Plus: Joe Biden’s classified-documents scandal, the end of security support for Windows 7, and more.

A WIRED investigation this week found that the app SweepWizard, which some US law enforcement agencies use to coordinate raids, was publicly exposing sensitive data about hundreds of police operations until WIRED disclosed the flaw. The exposed data included personally identifying information about hundreds of officers and thousands of suspects, including geographic coordinates of suspects’ homes and the time and location of raids, demographic and contact information, and some suspects’ Social Security numbers.

Meanwhile, police in the Indian state of Telangana are using grassroots educational initiatives to help people avoid digital scams and other online exploitation. And the industrial control giant Siemens disclosed a major vulnerability in one of its most popular lines of programmable logic controllers this week. The company does not have plans to fix the vulnerability because, on its own, it is exploitable only through physical access. Researchers say, though, that it creates exposure for the industrial control and critical infrastructure environments that incorporate any of the 120 models of vulnerable S7-1500 PLCs.

And there’s more. Each week, we highlight the security news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories.

The UK’s Royal Mail service said on Wednesday that it had been hit by a ransomware attack and, as a result, could not process packages and letters to ship internationally. The company asked customers not to attempt to ship international mail until the attack is remediated. Royal Mail officials blamed the prolific cybercriminal ransomware group LockBit, which is thought to be based in Russia, for the attack. Royal Mail has not provided extensive comment about the situation but called it a “cyber incident” and cautioned that there would be “severe disruption” as a result of the attack.

In November, aides of President Joe Biden found classified material from his time as vice president in an office he used before beginning his 2020 presidential campaign and at his Wilmington, Deleware, home. Now, after combing through the president's papers and offices, they have found more classified documents in an additional location. NBC News, which first reported the new details on Wednesday, wrote, “The classification level, number, and precise location of the additional documents was not immediately clear. It also was not immediately clear when the additional documents were discovered and if the search for any other classified materials Biden may have from the Obama administration is complete.”

Microsoft said in March 2019 that it would sunset Windows 7 and that customers should migrate to newer versions of the operating system. Beginning in January 2020, the company continued providing security updates only to enterprise customers who paid for extended support. Microsoft said that this, too, would run out at the end of 2022. The company confirmed on Tuesday that security updates for Windows 7 have ended and that all users should upgrade if they haven't done so already. Computers that continue to run Windows 7 will not receive updates and will be vulnerable to hacking. The operating system first launched in 2009 and was ubiquitous in its heyday. As with many versions of Windows, it will likely have a long tail. TechCrunch reports that some market-share data analysts estimate that 10 percent of Windows PCs around the world still run Windows 10. Seemingly because of lower adoption rates, Microsoft ended support for Windows 8 in January 2016 and ended support for Windows 8.1 on Tuesday as well. And the company will not offer extended support for Windows 8.1.

Cybercriminals looking to conduct identity theft have been exploiting a very basic security weakness in the website of the credit bureau Experian. Experian designed its systems so people who want a copy of their credit report need to correctly answer a number of multiple-choice questions about their financial histories to validate their identity. Until the end of 2022, though, Experian’s website was allowing anyone to get around the requirement by simply entering a person's name, birth date, Social Security number, and address. This set of information is often readily accessible to cybercriminals because of past data breaches and composite troves of many breaches put together.

A September 2022 investigation by the _The New York Times_ included frank commentary from Russian soldiers about their criticisms of Russia's invasion of Ukraine and ongoing war in the country. But the story seems to have accidentally exposed phone numbers and other identifying metadata about some of the sources, and the information persisted in publicly available source code for the story until Motherboard notified the publication in January. Though unintentional, the lapse has real potential implications for the physical safety of the sources, who could face repercussions from the Russian government or other entities.

Russian Ransomware Gang Attack Destabilizes UK Royal Mail

Police in the Indian state of Telangana have found a novel way to help people avoid getting swindled online: grassroots education.

Preetika, a 15-year-old student from the southern Indian city of Hyderabad, has stopped playing her favorite mobile game, _Free Fire,_ because of what can happen when she does. 

In October, while she was tapping on her smartphone playing this game after school, a text message popped up asking her to share bank information in order to purchase more “diamonds” on the app. The diamonds are used to buy add-ons within the game, such as weapons, skins, and more. Unaware that this could be a potential scam, Preetika clicked on the link, shared her mother’s bank details—then realized that 10,000 rupees ($120) were instantly debited from the account. (WIRED is using only the first names of the minors quoted in this story to protect their privacy.) 

“I didn’t tell anyone, but since it was my mother’s account, she got a message,” says Preetika. “I lost all that money suddenly; it was very scary.”

Fortunately, one of Preetika’s friends from her class, Rajeshwari, came to her rescue, helping her understand what could have potentially happened and directing her to the authorities who helped them retrieve the money. Rajeshwari is one among thousands of students from the south Indian state of Telangana who are being trained to become “cyber ambassadors” in the region. 

Telangana, a state that has been infamous for deploying invasive technology for surveillance purposes across Hyderabad, its capital city, is now trying to create awareness around digital safety and hygiene for the betterment of its citizens. With the Covid pandemic came a rise in online scams and many Indians falling prey to them. India experienced an 86 percent jump in cybercrimes with the global pandemic, according to a July 2022 study by researchers at the Central University of Kerala, in Kasargod, India. To battle this issue, the Telangana state police over the past year developed a 10-month-long curriculum to teach students how to identify and dodge potential online scams and how to handle cyberbullying and trolling. 

