily.

The security division of Russian telecom giant Rostelecom took down a portion of a notorious botnet this week, thanks to a flaw introduced by the malicious platform’s developers. The error allowed Rostelecom to “sinkhole” part of the system. A botnet is a zombie army of devices that have been infected with malware so they can be centrally controlled for coordinated operations. The platforms are often used for DDoS attacks, in which actors direct a firehose of junk traffic at a target’s web systems in an attempt to overload them.

The Meris botnet is currently the largest botnet available to cybercriminals and is thought to be made up of about 250,000 systems working collectively. It has been used against targets in Russia, the United States, and the United Kingdom, among others. The Rostelecom partial takedown is significant, because Meris attacks are powerful and challenging for targets to combat. Earlier this month, a Meris attack on the Russian tech giant Yandex broke the record for largest-ever volumetric DDoS attack. Yandex managed to defend itself against the assault.

European law enforcement in Italy and Spain have arrested 106 people on suspicion of running a massive fraud campaign over many years, with profits totaling more than $11.7 million in the last year alone. And police said this week that the individuals involved have ties to an Italian mafia group. The suspects allegedly ran phishing schemes, conducted business email compromise scams, launched SIM-swapping attacks, and generally perpetrated credit card fraud against hundreds of victims. The activity was also allegedly connected to drug trafficking and other property-related crimes. To actually extract funds from these digital scams, the suspects allegedly laundered stolen money through a system of money mules and shell companies. In addition to the arrests, law enforcement froze 118 bank accounts and seized computers, SIM cards, 224 credit cards, and an entire cannabis plantation in connection with the bust.


Apple and Google Go Further Than Ever to Appease Russia

As voting began on Friday for Russia’s lower house of parliament or State Duma, Google and Apple quietly pulled a beleaguered anti-establishment voting app from their app stores. It’s just the latest in a series of concessions that Apple in particular has made to the Kremlin—whose demands seem likely to become only more aggressive from here.

As the tech industry grapples with how to address a host of complicated human rights and safety issues, the incident underscored the uncomfortable compromises that many tech companies strike in order to operate in certain regions, as well as the increasingly brazen demands of authoritarian governments.

The Russian government had pressured Apple and Google to take down the voting app for weeks, threatening fines and even accusing the companies of illegal election interference. Created by associates of imprisoned opposition leader Aleksei Navalny, it offered recommendations across each of Russia’s 225 voting districts for candidates with the best shot of defeating the dominant United Russia party in each race. Voting is open through the weekend, but the app is no longer available for download and misleading imposter apps have already started to pop up in its place.

Representatives from the two tech companies met with Russian Federation Council officials on Thursday, according to the Associated Press, after which the Council said in a statement that Apple would comply with the takedown demand. A person with knowledge of Google’s decision to remove the app said that Russian authorities threatened specific Google employees with serious criminal charges and prosecution, forcing the company’s hand.

Apple did not respond to a request for comment from WIRED. Google declined to comment.

“Removing the Navalny app from stores is a shameful act of political censorship,” tweeted Ivan Zhdanov, a Navalny ally, on Friday. Zhdanov also tweeted a purported screenshot of an email from Apple to the creators of the voting app that described Navalny’s opposition movement and its backers as “extremists,” and said that the app “includes content that is illegal in Russia.”

Apple also reportedly disabled its new iCloud Private Relay feature, which masks users’ IP addresses and browsing activity to counter mass surveillance, in Russia today. The service, currently available in beta, was never offered in countries like China, Saudi Arabia, the Philippines, and Belarus for “regulatory reasons,” but had launched in Russia.

The action Russia took against the voting app is part of a larger trend. In April, iPhones and other iOS devices sold in Russia started coming with an extra step in the setup process that prompts users to install a list of apps from Russian developers. The apps aren’t pre-installed and users can choose not to download them, but Apple made the change as a concession to Russian law.

And it’s not just Russia that’s making increasingly restrictive demands. Along with its Great Firewall, the Chinese government has long exercised significant control over how international tech companies operate in the country, including a requirement that all foreign services run on servers that are both owned by Chinese cloud companies and located in China. India has also increasingly forced international tech companies including Twitter and Facebook to make privacy-eroding compromises. But something so baldly political as the takedown of a voting guide app is an alarming and dangerous new frontier.

The episode also comes on the heels of a separate Apple controversy over a company plan to scan for child sexual abuse material directly on users’ iPhones and iPads in addition to in iCloud. Apple has now delayed the project after privacy and security advocates argued that such a service could be abused by foreign governments demanding that Apple access customer data. The company had said firmly that it would not comply with any such demands.