One hacker solved the CrowdStrike outage mystery with simple crash reports, illustrating the wealth of detail about potential bugs and vulnerabilities those key documents hold.

When a bad software update from the security firm CrowdStrike inadvertently caused digital chaos around the world last month, the first signs were Windows computers showing the Blue Screen of Death. As websites and services went down and people scrambled to understand what was happening, conflicting and inaccurate information was everywhere. Rushing to understand the crisis, longtime Mac security researcher Patrick Wardle knew that there was one place he could look to get the facts: crash reports from computers impacted by the bug.

“Even though I am not a Windows researcher, I was intrigued by what was going on, and there was this dearth of information,” Wardle tells WIRED. “People were saying that it was a Microsoft problem, because Windows systems were blue-screening, and there were a lot of wild theories. But actually it had nothing to do with Microsoft. So I went to the crash reports, which to me hold the ultimate truth. And if you were looking there you were able to pinpoint the underlying cause long before CrowdStrike came out and said it.”

At the Black Hat security conference in Las Vegas on Thursday, Wardle made the case that crash reports are an underutilized tool. Such system snapshots give software developers and maintainers insight into possible problems with their code. And Wardle emphasizes that they can particularly be a fount of information about potentially exploitable vulnerabilities in software—for both defenders and attackers.

In his talk, Wardle presented multiple examples of vulnerabilities he has found in software when the app crashed and he combed through the report looking for the possible cause. Users can readily view their own crash reports on Windows, macOS, and Linux, and they're also available on Android and iOS, though they can be more challenging to access on mobile operating systems. Wardle notes that to glean insights from crash reports, you need a basic understanding of instructions written in the low-level machine code known as Assembly, but he emphasizes that the payoff is worth it.

In his Black Hat talk, Wardle presented multiple vulnerabilities he discovered simply by examining crash reports on his own devices—including bugs in the analysis tool YARA and in the current version of Apple's macOS operating system. In fact, when Wardle discovered in 2018 that an iOS bug caused apps to crash anytime they displayed the Taiwanese flag emoji, he got to the bottom of what was happening using, you guessed it, crash reports.

“We revealed conclusively that Apple had acquiesced to demands from China to censor the Taiwanese flag, but their censorship code had a bug in it—ridiculous,” he says. “My friend who originally observed this was like, ‘My phone is being hacked by the Chinese. Whenever you text me it crashes. Or are you hacking me?' And I said, ‘Rude, I wouldn’t hack you. And also, rude, if I did hack you, I wouldn’t crash your phone.’ So I pulled the crash reports to see what was going on.”

Wardle emphasizes that if he can find so many vulnerabilities just by looking at crash reports from his own devices and those of his friends, software developers need to be looking there, too. Sophisticated criminal actors and well-funded state-backed hackers alike are probably already getting ideas from their own crash reports. Over the years, news reports have indicated that intelligence agencies like the US National Security Agency do mine crash logs. Wardle points out that crash reports are also a valuable source of information for detecting malware, since they can reveal anomalous and potentially suspicious activity. The notorious spyware broker NSO Group, for example, would often build mechanisms into into their malware specifically to delete crash reports immediately upon infecting a device. And the fact that malware is often buggy makes crashes more likely and crash reports valuable to attackers as well for understanding what went wrong with their code.

“With crash reports, the truth is out there,” Wardle says. “Or, I guess, in there.”

Computer Crash Reports Are an Untapped Hacker Gold Mine

New research shows how known techniques for finding weaknesses in websites are actually practical in uncovering vulnerabilities, for better or worse.

Researchers have long known that they can glean hidden information about the inner workings of a website by measuring the amount of time different requests take to be fulfilled and extrapolating information—and potential weaknesses—from slight variations. Such “web timing attacks” have been described for years, but they would often be too involved for real-world attackers to utilize in practice, even if they work in theory. At the Black Hat security conference in Las Vegas this week, though, one researcher warned that web timing attacks are actually feasible and ripe for exploitation.

James Kettle, director of research at the web application security company PortSwigger, developed a set of web timing attack techniques that can be used to expose three different categories of vulnerabilities in websites. He validated the methods using a test environment he made that compiled 30,000 real websites, all of which offer bug bounty programs. He says the goal of the work is to show that once someone has a conceptual grasp on the types of information web timing attacks can deliver, taking advantage of them becomes more feasible.

“I’ve always kind of avoided researching timing attacks because it’s a topic with a reputation,” Kettle says. “Everyone does research into it and says their research is practical, but no one ever seems to actually use timing attacks in real life, so how practical is it? What I’m hoping this work will do is show people that this stuff does actually work these days and get them thinking about it.”

Kettle was inspired in part by a 2020 research paper titled “Timeless Timing Attacks,” which worked toward a solution for a common issue. Known as “network jitter,” the paper's moniker refers to time delays between when a signal is sent and received on a network. These fluctuations impact timing measurements, but they are independent of the web server processing measured for timing attacks, so they can distort readings. The 2020 research, though, pointed out that when sending requests over the ubiquitous HTTP/2 network protocol, it is possible to put two requests into a single TCP communication packet so you know that both requests arrived at the server at the same time. Then, because of how HTTP/2 is designed, the responses will come back ordered so that the one that took less time to process is first and the one that took longer is second. This gives reliable, objective information about timing on the system without requiring any extra knowledge of the target web server—hence, “timeless timing attacks.”

