As the full implications of Texas’s SB 8 abortion law come into view, internet infrastructure companies have become an unlikely focal point. Multiple hosting and domain registration providers have declined to offer services to an abortion ‘whistleblower’ site for violating terms of service related to collecting data about third parties. The site, which aims to collect tips on people who have received, performed or facilitated abortions in Texas, has been down for more than a week.
Meanwhile, as Apple grapples with controversy over its proposed—but now paused—plans to scan iPhones for child sexual abuse material, WhatsApp moved this week to plug its biggest end-to-end encryption loophole. The ubiquitous secure communication platform can’t peek at your messages at any point on their digital journey, but if you back up your chats on a third-party cloud service, like iCloud or Google Cloud, the messages are no longer end-to-end encrypted. With some clever cryptography, the service was finally able to devise a method for the encrypting the backup before it’s sent to the cloud for storage.
After handing an activist’s IP address over to law enforcement, the secure email service ProtonMail said this week that it is updating its policies to make it more clear what customer metadata it can be legally compelled to collect. The service emphasized, though, that the actual content of emails sent on the platform is always end-to-end encrypted and unreadable, even to ProtonMail itself.
And 20 years after the attacks of September 11, 2001, privacy researchers are still contemplating the tragedy’s continued influence on attitudes toward surveillance in the United States.
But wait, there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
The Russian tech giant Yandex said this week that in August and September it was hit with the internet’s largest-ever recorded distributed denial-of-service or DDoS attack. The flood of junk traffic, meant to overwhelm systems and take them down, peaked on September 5, but Yandex successfully defended against even that largest barrage. “Our experts did manage to repel a record attack of nearly 22 million requests per second,” the company said in a statement. “This is the biggest known attack in the history of the internet.”
A Russian national thought to work with the notorious malware gang TrickBot was arrested last week at Seoul international airport. Known only as Mr. A in local media, the man was attempting to fly to Russia after spending more than a year and a half in South Korea. After arriving in February 2020, Mr. A was trapped in Seoul because of international travel restrictions related to the COVID-19 pandemic. During this time his passport expired and Mr. A had to get an apartment in Seoul while working with the Russian embassy on a replacement. Concurrently, United States law enforcement officials opened an investigation into TrickBot’s activity, particularly related to a botnet the group developed and used to aid a rash of 2020 ransomware attacks. During the investigation officials gathered evidence of Mr. A’s alleged work with TrickBot, including possible 2016 development of a malicious browser tool.
A bug in the United Kingdom version of McDonald’s Monopoly VIP game exposed usernames and passwords for the game’s databases to all winners. The flaw caused data about both the game’s production and staging servers to show up in prize redemption emails. The exposed information included Microsoft Azure SQL database details and credentials. A winner who received the credentials likely couldn’t have logged into the production server because of a firewall, but could have accessed the staging server and potentially grabbed winning codes to redeem more prizes.
Hackers published 500,000 Fortinet VPN credentials, usernames and passwords, apparently collected last summer from vulnerable devices. The bug they exploited to collect the data has since been patched, but some of the stolen credentials may still be valid. This would allow bad actors to log into organizations’ Fortinet VPNs and access their networks to install malware, steal data, or launch other attacks. The data dump, published by a known ransomware gang offshoot called “Orange,” was posted for free. “CVE-2018-13379 is an old vulnerability resolved in May 2019,” Fortinet said in a statement to Bleeping Computer. “If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”