Part of the so-called Cyber Congress initiative started by the women safety wing of the state police department, the cyber ambassador program is meant to educate the students so that they can also help their family, friends, and neighbors stay safe on the internet. Rajeshwari, one of the newly minted cyber ambassadors, says she has been able to help some of her friends and family evade digital scams. “I have been able to create awareness amongst many people at my hostel and my village back home,” says Rajeshwari, a 10th grader. “We are also conducting programs at school even after the course is done.” 

Over 3,000 students graduated from the first class of cyber ambassadors last year. And following the success of the first batch, the Telangana government—which is perhaps the first state in India to have come up with a novel concept like this—has started the second batch of the course with almost 10,000 students. Telangana has over 5 million students across more than 40,000 public schools.

Sailaja Vadlamudi, one of the two teachers of the program, explains that with rising cybercrime cases, and the pandemic providing more digital access to people, the government wanted to help out the most vulnerable: students in public schools. She says that the course is taught in simple, understandable language with real-life analogies for the children to grasp the concept quickly. For instance, she tells her students to treat passwords like a toothbrush: change them often and don’t share them with anyone else. 

“When we looked into statistics, we realized that there is a huge rise in cybercrime especially targeting women and children,” says Vadlamudi, who also works at SAP as senior director and chief expert of security and data privacy. “We can always give them tools, but in the end, if people have the right set of awareness, then they can become the strongest chain in this entire ecosystem of cybercrimes.”

Students who are chosen to partake in the program are also given a series of assignments that help them understand how to handle attempted scams, like phishing links or fake job postings where the teachers asked them to double-check email addresses and look for misspellings—indicators that the content is part of a swindle. 

As for the program successfully helping people avoid falling prey to online scams, Vadlamudi remembers one specific instance where a student said her father, a daily wage worker, received a call from someone pretending to be from a bank asking for the one-time password. Before the student became a cyber ambassador, her father would have perhaps shared these details. But since his daughter warned him not to do so, he knew it was a trap and refused to share the information.

Bruce Schneier, a security technologist and author, says that controlling cyber scams is a difficult task, because “these scams prey on the most vulnerable and the most ignorant.” He explains that people are often reliant on third parties—typically banks and other financial institutions—to recognize scams in progress and try to intervene. 

That said, Schneier believes that the Telangana police’s approach of catching them young shows potential. “I think it's a great idea,” says Schneier, who is also an adjunct lecturer at Harvard Kennedy School. “Computer literacy generally starts with the young and moves upward, so this is a great way to leverage that natural expertise.”

In the Fight Against Scams, ‘Cyber Ambassadors’ Enter the Chat

SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible.

Last September, law enforcement agents from five counties in Southern California coordinated an operation to investigate, raid, and arrest more than 600 suspected sex offenders. The mission, Operation Protect the Innocent, was one of the largest such raids in years, involving ​​over 64 agencies. According to the Los Angeles Police Department, it was coordinated using a free trial of an app called SweepWizard.

The raid was hailed as a success by Chief Michael Moore of the LAPD at a press conference the following week. But there was a problem: Unbeknownst to police, SweepWizard had been leaking a trove of confidential details about the operation to the open internet.  

The data, which the LAPD and partners in the regional Internet Crimes Against Children (ICAC) Task Force uploaded to SweepWizard, included private information about the suspects as well as sensitive details that, in the wrong hands, could tip off suspects as to when they were going to be raided and cast suspicion on people who had not yet been convicted of any crime. 

The SweepWizard app, built by a company called ODIN Intelligence, is meant to help police manage multi-agency raids. But WIRED found that it didn’t just expose data from Operation Protect the Innocent; it had already leaked confidential details about hundreds of sweeps from dozens of departments over multiple years. The data included personally identifying information about hundreds of officers and thousands of suspects, such as geographic coordinates of suspects’ homes and the time and location of raids, demographic and contact information, and occasionally even suspects’ Social Security numbers. All this data was likely exposed due to a simple misconfiguration in the app, according to security experts.

The Los Angelese Police Department said it was unaware of the problem until WIRED reached out for comment. In a phone call, Captain Jeffery Bratcher, commanding officer of the LAPD Juvenile Division and project director for the ICAC Task Force, said the department is concerned and is taking the matter seriously. “Operational security is always paramount to us. We don’t want people to know when and if we are coming,” he says. 

In a separate statement, Captain Kelly Muniz of the LAPD’s Media Relations Division, said the department has suspended the use of SweepWizard until a thorough investigation is complete. According to their statement, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release.”

The exposed data contained the location and names of 5,770 suspects, mostly located in California. In some instances, the data included their height, weight, and eye color and indicated whether they were experiencing homelessness. For more than 1,000 of these suspects, SweepWizard also exposed their Social Security numbers. According to the data, several of these suspects were juveniles at the time of the sweeps. Arrest records and press releases confirm that several people whose names appeared in the leaked data were arrested after the raid. 

SweepWizard also appeared to have revealed the names, phone numbers, and email addresses of hundreds of law enforcement officers, as well as the operational details of nearly 200 sweeps. These details included the exact date and time of the sweep, the organizing officers, as well as information like where the pre-sweep briefings were to occur.

After verifying the data exposure, WIRED notified ODIN Intelligence, which quickly took down the app and began an investigation. After declining an interview, Erik McCauley, the CEO and founder of the company, said in a statement, “ODIN Intelligence Inc. takes security very seriously.  We have and are thoroughly investigating these claims.” He added, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.” McCauley did not respond to specific questions about the issue.

At the time of publication, SweepWizard’s website is no longer accessible, and the app has been removed from Google Play and Apple’s App Store.

WIRED received a tip that there was a flaw in SweepWizard’s application programming interface, or API, that allowed anyone with a specific URL to retrieve confidential law enforcement data from the app. WIRED downloaded the Android version of the app from Google Play and verified that its API endpoints were in fact returning data regardless of authentication—in other words, you didn’t need to be logged in to the app to view sensitive data about years’ worth of raids and other police operations. The data could be viewed in any web browser simply by visiting a SweepWizard URL. 

While the SweepWizard mobile app first launched in 2016, according to app store information, WIRED found data from sweeps going back to 2011, including more than 20 sweeps on Halloween over the years with names like Operation Boo, Operation Hocus Pocus, and Halloween Havoc. (Archived versions of the SweepWizard website date back to 2011.) The most recent data WIRED reviewed includes sensitive information about raids that took place on December 19, 2022. 

It’s unclear whether all SweepWizard data was exposed ahead of scheduled raids, and ODIN Intelligence did not respond to specific questions about when the data may have been publicly accessible. However, while confirming the API vulnerability, WIRED observed that data from at least one scheduled sweep had been made public. It is also unclear whether anyone used the data SweepWizard leaked to the open web for nefarious purposes.

ODIN Intelligence advertises itself as a company that develops high-tech solutions for law enforcement that “enable our communities to be safer, better informed, more organized, and crime free.” On its website, the company claims to partner with organizations like the International Association of Chiefs of Police (details of these partnerships are not available). The IACP did not respond to a request for comment. ODIN also created a product called the Homeless Management Information System (HMIS), which according to a brochure reviewed by Vice, uses face recognition to identify people experiencing homelessness. 

The company claims that its products are built by experts and secured with “state-of-the-art” security that adheres to the FBI’s Criminal Justice Information Services (CJIS) security policy for handling sensitive information. The FBI did not comment on SweepWizard’s claims of CJIS compliance. However, a policy document the agency shared with WIRED indicates that SweepWizard was likely not compliant with specific access requirements that specify who can access law enforcement information. ODIN Intelligence’s McCauley did not respond to specific questions about whether SweepWizard was CJIS-compliant.

The Yolo County District Attorney’s Office confirmed that, like the LAPD, it had used a free trial of SweepWizard during an annual sex offender sweep last November, details of which WIRED found in the exposed data. In its statement, chief deputy district attorney Jonathan Raven said that ODIN provided Yolo County with documents that explicitly stated its technology was CJIS-compliant. His office is also investigating the matter. 

Ken Munro, an ethical hacker and founder of the UK-based security research firm Pen Test Partners, says that based on how we described being able to access SweepWizard data, the error was likely caused by a simple authorization oversight. While SweepWizard was taken down before he had a chance to examine the app, Munro says that, typically, when an individual logs in to a website or app, they are assigned an access token that gets checked by the app every time their device requests data from it. According to Munro, SweepWizard was likely not checking each request for these access tokens and was simply providing data to any device that asked. 

“This is a bit of a basic technical oversight,” he says. “These sorts of authorization issues are not often seen in law enforcement.”

McCauley did not comment on how ODIN’s investigation concluded that a compromise had not occurred. However, after WIRED received his statement, we reviewed our methodology and findings about SweepWizard with Zach Edwards, an independent privacy and security researcher.  Edwards says that WIRED’s methodology is no different than what any penetration tester would have done. He adds, “They left the front, side, and back doors open.”

A Police App Exposed Secret Details About Raids and Suspects

More than 120 models of Siemens' S7-1500 PLCs contain a serious vulnerability—and no fix is on the way.

In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them.

The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013. Firmware is the low-level code that coordinates hardware and software on a computer. The vulnerability stems from a basic error in how the cryptography is implemented, but Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip. As a result, Siemens says it has no fix planned for any of the 122 S7-1500 PLC models that the company lists as being vulnerable. 

Siemens says that because the vulnerability requires physical access to exploit on its own, customers should mitigate the threat by assessing “the risk of physical access to the device in the target deployment” and implementing “measures to make sure that only trusted personnel have access to the physical hardware.” The researchers point out, though, that the vulnerability could potentially be chained with other remote access vulnerabilities on the same network as the vulnerable S7-1500 PLCs to deliver the malicious firmware without in-person contact. The Stuxnet attackers famously used tainted USB thumb drives as a creative vector to introduce their malware into “air-gapped” networks and ultimately infect then-current S7-300 and 400 series PLCs.

“Seimans PLCs are used in very important industrial capacities around the world, many of which are potentially very attractive targets of attacks, as with Stuxnet and the nuclear centrifuges,” says Grant Skipper, a Red Balloon Security research scientist.

The ubiquity and criticality of S7-1500 PLCs are the two traits that motivated the researchers to do a deep dive into the security of the devices. To a motivated and well-resourced attacker, any flaws could be worth exploiting.

“The encrypted firmware means that without a lot of effort, you don’t have any insight inside a device, so we wanted to see what was hiding in the 1500 product line,” says Red Balloon Security research scientist Yuanzhe Wu. “The devices use a dedicated cryptography coprocessor to verify the encrypted firmware that’s loaded on the device, decrypt the firmware, and let the device boot. However, we found vulnerabilities that an attacker could abuse to make the crypto coprocessor act like an oracle to decrypt firmware and then help tamper with it to make malicious modifications.”

Since firmware underlies a device’s functions, the ability to silently modify the firmware would undermine all other security protections and give an attacker total control of the device without its owner realizing that anything has changed. 

“This separate crypto core is a very rudimentary chip. It’s not like a big processor, so it doesn’t really know who it’s talking to or what’s going on in the broader context,” Red Balloon’s Skipper says. “So if you can tell it the right things that you observed the processor telling it, it will talk to you as if you are the processor. So we can get in between the processor and the crypto core and then we basically tell it, ‘Hey, we are the processor and we are going to give you some data and we want you to encrypt it.’ And the little crypto core isn’t going to question that. It just does it.”

Siemens notes that the vulnerabilities are not related to the company’s own firmware update process and do not give attackers the ability to hijack that distribution channel. But the fact that any S7-1500 can become a firmware-blessing oracle is significant and bestows a power that individual devices should not have, undermining the whole purpose of encrypting the firmware in the first place.

“S7s should not be able to re-encrypt firmware for other S7s,” says Ang Cui, Red Balloon Security’s founder and CEO. “This is a fundamental design flaw and a significant implementation error.”

While Siemens isn’t directly releasing any fixes for the vulnerability, the company says it is in the process of releasing new-generation processor hardware that fixes the vulnerability for several S7-1500 models. And the company says it is “working on new hardware versions for remaining PLC types to address this vulnerability completely.” The Red Balloon researchers say they have not yet been able to independently validate that the vulnerability has been fixed in this latest S7-1500 hardware.

Still, the Red Balloon Security researchers say that it would be possible for Siemens to release a firmware audit tool for any PLC to check whether there has been tampering on the device. Since the vulnerability will persist on impacted devices, such a feature would give S7-1500 owners more insight into their PLCs and the ability to monitor them for suspicious activity.

“It’s the same movie, just a different day,” says Red Balloon’s Cui. “Does very complicated, exotic hardware security improve overall security? Well, if you do it right, it could help, but I haven’t seen any human do it right. When you do it wrong, it always becomes a double-edged sword—and the edge of that sword is very sharp.”

Though Siemens says it is addressing the S7-1500 vulnerability in new models, the population of vulnerable 1500s in industrial control and critical infrastructure systems around the world is extensive, and these units will remain in use for decades.

“Siemens is saying that this will not be fixed, so it’s not just a zero day—this will remain a forever day until all the vulnerable 1500s go out of service,” Cui says. “It could be dangerous to leave this unaddressed.”

A Siemens S7-1500 Logic Controller Flaw Raises the Specter of Stuxnet

Plus: Russian spies uncovered in Europe, face recognition leads to another wrongful arrest, a new porn ID law, and more.

Ever since Elon Musk spent $44 billion on Twitter and laid off a large percentage of the company’s staff, there have been concerns about data breaches. Now it seems a security incident that predates Musk’s takeover is causing headaches. This week, it emerged that hackers released a trove of 200 million email addresses and their links to Twitter handles, which were likely gathered between June 2021 and January 2022. The sale of the data may put anonymous Twitter accounts at risk and heap further regulatory scrutiny on the company.

WhatsApp has launched a new anti-censorship tool that it hopes will help people in Iran to avoid government-enforced blocks on the messaging platform. The company has made it possible for people to use proxies to access WhatsApp and avoid government filtering. The tool is available globally. We’ve also explained what pig-butchering scams are and how to avoid falling into their traps.

Also this week, cybersecurity firm Mandiant revealed that it has seen Russian cyberespionage group Turla using innovative new hacking tactics in Ukraine. The group, which is believed to be connected to the FSB intelligence agency, was spotted piggybacking on dormant USB infections of other hacker groups. Turla registered expired domains of years-old malware and managed to take over its command-and-control servers.  

We also reported on the continued fallout of the EncroChat hack. In June 2020, police across Europe revealed they had hacked into the encrypted EncroChat phone network and collected more than 100 million messages from its users, many of them potentially serious criminals. Now thousands of people have been jailed based on the intelligence gathered, but the bust is raising wider questions around law enforcement hacking and the future of encrypted phone networks.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there. 

On December 31, as millions of people were preparing for the start of 2023, Slack posted a new security update to its blog. In the post, the company says it detected a “security issue involving unauthorized access to a subset of Slack’s code repositories.” Starting on December 27, it found that an unknown threat actor had stolen Slack employee tokens and used them to access its external GitHub repository and download some of the company’s code.

“When notified of the incident, we immediately invalidated the stolen tokens and began investigating potential impact to our customers,” Slack’s disclosure says, adding that the attacker did not access customer data and Slack users don’t need to do anything. 

The incident is similar to a December 21 security incident disclosed by authentication firm Okta, as cybersecurity journalist Catalin Cimpanu notes. Just before Christmas, Okta revealed its code repositories had been accessed and copied.

Slack quickly discovered the incident and reported it. However, as spotted by Bleeping Computer, Slack’s security disclosure didn’t appear on its usual news blog. And in some parts of the world, the company included code to stop search engines including it in their results. In August 2022, Slack forced password resets after a bug had exposed hashed passwords for five years. 

A Black man in Georgia spent almost a week in jail after police reportedly relied on a face recognition match that was incorrect. Police in Louisiana used the technology to obtain an arrest warrant for Randal Reid in a theft case they were investigating. “I have never been to Louisiana a day in my life. Then they told me it was for theft. So not only have I not been to Louisiana, I also don’t steal,” Reid told local news site Nola.

The publication says a detective “took the algorithm at face value to secure a warrant” and says little is known about police use of face recognition technology in Louisiana. The names of any systems used have not been disclosed. However, this is just the latest case of face recognition technology being used in wrongful arrests. While police use of face recognition tech has quickly spread across US states, research has repeatedly shown it misidentifies people of color and women more frequently than white men.

On the first day of this year, Ukraine launched its deadliest missile strike against invading Russian troops to date. An attack on a temporary Russian barracks in Makiivka, in the Russian-occupied Donetsk region, killed 89 troops, the Russian defense ministry claims. Ukrainian officials say around 400 Russian soldiers were killed. In the aftermath, Russia’s defense ministry claimed the location of troops was identified because they were using mobile phones without permission. 

During the war, both sides have said they are able to intercept and locate phone calls. While Russia’s latest claim should be treated with caution, the conflict has highlighted how open source data can be used to target troops. Drones, satellite images, and social media posts have been used to monitor people on the frontlines.

A new law in Louisiana requires porn sites to verify the ages of visitors from the state to prove they are over 18. The law says age verification must be used when a website contains 33.3 percent or more pornographic content. In response to the law, PornHub, the world’s biggest porn website, now gives people the option to link their drivers license or government ID via a third-party service to prove they are legal adults. PornHub says it does not collect user data, but the move has raised fears of surveillance.

Around the world, countries are introducing laws that require porn site visitors to prove they’re old enough to view the explicit material. Lawmakers in Germany and France have threatened to block porn sites if they don’t put the measures in place. Meanwhile, in February 2022 Twitter started blocking adult content creators in Germany because age verification systems were not in place. The UK tried to introduce similar age-checking measures between 2017 and 2019; however, the plans collapsed due to porn website admins’ confusion, design flaws, and fears of data breaches.

The world of spies is, by its very nature, cloaked in secrecy. Nations deploy agents to countries to gather intelligence, recruit other assets, and influence events. But occasionally these spies get caught. Since Russia’s full-scale invasion of Ukraine in February 2022, more of Russia’s spies across Europe have been identified and expelled from countries. A new database from open source researcher @inteltakes has pulled together known cases of Russia’s spies in Europe since 2018. The database lists 41 entries of spies being exposed and, where possible, details each asset’s nationality, profession, and the service they were recruited by.

Slack Discloses Breach of Its Github Code Repository

The exposure of hundreds of millions of email addresses puts pseudonymous users of the social network at risk.

After reports at the end of 2022 that hackers were selling data stolen from 400 million Twitter users, researchers now say that a widely circulated trove of email addresses linked to about 200 million users is likely a refined version of the larger trove with duplicate entries removed. The social network has not yet commented on the massive exposure, but the cache of data clarifies the severity of the leak and who may be most at risk as a result of it.

From June 2021 until January 2022, there was a bug in a Twitter application programming interface, or API, that allowed attackers to submit contact information like email addresses and receive the associated Twitter account, if any, in return. Before it was patched, attackers exploited the flaw to “scrape” data from the social network. And while the bug didn't allow hackers to access passwords or other sensitive information like DMs, it did expose the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, potentially identifying users.

While it was live, the vulnerability was seemingly exploited by multiple actors to build different collections of data. One that has been circulating in criminal forums since the summer included the email addresses and phone numbers of about 5.4 million Twitter users. The massive, newly surfaced trove seems to only contain email addresses. However, widespread circulation of the data creates the risk that it will fuel phishing attacks, identity theft attempts, and other individual targeting.

Twitter did not reply to WIRED's requests for comment. The company wrote about the API vulnerability in an August disclosure: “When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.” Seemingly, Twitter's telemetry was insufficient to detect the malicious scraping.

Twitter is far from the first platform to expose data to mass scraping through an API flaw, and it is common in such scenarios for there to be confusion about how many distinct troves of data actually exist as a result of malicious exploitation. These incidents are still significant, though, because they add more connections and validation to the massive body of stolen data that already exists in the criminal ecosystem about users.

“Obviously, there are multiple people who were aware of this API vulnerability and multiple people who scraped it. Did different people scrape different things? How many troves are there? It kind of doesn't matter,” says Troy Hunt, founder of the breach-tracking site HaveIBeenPwned. Hunt ingested the Twitter data set into HaveIBeenPwned and says that it represented information about more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned. And Hunt says he sent notification emails to nearly 1,064,000 of his service's 4,400,000 million email subscribers.

“It's the first time I've sent a seven-figure email,” he says. “Almost a quarter of my entire corpus of subscribers is really significant. But because so much of this was already out there, I don't think this is going to be an incident that has a long tail in terms of impact. But it may de-anonymize people. The thing I'm more worried about is those individuals who wanted to maintain their privacy.”

Twitter wrote in August that it shared this concern about the potential for users' pseudonymous accounts to be linked to their real identities as a result of the API vulnerability. 

“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” the company wrote. “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

For users who hadn't already linked their Twitter handles to burner email accounts at the time of the scraping, though, the advice comes too late. In August, the social network said it was notifying potentially impacted individuals about the situation. The company has not said whether it will do further notification in light of the hundreds of millions of exposed records.

Ireland’s Data Protection Commission said last month that it is investigating the incident that produced the trove of 5.4 million users' email addresses and phone numbers. Twitter is also currently under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that obligated Twitter to improve its user privacy and data protection measures.

Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You

The January 6 Committee’s 841-page report will go down as one of the most important documents in US history. These key details stand out.

To put a fine point on it: The Secret Service agents surrounding the Vice President believed they were about to be in a fight to the death to protect the man next in line for presidential succession. I’ve read and written about presidential security and history going back decades, and I can’t think of a parallel set of fears, except perhaps when Vice President Richard Nixon’s motorcade was attacked in Caracas in 1958, which was seen at the time as the “most violent attack ever perpetrated on a high American official while on foreign soil.” 

4\. Big unknowns remain 

As the committee notes, more than 30 witnesses invoked their Fifth Amendment privilege against self-incrimination, leading to some important holes in the committee’s knowledge. As the report says, “The Committee has substantial concerns regarding potential efforts to obstruct its investigation, including by certain counsel (some paid by groups connected to the former President) who may have advised clients to provide false or misleading testimony to the Committee.” It’ll be interesting whether any potential Justice Department indictments and investigations further pry back the lid on the White House and the role of people like Steve Bannon and Roger Stone.

5\. Parts of Trump’s plot targeted every level of government officials involved in counting and certifying elections

One of the most tragic hearings from the January 6 Committee focused last summer on the human toll of President Trump unleashing reckless personal attacks on the relatively anonymous local and state officials in battleground states who were charged with counting and certifying the votes—attacks so vicious and worrisome that some officials, who did nothing wrong and were serving in nonpartisan roles, fled their homes over safety concerns. And the final report is filled with page after page of details about the awful rhetoric—and worse—that Trump directed his supporters to unleash on officials in places like Arizona, Pennsylvania, Michigan, and Georgia. 

In Arizona, the committee reports, “Maricopa County Recorder Adrian Fontes testified before Congress that his family had ‘go-bags’ packed in case they needed to evacuate and that, because of the threats, he had moved his children ‘out of the family home at least once for three days in the wake of serious threats to \[his\] family’s safety.’” In Michigan, after Republican Senate Majority Leader Mike Shirkey and Republican House Speaker Lee Chatfield resisted Trump’s entreaties to overturn the state’s results, “\[Trump\] or his team maliciously tweeted out Shirkey’s personal cell phone number and a number for Chatfield that turned out to be wrong. Shirkey received nearly 4,000 text messages after that, and another private citizen reported being inundated with calls and texts intended for Chatfield.” As the committee says, the threats from Trump and myriad other supporters were un-American and beyond the pale: “This, again, is the conduct of thugs and criminals, each of whom should be held accountable.” 

Beyond the election officials themselves, the report has ample new detail about the Trump campaign’s efforts to create and forward to the National Archives and Congress slates of fake electors, people who would vote for Trump rather than Biden, as their states had properly certified. One of the interesting questions left after the January 6 report is whether state attorneys general or local prosecutors in any state will read and examine the evidence of the fake elector scheme for potential criminal charges too. 

6\. Trump’s legal and criminal exposure is real 

The January 6 Committee’s own criminal referrals made headlines in December, but the final report reminds us that federal judge David Carter also concluded as part of the court fight over the committee’s work that President Trump likely violated two criminal statutes: 18 U.S.C. § 1512(c) (corruptly obstructing, impeding or influencing Congress’s official proceeding to count electoral votes); and 18 U.S.C. § 371 (conspiring to defraud the United States). And indeed, any prosecutor looking at this report will see both plenty of evidence of corrupt acts and, notably, _knowledge_ that Trump understood he was acting corruptly—because White House aides, lawyers, and campaign officials kept telling him he was doing so. As the committee wrote, “President Trump made corrupt, dishonest, and unlawful choices to pursue his plans.”

7\. The Justice Department came close to a meltdown 

As someone who has written books about Nixon’s 1973 Saturday Night Massacre and the 2005 Comey-Mueller-Bush showdown over the NSA wiretapping program STELLAR WIND, my eyes were wide open as I read the sections about how Trump tried to install Jeffrey Clark as acting attorney general in one of his final gambits to overturn the election—an event that almost caused the entire leadership of the Justice Department to resign. Bill Barr, of course, had resigned early, leaving acting attorney general Jeffrey Rosen in charge of the department in January 2021, alongside acting deputy attorney general Richard Donoghue. The two faced down Trump as he tried to install Clark, who was willing to sign a letter saying DOJ had doubts about the election. Donoghue saw the possibility the letter “may very well have spiraled us into a constitutional crisis,” and White House counsel Pat Cipollone declared it a “murder-suicide pact.”

While Trump persisted, he was informed that all of the other assistant attorneys general would resign if he pushed the change—but the committee’s work found that even as the showdown unfolded, “contemporaneous White House documents suggest that Clark had _already_ \[italics in original\] been appointed as the acting attorney general.” Ultimately, Trump backed down as the potential mass resignations spiraled, and was told by assistant attorney general Steve Engel—himself a beloved Trump appointee—that “Clark would be here by himself with a hostile building, those folks who remained, and nothing would get done.” Clark, Engel said, would be leading a “graveyard.” Trump finally said, “It’s not going to be worth the breakage,” and dropped the plan.

