Here's how to request that your personal information not be used to train Meta's AI model. "Request" is the operative word here.

As Meta, the company behind Facebook, continues to develop its generative artificial intelligence tools, you can now request the removal of some of the personal data the company uses to train its AI model. There are a ton of caveats, though.

Earlier this year, CEO Mark Zuckerberg announced plans to build a range of AI features into Meta’s platforms like Facebook, Instagram, and WhatsApp. Despite the popularity of generative AI in Silicon Valley, murky legal questions remain for the technology, and many people are anxious about its rapid advancement.

Want to stop Meta from using all of your info to improve its AI? The company added a new form to one of its help centers titled “Generative AI Data Subject Rights at Facebook.” With this form, you can request that Meta give you access to the third-party data it uses for AI development and that the personal information is deleted. The operative word here is “request.” There’s no guarantee from the company that it’ll delete it, or that it’ll provide you with the information you’re asking for, even if it’s yours.

It’s important to point out that this form does not pertain to the gobs of personal information Meta has already collected from you on its platforms; it only applies to outside data the company may bring in to beef up its generative AI. This outside data could include stuff that’s elsewhere on the internet as well as data purchased from third-party data brokers.

You don’t need to be signed in to a Facebook account to submit the opt-out request. All that Facebook requires is your country of residence, full name, and email address. In my experience, the website was quite glitchy on mobile, and it was easier to fill out the form on my desktop. It took the company over 24 hours to send a basic confirmation email stating it was “reviewing \[my\] request.”

For those in the US, it’s unclear if anything happens at all when you fill out this form. Data privacy laws protecting UK residents make this form more worthwhile for people who live in the UK. “Depending on where people live, they may be able to exercise their data subject rights and object to certain data being used to train our AI models,” said Thomas Richards, a Meta spokesperson, to Gizmodo. Meta did not respond to multiple requests from WIRED to comment on this story.

A company blog post about Meta’s use of personal info to train its AI goes just a little further in detail about its different approaches to personal data collection, but specifics are scant: “In the European region and United Kingdom, we rely on the basis of legitimate interests to collect and process any personal information included in these publicly available and licensed sources to train our generative AI models. For other jurisdictions where applicable, we rely on an adequate legal basis to collect and process this data.”

This opt-out form comes just a few months after European regulators struck Meta with a $1.3 billion fine for misusing data that originated in the UK.

Facebook Trains Its AI on Your Data. Opting Out May Be Futile

After leaving many questions unanswered, a new post mortem from Microsoft explains the series of slip-ups that allowed attackers to steal and abuse a valuable cryptographic key.

Microsoft said in June that a China-backed hacking group had stolen a cryptographic key from the company's systems. This key allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple United States government agencies. At the time of the disclosure, however, Microsoft did not explain how the hackers were able to compromise such a sensitive and highly guarded key, or how they were able to use the key to move between consumer- and enterprise-tier systems. But a new post mortem published by the company on Wednesday explains a chain of slip-ups and oversights that allowed the improbable attack.

Such cryptographic keys are significant in cloud infrastructure because they are used to generate authentication “tokens” that prove a user’s identity for accessing data and services. Microsoft says it stores these sensitive keys in an isolated and strictly access-controlled “production environment.” But during a particular system crash in April 2021, the key in question was an incidental stowaway in a cache of data that crossed out of the protected zone.

“All the best hacks are deaths by 1,000 paper cuts, not something where you exploit a single vulnerability and then get all the goods,” says Jake Williams, a former US National Security Agency hacker who is now on the faculty of the Institute for Applied Network Security.

After the fateful crash of a consumer signing system, the cryptographic key ended up in an automatically generated “crash dump” of data about what had happened. Microsoft's systems are meant to be designed so signing keys and other sensitive data doesn't end up in crash dumps, but this key slipped through because of a bug. Worse still, the systems built to detect errant data in crash dumps failed to flag the cryptographic key.

With the crash dump seemingly vetted and cleared, it was moved from the production environment to a Microsoft “debugging environment,” a sort of triage and review area connected to the company's regular corporate network. Once again though, a scan designed to spot the accidental inclusion of credentials failed to detect the key's presence in the data.

Sometime after all of this occurred in April 2021, the Chinese espionage group, which Microsoft calls Storm-0558, compromised the corporate account of a Microsoft engineer. With this account, the attackers could access the debugging environment where the ill-fated crash dump and key were stored. Microsoft says it no longer has logs from this era that directly show the compromised account exfiltrating the crash dump, “but this was the most probable mechanism by which the actor acquired the key.” Armed with this crucial discovery, the attackers were able to start generating legitimate Microsoft account access tokens.

Another unanswered question about the incident had been how the attackers used a cryptographic key from the crash log of a consumer signing system to infiltrate the enterprise email accounts of organizations like government agencies. Microsoft said on Wednesday that this was possible because of a flaw related to an application programming interface that the company had provided to help customer systems cryptographically validate signatures. The API had not been fully updated with libraries that would validate whether a system should accept tokens signed with consumer keys or enterprise keys, and as a result, many systems could be tricked into accepting either.

The company says it has fixed all of the bugs and lapses that cumulatively exposed the key in the debugging environment and allowed it to sign tokens that would be accepted by enterprise systems. But the recap does not describe how attackers compromised the engineer's corporate account, and Microsoft did not immediately respond to WIRED's request for comment about how the account breach occurred. This is important information for fully understanding how the attack played out, independent security researcher Adrian Sanabria says. He adds, too, that the fact Microsoft kept limited logs during this time period is significant. As part of its response to the Storm-0558 hacking spree overall, the company said in July that it would expand the cloud logging capabilities that it offers for free.

