Pixel Binary Transparency is the latest security benefit for Pixel owners.

It's not in Google's best interests for its smartphones to be easily compromised, and the tech giant has just rolled out a new security feature that for now is exclusive to Pixel devices: Pixel Binary Transparency.

You can think of it like a certificate of authenticity for your phone. It proves that the Pixel handset you have in your hands is the genuine article and not one that's been modified at the software level—potentially with security consequences.

While this is Pixel-only at the moment, it joins the existing Android Verified Boot feature in making sure that the phone that's in your hand hasn't been tampered with in any way—perhaps even before it reached you.

Along with speedy software updates, exclusive apps, and top-level camera performance, Google wants this new security feature to be another reason you'll buy a Pixel over anything else—and here's how it works.

The Security Problem

Are you sure your Pixel hasn't been compromised?

Photograph: Google

There are a lot of steps along the way before your new smartphone reaches you in its tidily cellophaned box, and all of those steps can be exploited by bad actors looking to take control of your device. If you think that opening a factory-fresh device means you don't have any security concerns to worry about, you'd be wrong.

Malware can be inserted into software code—Android software code, in this case—before a new handset gets put in the box. Remember that, as well as the basic Android operating system, you have additions by carriers and manufacturers (including Google and Samsung), not to mention a host of third-party libraries and open source code that all today's software is built on.

It only takes one part of the supply chain process to get exploited—one check that isn't carried out, or one assumption that is wrong—for devices to be put at risk. These attacks can also be launched once you start using your phone, with ostensibly safe apps unknowingly taken over by harmful code. Over-the-air software updates can also be hijacked before reaching users.

If you think about all the businesses involved in maintaining the software on your phone, from individual app developers to corporations such as Google, that's a lot of attack surfaces for hackers to consider. These kinds of attacks are on the rise too. All of this doesn't even consider the secondhand market as well, where used and refurbished Android devices (and especially Pixel phones, in this case) sold by prior owners come with no such guarantees that they're fresh installations of Android that are safe and clear of malware.

Google's Android Fixes

A Merkle tree is used to verify software.

Courtesy of David Nield

In simple terms, the new Pixel Binary Transparency checks the Android operating system on a Pixel phone to make sure the code is exactly as it should be. It's a bit like checking the authenticity of a painting, looking for signs of tampering, or checking that all the office doors and windows are locked at the end of the day. Google has written about the new feature in a blog post, and it says the feature will be built upon in the future.

More specifically, the new Android safety measure uses public cryptographic logs—digital bookkeeping systems—to show what a Pixel installation should look like. Entries can be appended to these logs when new software is released, but they can't be changed or deleted. In other words, any unauthorized edits are going to stand out.

The logs use what's known as a Merkle tree to maintain the integrity of the records within them, a cryptographic structure that speeds up the process of checking large amounts of data for any tampering. The approach means that much smaller portions of data can be analyzed to identify whether or not any changes have been made.

While Google itself admits that most users won't need the Pixel Binary Transparency feature because of the other safeguards already in place on Android, you can in fact try it out on your own Pixel phone or tablet. You're going to need to be familiar with compiling code and using the Android Debug Bridge (ADB) software that lets you analyze Android devices from a computer.

Pixel Binary Transparency complements the existing Android Verified Boot (AVB) safeguard, which works in a similar way. The instant that an Android device boots up, it looks for a special software “signature” (a little like a password) verifying that all is well, the software is untampered with, and the boot process can continue. As with Pixel Binary Transparency, any tampering is virtually impossible to conceal. At the same time, AVB also protects the device from being rolled back to older, less secure versions of Android.

Google's New Feature Ensures Your Pixel Phone Hasn't Been Hacked. Here’s How It Works

New research reveals the strategies hackers use to hide their malware distribution system, and companies are rushing to release mitigations for the “Downfall” processor vulnerability on Intel chips.

At the Defcon security conference in Las Vegas last weekend, thousands of hackers competed in a red-team challenge to find flaws in generative AI chat platforms and help better secure these emerging systems. Meanwhile, researchers presented findings across the conference, including new discoveries about strategies to bypass a recent addition to Apple’s macOS that is supposed to flag potentially malicious software on your computer. 

Kids are facing a massive online scam campaign that targets them with fake offers and promotions related to the popular video games _Fortnite_ and _Roblox_. And the racket all traces back to one rogue digital marketing company. The social media platform X, formerly Twitter, has been filing lawsuits and pursuing a strategic legal offensive to oppose researchers who study hate speech and online harassment using data from the social network.

On Thursday, an innovation agency within the US Department of Health and Human Services announced plans to fund research into digital defenses for health care infrastructure. The goal is to rapidly develop new tools that can protect US medical systems against ransomware attacks and other threats.

But wait, there’s more! Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A large phishing campaign that’s been active since May has been targeting an array of companies with malicious QR codes in attempts to steal Microsoft account credentials. Notably, researchers from the security firm Cofense observed the attacks against “a major Energy company based in the US.” The campaign also targeted organizations in other industries, including finance, insurance, manufacturing, and tech. Malicious QR codes were used in nearly a third of the emails reviewed by researchers. QR codes have disadvantages in phishing, since victims need to be compelled to scan them for the attack to progress. But they make it more difficult for victims to evaluate the trustworthiness of the URL they’re clicking on, and it’s more likely that emails containing a QR code will reach their target, because it’s more difficult for spam filters to assess QR images included in an attachment like a PDF.