Web timing attacks are part of a class of hacks known as “side channels,” in which the attacker gathers information about a target based on its real world, physical properties. In his new work, Kettle refined the “timeless timing attacks” technique for reducing network noise and also took steps to address similar types of issues with server-related noise so his measurements would be more accurate and reliable. He then started using timing attacks to look for otherwise invisible coding errors and flaws in websites that are usually difficult for developers or bad actors to find, but that are highlighted in the information that leaks with timing measurements.

In addition to using timing attacks to find hidden footholds to attack, Kettle also developed effective techniques for detecting two other common types of exploitable web bugs. One, known as a server-side injection vulnerability, allows an attacker to introduce malicious code to send commands and access data that shouldn't be available. And the other, called misconfigured reverse proxies, allows unintended access to a system.

In his presentation at Black Hat on Wednesday, Kettle demonstrated how he could use a web timing attack to uncover a misconfiguration and ultimately bypass a target web application firewall.

“Because you found this inverse proxy misconfiguration you just go around the firewall,” he told WIRED ahead of his talk. “It's absolutely trivial to execute once you’ve found these remote proxies, and timing attacks are good for finding these issues.”

Alongside his talk, Kettle released functionality for the open source vulnerability-scanning tool known as Param Miner. The tool is an extension for the popular web application security assessment platform Burp Suite, which is developed by Kettle's employer, PortSwigger. Kettle hopes to raise awareness about the utility of web timing attacks, but he also wants to make sure the techniques are being utilized for defense even when people don't grasp the underlying concepts.

“I integrated all these new features into Param Miner so people out there who don't know anything about this can run this tool and find some of these vulnerabilities,” Kettle says. “It’s showing people things that they would have otherwise missed.”

Tricky Web Timing Attacks Are Getting Easier to Use—and Abuse

Attacks on Microsoft’s Copilot AI allow for answers to be manipulated, data extracted, and security protections bypassed, new research shows.

Microsoft raced to put generative AI at the heart of its systems. Ask a question about an upcoming meeting and the company’s Copilot AI system can pull answers from your emails, Teams chats, and files—a potential productivity boon. But these exact processes can also be abused by hackers.

Today at the Black Hat security conference in Las Vegas, researcher Michael Bargury is demonstrating five proof-of-concept ways that Copilot, which runs on its Microsoft 365 apps, such as Word, can be manipulated by malicious attackers, including using it to provide false references to files, exfiltrate some private data, and dodge Microsoft’s security protections.

One of the most alarming displays, arguably, is Bargury’s ability to turn the AI into an automatic spear-phishing machine. Dubbed LOLCopilot, the red-teaming code Bargury created can—crucially, once a hacker has access to someone’s work email—use Copilot to see who you email regularly, draft a message mimicking your writing style (including emoji use), and send a personalized blast that can include a malicious link or attached malware.

“I can do this with everyone you have ever spoken to, and I can send hundreds of emails on your behalf,” says Bargury, the cofounder and CTO of security company Zenity, who published his findings alongside videos showing how Copilot could be abused. “A hacker would spend days crafting the right email to get you to click on it, but they can generate hundreds of these emails in a few minutes.”

That demonstration, as with other attacks created by Bargury, broadly works by using the large language model (LLM) as designed: typing written questions to access data the AI can retrieve. However, it can produce malicious results by including additional data or instructions to perform certain actions. The research highlights some of the challenges of connecting AI systems to corporate data and what can happen when “untrusted” outside data is thrown into the mix—particularly when the AI answers with what could look like legitimate results.

Among the other attacks created by Bargury is a demonstration of how a hacker—who, again, must already have hijacked an email account—can gain access to sensitive information, such as people’s salaries, without triggering Microsoft’s protections for sensitive files. When asking for the data, Bargury’s prompt demands the system does not provide references to the files data is taken from. “A bit of bullying does help,” Bargury says.

In other instances, he shows how an attacker—who doesn’t have access to email accounts but poisons the AI’s database by sending it a malicious email—can manipulate answers about banking information to provide their own bank details. “Every time you give AI access to data, that is a way for an attacker to get in,” Bargury says.

Another demo shows how an external hacker could get some limited information about whether an upcoming company earnings call will be good or bad, while the final instance, Bargury says, turns Copilot into a “malicious insider” by providing users with links to phishing websites.

Phillip Misner, head of AI incident detection and response at Microsoft, says the company appreciates Bargury identifying the vulnerability and says it has been working with him to assess the findings. “The risks of post-compromise abuse of AI are similar to other post-compromise techniques,” Misner says. “Security prevention and monitoring across environments and identities help mitigate or stop such behaviors.”

As generative AI systems, such as OpenAI’s ChatGPT, Microsoft’s Copilot, and Google’s Gemini, have developed in the past two years, they’ve moved onto a trajectory where they may eventually be completing tasks for people, like booking meetings or online shopping. However, security researchers have consistently highlighted that allowing external data into AI systems, such as through emails or accessing content from websites, creates security risks through indirect prompt injection and poisoning attacks.