“It's particularly notable, because one of the complaints about Microsoft is that they don't set up their own customers for security success,” Sanabria says. “Logs disabled by default, security features are an add-on requiring additional spending, or more premium licenses. It appears they themselves got bit by this practice.”

As Williams from The Institute for Applied Network Security points out, organizations like Microsoft must face highly motivated and well-resourced attackers who are unusually capable of capitalizing on the most esoteric or improbable mistakes. He says that from reading Microsoft's latest updates on the situation, he is more sympathetic to why the situation played out the way it did.

“You'll only hear about highly complex hacks like this in an environment like Microsoft's,” he says. “In any other organization the security is relatively so weak that a hack doesn't need to be complex. And even when environments are pretty secure, they often lack the telemetry—along with the retention—needed to investigate something like this. Microsoft is a rare organization that has both. Most organizations wouldn't even store logs like this for a few months so I'm impressed that they had as much telemetry as they did."

The Comedy of Errors That Let China-Backed Hackers Steal Microsoft’s Signing Key

Some foreign companies may be complying—potentially offering China’s spies hints for hacking their customers.

For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they're revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.

But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they’re now required to tell a Chinese government agency—which, in some cases, then shares that information with China's state-sponsored hackers, according to a new investigation. And some evidence suggests foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers.

Today, the Atlantic Council released a report—whose findings the authors shared in advance with WIRED—that investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products. The law requires, among other things, that tech companies that discover or learn of a hackable flaw in their products must share information about it within two days with a Chinese agency known as the Ministry of Industry and Information Technology. The agency then adds the flaw to a database whose name translates from Mandarin as the Cybersecurity Threat and Vulnerability Information Sharing Platform but is often called by a simpler English name, the National Vulnerability Database.

The report’s authors combed through the Chinese government's own descriptions of that program to chart the complex path the vulnerability information then takes: The data is shared with several other government bodies, including China’s National Computer Network Emergency Response Technical Teams/Coordination Center, or CNCERT/CC, an agency devoted to defending Chinese networks. But the researchers found that CNCERT/CC makes its reports available to technology "partners" that include exactly the sort of Chinese organizations devoted not to fixing security vulnerabilities but to exploiting them. One such partner is the Beijing bureau of China's Ministry of State Security, the agency responsible for many of the country's most aggressive state-sponsored hacking operations in recent years, from spy campaigns to disruptive cyberattacks. And the vulnerability reports are also shared with Shanghai Jiaotong University and the security firm Beijing Topsec, both of which have a history of lending their cooperation to hacking campaigns carried out by China's People Liberation Army.

“As soon as the regulations were announced, it was apparent that this was going to become an issue,” says Dakota Cary, a researcher at the Atlantic Council's Global China Hub and one of the report’s authors. “Now we've been able to show that there is real overlap between the people operating this mandated reporting structure who have access to the vulnerabilities reported and the people carrying out offensive hacking operations.”

Given that patching vulnerabilities in technology products almost always takes far longer than the Chinese law’s two-day disclosure deadline, the Atlantic Council researchers argue that the law essentially puts any firm with China-based operations in an impossible position: Either leave China or give sensitive descriptions of vulnerabilities in the company’s products to a government that may well use that information for offensive hacking.

The researchers found, in fact, that some firms appear to be taking that second option. They point to a July 2022 document posted to the account of a research organization within the Ministry of Industry and Information Technologies on the Chinese-language social media service WeChat. The posted document lists members of the Vulnerability Information Sharing program that “passed examination,” possibly indicating that the listed companies complied with the law. The list, which happens to focus on industrial control system (or ICS) technology companies, includes six non-Chinese firms: Beckhoff, D-Link, KUKA, Omron, Phoenix Contact, and Schneider Electric.

WIRED asked all six firms if they are in fact complying with the law and sharing information about unpatched vulnerabilities in their products with the Chinese government. Only two, D-Link and Phoenix Contact, flatly denied giving information about unpatched vulnerabilities to Chinese authorities, though most of the others contended that they only offered relatively innocuous vulnerability information to the Chinese government and did so at the same time as giving that information to other countries’ governments or to their own customers.

The Atlantic Council report’s authors concede that the companies on the Ministry of Industry and Information Technology’s list aren’t likely handing over detailed vulnerability information that could immediately be used by Chinese state hackers. Coding a reliable “exploit,” a hacking software tool that takes advantage of a security vulnerability, is sometimes a long, difficult process, and the information about the vulnerability demanded by Chinese law isn’t necessarily detailed enough to immediately build such an exploit.

But the text of the law does require—somewhat vaguely—that companies provide the name, model number, and version of the affected product, as well as the vulnerability's “technical characteristics, threat, scope of impact, and so forth.” When the Atlantic Council report’s authors got access to the online portal for reporting hackable flaws, they found that it includes a required entry field for details of where in the code to “trigger” the vulnerability or a video that demonstrates “detailed proof of the vulnerability discovery process,” as well as a nonrequired entry field for uploading a proof-of-concept exploit to demonstrate the flaw. All of that is far more information about unpatched vulnerabilities than other governments typically demand or that companies generally share with their customers.

Even without those details or a proof-of-concept exploit, a mere description of a bug with the required level of specificity would provide a “lead” for China’s offensive hackers as they search for new vulnerabilities to exploit, says Kristin Del Rosso, the public sector chief technology officer at cybersecurity firm Sophos, who coauthored the Atlantic Council report. She argues the law could be providing those state-sponsored hackers with a significant head start in their race against companies’ efforts to patch and defend their systems. “It’s like a map that says, ‘Look here and start digging,’” says Del Rosso. “We have to be prepared for the potential weaponization of these vulnerabilities.”

