3 August 2021

Security News This Week: The Top 30 Vulnerabilities Include Plenty of Usual Suspects


THIS WEEK, WIRED reported on an alarming phenomenon of real warships having their locations faked by some unknown miscreant. Over the past several months, dozens of vessels have appeared to cross into disputed waters when they were in fact hundreds of miles away. The misinformation has come in the form of simulated AIS tracking data, which shows up on aggregation sites like MarineTraffic and AISHub. It's unclear who's responsible, or how exactly they're pulling it off, but it holds a match dangerously close to powder kegs in Crimea and elsewhere.

Speaking of controversy, a pair of researchers this week released a tool into the world that crawls every website looking for vulnerabilities that are low-hanging fruit—think SQL injections and cross-site scripting—and makes the results not only public but searchable. This is actually the second iteration of the system, known as Punkspider; they shut the first down after numerous complaints to their hosting provider. Many of the same criticisms remain this time around, leaving Punkspider's long-term fate uncertain.

Apple advertises itself as the most privacy-friendly major tech company, and it has done plenty to back up that claim. But we took a look this week at a major step toward consumer privacy that the company is decidedly not taking: the implementation of global privacy controls that would let Safari and iOS users stop most tracking automatically.

Our colleagues in the UK also spoke with a cam girl who goes by Coconut Kitty and has been using digital effects to make herself look younger on-stream. In many ways, it could be the future of adult content, which has potential repercussions far beyond this one OnlyFans account.

And there's more. Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.


A joint advisory from law enforcement agencies in the US, UK, and Australia this week tallied the 30 most-frequently exploited vulnerabilities. Perhaps not surprisingly, the list includes a preponderance of flaws that were disclosed years ago; everything on the list has a patch available for whoever wants to install it. But as we've written about time and again, many companies are slow to push updates through for all kinds of reasons, whether it's a matter of resources, know-how, or an unwillingness to accommodate the downtime often necessary for a software refresh. Given how many of these vulnerabilities can cause remote code execution—you don't want this—hopefully they'll start to make patching more of a priority.


An app called Doxcy presented itself as a dice-rolling game, but in fact it gave anyone who downloaded it access to content from Netflix, Amazon Prime, and more once they entered a passcode into the search bar. Apple took the app down from the App Store after Gizmodo inquired, but you probably shouldn't have installed it anyway; it was riddled with ads and likely mishandled your data. All in all, you're better off paying for a subscription.


In early July, Iran's train system suffered a cyberattack that looked very much like an elaborate troll; the hackers put up messages on screens that suggested passengers call the Supreme Leader Khamenei's office for assistance. Closer inspection by security firm SentinelOne, though, shows that the malware was in fact a wiper, designed to destroy data rather than merely hold it hostage. The malware, which the researchers call Meteor, appears to have come from a new threat actor, and it lacked a certain degree of polish. Which is fortunate for whomever they decide to target next.


Last week, Amnesty International and more than a dozen other organizations released a report on how authoritarian governments abused spyware from the NSO Group to spy on journalists and political rivals. Not long after, the Israeli government visited the notorious surveillance vendor's offices in that country. NSO Group has repeatedly and forcefully denied the Amnesty International report, but the domestic pressure appears to have heated up after names like French president Emmanuel Macron appeared on a list of purported potential spyware targets.


The Justice Department Friday disclosed that Cozy Bear, the hackers behind the SolarWinds hack and other sophisticated espionage campaigns, also broke into at least one email account at 27 US Attorney offices last year. Eighty percent of email accounts used in the four New York-based US Attorney offices were compromised. The campaign likely gave them access to all manner of sensitive information, which the Russian government will surely use in a responsible manner.