It’s common practice for attackers—both criminal actors and state-backed hackers—to scam or otherwise lure victims from a starting point of mainstream services like email, photo sharing, or social media. Now, research from the security firm Recorded Future attempts to categorize the types of malware most often distributed from these various jumping-off points, and which strategies are most common. The goal was to give defenders deeper insight into the services they need to prioritize securing. The review found that cloud platforms are the most used by attackers, but communication platforms like messaging apps, email, and social media are also widely abused. Pastebin, Google Drive, and Dropbox were all popular among attackers, as are Telegram and Discord.

In response to the “Downfall” Intel processor vulnerability disclosed by Google researchers last week, organizations have been releasing tailored fixes for the flaw. The bug could be exploited by an attacker to grab sensitive information like login credentials or encryption keys. Amazon Web Services, Google Cloud, Microsoft Azure, Cisco, Dell, Lenovo, VMWare, Linux distributions, and many others have all released guidance on responding to the vulnerability. Prior to public disclosure, Intel spent a year developing fixes to distribute across the industry and coordinating to encourage widespread patch release from individual vendors.

Security News This Week: US Energy Firm Targeted With Malicious QR Codes in Mass Phishing Attack

An innovation agency within the US Department of Health and Human Services will fund research into better defenses for the US health care system’s digital infrastructure.

The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to health care systems, hospitals and clinics, and health-related devices.

For more than a decade, health care providers in the United States and around the world have been plagued by criminal cyberattacks, particularly ransomware attacks, that take advantage of medical facilities’ high-stakes work to attempt to extort big payouts. Efforts in recent years to crack down on and deter cybercriminal actors have made some limited progress, but health care attacks still occur regularly, disrupting vital services and endangering patients.

Health and Human Service’s research agency Arpa-H doesn’t specifically focus on cybersecurity innovation. The agency has programs running, for example, to spur advances in osteoarthritis treatment and medical imaging for cancer removal. But Digiheals program manager and longtime security researcher Andrew Carney says there is a dire need to make progress on digital defense tools for health care that are both effective and usable for medical facilities in practice.

“We’re looking for rapid and stupendous progress,” Carney told WIRED ahead of the announcement. “We want to ensure that the impact we have is significant but also equitably distributed. It doesn’t matter if we develop a perfect cure that makes a network completely impenetrable if a rural hospital can’t adopt it because of light IT staff or minimal or no security budget.”

Digiheals is seeking broad and diverse submissions related to vulnerability detection, software hardening, and system patching, as well as the expansion or development of security protocols. The initiative will accept submissions from anyone, including academic and nonprofit researchers or commercial industry. Carney emphasizes that, ultimately, the goal is to foster novel and inventive solutions regardless of where they come from or what category they fit into.

“We are looking to very rapidly cast a wide net,” he says. “I’d encourage folks even if they have ideas that don’t fit cleanly or won’t fit the timeline of the solicitation to come talk to us. We will make the process fit the ideas we receive as best we can.”

Carney points out that it is particularly difficult to study the real-world conditions of cybersecurity in health care, because each medical provider’s network is made up of a vast patchwork of systems, services, and devices that vary widely. And there is no margin for error in probing individual institutions’ systems or attempting to attack them intentionally to discover weaknesses. So Digiheals is also encouraging researchers to make submissions related to the types of security tools that are not working in health care settings and the reasons for these failings.

“Currently, off-the-shelf software tools fall short in detecting emerging cyber threats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative,” Arpa-H director Renee Wegrzyn said in a statement. “The Digiheals project comes when the US health care system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives.”

After years of damaging cyberattacks on hospitals and disruptions to patient care, the Digiheals initiative may feel like too little, too late. Earlier this month, a ransomware attack on the medical group Prospect Medical Holdings, which operates in Connecticut, Pennsylvania, Rhode Island and Southern California, caused disruptions at multiple hospitals and clinics in the network. The recovery process is ongoing. But Arpa-H is a new agency launched by the Biden administration last year to help address a number of issues in US health care that are massively overdue for investment.

“Health care gets the most difficult of the challenges from every angle,” Carney says. “We’re constantly working at near or above capacity, and any reduction in service can have real harm very quickly. But we have an ability to move very fast on new digital defenses, and it behooves us to do so. It would be irresponsible of us not to move fast.”

HHS Launches 'Digiheals' Project to Better Protect US Hospitals From Ransomware

The social media giant filed a lawsuit against a nonprofit that researches hate speech online. It’s the latest effort to cut off the data needed to expose online platforms’ failings.

On July 19, Bloomberg News reported what many others have been saying for some time: Twitter (now called X) was losing advertisers, in part because of its lax enforcement against hate speech. Quoted heavily in the story was Callum Hood, the head of research at the Center for Countering Digital Hate (CCDH), a nonprofit that tracks hate speech on social platforms, whose work has highlighted several instances in which Twitter has allowed violent, hateful, or misleading content to remain on the platform.

The next day, X announced it was filing a lawsuit against the nonprofit and the European Climate Foundation, for the alleged misuse of Twitter data leading to the loss of advertising revenue. In the lawsuit, X alleges that the data CCDH used in its research was obtained using the login credentials from the European Climate Foundation, which had an account with the third-party social listening tool, Brandwatch. Brandwatch has a license to use Twitter’s data through its API. X alleges that the CCDH was not authorized to access the Twitter/X data. The suit also accuses the CCDH of scraping Twitter’s platform without proper authorization, in violation of the company’s terms of service.

X did not respond to WIRED’s request for comment.

“The Center for Countering Digital Hate’s research shows that hate and disinformation is spreading like wildfire on the platform under Musk’s ownership, and this lawsuit is a direct attempt to silence those efforts,” says Imran Ahmed, CEO of the CCDH.