If China’s law is in fact helping the country’s state-sponsored hackers gain a greater arsenal of hackable flaws, it could have serious geopolitical implications. US tensions with China over both the country’s cyberespionage and apparent preparations for disruptive cyberattack have peaked in recent months. In July, for instance, the Cybersecurity and Information Security Agency (CISA) and Microsoft revealed that Chinese hackers had somehow obtained a cryptographic key that allowed Chinese spies to access the email accounts of 25 organizations, including the State Department and the Department of Commerce. Microsoft, CISA, and the NSA all warned as well about a Chinese-origin hacking campaign that planted malware in electric grids in US states and Guam, perhaps to obtain the ability to cut off power to US military bases.

Even as those stakes rise, the Atlantic Council’s Cary says he’s had firsthand conversations with one Western tech firm on the Ministry of Industry and Information Technology’s list that directly told him it was complying with China’s vulnerability disclosure law. According to Cary, the lead executive for the Chinese arm of the company—which Cary declined to name—told him that complying with the law meant that it had been forced to submit information about unpatched vulnerabilities in its products to the Ministry of Industry and Information Technology. And when Cary spoke to another executive of the company outside of China, that executive wasn’t aware of the disclosure.

Cary suggests that a lack of awareness of vulnerability information shared with the Chinese government may be typical for foreign companies that operate in the country. “If it’s not on executives’ radar, they don’t go around asking if they’re in compliance with the law that China just implemented,” says Cary. “They only hear about it when they’re _not_ in compliance.”

Of the six non-Chinese firms on the Ministry of Industry and Information Technology’s list of compliant ICS technology firms, Taiwan-based D-Link gave WIRED the most direct denial, responding in a statement from its chief information security officer for North America, William Brown, that it “has never provided undisclosed product security information to the Chinese government.”

German industrial control system tech firm Phoenix Contact also denied giving China vulnerability information, writing in a statement, “We make sure that potential new vulnerabilities are handled with utmost confidentiality and by no means get into the hands of potential cyber attackers and affiliated communities wherever they are located.”

Other companies on the list said that they do report vulnerability information to the Chinese government, but only the same information provided to other governments and to customers. Swedish industrial automation firm KUKA responded that it “fulfills legal local obligations in all countries, where we operate,” but wrote that it offers the same information to its customers, publishes known vulnerability information about its products on a public website, and will comply with a similar upcoming law in the EU that requires disclosing vulnerability information. Japanese technology company Omron similarly wrote that it gives vulnerability information to the Chinese government, CISA in the US, and the Japanese Computer Emergency Response Team, as well as publishing information about known vulnerabilities on its website.

German industrial automation firm Beckhoff spelled out a similar approach in more detail. “Legislation in several nations requires that any vendor selling products in their market must inform their authorized body about security vulnerabilities prior to their publication,” wrote Torsten Förder, the company’s head of product security. “General information about the vulnerability is disclosed as further research and mitigation strategies are developing. This enables us to notify all regulatory bodies quickly, while refraining from publishing comprehensive information on how to exploit the vulnerability under investigation.”

French electric utility technology firm Schneider Electric offered the most ambiguous response. The company’s head of product vulnerability management, Harish Shankar, wrote only that “cybersecurity is integral to Schneider Electric’s global business strategy and digital transformation journey” and referred WIRED to its Trust Charter as well as the cybersecurity support portal on its website, where it releases security notifications and mitigation and remediation tips.

Given those carefully worded and sometimes elliptical responses, it’s difficult to know to exactly what degree companies are complying with China’s vulnerability disclosure law—particularly given the relatively detailed description required on the government’s web portal for uploading vulnerability information. Ian Roos, a China-focused researcher at cybersecurity R&D firm Margin Research who reviewed the Atlantic Council report prior to publication, suggests that companies might be engaging in a kind of “malicious compliance,” sharing only partial or misleading information with Chinese authorities. And he notes that even if they are sharing solid vulnerability data, it may still not be specific enough to be immediately helpful to China’s state-sponsored hackers. “It’s very hard to go from ‘there's a bug here’ to actually leveraging and exploiting it, or even knowing if it can be leveraged in a way that would be useful,” Roos says.

The law is still troubling, Roos adds, since the Chinese government has the ability to impose serious consequences on companies that don’t share as much information as it would like, from hefty fines to revocation of business licenses necessary to operate in the country. “I don’t think it’s doomsday, but it’s very bad,” he says. “I think it absolutely does create a perverse incentive where now you have private organizations that need to basically expose themselves and their customers to the adversary.”

In fact, China-based staff of foreign companies may be complying with the vulnerability disclosure law more than executives outside of China even realize, says J. D. Work, a former US intelligence official who is now a professor at National Defense University College of Information and Cyberspace. (Work holds a position at the Atlantic Council, too, but wasn’t involved in Cary and Del Rosso’s research.) That disconnect isn’t just due to negligence or willful ignorance, Work adds. China-based staff might broadly interpret another law China passed last year focused on countering espionage as forbidding China-based executives of foreign firms from telling others at their own company about how they interact with the government, he says. “Firms may not fully understand changes in their own local offices’ behavior,” says Work, “because those local offices may not be _permitted_ to talk to them about it, under pain of espionage charges.”

Sophos’ Del Rosso notes that even if companies operating in China are finding the wiggle room to avoid disclosing actual, hackable vulnerabilities in their products today, that’s still no guarantee that China won’t begin tightening its enforcement of the disclosure law in the future to close any loopholes.

“Even if people aren't complying—or if they are complying but only to a certain extent—it can only devolve and get worse,” says Del Rosso. “There’s no way they’re going to start asking for _less_ information, or requiring _less_ of people working there. They’ll never get softer. They’ll crack down more.”

_Updated 9:20 am, September 6, 2023: A previous version of this article incorrectly identified Margin Research's Ian Roos. We regret the error._

How China Demands Tech Firms Reveal Hackable Flaws in Their Products

Chatbots like Open AI’s ChatGPT and Google’s Bard are vulnerable to indirect prompt injection attacks. Security researchers say the holes can be plugged—sort of.

It's easy to trick the large language models powering chatbots like OpenAI's ChatGPT and Google's Bard. In one experiment in February, security researchers forced Microsoft’s Bing chatbot to behave like a scammer. Hidden instructions on a web page the researchers created told the chatbot to ask the person using it to hand over their bank account details. This kind of attack, where concealed information can make the AI system behave in unintended ways, is just the beginning.

Hundreds of examples of “indirect prompt injection” attacks have been created since then. This type of attack is now considered one of the most concerning ways that language models could be abused by hackers. As generative AI systems are put to work by big corporations and smaller startups, the cybersecurity industry is scrambling to raise awareness of the potential dangers. In doing so, they hope to keep data—both personal and corporate—safe from attack. Right now there isn’t one magic fix, but common security practices can reduce the risks.

“Indirect prompt injection is definitely a concern for us,” says Vijay Bolina, the chief information security officer at Google’s DeepMind artificial intelligence unit, who says Google has multiple projects ongoing to understand how AI can be attacked. In the past, Bolina says, prompt injection was considered “problematic,” but things have accelerated since people started connecting large language models (LLMs) to the internet and plug-ins, which can add new data to the systems. As more companies use LLMs, potentially feeding them more personal and corporate data, things are going to get messy. “We definitely think this is a risk, and it actually limits the potential uses of LLMs for us as an industry,” Bolina says.

Prompt injection attacks fall into two categories—direct and indirect. And it’s the latter that’s causing most concern amongst security experts. When using a LLM, people ask questions or provide instructions in prompts that the system then answers. Direct prompt injections happen when someone tries to make the LLM answer in an unintended way—getting it to spout hate speech or harmful answers, for instance. Indirect prompt injections, the really concerning ones, take things up a notch. Instead of the user entering a malicious prompt, the instruction comes from a third party. A website the LLM can read, or a PDF that's being analyzed, could, for example, contain hidden instructions for the AI system to follow.

“The fundamental risk underlying all of these, for both direct and indirect prompt instructions, is that whoever provides input to the LLM has a high degree of influence over the output,” says Rich Harang, a principal security architect focusing on AI systems at Nvidia, the world’s largest maker of AI chips. Put simply: If someone can put data into the LLM, then they can potentially manipulate what it spits back out.

Security researchers have demonstrated how indirect prompt injections could be used to steal data, manipulate someone’s résumé, and run code remotely on a machine. One group of security researchers ranks prompt injections as the top vulnerability for those deploying and managing LLMs. And the National Cybersecurity Center, a branch of GCHQ, the UK’s intelligence agency, has even called attention to the risk of prompt injection attacks, saying there have been hundreds of examples so far. “Whilst research is ongoing into prompt injection, it may simply be an inherent issue with LLM technology,” the branch of GCHQ warned in a blog post. “There are some strategies that can make prompt injection more difficult, but as yet there are no surefire mitigations.”

OpenAI spokesperson Niko Felix says prompt injections are an area of active research, while OpenAI has previously name-checked “jailbreaks,” another term used for some prompt injections. Caitlin Roulston, director of communications at Microsoft, says the company has “large teams” working on the security issues. “As part of this ongoing effort, we take action to block suspicious websites, and we continuously improve our systems to help identify and filter these types of prompts before they get to the model,” Roulston says.

AI systems might be creating new problems, but they could help solve them too. Google’s Bolina says the company uses “specially trained models” to “help identify known malicious inputs and known unsafe outputs that violate our policies.” Nvidia has released an open source series of guardrails for adding restrictions to models. But these approaches can only go so far; it isn’t possible to know all the kinds of ways malicious prompts may be used. Both Bolina and Nvidia’s Harang say that developers and companies wanting to deploy LLMs into their systems should use a series of security industry best practices to reduce the risks of indirect prompt injections. “You have to really think about the way that you're going to be integrating and implementing these models into additional applications and services,” Bolina says.

“The second you are taking input from third parties like the internet, you cannot trust the LLM any more than you would trust a random internet user,” Harang says. “The core issue is that you always have to put the LLM outside of any trust boundary, if you want to really focus on security.” Within cybersecurity, trust boundaries can establish how much particular services can be relied upon and the levels of access they can get to types of information. Siloing a system reduces risk. Since introducing plug-ins for ChatGPT earlier this year, OpenAI has added user authentication, meaning people have to approve when plug-ins want to take some actions. Harang says companies should understand who wrote plug-ins and how they were designed before they integrate them.

Google’s Bolina adds that when connecting systems to LLMs, people should also follow the cybersecurity principle of least privileges, giving the system the minimum access to data it needs and the lowest ability to make changes required. “If I'm asking an LLM to read my email, should the service layer that provides that interaction grant that service \[the ability\] to write email? Probably not,” he says. Ultimately, Harang adds, it’s a new version of an old security problem. “The attack surface is new. But the principles and the problems we're dealing with are the same ones we've been dealing with for 30-plus years.”

Generative AI’s Biggest Security Flaw Is Not Easy to Fix

Posts praising the Wagner Group boss following his death in a mysterious plane crash last month indicate he was still in control of his "troll farm," researchers claim.

Yveneny Prigozhin’s wartime atrocities propelled the brutal mercenary into the limelight. But Prigozhin—who was once Russian president Vladimir Putin’s chef and a small-time criminal—also held a title as one of the world’s biggest disinformation peddlers. For years, Prigozhin operated the notorious Internet Research Agency, a Russian troll farm that meddled in US elections and beyond.

When Prigozhin suddenly died in a mysterious plane crash on August 23, around two months after he led his Wagner Group mercenaries in a failed mutiny against Putin, the trolls didn’t stop posting. Instead, according to a new analysis shared with WIRED, some continued to show their support for him.

In the days immediately after his death, a coordinated network of pro-Prigozhin accounts on X (formerly known as Twitter) pushed messages saying that the warlord was a hero and good for Russia, despite the Wagner Group’s failed rebellion against Putin in June. These messages also blamed the West for the plane crash and said that the Wagner Group would continue operating in Africa.

“It was not profitable for Putin to kill Prigozhin. PMC \[private military company\] carry a lot of weight in Africa, and Prigozhin skillfully managed it, despite his ‘character quirks,’” one account posted on X. “Prigozhin served for the good of Russia, remained faithful to his military oath, and was killed by saboteurs, or terrorists mined the plane,” another speculated. “In short, he just ditched his phone and disappeared into the sunset, just like in a typical action movie,” a third posted.

The organized accounts were all identified and shared with WIRED by Antibot4Navalny, an anonymous group of volunteers who track Russian-language influence operations on X. A person behind the group, whom WIRED granted anonymity due to safety concerns, says they started inspecting the posts of suspected X accounts after the crash when they “noticed that Prigozhin is surprisingly covered in an exclusively positive light.” The group found 30 accounts pushing pro-Prigozhin narratives, they say.

The activity could be a sign that Prigozhin remained in control of the Internet Research Agency troll factory until he died, the group claims, adding that it echoes similar activity they previously saw. Reports have said that after the attempted June uprising, Prigozhin-owned news websites and the troll factory were being shut down or looking for new owners. “Domestically, there was a lot of debate whether or not Prigozhin lost his control over the troll factory as one of the immediate aftermaths of the mutiny,” the Antibot4Navalny member says.

While the posts on X are only a tiny snapshot of social media activity, they highlight how Russian-linked propaganda has changed since the Internet Research Agency interfered in US politics in 2016, experts say. The Russian misinformation and disinformation industry has evolved into a rich ecosystem of state-backed media, massive Telegram channels, and more conventional social media posts. Millions of people follow so-called military bloggers and war journalists on Telegram—some of these channels are linked to the Russian state, while others are aligned with Pirgozhin and the Wagner Group. But all can muddy the waters or repeat set lines.

“Confusion in the information space is one of the aims of the Kremlin information operations—to make everything equally unbelievable so people’s trust in all kinds of sources is undermined,” says Eto Buziashvili, a disinformation and influence operations researcher with a focus on Russia at the Atlantic Council’s Digital Forensic Research Lab. Since the start of its full-scale war in Ukraine in February 2022, Russia has blocked and censored social media websites, banned independent news media, and pushed reams of disinformation.

Kyle Walter, head of research at misinformation and disinformation research company Logically, reviewed the posts shared by Antibot4Navalny and says they show “signs of being inauthentic.” The X accounts were largely created earlier this year, have low volumes of original posts, and mostly retweet or reply to accounts, and some of them also follow each other, Walter says. The themes the accounts posted about around the plane crash also match what Logically has seen from monitoring Telegram channels linked to the Wagner Group, he says. Walter adds, however, that linking them directly to the Internet Research Agency is harder to do.

The Antibot4Navalny researcher says that based on their previous research, they believe that the pro-Prigozhin trolls operate in similar ways. They “primarily serve” the interests of Putin, but they also push pro-Prigozhin narratives when it doesn’t “hurt” the Russian president, the researcher says. The approach “still worked in the plane-crash episode: Cover Putin as strongly as possible, but also, it is a nice opportunity to praise Prigozhin,” they say. The researcher says they are reporting the accounts to X.

As well as the posts around the plane crash, the Antibot4Navalny group also shared previous research and analysis with WIRED. In one instance, the group reported more than 7,000 suspected accounts to X. We tested dozens of these accounts and found that they have all been removed from the Elon Musk-owned social media company. Antibot4Navalny says the “troll” accounts are often active in groups, pushing the “same set of talking points” and mostly replying to tweets about news related to Russia and Ukraine or pro-Ukrainian channels. X did not immediately respond to WIRED’s request for comment.

On July 14, the Antibot4Navalny researcher says, some of the accounts they have tracked replied to posts discussing comments from Putin, who said that the Wagner Group “does not exist” and that there is no legal basis for the group. The accounts, the researcher says, sent messages saying that Wagner operated legally and referenced Concord, the catering company owned by Prigozhin. The Antibot4Navalny researcher claims that the points were not included in any Kremlin-controlled media and that mentions of the company “served interests of the troll factory/its owner—rather than interests of the Kremlin.”

Buziashvili, the Atlantic Council researcher, says she believes the troll factory is still operating. “Part of them might be still supporting Prigozhin,” she says. “For most of the people who were working there, they would just continue their work regardless of who is their current boss.”

Following the plane crash, Buziashvili says, Russian officials and state media pushed multiple “theories” simultaneously. On one TV show, both the UK and NATO were blamed for the plane crash, she says. Other instances blame Ukraine and claim that Prigozhin was not killed in the crash. Pro-Wagner Telegram channels were also pushing claims that the plane was shot down by Russian aviation, Buziashvili says, and that they wanted “revenge.” Nobody has formally claimed responsibility for the explosion—both Putin and Ukraine have denied involvement.

Despite the changing information ecosystem, the amount of Russian disinformation on social media is colossal. During the first year after it launched the war in Ukraine, Russia’s disinformation reached an audience of “at least” 165 million and generated 16 billion views across Facebook, Instagram, Twitter/X, YouTube, TikTok, and Telegram, according to a European Commission study of Russia-linked activity published last week. Subscribers to pro-Kremlin Telegram channels have “more than tripled” since the start of the war, the report says. “Preliminary analysis suggests that the reach and influence of Kremlin-backed accounts has grown further in the first half of 2023, driven in particular by the dismantling of Twitter’s safety standards.”

“What we typically see these days is narratives formulated on Telegram,” says Logically’s Walter. The company has recently found pro-Russian channels pushing disinformation about Niger’s military coup, and it has also linked a Russian fact-checking website and Telegram account to a presenter on Russia’s “biggest” propaganda TV show. “You have Western influencers who are sympathetic to Russian causes that will translate those narratives and then share them on mainstream platforms. And they circulate more broadly,” he says.

Walter says that over time, and largely because of the war, it has become easier for Russian propaganda and disinformation to attack the West. “From a tactics perspective, there’s a lot less direct involvement that we can attribute from the Russian state itself, and it is more these proxies,” he says. “Russian disinformation efforts are gradually adapting to any sort of Western countering that gets put in place.”

The Strange Afterlife of Wagner’s Yevgeny Prigozhin

If you want the highest possible level of protection, this is it.

There's a constant battle going on between software developers trying to keep their apps and platforms secure, and hackers and malware writers eager to break through those digital defenses. In its quest to offer a more secure and private suite of web apps, security-focused service provider Proton is rolling out a new feature called Proton Sentinel.

If you're new to Proton, the Switzerland-based company offers email, VPN, cloud storage, and various other digital services, with a clear emphasis on security and privacy. It's a bit like Google without the tracking or the ads, and the newly unveiled Proton Sentinel is a “high-security program” for keeping users and their data safe.

It's worth emphasizing that Proton accounts already come with a bunch of security features and protections to keep out bad actors. There's end-to-end, zero-access encryption for user data, there's two-factor authentication to help you prove you are who you say you are when you log in, there's a custom-built spam filtering system, there are real-time notifications of logins, and more.

However, Sentinel goes further. Proton describes the additional feature as offering more protection than most people will need, aimed at “users who need the most security”: Journalists, government officials, religious leaders, and leaders of international peace organizations are mentioned as some of those who are particularly at risk from hacking attempts.

You can enable Sentinel from inside your Proton account.

Proton via David Nield

"Accounts such as these have a high risk of being attacked by criminals or state-backed hackers," writes Proton's Dingchao Lu. “We are now ready to provide the same level of advanced protection and support that we reserved for these VIPs to any Proton user that wants it through the Proton Sentinel program.”

You don't have to fall into one of those categories to use Proton Sentinel, but you do have to be a paying Proton user: a Visionary, Lifetime, Family, Unlimited, or Business plan is required, and you can see details of all the plans here.

A lot of the work that Proton Sentinel does goes on behind the scenes, and you'll find that Proton itself doesn't go into too much detail about how it functions—which is sensible if you want to minimize the chances of someone else getting around it.

The advanced security protection it offers includes strict challenges for “suspicious” login attempts, typically those from devices that you don't normally use and parts of the world that you're not normally in. You might find yourself asked to confirm more of your logins to Proton services with Sentinel enabled, but it's worth it for the extra peace of mind.

Proton says that suspicious logins are flagged by automated systems and then escalated to human security analysts, around the clock. Any support requests you file related to account security will also get escalated to trained security specialists, meaning that if there is a security problem, it's going to be dealt with more quickly.

Related to this stricter policy on logins, Proton Sentinel also gives you access to detailed security logs inside your account, listing attempts to log in using your credentials, as well as other key actions you need to be aware of (such as password changes.)

More detailed security logs are available with Proton Sentinel.

Proton via David Nield

If you're on board with Proton Sentinel and everything that it offers, log into your Proton account on the web. Click the **settings** cogwheel, then **Go to settings**, and then **Security and privacy**: At the top of the screen there should be an **Enable Proton Sentinel** toggle switch that you can turn on. That's all there is to it: You're now protected.

Farther down the same screen is the security logs panel: Turn on both **Enable authentication logs** and **Enable advanced logs** to get all of the information possible about when and where your account is being used. All successful and unsuccessful login attempts are listed here, since the very first day you opened your Proton account—and if security actions were taken on a login attempt, this will be recorded next to it.

If you see something you don't recognize, you can click the **Revoke** button next to an existing session: The device in question will be remotely logged out, and a fresh sign-in will be required to use Proton's apps on that device. It's better to err on the side of caution here, and log out from any sessions that you don't immediately recognize. If you do notice anything suspicious, you should contact Proton Support too.

Proton Sentinel is simple to set up, takes very little effort to maintain, and keeps your Proton account as well protected as possible—so it makes a lot of sense to enable the feature. Like the Enhanced Safety Mode that Google offers as part of Chrome's feature set, Sentinel goes above and beyond the norms to make sure that there's no unauthorized access to your account.