“I think it’s not that well understood how much more effective an attacker can actually become now,” says Johann Rehberger, a security researcher and red team director, who has extensively demonstrated security weaknesses in AI systems. “What we have to be worried \[about\] now is actually what is the LLM producing and sending out to the user.”

Bargury says Microsoft has put a lot of effort into protecting its Copilot system from prompt injection attacks, but he says he found ways to exploit it by unraveling how the system is built. This included extracting the internal system prompt, he says, and working out how it can access enterprise resources and the techniques it uses to do so. “You talk to Copilot and it’s a limited conversation, because Microsoft has put a lot of controls,” he says. “But once you use a few magic words, it opens up and you can do whatever you want.”

Rehberger broadly warns that some data issues are linked to the long-standing problem of companies allowing too many employees access to files and not properly setting access permissions across their organizations. “Now imagine you put Copilot on top of that problem,” Rehberger says. He says he has used AI systems to search for common passwords, such as Password123, and it has returned results from within companies.

Both Rehberger and Bargury say there needs to be more focus on monitoring what an AI produces and sends out to a user. “The risk is about how AI interacts with your environment, how it interacts with your data, how it performs operations on your behalf,” Bargury says. “You need to figure out what the AI agent does on a user's behalf. And does that make sense with what the user actually asked for.”

Microsoft’s AI Can Be Turned Into an Automated Phishing Machine

The Smishing Triad network sends up to 100,000 scam texts per day globally. One of those messages went to Grant Smith, who infiltrated their systems and exposed them to US authorities.

Smith trawled Reddit and other online sources to find people reporting the scam and the URLs being used, which he subsequently published. Some of the websites running the Smishing Triad’s tools were collecting thousands of people’s personal information per day, Smith says. Among other details, the websites would request people’s names, addresses, payment card numbers and security codes, phone numbers, dates of birth, and bank websites. This level of information can allow a scammer to make purchases online with the credit cards. Smith says his wife quickly canceled her card, but noticed that the scammers still tried to use it, for instance, with Uber. The researcher says he would collect data from a website and return to it a few hours later, only to find hundreds of new records.

The researcher provided the details to a bank that had contacted him after seeing his initial blog posts. Smith declined to name the bank. He also reported the incidents to the FBI and later provided information to the United States Postal Inspection Service (USPIS).

Michael Martel, a national public information officer at USPIS, says the information provided by Smith is being used as part of an ongoing USPIS investigation and that the agency cannot comment on specific details. “USPIS is already actively pursuing this type of information to protect the American people, identify victims, and serve justice to the malicious actors behind it all,” Martel says, pointing to advice on spotting and reporting USPS package delivery scams.

Initially, Smith says, he was wary about going public with his research, as this kind of “hacking back” falls into a “gray area”: It may be breaking the Computer Fraud and Abuse Act, a sweeping US computer-crimes law, but he’s doing it against foreign-based criminals. Something he is definitely not the first, or last, to do.

**Multiple Prongs**

The Smishing Triad is prolific. In addition to using postal services as lures for their scams, the Chinese-speaking group has targeted online banking, ecommerce, and payment systems in the US, Europe, India, Pakistan, and the United Arab Emirates, according to Shawn Loveland, the chief operating officer of Resecurity, which has consistently tracked the group.

The Smishing Triad sends between 50,000 and 100,000 messages daily, according to Resecurity’s research. Its scam messages are sent using SMS or Apple’s iMessage, the latter being encrypted. Loveland says the Triad is made up of two distinct groups—a small team led by one Chinese hacker that creates, sells, and maintains the smishing kit, and a second group of people who buy the scamming tool. (A backdoor in the kit allows the creator to access details of administrators using the kit, Smith says in a blog post.)

“It’s very mature,” Loveland says of the operation. The group sells the scamming kit on Telegram for a $200-per month subscription, and this can be customized to show the organization the scammers are trying to impersonate. “The main actor is Chinese communicating in the Chinese language,” Loveland says. “They do not appear to be hacking Chinese language websites or users.” (In communications with the main contact on Telegram, the individual claimed to Smith that they were a computer science student.)

The relatively low monthly subscription cost for the smishing kit means it’s highly likely, with the number of credit card details scammers are collecting, that those using it are making significant profits. Loveland says using text messages that immediately send people a notification is a more direct and more successful way of phishing, compared to sending emails with malicious links included.

As a result, smishing has been on the rise in recent years. But there are some tell-tale signs: If you receive a message from a number or email you don't recognize, if it contains a link to click on, or if it wants you to do something urgently, you should be suspicious.

USPS Text Scammers Duped His Wife, So He Hacked Their Operation

Hacker Samy Kamkar is debuting his own open source version of a laser microphone—a spy tool that can invisibly pick up the sounds inside your home through a window, and even the text you’re typing.

In a famous scene from the 1992 movie _Sneakers_, a hacker classic, the main characters park a surveillance van across the street from their target's office and point a telephoto lens through his window—only to find that their view of his computer keyboard is blocked by the surprise entrance of his love interest at the precise moment when he types his password. The surveillance team ends up watching and rewatching their partially obstructed VHS video of his keystrokes, bickering comically about the layout of a QWERTY keyboard.

Today, with a few decades of surveillance tech advancements and some clever feats of physics, all it would take to grab that password—as well as anything typed on the computer, or, for that matter, every word spoken in the room—would be a well-aimed infrared laser.

At the Defcon security conference this weekend in Las Vegas, renowned hacker Samy Kamkar plans to debut his own DIY advances in a form of laser-based surveillance, demonstrating that he can point a laser that's invisible to the human eye at a faraway laptop, through a window, and detect the computer's vibrations to reconstruct virtually every character typed on it. The trick, which takes advantage of the subtle acoustics created by tapping different keys on a computer, works even without a view of the computer's keyboard, so long as the hacker has a line-of-sight view of any relatively reflective portion of the target laptop.

In the process of perfecting that light-based keystroke eavesdropping technique, Kamkar says he's also created what may well be one of the world's most high-fidelity implementations of a laser microphone—a tool that bounces a laser off a room's window to detect its vibrations and record all the sounds inside—or at least, one of the most advanced such laser microphones whose technical details have been publicly released. (Kamkar plans to publish the full schematics on his website and GitHub.) The result is an open-source spying setup that can, in various forms, potentially pick up virtually everything either typed or spoken aloud in a surveillance target's room.

Kamkar says he's been determined to build his own laser-based spy setup since he watched a Defcon talk 15 years ago, in which a pair of hackers demonstrated some rudimentary detection of keystrokes with a laser pointed at a laptop from across a room. “It blew my mind. ‘I want to do this,’” Kamkar says he remembers thinking. “But I also wanted to improve the attack. Can I make it work from outside, from far away? Can I do it with an infrared laser so the target can't see it? And can I also hear what's happening in the room, such as by bouncing the laser off a window?”

The answers: Yes to all the above. The video below shows an example of Kamkar's prototype setup–he tested it through different windows of his house with varying results—with his infrared laser outside pointed at his Macbook inside, where he's typing and listening to music.

Here's a sample of text he was able to recover in one case from his own typing, compared to the original:

Kamkar says that his keystroke spying trick works best when he can aim his laser at a spot on a laptop that reflects light—ideally a shiny metal or plastic spot on the laptop's case, such as a logo. “The Apple logo is nearly a mirror,” he says. “So that's a really good reflective surface.” The video clip below, captured with an infrared camera and steam to make the laser's path visible, shows Kamkar's infrared laser bouncing off that shiny Apple logo.

When it came to recording sounds inside a room, Kamkar was in some cases able to pick up music clearly, as in the first two samples below—though he found that double-paned glass produced far more muffled results, which you can hear in the third audio sample.

Neither of Kamkar's two laser-spying techniques are entirely new concepts: Both the keystroke-surveillance technique and the laser-based audio eavesdropping trick are essentially his own versions of a tool known as a laser microphone, a decades-old invention that bounces a laser off a surface and measures the reflected light to detect the target's vibrations—such as those caused by either key presses on a laptop's keyboard or someone's nearby voice.

For both of his laser-based techniques, however, Kamkar used his own engineering tricks and a few thousand dollars in hardware to significantly advance the fidelity of his optical eavesdropping. To reduce the noise created by ambient light when attempting to detect vibrations in his reflected infrared laser, for instance, he designed his laser microphone system to strobe on and off 400,000 times per second, picking up the reflected light through a lens so that the light hits a photo diode—or doesn't—depending on the target's vibrations. By using that 400-kilohertz frequency and measuring variances in the signal's amplitude just as an amplitude-modulated, or AM, radio does, Kamkar was able to later filter out everything other than that frequency to vastly reduce noise. He then amplified that signal and used a piece of hardware known as an upconverter to shift that AM radio signal to a higher frequency, so that it could be fed it into a software-defined radio—a digital, programmable radio capable of handling a far larger range of frequencies than a typical radio—to analyze it.

“I think I've created the first laser microphone that's actually modulated in the radio frequency domain,” Kamkar says. “Once I have a radio signal, I can treat it like radio, and I can take advantage of all the tools that exist for radio communication.” In other words, Kamkar converted sound into light into radio—and then back again into sound.

Samy Kamkar at his home workstation.Photograph: Roger Kisby

For his keystroke detection technique, Kamkar then fed the output of his laser microphone into an audio program called iZotopeRX to further remove noise and then an open source piece of software called Keytap3 that can convert the sound of keystrokes into legible text. In fact, security researchers have demonstrated for years that keystroke audio, recorded from a nearby microphone, can be analyzed and deciphered into the text that a surveillance target is typing by distinguishing tiny acoustic differences in various keys. One group of researchers has shown that relatively precise text can even be derived from the sounds of keystrokes recorded over a Zoom call.

Kamkar, however, was more interested in the 2009 Defcon demonstration in which security researchers Andrea Barisani and Daniele Bianco showed that they could use a simple laser microphone to roughly detect words typed on a keyboard, a trick that would allow long-distance line-of-sight spying. In that demo, the two Italian hackers only got as far as testing out their laser spying technique across the room from a laptop and generating a list of possible word pairs that matched the vibration signature they recorded.

Speaking to WIRED, Barisani says their experiment was only a “quick and dirty” proof of concept compared to Kamkar's more polished prototype. “Samy is brilliant, and there was a lot of room for improvement,” Barisani says. “I'm 100 percent sure that he was able to improve our attack both in the hardware setup and the signal processing.”

Kamkar’s laser spying kit: An infrared laser…Photograph: Roger Kisby

…attached to an oscilloscope’s signal generator, current controller, temperature controller, and amplifier power supply.Photograph: Roger Kisby

Kamkar's results do appear to be dramatically better: Some samples of text he recovered from typing with his laser mic setup and shared with WIRED were almost entirely legible, with only a missed letter every word or two; others showed somewhat spottier results. Kamkar's laser microphone worked well enough for detecting keystrokes, in fact, that he also tested using it to record audio in a room more generally, by bouncing his infrared laser off a window. It produced remarkably clear sound, noticeably better than other samples of laser microphone audio released online—at least among those recorded stealthily from a window's vibrations.

Of course, given that laser microphones have existed for decades, Kamkar admits he doesn't know what advancements the technology may have made in commercial implementations available to governments or law enforcement, not to mention even more secret, custom-built technologies potentially created or used by intelligence agencies. “I would assume they're doing this or something like it,” Kamkar says.

Unlike the creators of those professional spy tools, though, Kamkar is publishing the full schematics of his DIY laser microphone spy kit. “Ideally, I want the public to know everything that intelligence agencies are doing, and the next thing, too," Kamkar says. “If you don't know something is possible, you're probably not going to protect against it.”

Even knowing that Kamkar's silent, invisible, long-distance laser spy trick exists, how does anyone hide their secrets from it? He suggests that companies install double-paned or reflective glass. Some security device companies also sell protection devices that affix to windows and vibrate them to prevent laser microphone spying, and Kamkar concedes he hasn't tested his attack against those. But he also suggests a safer countermeasure: “Don't work on computers visible from a window,” he says. “Or just have dirty windows.”

Kamkar admits that beyond any idea of enabling or defeating surveillance, he was driven to develop his laser spying tricks mostly to test what was possible in the realm of physics-based hacking. More than a warning about any particular spy trick, he hopes his Defcon talk will inspire the conference's hacker audience to think more broadly about how information resonates through the real world in unexpected and exploitable ways, defying any simple model of computer security.

“You hit a key, it produces a sound that emanates in all directions. All the light hitting the laptop also vibrates at that frequency. The key then closes a circuit on the keyboard that generates electromagnetism and emits radio frequency in all directions,” Kamkar says. “The physical world screams secrets, and we have the ability to listen.” And if you don't, whoever's watching outside your window just might.

Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes

From tricking companies into handing over victims’ personal data to offering violence as a service, the online doxing ecosystem is not just still a problem—it’s getting more extreme.

Since the early 1990s, people have used doxing as a toxic way to strike digital revenge—stripping away someone’s anonymity by unmasking their identity online. But in recent years, the poisonous practice has taken on new life, with people being doxed and extorted for cryptocurrency and, in the most extreme cases, potentially facing physical violence.

For the past year, security researcher Jacob Larsen—who was a victim of doxing around a decade ago when someone tried to extort him for a gaming account—has been monitoring doxing groups, observing the techniques used to unmask people, and interviewing prominent members of the doxing community. Doxing actions have led to incomes of “well over six figures annually,” and methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.

“The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.

Over several online chat sessions last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator of the biggest public doxing website, Doxbin, as well as being involved in other groups. (Two other ViLe members pleaded guilty to hacking and identity theft in June.) Larsen says both Ego and Reiko deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them independently.

People can be doxed for a full range of reasons—from harassment in online gaming, to inciting political violence. Doxing can “humiliate, harm, and reduce the informational autonomy” of targeted individuals, says Bree Anderson, a digital criminologist at Deakin University in Australia who has researched the subject with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order harms,” including anxiety around future disclosures of information, Anderson says.

Larsen’s research mostly focused on those doxing for profit. Doxbin is central to many doxing efforts, with the website hosting more than 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most of the doxing on Doxbin is driven by extortion activities, although there can be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it breaks the website’s terms of service.

“It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts. Ego added: “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”

**Impersonating Police, Violence as a Service**

Being entirely anonymous online is almost impossible—and many people don’t try, often using their real names and personal details in online accounts and sharing information on social media. Doxing tactics to gather people’s details, some of which were detailed in charges against ViLe members, can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.

Emergency data requests (EDR) can also be abused, Larsen says. EDRs allow law enforcement officials to ask tech companies for people’s names and contact details without any court orders as they believe there may be danger or risks to people’s lives. These requests are made directly to tech platforms, often through specific online portals, and broadly need to come from official law enforcement or government email addresses.

Inside the Dark World of Doxing for Profit

A researcher found a vulnerability that would let hackers strategically downgrade a target’s Windows version to reexpose patched vulnerabilities. Microsoft is working on fixes for the issue.

New research being presented at the Black Hat security conference in Las Vegas today shows that a vulnerability in Windows Update could be exploited to downgrade Windows to older versions, exposing a slew of historical vulnerabilities that then can be exploited to gain full control of a system. Microsoft says that it is working on a complex process to carefully patch the issue, dubbed “Downdate.”

Alon Leviev, the SafeBreach Labs researcher who discovered the flaw, says he started looking for possible downgrade attack methods after seeing that a startling hacking campaign from last year was using a type of malware (known as the “BlackLotus UEFI bootkit”) that relied on downgrading the Windows boot manager to an old, vulnerable version. After probing the Windows Update flow, Leviev discovered a path to strategically downgrading Windows—either the entire operating system or just specifically chosen components. From there, he developed a proof-of-concept attack that utilized this access to disable the Windows protection known as Virtualization-Based Security (VBS) and ultimately target highly privileged code running in the computer's core “kernel.”

“I found a downgrade exploit that is fully undetectable because it is performed by using Windows Update itself,” which the system trusts, Leviev told WIRED ahead of his conference talk. “In terms of invisibility, I didn't uninstall any update—I basically updated the system even though under the hood it was downgraded. So the system is not aware of the downgrade and still appears up-to-date.”

Leviev's downgrade capability comes from a flaw in the components of the Windows Update process. To perform an upgrade, your PC places what is essentially a request to update in a special update folder. It then presents this folder to the Microsoft update server, which checks and confirms its integrity. Next, the server creates an additional update folder for you that only it can control, where it places and finalizes the update and also stores an action list—called “pending.xml”—that includes the steps of the update plan, such as which files will be updated and where the new code will be stored on your computer. When you reboot your PC, it takes the actions from the list and updates the software.

The idea is that even if your computer, including your update folder, is compromised, a bad actor can't hijack the update process because the crucial parts of it happen in the server-controlled update folder. Leviev looked closely at the different files in both the user's update folder and the server's update folder, though, and he eventually found that while he couldn't modify the action list in the server's update folder directly, one of the keys controlling it—called “PoqexecCmdline”—was not locked. This gave Leviev a way to manipulate the action list, and with it the entire update process, without the system realizing that anything was amiss.

With this control, Leviev then found strategies to downgrade multiple key components of Windows, including drivers, which coordinate with hardware peripherals; dynamic link libraries, which contain system programs and data; and, crucially, the NT kernel, which contains the most core instructions for a computer to run. All of these could be downgraded to older versions that contain known, patched vulnerabilities. And Leviev even cast a wider net from there, to find strategies for downgrading Windows security components including the Windows Secure Kernel; the Windows password and storage component Credential Guard; the hypervisor, which creates and oversees virtual machines on a system; and VBS, the Windows virtualization security mechanism.

The technique does not include a way to first gain remote access to a victim device, but for an attacker who already has initial access, it could enable a true rampage, because Windows Update is such a trusted mechanism and can reintroduce a vast array of dangerous vulnerabilities that have been fixed by Microsoft over the years. Microsoft says that it has not seen any attempts to exploit the technique.

“We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption,” a Microsoft spokesperson told WIRED in a statement.

Part of the company's fix involves revoking vulnerable VBS system files, which must be done carefully and gradually, because it could cause integration issues or reintroduce other, unrelated problems that were previously addressed by those same system files.

Leviev emphasizes that downgrade attacks are an important threat for the developer community to consider as hackers endlessly seek paths into target systems that are stealthy and difficult to detect.

A Flaw in Windows Update Opens the Door to Zombie Exploits

As digital threats against US water, food, health care, and other vital sectors loom large, a new project called UnDisruptable27 aims to help fix cybersecurity weaknesses where other efforts have failed.

An endless parade of data breaches, brutally disruptive ransomware attacks, and crippling IT outages has somehow become the norm around the world. And in spite of escalating impacts to critical infrastructure and daily life, progress has been intermittent and often fleeting. Something's gotta give—and at the BSides Las Vegas security conference this week, a longtime critical-infrastructure security researcher is launching a project to communicate with utility operators, municipalities, and regular people in creative ways about both urgency and optimism around protecting critical infrastructure now.

Dubbed UnDisruptable27, the project will start as a pilot with a $700,000 grant for the first year through Craig Newmark Philanthropies' Cyber Civil Defense coalition. Led by Josh Corman, who was chief strategist for the US Cybersecurity and Infrastructure Security Agency's Covid Task Force, in collaboration with the Institute for Security and Technology (IST), the project will focus on the critical interdependence of water, food, emergency medical care, and power as the backbone of human safety. Corman says that the key goal is to foster new discourse about these challenges inspired by the disaster management tenets “inform, influence, inspire.” In other words, people need to understand the risks and feel empowered that they can take action.

“We are overdependent on undependable things. No one should feel comfortable with the potential for harm here with our current state of defense,” Corman told WIRED ahead of the announcement. “Our dependence on connected tech has grown faster than our ability to secure it. People have been doing good things, but public policy takes time, and I think this year we need to cross certain thresholds on the sense of urgency.”

One of Corman's main motivations to launch the effort as quickly as possible came from comments made during a January congressional hearing about the cybersecurity threat China poses to the US. In the hearing, then Cyber Command head and NSA director Paul Nakasone, Cybersecurity and Infrastructure Security Agency director Jen Easterly, FBI director Christopher Wray, and head of the Office of the National Cyber Director Harry Coker Jr. testified about pressing threats to US critical infrastructure, including specific campaigns the Chinese hacking group known as Volt Typhoon has been conducting to pre-position itself in US water infrastructure. The goal of this targeting is apparently to create leverage and a credible threat against the US as part of a Chinese plan to invade Taiwan, potentially in 2027.

“The budgets that emerge from discussions underway now will dictate what kind of resources we have ready in 2027, a year that, as this committee knows all too well, the CCP has circled on its calendar,” Wray told the US House of Representatives committee in January. “And that year will be on us before you know it. As I've described, the PRC is already today putting their pieces in place. I do not want those watching today to think we can't protect ourselves, but I do want the American people to know that we cannot afford to sleep on this danger.”

Having worked on embedded device security and critical infrastructure defense for years, including through the decade-old grassroots computer security and human safety initiative he founded known as I Am the Cavalry, Corman says that it felt significant that some of the nation's top intelligence officials were warning Congress of such specific threats to US infrastructure in an unclassified setting.

“It’s not just that the water goes out, it’s that when the sole wastewater facility in your community is down really bad things start to happen. For example, no water means no hospital,” he says. “I really encountered a lot of this during my leadership of the Covid Task Force. There is such interdependence across the basic functions of society.”

UnDisruptable27 will focus on interacting with communities who aren't reached by Washington, DC-based policy discussions or Information Sharing and Analysis Centers (ISACs), which are meant to represent each infrastructure sector of the US. The project aims to communicate directly with people who actually work on the ground in US critical infrastructure, and grapple together with the reality that cybersecurity-related disasters could impact their daily work.

“There’s a data breach, you get whatever services like identity protection for some period of time, and life carries on, and people think that there’s no long-term impact," says Megan Stifel, IST's chief strategy officer. “There’s this expectation that it’s fine, things will just continue. So we’re very interested in getting after this issue and thinking about how do we tackle critical infrastructure security with perhaps a new approach.”

Corman notes that even though cybersecurity incidents have become a well-known fact of life, business owners and infrastructure operators are often shaken and caught off guard when a cybersecurity incident actually affects them. Meanwhile, when government entities try to impose cybersecurity standards or become a partner on defense initiatives, communities often balk at the intrusion and perceived overreach. Last year, for example, the US Environmental Protection Agency was forced to rescind new cybersecurity guidelines for water systems after water companies and Republicans in Congress filed a lawsuit over the initiative.

“Time and time again, trade associations or lobbyists or owners and operators have an allergic reaction to oversight and say, ‘We prefer voluntary, we’re doing fine on our own,’” Corman says. “And they really are trying to do the right thing. But then also time and time again, people are just shocked that disruption could happen and feel very blindsided. So you can only conclude that the people who feel the pain of our failures are not included in the conversation. They deserve to understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we have not tried just leveling with people.”

UnDisruptable27 is launching this week for visibility among attendees at BSides as well as the other conferences, Black Hat and Defcon, that will run through Sunday in Las Vegas. Corman says that the goal is to combine the hacker mentality and, essentially, a call for volunteers with plans to work with creative collaborators on producing engaging content to fuel discourse and understanding. Information campaigns using memes and social media posts or moonshots like narrative podcasts and even reality TV are all on the table.

“We must prioritize the security, safety, and resilience of critical infrastructure—including water, health care facilities, and utilities," Craig Newmark, the Craigslist founder whose philanthropy is funding UnDisruptable27, told WIRED. "The urgency of this issue requires affecting human behavior through storytelling.”

A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks

Experts say the “nonsensical” policy proposal, which largely aligns with Donald Trump’s agenda, would weaken the US agency tasked with protecting election integrity, critical infrastructure, and more.

If anything, the military has impinged on CISA’s territory—not the other way around—out of exasperation with the civilian agency’s constrained resources, says Montgomery, a retired Navy rear admiral.

“The Department of Defense would say, ‘We're having to do things that we think CISA should be doing,’” Montgomery says, which has meant “slowly creeping outside the base fence to make sure that electrical power grids, water systems, \[and\] telecom systems \[near bases\] are properly protected in case of a crisis.”

**Department of Dubious Moves**

Of all the CISA proposals in Project 2025’s plan, the most ambitious one is highly unlikely to succeed: moving the agency into the Department of Transportation as part of a broader initiative to dismantle DHS.

The recommendation reflects conservatives’ desire to shrink the overall size of government, but it may also suggest a belief that moving CISA would curtail its scope and make it “a little more manageable,” says Brandon Pugh, director of the cybersecurity and emerging threats team at the center-right think tank R Street Institute. Pugh says some Republicans believe the agency “went beyond its original mandate and \[has\] become too bloated.”

But this idea is a virtual nonstarter because the congressional committees with oversight of CISA won’t give up their power in a rapidly growing domain. “There's no way that would ever work,” Costello says.

Apart from being infeasible, the proposal would undermine CISA’s effectiveness.

Cybersecurity fits squarely into DHS’s homeland-security portfolio, so moving CISA into a department with a different mission “doesn't make a lot of sense” and “would undermine some of the organizational logic,” Kelly says. “I don't actually understand the rationale of that.”

DHS is also better-suited to facilitate the kind of cross-government collaboration that CISA relies on for its twin missions of protecting federal computer systems and helping companies and local governments defend themselves.

“Giving CISA to Department of Transportation would reduce the cybersecurity of our national critical infrastructure for some period of time,” Montgomery says, adding that Transportation is “one of the last places” he’d put CISA and calling the proposal “nonsensical.”

Still, observers say it might be worth reviewing the structure of DHS, which has steadily accumulated functions since its post-9/11 creation and is now considered something of a Frankenstein department. But that review has to be “well thought out,” Todt says. “Reorganization of government should never be taken lightly.”