Experts who spoke to WIRED see the legal action as the latest move by social media platforms to shrink access to their data by researchers and civil society organizations that seek to hold them accountable. “We're talking about access not just for researchers or academics, but it could also potentially be extended to advocates and journalists and even policymakers,” says Liz Woolery, digital policy lead at PEN America, a nonprofit that advocates for free expression. “Without that kind of access, it is really difficult for us to engage in the research necessary to better understand the scope and scale of the problem that we face, of how social media is affecting our daily life, and make it better.”

In 2021, Meta blocked researchers at New York University’s Ad Observatory from collecting data about political ads and Covid-19 misinformation. Last year, the company said it would wind down its monitoring tool CrowdTangle, which has been instrumental in allowing researchers and journalists to monitor Facebook. Both Meta and Twitter are suing Bright Data, an Israeli data collection firm, for scraping their sites. (Meta had previously contracted Bright Data to scrape other sites on its behalf.) Musk announced in March that the company would begin charging $42,000 per month for its API, pricing out the vast majority of researchers and academics who have used it to study issues like disinformation and hate speech in more than 17,000 academic studies.

There are reasons that platforms don’t want researchers and advocates poking around and exposing their failings. For years, advocacy organizations have used examples of violative content on social platforms as a way to pressure advertisers to withdraw their support, forcing companies to address problems or change their policies. Without the underlying research into hate speech, disinformation, and other harmful content on social media, these organizations would have little ability to force companies to change. In 2020, advertisers, including Starbucks, Patagonia, and Honda, left Facebook after the Meta platform was found to have a lax approach to moderating misinformation, particularly posts by former US president Donald Trump, costing the company millions.

As soon as Musk took over Twitter in late October 2022, he proceeded to fire many of the staff members responsible for keeping hate speech and misinformation off the platform and reinstated the accounts of users who had been previously banned, including Trump and influencer Andrew Tate, who is currently indicted under human trafficking laws in Romania. A study released earlier this year from the University of Southern California’s Information Sciences Institute, Oregon State University, UCLA, and UC Merced found that hate speech increased dramatically after Musk took the helm at Twitter. Over roughly the same time period, the company saw its advertising revenue slashed in half as brands—including General Motors, Pfizer, and United Airlines—fled the platform, apparently concerned about their products appearing next to misinformation and hate speech.

And this has bothered Musk, immensely. On November 4, 2022, he tweeted, “Twitter has had a massive drop in revenue, due to activist groups pressuring advertisers, even though nothing has changed with content moderation and we did everything we could to appease the activists. Extremely messed up! They’re trying to destroy free speech in America.”

PEN America’s Woolery worries that, whether or not X’s lawsuit against CCDH holds water, the cost of fighting it will be enough to intimidate other organizations doing similar work. “Lawsuits like this, especially when we are talking about a nonprofit, are definitely seen as an attempt to silence critics,” she says. “If a nonprofit or another individual is not in a financial position where they can really, truly give it all it takes to defend themselves, then they run the risk of either having a poor defense or of simply settling and just trying to get out of it to avoid incurring further costs and reputational damage.”

But the lawsuit doesn’t just put pressure on researchers themselves. It also highlights another avenue through which it now may be more difficult for advocates to access data: third-party social listening platforms. These companies access and analyze data from social platforms to allow their clients—from national security contractors to marketing agencies—to gain insights into their audiences and target messages.

Tal-Or Cohen Montemayor, founder and executive director of CyberWell, a nonprofit that tracks anti-Semitism online in both English and Arabic, says that in November 2022, shortly after Musk took ownership of the company, CyberWell reached out to Talkwalker, a third-party social listening company, to get a subscription that would allow them to analyze anti-Semitic speech on the platform then called Twitter.

Cohen Montemayor says Talkwalker told her the company could not take them on as a client because of the nature of CyberWell’s work. She says it appears that “the existing open source tools and social listening tools are being reserved and paywalled only for advertisers and paid researchers. Nonprofit organizations are actively being blocked from using these resources.”

Talkwalker did not respond to a request for comment about whether its agreements with X prohibit it from taking on organizations doing hate speech monitoring as clients. X did not respond to questions about what parameters it sets for the kinds of customers third-party social listening companies can take on.

According to X’s lawsuit against CCDH, a 2023 agreement between Brandwatch and X outlined that any breach of X data via Brandwatch’s customers would be considered the responsibility of the social listening company. On X competitor Bluesky, Yoel Roth, the former senior director of trust and safety at Twitter, posted, “Brandwatch’s social listening business is entirely, completely, 100% dependent on Twitter data access, so I guess it’s not surprising to see how far backwards they’re bending to placate the company.”

For its part, in a July 20 tweet, Brandwatch referenced the same CCDH report cited in the X lawsuit, saying, “Recently, we were cited in an article about brand relevance that relied on incomplete and outdated data. It contained metrics used out of context to make unsubstantiated assertions about Twitter.”

Brandwatch did not respond to a request for comment.

But CCDH’s Ahmed says the assertion that his organization’s research is based on incomplete data is a way for X to obfuscate problems with its own platform. “Whenever you claim that you’ve found information on there, they just say, ‘No, it’s a lie. Only we have the data. You couldn't possibly know the truth. Only we know the truth. And we grade our own homework,’” he says.

A representative from another third-party social listening tool that uses X data, who asked to remain anonymous to protect their company from retaliation by X, confirmed to WIRED that companies like theirs are heavily reliant on Twitter/X data. “A lot of the services that are very Twitter-centric, a lot of them are 100 percent Twitter,” they say, noting that Instagram has long since shut down its API, and that conversations on Meta’s platforms tend not to be as public as those on X. “In terms of data, Twitter continues to play a significant role in providing data to analytics companies.” They note that, while X’s new paid-for API has put the squeeze on third-party analytics companies—“it’s basically almost like they’re holding you for ransom’”—losing access to X data entirely could kill a company.

They add that they have not seen guidelines that restrict the use of X data for hate speech or advocacy research, but there are specific “know your customer” guidelines that prohibit sharing X data with government agencies without prior permission. The same day X announced the lawsuit, on July 31, America First Legal, a right-wing nonprofit led by former Trump appointee Stephen Miller, announced that it had filed Freedom of Information Act (FOIA) requests to examine communications between CCDH and various US government agencies, alleging that it is a “coordinator of illegal censorship activities.” (Ahmed says his organization has never coordinated with the US government). This would, if true, seemingly also be a violation of those terms of service.

The X lawsuit also alleges that the CCDH is being funded by X’s competitors as well as “government entities and their affiliates,” but says that “X Corp. currently lacks sufficient information to include the identities of these entities, organizations, and persons in this Complaint.”

Even without legal threats, there are significant costs to researchers focused on disinformation and hate speech on platforms. Experts who spoke to WIRED say they worry the threat of legal action could cause a chilling effect on other organizations that study hate speech and disinformation.

After publishing a report showing that anti-Semitic content had doubled on the platform after Musk’s takeover, Sasha Havlicek, cofounder and CEO of the Institute for Strategic Dialogue (ISD), a London-based think tank focused on extremism and disinformation, says the company experienced a deluge of abusive tweets. “In response, Twitter came out with a thread that got 3 million views or so,” she says. “Musk himself responded with a poop emoji.”

In December, Musk worked with right-wing journalists to release the so-called Twitter Files, a selection of internal documents that seemed to show that pre-Musk Twitter had silenced some conservative users. Some of the documents included the names and email of disinformation researchers at the Stanford Internet Observatory, many of whom were undergraduate students at the time. One former student, who asked to remain anonymous for fear of harassment, says that people whose emails ended up in the Twitter Files have been targets of ongoing harassment for their role in disinformation research.

“Seeing how things have gone, and seeing the possibility of being harassed, has made a lot of people that worked on it very closely to now think twice,” says the former student.

“You have to ask,” says the ISD’s Havlicek. “Who’s the censor now?”

Havlicek says she hopes that the EU’s Digital Services Act (DSA), which will eventually mandate access for researchers to data from large social platforms, will be a road map for other countries. Whether there will be legal land mines regarding data pulled legally by European researchers under the DSA but shared with non-European researchers or advocates is another open question.

“I was in Brussels a few weeks ago talking to the Digital Services people about how we can use the data that will be made available through the DSA data transparency regime,” says Ahmed. “And when that appears, we will use that in the most effective way possible.”

How X Is Suing Its Way Out of Accountability

The wide-ranging scams, often disguised as game promotions, can all be linked back to one network.

Thousands of websites belonging to US government agencies, leading universities, and professional organizations have been hijacked over the last half decade and used to push scammy offers and promotions, new research has found. Many of these scams are aimed at children and attempt to trick them into downloading apps, malware, or submitting personal details in exchange for nonexistent rewards in _Fortnite_ and _Roblox_.

For more than three years, security researcher Zach Edwards has been tracking these website hijackings and scams. He says the activity can be linked back to the activities of affiliate users of one advertising company. The US-registered company acts as a service that sends web traffic to a range of online advertisers, allowing individuals to sign up and use its systems. However, on any given day, Edwards, a senior manager of threat insights at Human Security, uncovers scores of .gov, .org, and .edu domains being compromised.

“This group is what I would consider to be the number one group at bulk compromising infrastructure across the internet and hosting scams on it and other types of exploits,” Edwards says. The scale of the website compromises—which are ongoing—and the public nature of the scams makes them stand out, the researcher says.

Courtesy of Matthew Burgess

The schemes and ways people make money are complex, but each of the websites is hijacked in a similar way. Vulnerabilities or weaknesses in a website's backend, or its content management system, are exploited by attackers who upload malicious PDF files to the website. These documents, which Edwards calls “poison PDFs,” are designed to show up in search engines and promote “free _Fortnite_ skins,” generators for _Roblox_’s in-game currency, or cheap streams of _Barbie_, _Oppenheimer_, and other popular films. The files are packed with words people may search for on these subjects.

When someone clicks the links in the poison PDFs, they can be pushed through multiple websites, which ultimately direct them to scam landing pages, says Edwards, who presented the findings at the Black Hat security conference in Las Vegas. There are “lots of landing pages that appear super targeted to children,” he says.

For example, if you click the link in one PDF advertising free coins for an online game, you are directed to a website where it asks for your in-game username and operating system, before asking how many coins you would like for free. A pop-up appears saying, “Last Step!” This “locker page” claims the free game coins will be unlocked if you sign up for another service, enter personal details, or download an app. “I've tested it hundreds of times,” Edwards says. He has never received a reward. When people are led through this maze of pages and end up downloading an app, entering personal details, or any number of required actions, those behind the scams can earn money.

These kinds of scams have been around for a while, ad fraud researchers say. But these stand out, as they all have links back to the advertising firm CPABuild and the members that work for its network, Edwards says. All the compromised websites that have PDFs uploaded are calling to command-and-control servers owned by CPABuild, Edwards says. “They're pushing advertising campaigns into someone else’s infrastructure,” he says. Googling for a file linked to the PDFs brings up pages of results of compromised websites.

CPABuild’s website, which lists its legal registry in Nevada, describes itself as a “content-locking network first and foremost.” The company, which has existed since 2016, hosts tasks from its customers, such as giving people the chance to win money by submitting their email and postal code details. Then users of CPABuild, often known as affiliates, try to get people to complete these offers. They often do so via spamming links to YouTube comments or creating the kind of pop-up “locker” pages towards the end of the poison PDF click chain. This results-based process is known as a cost per action (CPA) by advertisers and marketers.

WIRED contacted multiple email addresses listed on CPABuild’s website, as well as sending questions via a contact form, but we did not receive any response. The company website does not name any individuals who are behind CPABuild and is sparse on overall details. The website claims it has “daily” fraud checks in place to catch bad actors abusing its platform, and its terms of service prohibit those using it from being involved in fraud and from sharing multiple kinds of content.

The website claims it has paid out more than $40 million to publishers and has thousands of templates and landing pages. Within CPABuild, there are various tiers of users. The website’s affiliate structure is displayed in an image on its homepage. Members can be categorized as managers, devils, demons, wizards, masters, and knights. In one video uploaded by a CPABuild member on August 11, an admin account can be seen sharing a message with users that indicates the company has taken steps to prevent the platform from being used for fraud. “We are still getting reports that CPABuild publishers are promoting offers in ways that violate our terms of service,” a message seen on the screen reads. Edwards’ research shows, however, that whatever efforts CPABuild has taken have failed to prevent its users from engaging in rampant fraud.

“CPA fraud, which includes cost per app install, is very common,” says Augustine Fou, an independent cybersecurity and ad fraud investigator, who reviewed a summary of Edwards’ findings. “Specialists like the ones identified in the research carve out a niche where they become the category leader in a particular kind of fraud,” Fou says. “Customers come to them for that speciality.”

Scores of websites are currently impacted by the PDFs. This week, the New York State Department of Financial Services removed PDFs uploaded after being contacted by WIRED. Ciara Marangas, a spokesperson for the department, says the issue was first identified in 2022, and following a review and additional steps, the files were removed.

In 2022, Edwards says, he alerted the US Cybersecurity Infrastructure Agency (CISA) to more than 50 compromised websites, which included the Oak Ridge National Laboratory and the Lawrence Berkeley National Laboratory. A spokesperson for Oak Ridge said it “immediately” responded to CISA’s alert, “deleted the suspicious content, and resolved the issue.” No data belonging to the laboratory was impacted, they say. Meanwhile, a spokesperson for Lawrence Berkeley National Laboratory said it cannot comment on the individual case but “no vulnerability has resulted in the compromise of systems for visitors” to its website. CISA's .gov registry manager, Cameron Dixon, says when it is made aware of vulnerabilities in government websites, it notifies them and offers assistance. “In any given day, you could have a list this big of new victims,” Edwards says. (In 2020, Italy’s Computer Security Incident Response Team, CIRST, issued an alert about compromised domains Edwards had found.)

While there has been some reporting linked to potential CPABuild affiliates, Edwards says the scheme can fly under the radar, as the links in the process are passed through redirecting services, which mask their identity. Also, he says, the compromises can get overlooked as they are not as impactful as ransomware or other cyberattacks.

However, there are traces of activity linked to CPABuild members and affiliates spread across the web. Various users of CPABuild have uploaded videos to YouTube exposing how parts of the site work. One video shows someone using a “_Fortnite_ skins generator” and a locker page that is created through CPABuild’s tools. Within another video, the kinds of offers hosted by CPABuild can be seen, including getting people to submit their email and postal code details, submitting their credit card details, installing mobile apps, and completing “general surveys.”

Hundreds of the content lockers on CPABuild’s website have been captured by the Internet Archive over the last seven years. One locker page called “Amazon gift cards” offers people the chance to complete a survey to “Win a $5,000 cash now” or to “enter” to win $25,000. Others push people to download apps, such as the Opera web browser, or enter their details to “get a $100 _Roblox_ Game Card.” Popular kids games are frequently used as a lure for these “offers.”

“We hate this kind of stuff as much as you do, but it helps us to stay alive,” one locker page says. “Please fill in one quick form to get your password and show us your support.”

Website inspection tools, such as URLScan, show multiple suspicious domains communicating with CPABuild’s infrastructure, which is hosted by Amazon’s Web Services (AWS). Amazon's trust and safety teams are looking at the results of Edwards’ research, says Patrick Neighorn, an AWS spokesperson. “AWS's terms of service prohibit customers from using our services for any illegal or fraudulent activity, and our customers are responsible for complying with our terms and all applicable laws,” Neighorn says.

Courtesy of Zach Edwards

Meanwhile, gaming companies say examples of the websites hosting the locker pages are not legitimate. “These are scams,” says Jake Jones, senior communications manager at Epic Games, which created _Fortnite_. “Players have never been able to sell, gift, or trade in-game V-Bucks to another player or sell virtual items to one another,” he says. Similarly, James Kay, a spokesperson for _Roblo_x, says that using third-party services to "buy, sell, trade or give away Robux” is prohibited, and people should avoid “offers” on websites that promise free in-game currency or other items.

Victoria Kivilevich, director of threat research at security firm KELA, says the company has seen CPABuild discussed on cybercrime and hacking forums. On one site, Kivilevich says, someone recommends creating a YouTube channel with stolen games and software content to attract videos. “The user recommends using CPABuild to place a content locker URL—apparently obtained through CPABuild—to the description of the videos and earn on visitors who click on the URL,” Kivilevich says, adding that there are frequent discussions about _Fortnite_ and _Roblox_.

“Multiple users are looking for instructions on how to be approved on CPABuild and for accounts on CPABuild they can buy,” Kivilevich says.

While many of the poison PDFs push people towards scams, not all of them do. “It would appear that specific CPABuild clients are malware authors,” Edwards says. Sometimes, in the days after a negative article about China has appeared in the news, he says, some of these keyword-filled PDFs would appear and include words similar to the news articles. “The legitimate article will show up as the first result of the first page of a search, and then maybe three or four down would be honeypots,” he says. “On all of these pages, it was malware.”

A Huge Scam Targeting Kids With Roblox and Fortnite 'Offers' Has Been Hiding in Plain Sight

The macOS Background Task Manager tool is supposed to spot potentially malicious software on your machine. But a researcher says it has troubling flaws.

One of your Mac's built-in malware detection tools may not be working quite as well as you think. At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple's macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company's recently added monitoring tool.

There's no foolproof method for catching malware on computers with perfect accuracy because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the legitimate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.

Apple's Background Task Management tool focuses on watching for software “persistence.” Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more deeply and “persist” on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious. 

With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a “persistence event” occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn't, you can investigate the possibility that you've been compromised. 

“There should be a tool \[that notifies you\] when something persistently installs itself, it's a good thing for Apple to have added, but the implementation was done so poorly that any malware that’s somewhat sophisticated can trivially bypass the monitoring,” Wardle says about his Defcon findings. 

Apple could not immediately be reached for comment.

As part of his Objective-See Foundation, which offers free and open source macOS security tools, Wardle has offered a similar persistence event notification tool known as BlockBlock for years. “Because I've written similar tools, I know the challenges my tools have faced, and I wondered if Apple’s tools and frameworks would have the same issues to work through—and they do," he says. "Malware can still persist in a manner that is completely invisible.”

When Background Task Manager first debuted, Wardle discovered some more basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed the error. But the company didn't identify deeper issues with the tool.

“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing,” Wardle says. “They didn't realize that the feature needed a lot of work.”

One of the bypasses Wardle presented on Saturday requires root access to a target's device, meaning that attackers need to have full control before they can stop users from receiving persistence alerts. The bug related to this potential attack is important to patch because hackers can sometimes gain this level of access to a target and might be motivated to stop notifications so they can install as much malware as they want on a system. 

More concerning is that Wardle also found two paths that don't require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products. One of these exploits takes advantage of a bug in how the alerting system communicates with the core of a computer's operating system known as the kernel. The other capitalizes on a capability that allows users, even those without deep system privileges, to put processes to sleep. Wardle found that this capability can be manipulated to disrupt persistence notifications before they can get to the user.

Wardle says he chose to release these bugs at Defcon without first notifying Apple because he had already notified the company about flaws in Background Task Manager that could have led it to improve the tool’s overall quality more comprehensively. He adds, too, that bypassing this monitoring simply brings the state of macOS security back to what it was a year ago, before this feature debuted. But he notes that it’s problematic when Apple releases monitoring tools that seem rushed or need more testing, because it can give users and security vendors a false sense of security.

An Apple Malware-Flagging Tool Is ‘Trivially’ Easy to Bypass

A pair of major data breaches rock the UK, North Korea hacks a Russian missile maker, and Microsoft’s Chinese Outlook breach sparks new problems.

Of course, generative AI tools are the talk of the security industry this year. And Microsoft is no exception. In fact, since 2018, the company has had an AI red team that attacks AI tools to find vulnerabilities and help prevent them from behaving badly.

Outside of Black Hat and Defcon coverage, we detailed the ins and outs of the data privacy that HIPPA provides people in the US, and explained how to use Google's new “Results About You” tool to get your personal information removed from search results.

But that’s not all. Each week, we round up the security news that we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Your keyboard may be exposing your secrets without you even knowing it. Researchers in the UK developed a deep-learning algorithm that can figure out what a person is typing just by listening to keystrokes. In a best-case scenario (for an attacker, that is), the algorithm is 95 percent accurate. The researchers even tested it over Zoom and found it performed with 93 percent accuracy.

Now, if you’re thinking the researchers tested the attack on the noisiest mechanical keyboard they could find, you’d be wrong. They performed their tests on a MacBook Pro. And the attack doesn’t even require fancy recording equipment—a phone’s microphone works just fine. Someone who successfully carries out the attack could use it to learn a target’s passwords or snoop on their conversations. These kinds of acoustic attacks aren’t new, but this research shows they’re getting frighteningly accurate and easier to pull off in the wild.

A series of data breaches rocked the United Kingdom this week. On August 8, the Electoral Commission, the independent body responsible for overseeing elections and regulating political finances, revealed a cyberattack had exposed the data of 40 million voters to hackers. The organization has been unable to determine whether data was taken; however, it says that full names, emails, phone numbers, home addresses, and data provided during contact with the body could be impacted. “The attack has not had an impact on the electoral process,” the commission said. (Elections are run by local councils.)

The commission has, however, been criticized for how it communicated the cyberattack: The incident happened in August 2021 but was detected only in October 2022, and then finally communicated to the public nine months later. It has also been reported the breach may be linked to an unpatched Microsoft Exchange zero-day.

But that wasn’t all. The same day, the Police Service of Northern Ireland (PSNI) accidentally published the names and roles of 10,000 officers and staff in response to a Freedom of Information request. The breach, arguably, has more significant ramifications than that of the Electoral Commission. Officers working in intelligence and security services were included in the breach, which stayed online for three hours. The PSNI blamed “human error” for the breach, and the British data regulator, the Information Commissioner’s Office, has opened an investigation. (Previously, the regulator has issued guidance on making sure information is not accidentally disclosed via spreadsheets.) Since the breach, officers have expressed concerns about their safety, and the police service has been reviewing moving people to different roles for safety reasons.

