Security
Headlines
HeadlinesLatestCVEs

Headline

Security News This Week: Sensitive US Military Emails Exposed

Plus: Iran’s secret torture black sites, hacking a bank account with AI-generated voice, and Lance Bass’ unhinged encounter in Russia.

Wired
#web#ios#mac#apple#google#microsoft#auth

Late last week, Twitter announced that it would no longer allow users to secure their accounts using SMS-based two-factor authentication (2FA) unless users paid for its Twitter Blue subscription—a move that’s baffled security experts. It’s especially confusing because SMS 2FA is widely considered to be one of the less secure multi-factor authentication options. Fortunately, Twitter will still allow anyone to use other 2FA options, including authentication apps and physical security keys. Here’s how to switch away from SMS 2FA.

Physical security keys are one of the most secure methods of multi-factor authentication. But they’re not just for logging in to Twitter. You can also unlock your iPhone using a physical key in just a few steps. Unlocking a device isn’t the only security issue iPhone users need to worry about. Research published this week details a new class of bugs that affected Apple’s iOS and macOS that could have potentially allowed an attacker to access a target’s message, photos, and call histories. So if you haven’t updated to the latest version of those operating systems, now is the time.

If anyone knows what it’s like to be targeted by hackers, it’s Ukraine. Over the past year, the country’s systems have faced an unprecedented Russian bombardment of data-destroying “wiper” malware, according to multiple cybersecurity firms. Researchers say Russia unleashed more wipers on Ukraine than at any point in its long-running cyberwar against its neighbor. The only upside—if you can call it that—is that the newly discovered wipers are less destructive than earlier Russian wipers, especially compared to NotPetya, which Russia unleashed on Ukraine in 2017. The malware spread around the world, causing a still-unmatched $10 billion in damage.

In addition to cyberattacks, Russia’s war has also severely impacted Ukraine’s electric grid, which has caused blackouts and internet outages. To keep themselves online and connected to each other and the world, Ukrainians have increasingly turned toward high-capacity lithium-ion batteries to keep cell phone towers online when Russia attacks Ukraine’s electric grid.

Elsewhere in the world, China hawks in the US Congress continue to gather support for a nationwide ban on TikTok, which is owned by China-based ByteDance. The intense focus on a single app, which TikTok critics claim is a national security threat, has some wondering why lawmakers care so much about Americans’ privacy when it comes to TikTok but not US-based tech firms. The answer? Silicon Valley is our friend, China isn’t.

That notion doesn’t always ring true, however. Mozilla researchers this week say they found rampant inaccuracies in the privacy claims app developers make on Google Play’s Data Safety labels. Facebook received a “poor” grade from Mozilla, while Google’s YouTube, Gmail, and Google Maps apps ranked as “needs improvement.”

But that’s not all. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

On Tuesday, TechCrunch reported that the US Department of Defense had secured an unprotected server that had been leaking internal US military emails to anyone who knew where to look. The server was hosted on Microsoft’s Azure and was part of an internal government mailbox system that stored terabytes of internal military emails. According to TechCrunch, a simple misconfiguration allowed anyone who knew the server’s IP address access the sensitive data using only a web browser—no password needed.

The exposed server was discovered by security researcher Anurag Sen, who provided the details to TechCrunch. The data had been exposed for two weeks, but it’s unclear if anyone other than Sen accessed it while it was available.

US Special Operations Command’s spokesperson Ken McGraw told TechCrunch that an investigation is underway. “We can confirm at this point [that] no one hacked US Special Operations Command’s information systems,” said McGraw.

In an investigation published Tuesday, CNN pinpointed the locations of more than three dozen black sites across Iran where protesters were brutally tortured. According to the report, many are undeclared prisons inside government facilities or makeshift jails in warehouses. Some are even in the basements of mosques. Survivors of torture at these sites told CNN that the brutality they faced was unprecedented: electrocutions, removal of nails, lashings, beatings, and sexual violence.

Iran was rocked by protests last year during the Mahsa Amini uprising, which prompted a spread of black sites around Iran’s capital city, Tehran. According to the investigation, these unofficial detention centers were instrumental in making torture systematic and laid the groundwork for scores of death sentences against protesters. More than 100 protesters have been charged with crimes that carry the death sentence.

CNN reached out to the Iranian government for comment on the allegations of torture in their secret prisons but has not received a response.

On Thursday, Vice reporter Joseph Cox detailed how he was able to break into his bank account using an AI-generated voice. Banks across the US and Europe have implemented so-called “voice verification” technology that lets customers log in to their bank accounts over the phone. While advertised as a safe and convenient form of authentication, Cox’s experiment demonstrates a very real, albeit rare, attack that fraudsters could exploit to access bank accounts.

Using a free voice creation service to spoof his own voice, Cox gained entry into his account at Lloyds Bank. To do this, all he had to do was record about five minutes of speech and upload it to the service. Within minutes, the service spit out a synthetic voice capable of fooling his bank’s voice verification software. Lloyds Bank told Vice that it is aware of the threat of synthetic voices and is deploying countermeasures.

In an interview with Ars Technica, Lance Bass, a former member of NSYNC, recalled how he was held at gunpoint by Russian officials after failing to secure funding for a trip to space. In 2002, the singer was scheduled to spend 10 days aboard the International Space Station alongside two cosmonauts. When the singer and his production team couldn’t come up with $20 million to finance the trip, he says that Russian officials threatened him at gunpoint.

“There were a lot of problems with Russia and Hollywood in trying to make this happen,” Bass told Ars. “There were even a couple of weekends that I would get kicked off the base in Russia. They would put a gun to my head and be like, ‘Where’s the money? Where’s the money?’”

Bass never ended up going to space.

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist