The two stories that have dominated headlines in the US in 2020, the Covid-19 pandemic and the presidential election, were still in the news this week as virus cases and death tolls rise and the promise of a vaccine looms. New research, though, indicates that phishers have been targeting vaccine development groups and particularly organizations that work on the global cold chain, which will be crucial for storing and shipping vaccine doses worldwide. Meanwhile, President Donald Trump has continued to spread falsehoods and conspiracy theories about the validity of his loss to president-elect Joe Biden. On Tuesday, though, US attorney general William Barr went on record saying that the Justice Department “has not seen fraud on a scale that could have effected a different outcome in the election,” a crucial pronouncement that leaves the Trump reelection campaign with even fewer options to contest the result.
A “magical bug” in iOS, now patched, could have let an attacker take full control of any iPhones in the hacker’s Wi-Fi range and then automatically worm the infection to other nearby devices. Startups are rushing to develop tools that can vet artificial intelligence systems to find vulnerabilities and loopholes before they can be exploited. And the hackers behind the notorious botnet TrickBot have added malware capabilities to check if a target device’s firmware is vulnerable to attack and, if so, burrow deeper for long-term persistence.
In good news, a coalition of internet infrastructure groups is making progress securing the foundational internet data-routing system known as Border Gateway Protocol. And as Google looks to offer end-to-end encryption in the RCS messaging protocol, it plans to use the open source Signal Protocol, which already underpins secure messaging app Signal as well as giants like WhatsApp. Now that it may roll out to Android’s 2 billion users, we took a look at how the protocol works and what you need to know about it.
And there’s more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
The US government has been using Section 215 of the Patriot Act to justify allowing law enforcement to log who visits certain popular web pages, according to documents obtained by The New York Times. The government has not gone so far as to collect users’ keyword searches in search engines, but it has felt emboldened to monitor website visitors without a warrant. Section 215 and a couple of other surveillance provisions of the Patriot Act expired in March as the US descended into pandemic social distancing and lockdown measures, and Congress has still not made headway on how to reinstate or revise it. The law allows the FBI to seek clandestine court orders to collect any data from a business that connects to national-security-related investigations.
The news about identifying visitors to certain pages was concerning to privacy and digital rights advocates. “Our web-browsing records are windows into some of the most sensitive information about our lives,” Patrick Toomey, a senior staff attorney with the ACLU’s National Security Project said in a statement on Thursday. “The FBI should not be collecting this information without a warrant. If Congress considers reviving Section 215 at all, it must prohibit the government from abusing this surveillance law to track the web-browsing activities of people in the United States.”
Researchers from Citizen Lab at the Munk School of Global Affairs, University of Toronto, published evidence this week that the surveillance firm Circles has been exploiting known flaws in global telephony networks to conduct phone surveillance in 25 countries. Circles is known for selling hacking tools that target the vulnerable infrastructure, known as the SS7 network, and the firm is an affiliate of the notorious mobile spyware maker NSO Group. The Citizen Lab researchers say they were able to determine, with varying degrees of confidence, that Circle services were purchased by a wide array of countries, including Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates, Vietnam, Zambia, and Zimbabwe.
In December 2017, Twitter took the long overdue step to finally offer alternatives to receiving two-factor authentication codes via SMS. At the time, the company expanded its offerings to include third-party authenticator apps, but didn’t go all the way to add support for physical authentication tokens like YubiKeys. This week, three years later, Twitter finally took the step—a welcome change, if a belated one, given that attackers are more attuned than ever to the potential value of taking over a high-profile Twitter account.
A hacker going by the name “Daniel” took control of prominent Spotify pages on Wednesday from artists like Dua Lipa, Lana Del Rey, Future, and Pop Smoke. The attacker replaced the profile photos with photos that were apparently of himself and modified the musicians’ biographies. Daniel also promoted a Snapchat account to gain followers and included phrases like “Trump 2020.” Musicians use a tool called Spotify for Artists to claim ownership of their pages and upload content likes photos and biographies. It is unclear how the attacker gained access to these accounts. “Best of all shout out to my queen Taylor Swift,” Daniel wrote before the defacements were removed.
More Great WIRED Stories