North Korean hackers don’t just steal cryptocurrency, they also may have stolen Russia’s missile secrets. According to Reuters, the state-linked hacking group Lazarus breached the networks of NPO Mashinostroyeniya, a major Russian missile manufacturer, in late 2021. The breach wasn’t detected until May 2022. A researcher with the cybersecurity firm SentinelOne who discovered the breach said that the hackers would have had “the ability to read email traffic, jump between networks, and extract data,” Reuters reports.

It is unclear what exactly the Lazarus hackers stole while inside the NPO network, although North Korea did announce several updates to its missile program following the breach, so the two may be linked.

Last month, Microsoft revealed damning news: China-based hackers stole a digital key that the company uses to cryptographically sign tokens that are assigned to users when they log in to their Outlook email accounts. The hackers used this stunning access to break into the Outlook accounts of at least 25 organizations, including government bodies. But that’s only the start of the problems for Microsoft.

US senator Ron Wyden, an Oregon Democrat, sent a letter this week demanding three federal inquiries into Microsoft’s “negligent cybersecurity practices,” _The Wall Street Journal_ reports. Wyden also asked that the Cyber Safety Review Board, which the Biden administration created to investigate cybersecurity incidents, also look into the incident. And according to Bloomberg News, the review board is already planning to do just that.

Wyden’s letter, which is dated July 27, demands that the Department of Justice, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency all launch investigations. Microsoft, for its part, tells the _Journal_ that it plans to fully cooperate with any federal inquiries into the hack.

A New Attack Reveals Everything You Type With 95 Percent Accuracy

GitHub has spent two years researching and slowly rolling out its multifactor authentication system. Soon it will be mandatory for all 100 million users—with no opt-out.

You’ve heard the advice for years: Turn on two-factor authentication everywhere it’s offered. It’s long been clear that using only a username and password to secure digital accounts isn’t enough. But layering on an additional authentication “factor”—like a randomly generated code or a physical token—makes the keys to your kingdom much tougher to guess or steal. And the stakes are high for both individuals and institutions trying to protect their valuable and sensitive networks and data from targeted hacking or opportunist criminals.

Even with all its benefits, though, it often takes a little tough love to get people to actually turn on two-factor authentication, often known as 2FA. At the Black Hat security conference in Las Vegas yesterday, John Swanson, director of security strategy at GitHub, presented findings from the dominant software development platform's two-year effort to research, plan, and then start rolling out mandatory two-factor for all accounts. And the effort has taken on ever-increasing urgency as software supply chain attacks proliferate and threats to the software development ecosystem grow.

“There’s a lot of talk about exploits and zero days and build pipeline compromises in terms of the software supply chain, but at the end of the day, the easiest way to compromise the software supply chain is to compromise an individual developer or engineer,” Swanson told WIRED ahead of his conference presentation. “We believe that 2FA is a really impactful way to work on preventing that.”

Companies like Apple and Google have made concerted efforts to push their massive user bases toward 2FA, but Swanson points out that companies with a hardware ecosystem, like phones and computers, in addition to software have more options for easing the transition for customers. Web platforms like GitHub need to use tailored strategies to make sure two-factor isn't too onerous for users all over the world who all have different circumstances and resources.

For example, receiving randomly generated codes for two-factor via SMS text messages is less secure than generating those codes in a dedicated mobile app, because attackers have methods for compromising targets' phone numbers and intercepting their text messages. Primarily as a cost-saving measure, companies like X, formerly known as Twitter, have curtailed their SMS two-factor offerings. But Swanson says that he and his GitHub colleagues studied the choice carefully and concluded that it was more important to offer multiple two-factor options than to take a hard line on SMS code delivery. Any second factor is better than nothing. GitHub also offers and more strongly promotes alternatives like using a code-generating authentication app, mobile push message-based authentication, or a hardware authentication token. The company also recently added support for passkeys.

The bottom line is that, one way or another, all 100 million GitHub users are going to end up turning on 2FA if they haven't already. Before starting the rollout, Swanson and his team spent significant time studying the two-factor user experience. They overhauled the onboarding flow to make it harder for users to misconfigure their two-factor, a leading cause of customers getting locked out of their accounts. The process included more emphasis on things like downloading backup recovery codes so people have a safety net to get into their accounts if they lose access. The company also examined its support capacity to ensure that it could field questions and concerns smoothly. 

Since those improvements, Swanson says, the company has seen a 38 percent increase in users downloading their recovery codes and a 42 percent reduction in 2FA-related support tickets. GitHub users are also making 33 percent fewer attempts to recover locked accounts. In other words, account lockouts appear to be down by a third.

Swanson says the results have been very heartening as the company has started rolling out mandatory two-factor to batches of users in recent months. The effort will continue throughout 2023 and beyond. But all the concern and care that has gone into the process has a specific goal in mind.

“As we approach enrollment for a user, they receive a number of emails spread out over about 45 days, and they also receive site banners when they visit the site that inform them of the changes and the requirements,” Swanson says. “Then they have an option right at the end of the 45 days for a one-time, seven-day opt-out if they must. Maybe they’re on vacation or need to do something ultra-critical to help ease that enforcement point. But after the seven days, you are blocked from accessing github.com. There is no option for an opt-out at this point.”

In their two-factor campaigns, Apple and Google have left some wiggle room for users who want to intentionally and deliberately leave 2FA off. But other than a legitimate and insurmountable accessibility issue, Swanson says GitHub has no plans for lenience. And no one has raised such a concern so far.