8\. The US government had reliable, solid intelligence that bad stuff might happen on January 6—and it failed to take action

The committee makes clear in the second sentence of its executive summary that Trump owns everything that happened on January 6, saying its “overriding and straightforward conclusion: the central cause of January 6 was one man, former President Donald Trump, whom many others followed. None of the events of January 6 would have happened without him.” But it’s also clear from the committee report that the US government, both its security agencies and top White House staff, failed to act on warnings that armed, violent individuals were coming to Washington on January 6 in response to the president’s tweet on December 19, 2020, summoning them and promising, “Be there, will be wild!”

In fact, no less than the chairman of the Joint Chiefs of Staff, Gen. Mark Milley, remembers deputy secretary of defense David Norquist saying on a National Security Council call, “the greatest threat is a direct assault on the Capitol.” As Milley says, “I’ll never forget it.” The Secret Service was warned repeatedly, including on Christmas Eve in a document entitled “Armed and Ready, Mr. President” that summarized worrisome tweets, and at a December 30 internal intelligence briefing that specifically mentioned the fiery presidential tweet. The Capitol Police were warned, both by civilian extremism researchers as well as by the Secret Service itself, which forwarded warnings on December 29. The FBI issued a DC-area intelligence bulletin on January 5, warning of “Potential for Violence in Washington, D.C. Area in Connection with Planned ‘StopTheSteal’ Protest on 6 January 2021.” The bulletin even included maps of the Capitol that had been posted to a pro-Trump website. And there was a lot more beyond.

January 6 Report: 11 Details You May Have Missed

The infamous, FSB-connected Turla group took over other hackers' servers, exploiting their USB drive malware for targeted espionage.

The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of _other_ hackers to piggyback on their infections and stealthily choose their spying targets.

Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.

That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. And it shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious breach of a network in Ukraine, a country that’s become a primary focus of all Kremlin intel services after Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

“By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla’s malware. But the company suspects that there were likely more. Hultquist warns there’s no reason to believe the stealthy targeted spying that piggybacked off Andromeda’s USB infections would be limited to just one target, or even to just Ukraine. “Turla has a global intelligence collection mandate,” he says.

Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, Britain’s GCHQ intelligence agency warned that Turla had silently commandeered Iranian hackers’ servers to conceal themselves and confuse detectives trying to identify them.

Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have traced its fingerprints all the way back to Moonlight Maze, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department’s cybersecurity after the group’s embarrassing USB-based breach.

Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.

Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections

Amid internet shutdowns in Iran, the encrypted messaging app is introducing proxy connections that can help people get online.

When repressive governments want to control their populations, citizens’ access to the internet is often one of the first things to go. Since 2016, 74 countries around the world have shut down the internet for tens of millions of people more than 900 times. In recent years, Iran shut down the internet to hide brutality against protesters. Russia rapidly increased its censorship after its full-scale invasion of Ukraine. And internet curfews in Myanmar left people in information blackouts. 

Internet shutdowns, at their worst, can involve connections being completely shut, while censorship measures can block access to specific websites or apps. Disrupting the internet is widely considered a tactic to undermine people’s human rights. There are multiple ways people can try to dodge censorship and internet shutdowns—although, there’s no one simple way to restore connectivity for millions of people at once.

Tools to help people get around censorship are increasing. Today, WhatsApp—Meta’s end-to-end encrypted messenger that’s used by more than 2 billion people a month—is expanding its anti-censorship measures.

In particular, the company is making it possible for people facing censorship to use WhatsApp through proxy connections, potentially allowing them to communicate when a country has blocked the app. “Choosing a proxy enables you to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely,” the company says in a blog post announcing the feature.

Proxies can help people avoid censorship by essentially disguising their traffic. If WhatsApp is blocked in a country, for example, officials doing the blocking are likely to stop devices communicating with WhatsApp’s infrastructure. When someone connects to a proxy server, their traffic is routed through this server before being passed to WhatsApp. The extra step dodges filters and blocks that may have been put in place.

Natalia Krapiva, tech legal counsel at internet rights nonprofit Access Now, says Meta’s tool is a step in the right direction. “WhatsApp can be viewed as a critical infrastructure in many countries, so when it goes offline, either because of targeted blockings or blanket internet shutdowns, people suffer as they are left unable to communicate and access life-saving information during critical events and crises,” Krapiva says. WhatsApp says its encryption, which ensures nobody can snoop on your messages, including Meta, isn’t impacted by using a proxy.

WhatsApp isn’t the first messaging platform to allow proxy connections, but the platform’s scale makes it significant. Encrypted chat app Signal also allows people to set up and run proxy servers. It launched the service for Android in February 2021 and then on iOS in September 2022, both in response to Iran’s blocking of Signal.

WhatsApp says it is also launching proxy connections now because of the ongoing internet disruption in Iran. The country has been shutting down the internet for several months, following nationwide protests over the death of 22-year-old Mahsa Amini, who died in police custody. Iran’s internet blackouts and blocking of services, including WhatsApp, have further crippled its economy and drawn international scorn. (Analysts forecast that internet shutdowns cost the world $24 billion in 2022.)