How to Use Proton Sentinel to Keep Your Accounts Safe

Plus: A major FBI botnet takedown, new Sandworm malware, a cyberattack on two major scientific telescopes—and more.

A monthslong WIRED investigation published this week revealed the inner workings of the Trickbot ransomware gang, which has targeted hospitals, businesses, and government agencies around the world. 

The investigation stemmed from a mysterious leak publish on X (formerly Twitter) last year by an anonymous account called Trickleaks. The document trove contained dossiers on 35 alleged Trickbot members, including names, dates of birth, and much more. It also listed thousands of IP addresses, cryptocurrency wallets, email addresses, and Trickbot chat logs. Armed with this information, we enlisted the help of multiple cybersecurity and Russian cybercrime experts to paint a vivid picture of Trickbot’s organizational structure and corroborate the real-world identity of one of its key members. 

Last weekend, someone (more on that later) successfully disrupted more than 20 trains in Poland. The incidents were originally described as a “cyberattack,” but it was actually something much simpler: a radio hack. Using equipment that can cost as little as $30, the attack exploited the trains’ unencrypted radio system to cause them to perform an emergency stop. 

Over on the dark web, cybercriminals are making money in an unexpected way: writing contests. With total prizes reaching as high as $80,000, the competitions enlist hacking forum members to craft the best essays, many of which explain how to carry out cyberattacks and scams. 

Last December, Apple officially killed its controversial photo-scanning tool for detecting child sexual abuse material (CSAM) on iCloud, a tool the company launched in August 2021 before un-launching it a month later after backlash from cybersecurity experts, civil liberties advocates, and others who argued that the tool would violate users’ security and privacy. But the issue is far from resolved. This week, a new child safety group called Heat Initiative demanded that Apple reinstate the tool. Apple responded with a letter, which it shared with WIRED, detailing for the first time its full reasoning behind terminating the tool. Heat Initiative’s push comes amid international pressure to weaken encryption for law enforcement purposes.

Elsewhere, we detailed the big security patches you need to install to keep your devices safe (looking at you, Google Chrome and Android users). And we dove into the supremely nerdy world of a code-cracking competition that had contestants racing to decode a German U-boat cipher from World War II. One team had a secret weapon.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When more than 20 trains in Poland were bought to a halt last weekend in what was described as a “cyberattack,” all eyes turned to Russia. After all, Poland’s rails serve as a key piece of infrastructure for supporting Ukraine’s war effort. But as we reported a day later, the disruption had been caused not through any sophisticated cyber intrusion but through a simple radio hack that sent a “radio stop” command to the Polish trains over an unencrypted and unauthenticated system. “The frequencies are known. The tones are known. The equipment is cheap,” Polish-speaking cybersecurity researcher Lukasz Olejnik told WIRED. “Everybody could do this. Even teenagers trolling.”

Well, not teenagers exactly, but twentysomethings. This week, Polish police arrested a 24-year-old man and a 29-year-old man, both Polish citizens, who allegedly carried out the radio train hack. One of the two men, based in the city of Bialystok near the border with Belarus, was a police officer. Amateur radio equipment was found in one of their apartments, according to Poland’s RMF Radio, where the younger man was found (reportedly in a drunken state).

2 Polish Men Arrested for Radio Hack That Disrupted Trains

Child safety group Heat Initiative plans to launch a campaign pressing Apple on child sexual abuse material scanning and user reporting. The company issued a rare, detailed response on Thursday.

In December, Apple said that it was killing an effort to design a privacy-preserving iCloud photo-scanning tool for detecting child sexual abuse material (CSAM) on the platform. Originally announced in August 2021, the project had been controversial since its inception. Apple had first paused it that September in response to concerns from digital rights groups and researchers that such a tool would inevitably be abused and exploited to compromise the privacy and security of all iCloud users. This week, a new child safety group known as Heat Initiative told Apple that it is organizing a campaign to demand that the company “detect, report, and remove” child sexual abuse material from iCloud and offer more tools for users to report CSAM to the company. 

Today, in a rare move, Apple responded to Heat Initiative, outlining its reasons for abandoning the development of its iCloud CSAM scanning feature and instead focusing on a set of on-device tools and resources for users known collectively as Communication Safety features. The company's response to Heat Initiative, which Apple shared with WIRED this morning, offers a rare look not just at its rationale for pivoting to Communication Safety, but at its broader views on creating mechanisms to circumvent user privacy protections, such as encryption, to monitor data. This stance is relevant to the encryption debate more broadly, especially as countries like the United Kingdom weigh passing laws that would require tech companies to be able to access user data to comply with law enforcement requests.

“Child sexual abuse material is abhorrent and we are committed to breaking the chain of coercion and influence that makes children susceptible to it,” Erik Neuenschwander, Apple's director of user privacy and child safety, wrote in the company's response to Heat Initiative. He added, though, that after collaborating with an array of privacy and security researchers, digital rights groups, and child safety advocates, the company concluded that it could not proceed with development of a CSAM-scanning mechanism, even one built specifically to preserve privacy.

“Scanning every user’s privately stored iCloud data would create new threat vectors for data thieves to find and exploit," Neuenschwander wrote. "It would also inject the potential for a slippery slope of unintended consequences. Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types.”

WIRED could not immediately reach Heat Initiative for comment about Apple's response. The group is led by Sarah Gardner, former vice president of external affairs for the nonprofit Thorn, which works to use new technologies to combat child exploitation online and sex trafficking. In 2021, Thorn lauded Apple's plan to develop an iCloud CSAM scanning feature. Gardner said in an email to CEO Tim Cook on Wednesday, August 30, which Apple also shared with WIRED, that Heat Initiative found Apple's decision to kill the feature “disappointing.”

