What Is Zero Trust? It Depends What You Want to Hear

Confusion about the real meaning and purpose of zero trust makes it harder for people to implement the ideas in practice. Proponents are largely in agreement about the overall goals and purpose behind the phrase, but busy executives or IT administrators with other things to worry about can easily be led astray and end up implementing security protections that simply reinforce old approaches rather than ushering in something new.

“What the security industry has been doing for the past 20 years is just adding more bells and whistles—like AI and machine learning—to the same methodology,” says Paul Walsh, founder and CEO of the zero trust-based anti-phishing firm MetaCert. “If it’s not zero trust it’s just traditional security no matter what you add.”

Cloud providers in particular, though, are in a position to bake zero trust concepts into their platforms, helping customers adopt them in their own organizations. But Phil Venables, chief information security officer of Google Cloud, notes that he and his team spend a lot of their time talking to clients about what zero trust really is and how they can apply the tenets in their own Google Cloud use and beyond.

“There’s quite a lot of confusion out there,” he says. “Customers say, ‘I thought I knew what zero trust was and now that everyone is describing everything as zero trust I understand it less.’”

Other than agreeing on what the phrase means, the biggest obstacle to zero trust’s proliferation is that most infrastructure currently in use was designed under the old moat-and-castle networking model. There’s no easy way to retrofit those types of systems for zero trust since the two approaches are so fundamentally different. As a result, implementing the ideas behind zero trust everywhere in an organization potentially involves significant investment and inconvenience to rearchitect legacy systems. And those are precisely the types of projects that are at risk of never getting done.

That makes implementing zero trust in the federal government—which uses a hodgepodge of vendors and legacy systems that will take massive investments of time and money to overhaul—particularly daunting, despite the Biden administration’s plans. Jeanette Manfra, former assistant director for cybersecurity at CISA who joined Google at the end of 2019, saw the difference firsthand moving from government IT to the tech giant’s own zero trust-focused internal infrastructure.

“I was coming from an environment where we were investing just a tremendous amount of taxpayer dollars into securing very sensitive personal data, mission data, and seeing the friction you experienced as a user, especially in the more security-oriented agencies,” she says. “That you could have more security and a better experience as a user was just mind-blowing for me.”

Which is not to say that zero trust is a security panacea. Security professionals who are paid to hack organizations and discover their digital weaknesses—known as “red teams”—have started studying what it takes to break into zero trust networks. And for the most part, it’s still easy enough to simply target the portions of a victim’s network that haven’t yet been upgraded with zero trust concepts in mind.

“A company moving its infrastructure off-premises and putting it in the cloud with a zero trust vendor would close some traditional attack paths,” says longtime red teamer Cedric Owens. “But in all honesty I have never worked in or red-teamed a full zero trust environment.” Owens also emphasizes that while zero trust concepts can be used to materially strengthen an organization’s defenses, they aren’t bulletproof. He points to cloud misconfigurations as just one example of the weaknesses companies can unintentionally introduce when they transition to a zero trust approach.

Manfra says that it will take time for many organizations to fully grasp the benefits of the zero trust approach over what they’ve relied on for decades. She adds, though, that the abstract nature of zero trust has its benefits. Designing from concepts and principles rather than particular products lends a flexibility, and potentially a longevity, that specific software tools don’t. 

“Philosophically it seems durable to me,” she says. “Wanting to know what and who are touching what and whom in your system are always things that will be useful for understanding and defense.”
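The contrast the article draws between the moat-and-castle model and zero trust, as an added Python example that is not code from WIRED or from any of the companies quoted. It evaluates the same constructed requests under both models: the perimeter policy trusts anything arriving from an assumed internal address range, while the zero trust policy checks identity, device posture and entitlement on every request and never looks at the source network. The user directory, device inventory, resource entitlements and sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address range for the "castle" (constructed for this example).
CORPORATE_NETWORK = ip_network("10.0.0.0/8")

# Constructed identity directory, managed-device inventory and resource entitlements.
USERS = {
    "alice": {"groups": {"finance"}},
    "bob": {"groups": {"eng"}},
}
MANAGED_DEVICES = {
    "laptop-0042": {"disk_encrypted": True, "patched": True},
    "laptop-0077": {"disk_encrypted": True, "patched": False},
}
RESOURCE_ACL = {
    "payroll-db": {"finance"},
    "build-server": {"eng"},
}


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str      # "" when the device is not in the inventory
    src_ip: str
    resource: str
    mfa_verified: bool  # whether this session completed a strong auth step


def perimeter_decision(req):
    """Moat-and-castle: a request is trusted because of where it comes from."""
    return "allow" if ip_address(req.src_ip) in CORPORATE_NETWORK else "deny"


def zero_trust_decision(req):
    """Zero trust: identity, device posture and entitlement are checked on
    every request; the source network is deliberately not an input.
    Returns (decision, reason)."""
    user = USERS.get(req.user)
    if user is None:
        return ("deny", "unknown identity")
    if not req.mfa_verified:
        return ("deny", "strong authentication required")
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None:
        return ("deny", "unmanaged device")
    if not (device["disk_encrypted"] and device["patched"]):
        return ("deny", "device posture check failed")
    if not user["groups"] & RESOURCE_ACL.get(req.resource, set()):
        return ("deny", "not entitled to resource")
    return ("allow", "identity, device and entitlement verified")


# Constructed sample traffic: the same resource requested from different
# locations, devices and identities.
SAMPLE_REQUESTS = [
    Request("alice", "laptop-0042", "10.1.2.3", "payroll-db", True),      # inside, healthy device
    Request("alice", "laptop-0042", "203.0.113.5", "payroll-db", True),   # remote, healthy device
    Request("alice", "", "10.1.2.9", "payroll-db", True),                 # inside, unmanaged device
    Request("alice", "laptop-0077", "10.1.2.3", "payroll-db", True),      # inside, unpatched device
    Request("bob", "laptop-0042", "10.1.2.3", "payroll-db", True),        # inside, wrong entitlement
]


def compare(requests=SAMPLE_REQUESTS):
    """Return one (perimeter_decision, zero_trust_decision, reason) row per request."""
    rows = []
    for req in requests:
        zt, reason = zero_trust_decision(req)
        rows.append((perimeter_decision(req), zt, reason))
    return rows


if __name__ == "__main__":
    for req, (perim, zt, reason) in zip(SAMPLE_REQUESTS, compare()):
        who = f"{req.user}@{req.device_id or '<unmanaged>'} from {req.src_ip}"
        print(f"{who:45} perimeter={perim:5} zero_trust={zt:5} ({reason})")
```

The second sample row is the point Manfra makes about friction: the remote request from a verified user on a healthy device is refused by the perimeter model but allowed under zero trust, while the three requests that the perimeter model waves through from inside the network are each refused for a specific, loggable reason.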


A Texas Abortion ‘Whistleblower’ Site Still Can’t Find a Host

Under a recently passed Texas law, private citizens can sue anyone involved in helping a person receive an abortion in the state after the sixth week of pregnancy. In response, an anti-abortion group called Texas Right to Life set up a website designed to collect anonymous information about any alleged infractions. Or, at least, it tried to. So far, no company has been willing to host it.

The fate of prolifewhistleblower.com remains uncertain, and its absence from the internet does not negate the Texas law or its impacts. But in recent years, internet infrastructure giants have begun to draw blurry lines around who they’re willing to have as customers, a sometimes murky process exemplified by the travails of far-right social media network Parler. In contrast, prolifewhistleblower.com offers a rare example of consensus about what constitutes acceptable behavior online.

The site did make a brief appearance on the internet, launching last Wednesday, but had an ignominious start. First, a small army of TikTok and Reddit users flooded the reporting mechanism with false claims in an attempt to overwhelm the system. By Saturday, the web hosting service GoDaddy had terminated its relationship with the site for violating the company’s terms of service, which explicitly forbid collecting identifying information about third parties without their prior consent.

“The big thing is that in some cases services should warn the user and give them a chance to cure,” says Whitney Merrill, a privacy and data protection lawyer and former Federal Trade Commission attorney. “Like how GoDaddy warned the site owner that they were doing something in violation of the terms. That’s not a legal requirement, just a good business practice in my mind.”

Texas Right to Life then registered the site with the notorious service provider Epik, which has been known to offer safe haven to contentious platforms like Parler and Gab. But Epik never offered to host prolifewhistleblower.com content, only a way to register the site’s domain. On Saturday evening, prolifewhistleblower.com simply started redirecting to the Texas Right to Life homepage rather than reviving its previous incarnation as a tip submission system.

“We contacted the owner of the domain, who agreed to disable the collection of user submissions on this domain,” Epik said in a statement on Saturday. In other words, Epik will act as prolifewhistleblower.com’s registrar so long as it’s only redirecting to the group’s main site. If it resumes collecting third-party data, Epik will pull its registration.

Texas Right to Life spokesperson Kim Schwartz offers a different assessment of the situation. “Prolifewhistleblower.com is currently forwarding to TexasRightToLife.com because we’re establishing extra security protocols to protect our users before we put it back up,” she said in a statement Monday evening. She added that the site has lined up a new host, but is not saying which hosting company “for security reasons.”

As of Wednesday afternoon, though, the URL continued to redirect to the Texas Right to Life homepage. And given that the site’s entire premise is gathering information about people who may have helped facilitate an abortion in Texas—an inherent violation of basic third-party data collection protections—it seems unlikely to find a way to come into compliance. 

The situation evokes past conflicts in which internet infrastructure providers have withdrawn hosting, DDoS protection, or other support for extremist sites, causing them to go offline permanently or until they can find new providers. Cloudflare, for example, has grappled with decisions about how to remain neutral and protect speech rights while taking action in extreme cases. The company dropped support for white supremacist and otherwise controversial platforms like the Daily Stormer in 2017 and 8chan in 2019.

BrakTooth Flaws Affect Billions of Bluetooth Devices

When Apple announced in August that it would check for child sexual abuse materials on its customers’ devices, privacy advocates and cryptographers immediately and loudly rejected the idea. In the face of that sustained backlash, the company said Friday that it would stand down, at least for now. While Apple hasn’t reversed course completely, many of its critics were at least relieved that it’s taking more time to hear out their concerns before pushing the system live.

In Louisiana, hundreds of thousands of people remain without power several days after Hurricane Ida tore through. We took a look at what it takes to get lights back on in New Orleans and the surrounding parishes, and why it could be weeks still until everyone’s back up and running.

Happy Labor Day weekend to those who celebrate! Well, except for ransomware gangs and other hackers, who use long weekends and holidays to inflict maximum pain on targets who are likely to be short-staffed or distracted. The biggest ransomware hacks of the year have taken place before Mother’s Day, Memorial Day, and the Fourth of July. Like clockwork, not long after we published this story US Cyber Command warned of a “mass exploitation” of a flaw in remote management software from Atlassian. Hope you got your patches done! On a more individual level, here’s a guide from our friends at WIRED UK to help prevent getting hacked yourself.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

We’ve written about big Bluetooth flaws so many times, not to mention why they keep happening and why you might want to turn Bluetooth off when you’re not using it as a result. Which is to say that the existence of a new set of flaws, known collectively as BrakTooth, should not be surprising. But it also shouldn’t be ignored; the vulnerabilities can lead to a range of outcomes, up to and including the ability to execute malware on a device. On a less destructive but still annoying level, an attacker could use the flaws to crash a nearby Bluetooth device. Given the huge number of affected companies, it’s impossible to know how many potential targets are patched or ever will be. Add BrakTooth to the increasingly alarming pile.

The FTC this week banned a company called SpyFone from selling surveillance software, a first for the agency. It took the additional step of ordering SpyFone to notify anyone who had the spyware installed on their device. The app and others like it can give stalkers and abusers a way to monitor a victim’s photos, texts, emails, location, and more. The FTC ordered the company to delete any of that information it may still have on its servers. Spyware remains a bustling industry in general, so the FTC should have no shortage of opportunities for further enforcement.

Speaking of enforcement! Ireland’s Data Protection Commission fined WhatsApp the equivalent of close to $270 million for not properly informing European Union residents what it does with their data. The ruling relates to WhatsApp’s longstanding practice of sharing user data with parent company Facebook, which many people were surprised to discover when the secure messaging company finally got around to updating its privacy policy earlier this year. The ruling gives WhatsApp three months to come into compliance with the EU’s General Data Protection Regulation; WhatsApp has said it will appeal the decision.

The OMG cable, first introduced in 2019, is something of a hacker’s delight. While it looks like a normal Lightning cable, it creates its own hotspot, allowing hackers to connect to any device that it plugs into. From there, they can implant malware, steal data, or record keystrokes. The latest version, demonstrated this week, comes in new formats like Lightning to USB-C and USB-C to USB-C, has a wider range, and introduces geofencing features. You should only be using cables from trusted sources anyway, but let this be a reminder.


California Man Stole 620,000 iCloud Photos in Search of Nudes

There’s a lot to worry about in the world today, so apologies in advance for this additional level of existential stress: New research indicates that in the event of a solar superstorm—the kind that hit in 1859—the internet could go down entirely, and take even longer than the power grid to restore. The risk lies primarily in the undersea cables that connect continents, which are inconsistently grounded and rely on components that a geomagnetic surge could disrupt. While solar storms of that magnitude are rare, they do happen—and internet infrastructure has never been tested against it.

Cheery! Although it admittedly does not get much better from there. Medical devices have a shoddy cybersecurity record as it is, and researchers this week shared details about vulnerabilities in an infusion pump that could let hackers administer extra doses. It’s a complicated attack to pull off, but a less-sophisticated version of it could still enable a ransomware attack on a hospital’s network.

A privacy-unfriendly default setting in Microsoft Power Apps—a feature intended to make building web apps a cinch—resulted in the exposure of 38 million records across thousands of organizations. The data included Covid-19 contact tracing information from the state of Indiana, as well as a payroll database from Microsoft itself.

Another iOS “zero-click” attack came to light this week in a report from the University of Toronto’s Citizen Lab. These hacks require no interaction from the victims: no attachments opened, no links clicked. It’s the latest in a string of nation state surveillance attacks against dissidents that takes advantage of holes in Apple’s iMessage security. There’s plenty that the company could do to make the messaging service safer for its most at-risk victims; the question is how far it’s willing to go.

While geofence warrants—which target anyone within a certain area at a certain time—have long been a concern of privacy advocates, new data released by Google recently shows just how broadly law enforcement has deployed them. The number of geofence warrant requests the company received since 2018 has gone up tenfold, and they now comprise 25 percent of incoming warrant requests overall.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

A Los Angeles-area man pleaded guilty this month to four felonies in connection to a scheme that resulted in the theft of over 620,000 iCloud photos and videos from over 300 victims. Rather than a vulnerability in iCloud itself, the perpetrator relied on phishing and social engineering, sending “customer support” emails from Gmail addresses like “applebackupicloud” and “backupagenticloud.” He procured the private files both for his own purposes and by request—denoting photos and videos that contained nudity as “wins”—promoting an “icloudripper4you” service that offered to break into iCloud accounts. He now faces up to 20 years in prison.

The Wall Street Journal this week ran an interview with the purported hacker behind this month’s devastating T-Mobile data breach. In it, the 21-year-old American describes T-Mobile’s security as “awful,” but doesn’t confirm whether he actually sold any of the data he stole and advertised on the dark web. The story goes into detail about the hacker’s background and the state of breaches generally; it’s definitely worth setting aside some time to read through.

The good news is that there’s no sign that any hacker actually abused the latest Microsoft Azure bug. The bad news is that if they had, they would have gained a scary amount of access—read/write privileges that could have let them view, edit, or delete at whim—to every database on the platform. Microsoft has since patched the vulnerability, but it’s a big one to have let slip through in the first place.

Speaking of Microsoft and security! A Razer bug made it a cinch to get system-level privileges on a Windows 10 device through the simple act of plugging in a $20 mouse. Razer said it’s going to fix the vulnerability, but it speaks to broader concerns around similar software that relies on the Windows “plug-and-play” set-up.


Hacker Steals $610M of Cryptocurrency—and Returns Most of It

It was a big week for smartphone privacy, at least in various ways that external forces make your location data more or less secure. On the bad side of the ledger, most 5G connections in the US today aren’t actually full 5G, which means they’re susceptible to the sort of stingray surveillance that the next-generation standard was supposed to prevent. On the plus side, researchers have figured out a way to prevent your carrier from knowing where you are every single time you reconnect to a cell tower. The tricky part is getting any of them to actually implement it.

Privacy advocates this week also released documents showing that the NYPD has spent at least $159 million since 2007 to purchase surveillance tools, including stingrays, policing software, and biometric tools. 

Our colleagues in the UK took a look at new research that shows how and where extremists have set up shop on platforms like Steam and Discord. It’s a long-stewing problem, which makes it all the more frustrating that these well-resourced services haven’t managed to tackle it yet.

Google has made some changes to the Play Store, most of which matter for developers more than end users. But the switch from an Android application package to an Android app bundle does mean it should be harder for scammers to push through malware-laced sideloaded apps. 

It’s been quite a roller coaster for Poly Network, a decentralized finance system. A hacker stole over $600 million early in the week, only to begin returning it on Wednesday. By Thursday, they had returned $342 million of the funds, while another $33 million worth of Tether stablecoins had been frozen. The remaining crypto assets have been placed in a wallet that requires keys from both Poly Network and the hacker; their ultimate fate is still in the balance. 

Virtual private networks are nice in theory; they let you browse without your ISP knowing what you’re up to, and their encrypted connections make it harder for anyone to snoop on your activity. But a new investigation from the Markup shows that many VPNs still allow trackers from third-party sites, even if they themselves don’t log your activity. It’s a practice that undermines the whole privacy aspect of a VPN—and also something we factor into our best VPN recommendations.

In 2019, Apple sued a company called Corellium over its iOS virtualization software. Corellium’s products are popular among security researchers, who have limited insight into iOS itself; Apple claimed that the software infringed its copyrights. The retreat comes at a time when Apple has come under fire from privacy advocates over its controversial new steps to find child sexual abuse materials in iCloud, steps that involve iPhones themselves. It needs all the friends in the security community it can get; an unpopular lawsuit against a critical research tool wasn’t going to be the way to make them.

Over the last few months, Microsoft has dealt with a plethora of security issues tied to its Windows Print Spooler function, including more than one failed attempt to patch a vulnerability called PrintNightmare. This week, the company finally offered a way to end its printer-related woes, although it’s a bit of a workaround. Now, anyone who wants to use the Windows Point and Print feature to install drivers will need administrative privileges. That should stave off most PrintNightmare attacks—but it has already been demonstrated not to stop all of them.