The company says it started putting the capability for proxies to be used in WhatsApp in the final few months of 2022 and is launching it now as most people are using a version of its app that can support proxies. In its blog post, the company says internet disruptions, like Iran’s, “deny people’s human rights and cut people off from receiving urgent help.”

To connect to a WhatsApp proxy, people need to have the proxy’s details. These can usually be found, when proxies are running, by searching social media. (Proxies aren’t effective during full internet shutdowns where there is no connectivity). Proxy details can be entered in WhatsApp’s iOS and Android apps through the Storage and Data menu, which is found in the app’s settings. WhatsApp says people wanting to set up proxy servers can use ports 80, 443, or 5222, and a domain or subdomain that points to the server’s IP address—it has published detailed documentation on its GitHub page. 

As the number of internet shutdowns and disruptions has increased in recent years, the available censorship circumvention tools have risen as well. Most commonly, anonymity service Tor and VPNs are used to get around government censorship, blocking, or filtering of apps and websites. However, new tools are also appearing: Samizdat Online allows Russians to access blocked news websites without any technical knowledge, and the CENO browser is built on peer-to-peer sharing technology, which the organization says reduces the reliance on international networks.

Ksenia Ermoshina, a user experience researcher for CENO and researcher with the Center for Internet and Society CNRS and Citizen Lab, says CENO has been widely used during Iran’s shutdowns, and WhatsApp’s introduction of proxies may also help people communicate where the app is blocked. Ermoshina says proxies helped to keep Telegram online in Russia in 2018 when the country unsuccessfully tried to block the messaging app.

There are some limitations to proxies though, Ermoshina says. “They can slow down your traffic considerably, in terms of calls, for example, or file sharing.” Connections via proxies can also be blocked if authorities discover their details. “VPNs and proxies are part of cat-and-mouse tools,” Ermoshina says. Their developers are always trying to evade censors. The more people that run proxy servers, the harder it is for governments to take them all down.

For people who are looking to avoid censorship, it is likely that a mix of anti-censorship tools will be useful. People should research the tools they are planning to use in the event of a future shutdown, if possible, and consider any risk that may be unique to them. “Different users will have different needs, threat models, and technical skills, so one tool will not fit all,” Access Now’s Krapiva says. “I do hope that Meta will ensure that they provide guidance to their users on what proxy servers can and cannot do, however, and how to use them securely, as the kinds of people who are likely going to be needing this feature the most will also tend to be the most at risk.”

WhatsApp Launches Proxy Tool to Fight Internet Censorship

When police infiltrated the EncroChat phone system in 2020, they hit an intelligence gold mine. But subsequent legal challenges have spread across Europe.

For a week in October 2020, Christian Lödden’s potential clients wanted to talk about only one thing. Every person whom the German criminal defense lawyer spoke to had been using the encrypted phone network EncroChat and was worried their devices had been hacked, potentially exposing crimes they may have committed. “I had 20 meetings like this,” Lödden says. “Then I realized—oh my gosh—the flood is coming.”

Months earlier, police across Europe, led by French and Dutch forces, revealed they had compromised the EncroChat network. Malware the police secretly planted into the encrypted system siphoned off more than 100 million messages, laying bare the inner workings of the criminal underground. People openly talked about drug deals, organized kidnappings, planned murders, and worse.

The hack, one of the largest ever conducted by police, was an intelligence gold mine—with hundreds arrested, homes raided, and thousands of kilograms of drugs seized. But it was just the beginning. Fast-forward two years, and thousands of EncroChat users across Europe—including in the UK, Germany, France, and the Netherlands—are in jail. 

However, a growing number of legal challenges are questioning the hacking operation. Lawyers claim investigations are flawed and that the hacked messages should not be used as evidence in court, saying rules around data-sharing were broken and the secrecy of the hacking means suspects haven’t had fair trials. Toward the end of 2022, a case in Germany was sent to Europe’s highest court. If successful, the challenge could potentially undermine the convictions of criminals around Europe. And experts say the fallout has implications for end-to-end encryption around the world.

“Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” Lödden says. “We’re not defending criminals or defending crimes. We are defending the rights of accused people.”

Hacking EncroChat

Around 60,000 people were signed up to the EncroChat phone network, which was founded in 2016, when it was busted by cops. Subscribers paid thousands of dollars to use a customized Android phone that could, according to EncroChat’s company website, “guarantee anonymity.” The phone’s security features included encrypted chats, notes, and phone calls, using a version of the Signal protocol, as well as the ability to “panic wipe” everything on the phone, and live customer support. Its camera, microphone, and GPS chip could all be removed.

Police who hacked the phone network didn’t appear to break its encryption but instead compromised the EncroChat servers in Roubaix, France, and ultimately pushed malware to devices. While little is known about how the hacking took place or the type of malware used, 32,477 of EncroChat’s 66,134 users were impacted in 122 countries, according to court documents. Documents obtained by Motherboard showed all data on the phones could potentially be hoovered up by the investigators. This data was shared between law enforcement agencies involved in the investigation. (EncroChat has claimed it was a legitimate company and shut itself down after the hack.)

Across Europe, legal challenges are building up. In many countries, courts have ruled that messages from EncroChat can be used as evidence. However, these decisions are now being disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with separate rules around the types of evidence that can be used and the processes prosecutors need to follow. For instance, the UK largely doesn’t allow “intercepted” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.

Source

Wired