“We firmly believe that the solution you unveiled not only positioned Apple as a global leader in user privacy but also promised to eradicate millions of child sexual abuse images and videos from iCloud,” Gardner wrote to Cook. “I am a part of a developing initiative involving concerned child safety experts and advocates who intend to engage with you and your company, Apple, on your continued delay in implementing critical technology … Child sexual abuse is a difficult issue that no one wants to talk about, which is why it gets silenced and left behind. We are here to make sure that doesn’t happen.”

Apple maintains that, ultimately, even its own well-intentioned design could not be adequately safeguarded in practice, and that on-device nudity detections for features like Messages, FaceTime, AirDrop, and the Photo picker are safer alternatives. Apple has also begun offering an application programming interface (API) for its Communication Safety features so third-party developers can incorporate them into their apps. Apple says that the communication platform Discord is integrating the features and that appmakers broadly have been enthusiastic about adopting them.

“We decided to not proceed with the proposal for a hybrid client-server approach to CSAM detection for iCloud Photos from a few years ago,” Neuenschwander wrote to Heat Initiative. “We concluded it was not practically possible to implement without ultimately imperiling the security and privacy of our users.”

On Heat Initiative's request that Apple create a CSAM reporting mechanism for users, the company told WIRED that its focus is on connecting its vulnerable or victimized users directly with local resources and law enforcement in their region that can assist them rather than Apple positioning itself as an intermediary for processing reports. The company says that offering this intermediary service may make sense for interactive platforms like social networks.

The need to protect children from online sexual abuse is urgent, though, and as these concerns intersect with the broader encryption debate, Apple's resolve on refusing to implement data scanning will continue to be tested.

Read the full exchange between Heat Initiative and Apple below. WIRED has redacted sensitive personal information for the privacy of senders and recipients:

Apple's Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy

Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.

August has ended the summer in style with multiple patches issued by Microsoft, Google Chrome, and its competitor Firefox to fix serious issues, some of which are being used in attacks.

While there was no Apple iPhone update at the time of writing, some major enterprise fixes were released during the month. These include patches for exploited flaws in Ivanti products, as well as fixes for vulnerabilities in SAP and Cisco software.

Read on for everything you need to know about the patches issued in August.

Microsoft

Microsoft’s August Patch Tuesday saw the software giant fixing dozens of vulnerabilities, including two already being used in real-world attacks. The first is a Defense in Depth update to CVE-2023-36884, a remote code execution (RCE) flaw in Windows Search that could allow attackers to bypass Microsoft’s Mark of the Web security feature. If it sounds familiar, that’s because Microsoft already fixed the vulnerability in July. But installing the latest update “stops the attack chain” leading to the issue, Microsoft said.

The second flaw, CVE-2023-38180 is an issue in .NET and Visual Studio that could allow an adversary to perform denial of service.

Six of the issues fixed in August’s Patch Tuesday are rated as critical, including CVE-2023-36895—an RCE flaw in the Outlook email client. Meanwhile, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 are RCE issues in the Microsoft Message Queuing service, according to the Security Update Guide.

The fifth and sixth critical issues fixed by Microsoft in August are CVE-2023-29328 and CVE-2023-29330, both of which are RCE flaws in Teams.

Google Chrome

August kicked off with a slew of updates for Chrome 115 including nine rated as having a high impact. The 17 patches include three type-confusion flaws in V8: CVE-2023-4068, CVE-2023-4069, and CVE-2023-4070. And CVE-2023-4071 is a heap buffer overflow issue in Visuals and CVE-2023-4076 is a use-after-free flaw in WebRTC.

A couple of weeks later, Google issued Chrome 116 to patch 26 vulnerabilities, eight of which are rated as having a high impact. The most serious issues include CVE-2023-2312—a use-after-free bug in Offline—and CVE-2023-4349, a use-after-free flaw in Device Trust Connectors. A third, CVE-2023-4350, is an inappropriate implementation bug in Fullscreen.

Then, on August 23, Google released the first of its more regular weekly security updates, patching five flaws. The four vulnerabilities rated as having a high impact include two use-after-free bugs and two out-of-bounds memory access issues.

Firefox

Google Chrome’s privacy-focused competitor Firefox also had a hectic August, fixing more than a dozen vulnerabilities in Firefox 116. The issues patched by Firefox owner Mozilla include CVE-2023-4045, an issue in Offscreen Canvas rated as high, and CVE-2023-4047, a bug in popup notifications delay calculation that could allow an attacker to trick a user into granting permissions.

The update also patches memory safety bugs tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058. The flaws fixed in the latest update “showed evidence of memory corruption,” Mozilla said. “We presume that with enough effort, some of these could have been exploited to run arbitrary code.”

Google Android

Google has issued 40 updates for its Android operating system including patches for serious flaws in the Framework, System, and Kernel. Tracked as CVE-2023-21273, the most severe bug fixed in August is a critical security vulnerability in the System component that could lead to RCE with no additional execution privileges needed. User interaction is not required for exploitation, Google said in its Android Security Bulletin.

Meanwhile, CVE-2023-21282 is an RCE flaw in the Media Framework also marked as having a critical impact. Another critical issue in the Kernel, tracked as CVE-2023-21264, could lead to local escalation of privilege, although System execution privileges are needed.

Google Fixes Serious Security Flaws in Chrome and Android

A WIRED investigation into a cache of documents posted by an unknown figure lays bare the Trickbot ransomware gang’s secrets, including the identity of a central member.

Source

Wired