“We take every measure we can to try and make folks aware and avoid problems. But at some point, we feel like we have an obligation—and a responsibility—to support the broader software ecosystem and help it be secure,” Swanson says. “And we think this is an important way of doing it.”

Swanson emphasizes that digital platforms need to promote two-factor adoption across the board, but that they first need to conduct research, carefully plan, and expand their support capacity before mandating the protection.

“Though we want folks to join us on this journey, this isn’t something that organizations should take lightly. You need to prepare and get the user experience right,” he says. “If our intent is to normalize 2FA for the broader community, the worst thing we could do is fail and fail visibly.”

GitHub’s Hardcore Plan to Roll Out Two-Factor Authentication (2FA)

In 2008, Boston’s transit authority sued to stop MIT hackers from presenting at the Defcon hacker conference on how to get free subway rides. Today, four teens picked up where they left off.

In early August of 2008, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.

In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.

They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.

Bertocchi skips to the end of the story: “They didn’t.”

The Boston subway hackers (from left to right) Scott Campbell, 16; Noah Gibson, 17; Matty Harris, 17; and Zack Bertocchi, 17.Photograph: Roger Kisby

Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s Charle Ticket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.

To demonstrate their work, the teens have gone so far as create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:

In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters last year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.

The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”

“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA's fraud detection team has increased monitoring to account for this vulnerability \[and\] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”

The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.

Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.

The hackers figured out how to reproduce a “checksum” calculation intended to prevent the value stored on CharlieCards from being changed, circumventing that anti-hacking protection.Photograph: Roger Kisby

By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.

Not long after they made this breakthrough, in December of last year, the teens read in the _Boston Globe_ about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android Phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.

Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.

In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” say Bertocchi.

The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.

“We’ve had some of our cards get disabled, but most get through,” adds Harris.

So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”

For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.

He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”

_Update 5 pm ET, August 10, 2023: Added a statement form an MBTA spokesperson._

Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides—and This Time Nobody Got Sued

As the international tech giant moves toward Russian ownership, the leak raises concerns about the volume of data it has on its users.

The code also shows how Yandex can combine data from multiple services. McCrea says in one complex process, an adult’s search data may be pulled from the Yandex search tool, AppMetrica, and the company’s taxi app to predict whether they have children in their household. Some of the code categorizes whether children may be over or under 13. (Yandex’s Cherevko says people can order taxis with children’s seats, which is a sign they may be “interested in specific content that might be interesting for someone with a child.”)

One element within the Crypta code indicates just how all of this data can be pulled together. A user interface exists that acts as a profile about someone: It shows marital status, their predicted income, whether they have children, and three interests—which include broad topics such as appliances, food, clothes, and rest. Cherevko says this is an “internal Yandex tool” where employees can see how Crypta’s algorithms classify them, and they can only access their own information. “We have not encountered any incidents related to access abuse,” he says.

Government Influence

Yandex is going through a breakup. In November 2022, the company’s Netherlands-based parent organization, Yandex NV, announced it will separate itself from the Russian business, following Russia’s invasion of Ukraine. Internationally, the company, which will change its name, is planning to develop self-driving technologies and cloud computing, while divesting itself from search, advertising, and other services in Russia. Various Russian businessmen have been linked to the potential sale. (At the end of July, Yandex NV said it plans to propose its restructuring to shareholders later this year.)

While the uncoupling is being worked out, Russia has been trying to consolidate its control of the internet and increasing censorship. A slew of new laws requires more companies and government services in the country to use home-grown tech. For instance, this week, Finland and Norway’s data regulators blocked Yandex’s international taxi app from sending data back to Russia due to a new law, which comes into force in September, that will allow the Federal Security Service (FSB) access to taxi data.

These nationalization efforts coupled with the planned ownership change at Yandex are creating concerns that the Kremlin may soon be able to use data gathered by the company. Stanislav Shakirov, the CTO of Russian digital rights group Roskomsvoboda and founder of tech development organization Privacy Accelerator, says historically Yandex has tried to resist government demands for data and has proved better than other firms. (In June, it was fined 2 million rubles ($24,000) for not handing data to Russian security services.) However, Shakirov says he thinks things are changing. “I am inclined to believe that Yandex will be attempted to be nationalized and, as a consequence, management and policy will change,” Shakirov says. “And as a consequence, user data will be under much greater threat than it is now.”

Bakunov, the former Yandex engineer, who reviewed some of McCrea’s findings at WIRED’s request, says he is scared by the potential for the misuse of data going forward. He says it looks like Russia is a “new generation” of a “failed state,” highlighting how it may use technology. “Yandex here is the big part of these technologies,” he says. “When we built this company, many years ago, nobody thought that.” The company’s head of privacy, Cherevko, says that within the restructuring process, “control of the company will remain in the hands of management.” And its management makes decisions based on its “core principles.”

But the leaked code shows, in one small instance, that Yandex may already share limited information with one Russian government-linked company. Within Crypta are five “matchers” that sync fingerprinting events with telecoms firms—including the state-backed Rostelecom. McCrea says this indicates that the fingerprinting events could be accessible to parts of the Russian state. “The shocking thing is that it exists,” McCrea says. “There's nothing terribly shocking within it.” (Cherevko says the tool is used for improving the quality of advertising, helping it to improve its accuracy, and also identifying scammers attempting to conduct fraud.)

Overall, McCrea says that whatever happens with the company, there are lessons about collecting too much data and what can happen to it over time when circumstances change. “Nothing stays harmless forever,” she says.

Source

Wired