**Squandering a Moment**

Even as Project 2025 appears to misunderstand some aspects of CISA’s mission and focus disproportionately on others, the document also misses opportunities to recommend meaningful reforms.

Congress has spent years waiting for CISA to complete a “force structure assessment” that would better define its mission and the resources and organization needed to accomplish it. But even beyond CISA, there are serious concerns that the government as a whole isn’t coordinating well on cyber issues.

Pugh says it’s worth examining whether the system is working well. “Do we need to take a harder look at who's responsible for different leadership aspects of cyber?”

For now, though, experts agree that Project 2025 misses the mark. The document, Montgomery says, is “full of little tantrums” and “shows a lack of understanding of how federal government works.”

Costello says it’s “embarrassing” to see Project 2025 “call for essentially the hollowing out of CISA,” and he worries that its implementation could create a perilous feedback loop for the agency.

“If you were to reduce the mission scope and importance of CISA,” he says, “morale is going to drop, people are going to want to leave, and Congress is going to be less willing to fund \[it\].”

How Project 2025 Would Put US Elections at Risk

Plus: Meta pays $1.4 million in a historic privacy settlement, Microsoft blames a cyberattack for a major Azure outage, and an artist creates a face recognition system to reveal your NYPD “coppelganger.”

If it seems like there’s suddenly a whole lot more data breaches, you may be right. Part of this apparent spike is thanks to the growing popularity of infostealer malware. These types of malicious software are increasingly being used by cybercriminals to scoop up as many login credentials and other sensitive data as possible. That stolen data is then sold on criminal hacker forums, then used to break into victims’ accounts, which can include those of massive corporations. It’s a good reminder to always enable multi-factor authentication anywhere it’s available.

A security researcher this week disclosed the discovery of more than a dozen unsecured databases containing sensitive information on voters in counties across Illinois. The data, which was stored by a government contractor, includes driver’s license numbers, Social Security numbers, death certificates, and more. While election security has generally improved in recent years, the episode illuminates how difficult it can be to protect all voter data all the time.

The history of confidential FBI informants is long and sordid—and ongoing. A WIRED investigation published this week revealed how one informant infiltrated far-right groups and turned over their secrets to the Feds—all while pushing hateful ideologies that helped inspire a new generation of violent extremists online.

Hacking computers with lasers has always been a rich person’s game—until now. Security researchers Sam Beaumont and Larry “Patch” Trowell are releasing an open source laser hacking tool called RayV Lite, which can be produced for just $500, a tiny fraction of the $150,000 price tag of laser equipment historically used for hardware hacking. The pair will be detailing the RayV Lite at the Black Hat security conference next week in Las Vegas. (WIRED will be on the ground for Black Hat and Defcon, the _other_ big security conference happening next week in Vegas, so check back for our full coverage starting on Tuesday.)

Finally, we dove into the fine print of OpenAI’s ChatGPT-4o to lay out the privacy wins and pitfalls of the generative AI tool.

But that’s not all. Each week, we round up the big security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

In a historic prisoner swap between the US and Russia, Wall Street Journal reporter Evan Gershkovich and former Marine Paul Whelan were freed from Russian detention on Thursday. The White House said the secret deal, negotiated for over a year, involved 24 prisoners: 16 moved from Russia to the West and eight from the West to Russia, including two cybercriminals. NBC News reports this is likely the first time the US has released international hackers in a prisoner exchange.

The two Russian hackers are Roman Seleznev and Vladislav Klyushin. Seleznev was sentenced in 2017 to 27 years in prison for racketeering convictions. According to the US Department of Justice, he installed malware on point-of-sale systems software that allowed him to steal millions of credit card numbers from more than 500 US businesses. In September 2023, Klyushin was sentenced to nine years in prison for what US prosecutors described as a “$93 million hack-to-trade conspiracy.”

**Meta Pays $1.4 Billion Over Face Recognition Controversy**

Meta, the parent company of Facebook and Instagram, will pay $1.4 billion to settle a lawsuit brought by the Texas attorney general, whose office accused the social media behemoth of illegally capturing the biometric data of millions of Texans. In 2022, the state sued Meta over its implementation of a feature that used face recognition to automatically suggest people to tag in photos and videos uploaded to Facebook. Prosecutors say the feature, initially called Tag Suggestions, violated a Texas law that makes it illegal for companies to capture and profit from someone’s biometric identifiers without their consent. While Meta did not admit to any wrongdoing as part of the agreement, according to Texas attorney general Ken Paxton's office, it’s the single largest privacy settlement ever obtained by a state.

**Cyberattack Sparks Eight-Hour Microsoft Azure Outage**

A widespread Microsoft Azure outage that impacted a range of services—including Microsoft 365 products such as Office and Outlook—was caused by a cyberattack, the tech company revealed on Wednesday. According to Microsoft’s Azure status history page, the incident lasted approximately eight hours on Tuesday and affected “a subset” of customers globally.

The company described the attack as a distributed denial of service, a malicious attempt by hackers to disrupt a target company’s operations by overwhelming its infrastructure with a flood of internet traffic. According to PCMag, two hacktivist groups have claimed responsibility. Microsoft plans on publishing a review of the incident.

Source

Wired