Hackers Keep Targeting the US Water Supply

In light of all the Facebook news lately—although frankly, when isn’t there any—you may finally be thinking about jumping ship. If so, here’s how to delete your Facebook account. You’re welcome.

That’s not all that happened this week, though! Google shed some new light on the Iranian hacking group known as APT35, or Charming Kitten, and how they use Telegram bots to let them know when a phishing lure has a nibble. Speaking of Telegram, a new report shows just how poor a job the messaging service has done keeping extremism off the platform.

There was good news for Cloudflare this week, as a judge ruled that the internet infrastructure company isn’t liable when one of its customers infringes copyrighted designs on their websites. And there was bad news for humanity, as the governor of Missouri has threatened repeatedly to sue a journalist for responsibly disclosing a security flaw on a state website that he uncovered.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

In February, someone tried to poison a Florida city’s water supply by hacking into its control system and dramatically increasing the amount of sodium hydroxide. In 2020, a former employee at a Kansas water facility accessed and tampered with its controls remotely. And that’s before you even get to the four ransomware attacks that intelligence officials documented this week, in a joint warning about the ongoing threats that hackers pose to US water and wastewater facilities. The alert notes that water treatment plants tend to invest in physical infrastructure rather than IT resources, and tend to use outdated versions of software, both of which leave them susceptible to attack. Disgruntled insiders have ample access to wreak havoc, and ransomware attackers always like a target that can’t afford to stay offline for any significant period of time. While this isn’t necessarily surprising—we sounded the same warning back in April—the joint FBI/CISA/NSA/EPA memo gives new detail into how many confirmed attacks have taken place in recent months, and it offers some guidance for critical infrastructure operators on how not to be the next victim.

A comprehensive hack of Twitch recently included source code, gamer payouts, and more, causing quite a stir among streamers especially. But it’s not the biggest hack in Twitch history. That distinction belongs to a 2014 compromise, detailed by Motherboard this week, that was devastating enough that Twitch had to “rebuild much of its code infrastructure,” according to the report, because so many of its servers had likely been compromised. Inside Twitch, the hack became known as “Urgent Pizza” because of how much overtime engineers had to work—and dinners the company had to feed them—to mitigate the attack. It’s well worth a full read. 

Chances are you’ve heard this story by now, but it’s still worth including a case with allegations this wild. The Department of Justice has charged Navy nuclear engineer Jonathan Toebbe and his wife with trying to give state secrets to a foreign country; the people on the other end of the line turned out to be FBI agents. Toebbe allegedly participated in several “dead drops” of sensitive information; court documents say he hid data cards in everything from a peanut butter sandwich to a pack of gum. He allegedly offered up thousands of documents, asking for $100,000 of cryptocurrency in return.

It’s always a good idea to update all of your devices all of the time—automatically, even—but especially so when that update is specifically designed to fix a so-called zero-day bug. In this case, a security researcher had gotten so tired of Apple not crediting his submissions that last month he posted a proof-of-concept exploit and full details for four separate iOS security flaws. This is the second one to be patched, which leaves two to go. Hopefully Apple will give him a proper hat tip when it gets around to fixing those. 


A Telegram Bot Told Iranian Hackers When They Got a Hit

When the Iranian hacking group APT35 wants to know if one of its digital lures has gotten a bite, all it has to do is check Telegram. Whenever someone visits one of the copycat sites they’ve set up, a notification appears in a public channel on the messaging service, detailing the potential victim’s IP address, location, device, browser, and more. It’s not a push notification; it’s a phish notification.

Google’s Threat Analysis Group outlined the novel technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent the last several years trying to get high-value targets to click on the wrong link and cough up their credentials. And while APT35 isn’t the most successful or sophisticated threat on the international stage—this is the same group, after all, that accidentally leaked hours of videos of themselves hacking—their use of Telegram stands out as an innovative wrinkle that could pay dividends.

The group uses a variety of approaches to try to get people to visit their phishing pages in the first place. Google outlined a few scenarios it has observed lately: the compromise of a UK university website, a fake VPN app that briefly snuck into the Google Play Store, and phishing emails in which the hackers pretend to be organizers of real conferences, and attempt to entrap their marks through malicious PDFs, Dropbox links, websites, and more. 

In the case of the university website, the hackers direct potential victims to the compromised page, which encourages them to log in with the service provider of their choice—everything from Gmail to Facebook to AOL is on offer—to view a webinar. If you enter your credentials, they go straight to APT35, which also asks for your two-factor authentication code. It’s a technique so old it’s got whiskers on it; APT35 has been running it since 2017 to target people in government, academia, national security, and more. 

[Image: Phishing page hosted on a compromised website. Courtesy of Google TAG]

The fake VPN isn’t especially innovative, either, and Google says it booted the app from its store before anyone managed to download it. If anyone had fallen for the ruse, though—or does install it on another platform where it’s still available—the spyware can steal call logs, texts, location data, and contacts. 

Frankly, APT35 are not exactly overachievers. While they convincingly impersonated officials from the Munich Security Conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. “This is a very prolific group that has a wide target set, but that wide target set is not representative of the level of success the actor has,” says Ajax Bash, security engineer at Google TAG. “Their success rate is actually very low.”

Cloudflare Isn’t Liable for Sites That Hawk Counterfeits

Cloudflare is not liable for the copyright infringement of websites that use its content-delivery and security services, a federal judge ruled yesterday.

Cloudflare was sued in November 2018 by Mon Cheri Bridals and Maggie Sottero Designs, two wedding dress manufacturers and sellers that alleged Cloudflare was guilty of contributory copyright infringement because it didn’t terminate services for websites that infringed on the dressmakers’ copyrighted designs. The companies sought a jury trial, but Judge Vince Chhabria yesterday granted Cloudflare’s motion for summary judgment in a ruling in US District Court for the Northern District of California.

Chhabria noted that the dressmakers have been harmed “by the proliferation of counterfeit retailers that sell knock-off dresses using the plaintiffs’ copyrighted images” and that they have “gone after the infringers in a range of actions, but to no avail—every time a website is successfully shut down, a new one takes its place.” Chhabria continued, “In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare. The plaintiffs claim that Cloudflare contributes to the underlying copyright infringement by providing infringers with caching, content delivery, and security services. Because a reasonable jury could not—at least on this record—conclude that Cloudflare materially contributes to the underlying copyright infringement, the plaintiffs’ motion for summary judgment is denied and Cloudflare’s motion for summary judgment is granted.”

While the ruling resolves the lawsuit’s central question in Cloudflare’s favor, the judge scheduled a case management conference for October 27 “to discuss what’s left of the case.”

Hundreds of Counterfeiting Websites

The companies’ lawsuit said they “are two of the largest manufacturers and wholesalers of wedding dresses and social occasion wear in the United States” and “have developed many of the world’s most unique and original wedding and social occasion dress patterns.” They own the copyrights for those designs and for photographic images of the designs.

Most of the websites selling counterfeit versions of the dresses operate from China, the lawsuit said. In addition to Cloudflare, an amended complaint listed 500 “Doe” defendants whose real names were unknown. The lawsuit said the Cloudflare terms say that any violation of law justifies termination of service and that “CloudFlare’s policy is to investigate violations of these terms of service and terminate repeat infringers.”

The plaintiffs said they used a vendor called Counterfeit Technology to find over 365 infringing websites that are users of Cloudflare, including cabridals.com, bidbel.com, stydress.com, angelemall.co.nz, jollyfeel.com, russjoan.com, missydress.com.au, and livedressy.com. The plaintiffs said they sent Cloudflare thousands of takedown notices, and often up to four notices about the same infringing sites, but “Cloudflare has ignored these notices and takes no action after being notified of infringing content on its clients’ websites.

“Specifically, even after learning of specific, identified acts of copyright infringement by the infringing websites through plaintiffs’ takedown notices, Cloudflare continues to cache, mirror, and store a copy of the infringing websites and the infringing content on its data center servers, and to transmit upon request copies of the infringing content to visitors of the infringing websites,” the amended complaint said. “Cloudflare’s contributions allow the Internet browsers of visitors to the infringing websites to access and load the infringing websites and content much faster than if the user was forced to access the infringing websites and content from the primary host absent Cloudflare’s services.”

The plaintiffs argued that Cloudflare should have terminated caching services to these websites, blocked traffic traveling through Cloudflare’s network to the websites, “and reconfigur[ed] its firewall settings so that users trying to access the infringing domain would be redirected to a blank page.”

Cloudflare: ‘Lawsuit Based on a Fundamental Misunderstanding’

Cloudflare argued that the plaintiffs “brought this lawsuit based on a fundamental misunderstanding of Cloudflare’s services, the contributory copyright infringement doctrine, and the Digital Millennium Copyright Act, all in pursuit of a statutory damages windfall that has nothing to do with the harm they claim to have suffered.” A victory for the plaintiffs would amount to “an expansion of the contributory infringement doctrine far beyond its established limits,” Cloudflare told the court.

Cloudflare continued: “Cloudflare is nothing like the search engines and peer-to-peer networks that the [US Court of Appeals for the] Ninth Circuit has found ‘significantly magnify otherwise immaterial infringements.’ Whereas Cloudflare’s services protect against malicious attacks and at most confer a split-second advantage to the loading time of a website someone is already visiting, the services previously considered by the Ninth Circuit actually helped visitors find infringing material they otherwise never would have found. There also is no ‘simple measure’ that Cloudflare failed to take to prevent further infringements in this case. Unlike hosting providers, Cloudflare could not remove allegedly infringing material from the Internet, and there is no question that those images would have remained available and equally accessible on the accused websites without Cloudflare’s services.” 

A Devastating Twitch Hack Sends Streamers Reeling

This morning, an anonymous hacker released what they claim is an enormous cache of proprietary data from Twitch, the popular streaming platform, including Twitch.tv source code and streamers’ revenue information.

“Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE,” wrote the poster on 4chan. Today’s leak, which its original poster described as “extremely poggers,” is by far the biggest to ever hit Twitch, which was acquired by Amazon in 2014.

The leak, first reported by Video Games Chronicle, reportedly contains 125 GB of data. That data includes the source code for Twitch.tv; Twitch’s mobile, desktop, and game console clients; proprietary SDKs; Twitch-owned properties including Vapor, Amazon’s alleged Steam competitor from Amazon Game Studios; and internal security tools. The leak does not appear to contain streamers’ or users’ personal information, but the damage appears extensive. The post is titled “twitch leaks part one,” implying that there may be more to come.

“Anytime source code gets leaked it’s not good and potentially disastrous,” says Ekram Ahmed, spokesperson at security firm Check Point. “It opens a gigantic door for evildoers to find cracks in the system, lace malware, and potentially steal sensitive information.”

The 4chan poster also referenced Twitch’s recent wave of hate raids, in which botmakers have been spamming marginalized streamers’ chats with bigoted harassment. Mentioning the #DoBetterTwitch hashtag (more commonly #TwitchDoBetter), the poster claimed that Twitch is a “disgusting cesspool.” They wrote that the leak, which appears to contain huge amounts of proprietary data, is to “foster more disruption and competition in the online video game streaming space.” Twitch has introduced several new tools to combat these hate raids, and sued two alleged hate raiders last month.

Twitch declined to comment to WIRED but confirmed Wednesday morning that a breach had taken place. “Our teams are working with urgency to understand the extent of this,” the official Twitch account tweeted. “We will update the community as soon as additional information is available.”

“I wish I could say I’m surprised,” says Avery, a streamer who goes by Littlesiha and does not publicly share her last name for privacy reasons. “It took Twitch two months to find a way to protect marginalized creators that were getting harassed, threatened, and doxed through chatbot raids. Security on the site feels like a joke at this point.”

While much of the data appears to be legitimate, there is some debate over the accuracy of streamers’ revenue numbers. Some streamers have tweeted that their payout numbers are accurate, while others have claimed otherwise. “It was wrong, for my number,” said popular Twitch personality Asmongold while streaming Amazon’s new video game New World this morning. “It’s harder to fuck up more than this,” he told WIRED.

Also streaming on Twitch, Nick “NMP” Polom said, “I kind of feel violated right now.” His viewers, numbering in the tens of thousands, took the leak as an opportunity to meme, donating money attached to messages like “Seems like you need this more than me. I work at McDonald’s.” (On Twitter, he wrote that he is “live right now being relentlessly SHIT ON by my community for being ‘poor.’ THANKS @twitch.”) Although many streamers have expressed deep worry over the leak, some are turning it into a joke: Top streamer Chance “Sodapoppin” Morris, who was 42nd in the streamer revenue number list, begged his viewers not to view it as real: “I swear I’m one of the richest ones on the platform,” he joked. “I make WAY more than that.” (For many top streamers, Twitch payouts are just one revenue stream among many.) Streaming on Twitch, Felix “xQc” Lengyel shouted, “I told y’all—it’s trillionaire with a fucking ‘T’!”

Cloudflare Is Taking a Shot at Email Security

Cloudflare, the internet infrastructure company, already has its fingers in a lot of customer security pots, from DDoS protection to browser isolation to a mobile VPN. Now the company is taking on a classic web foe: email.

On Monday, Cloudflare is announcing a pair of email safety and security offerings that it views as a first step toward catching more targeted phishing attacks, reducing the effectiveness of address spoofing, and mitigating the fallout if a user does click a malicious link. The features, which the company will offer for free, are mainly geared toward small business and corporate customers. And they’re made for use on top of any email hosting a customer already has, whether it’s provided by Google’s Gmail, Microsoft 365, Yahoo, or even relics like AOL. 

Cloudflare CEO Matthew Prince says that from its founding in 2009, the company very intentionally avoided going anywhere near the thorny problem of email. But he adds that email security issues are unrelenting, so it has become necessary. “I think what I had assumed is that hosting providers like Google and Microsoft and Yahoo were going to solve this issue, so we weren’t sure there was anything for us to do in the space,” Prince says. “But what’s become clear over the course of the last two years is that email security is still not a solved issue.”

Prince says that Cloudflare employees have been “astonished by how many targeted threats were getting through Google Workspace,” the company’s email provider. That’s not for lack of progress by Google or the other big providers on anti-spam and anti-malware efforts, he adds. But with so many types of email threats to deal with at once, strategically crafted phishing messages still slip through. So Cloudflare decided to build additional defense tools that both the company itself as well as its customers could use.

On Monday, the company is launching two products: Cloudflare Email Routing and Email Security DNS Wizard. The tools let customers place Cloudflare in front of their email hosting provider, essentially allowing Cloudflare to receive and process emails before sending them through to the Microsofts and Googles of the world. This is somewhat similar to Cloudflare’s long-standing role as a “content delivery network” for websites, in which the company is a proxy that can serve data or catch malicious activity as web traffic passes through. 

Cloudflare Email Routing makes it possible for individuals or organizations to manage an entire custom email domain, like @coolbusiness.com, from a single consumer email account, such as a personal Gmail address. The tool even lets you consolidate many addresses—boss@coolbusiness.com, help@coolbusiness.com—so they all forward to a single inbox. This way, small businesses in particular can get the benefits of a dedicated, custom email domain without having to manage a whole separate platform. 

The second tool, Email Security DNS Wizard, aims to make two email security features accessible for Cloudflare customers and easy to use. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two tools that are essentially a combination of caller ID and screening schemes for email: They aim to reduce email address spoofing by setting up public records that must match an email’s sender information for the message to go through. This significantly reduces how easy it is for attackers to, say, send an email to employees that really looks like it comes from “Cool Business CEO.”

SPF and DKIM have been around for more than a decade, but they aren’t ubiquitous, because they are difficult to set up without mistakes that can result in problems like legitimate emails getting lost. Cloudflare’s goal with Email Security DNS Wizard is to make it easy for users to set up one or the other protection without any flubs.
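To make the SPF half of that concrete: an SPF record is a DNS TXT entry that lists the hosts allowed to send mail for a domain, and a receiving server checks the connecting IP against it. The example below is added here and is not Cloudflare's code or part of the original article. It is a simplified evaluator (only the `ip4`, `ip6`, `include` and `all` mechanisms; a full implementation also handles `a`, `mx`, `exists`, `ptr` and `redirect=`) run over constructed records for made-up domains (`coolbusiness.example`, `sloppy.example`, and so on) using documentation IP ranges, and it flags the kind of "flub" the article alludes to: a record that never terminates, or one that terminates with `+all` or `~all` and therefore does little against spoofing.

```python
"""Minimal SPF evaluator plus a record linter (added example, not Cloudflare's code).

All domains, records and IPs below are constructed for illustration; the IP
ranges are the documentation prefixes from RFC 5737 and RFC 3849.
"""
import ipaddress

# Constructed DNS TXT records standing in for real lookups.
SAMPLE_DNS = {
    # Correct: lists own servers, hands off to a provider, fails everything else.
    "coolbusiness.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # Weak: "+all" authorises every host on the internet to send as this domain.
    "sloppy.example": "v=spf1 ip4:192.0.2.0/24 +all",
    # Weak: "~all" only softfails spoofed mail, so receivers rarely reject it.
    "lenient.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # Incomplete: no terminating "all", so unlisted senders get a neutral result.
    "noall.example": "v=spf1 ip4:192.0.2.0/24",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=SAMPLE_DNS, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for sender_ip sending mail on behalf of domain."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; nesting depth approximates that
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # "in" is False when address and network families differ, so
                # an IPv4 sender never matches an ip6 mechanism.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name == "include":
            # include matches only if the referenced domain's policy passes.
            if check_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, ptr, redirect= not implemented here
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default


def audit_record(domain, dns=SAMPLE_DNS):
    """Lint a record for the common misconfigurations; returns a list of findings."""
    terms = dns.get(domain, "").split()[1:]
    findings = []
    last = terms[-1] if terms else ""
    if last.lstrip("+-~?").lower() != "all":
        findings.append("no terminating 'all' mechanism: unlisted senders get neutral")
    elif last in ("+all", "all"):
        findings.append("'+all' authorises any host to send as this domain")
    elif last == "~all":
        findings.append("'~all' only softfails spoofed mail; prefer '-all' once SPF is verified")
    return findings


if __name__ == "__main__":
    for dom in SAMPLE_DNS:
        print(dom, check_spf(dom, "203.0.113.7"), audit_record(dom))
```

Running the block evaluates a spoofed sender (203.0.113.7, outside every listed range) against each record: the well-formed domain fails it, while the weak records let it through as pass, softfail or neutral, which is exactly what the linter reports. DKIM is not shown because it adds a cryptographic signature over message headers verified against a public key published in DNS, a separate mechanism from the IP-based check above.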