Plus: Chinese hackers stealing US Covid relief funds, a cyberattack on the Met Opera website, and more.

We at WIRED have written plenty about the threat that cyberattacks pose to power grids worldwide. But lately, the most significant attacks on electrical systems have demonstrated that hacking is hardly necessary when physical destruction and sabotage are an option: Just as Russia’s invasion force in Ukraine has systematically destroyed electrical infrastructure to cause vast blackouts across the country, a mysterious and continuing series of physical attacks have hit power utilities in the American southeast—and in one case, have caused an extended outage for tens of thousands of people.

We’ll get to that. In the meantime, though, the cyber news we’ve reported on hasn’t exactly let up this week: Apple added end-to-end encryption for its iCloud backups, while also officially nixing its plan to hunt for child sexual abuse materials in iCloud and reopening a long-running rift with the FBI. Payroll and HR services provider Sequoia admitted to a data breach that included users’ Social Security numbers. A study of cybercrime forums revealed a trend of scammers scamming scammers. And we looked at how the Twitter Files will fuel conspiracy theorists, how technology is contributing to UK authorities creating a “hostile environment” for immigrants, and security and privacy concerns around the Lensa AI portrait app.

But there’s more. Each week, we highlight the security news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories.

When shootings at two electrical substations in North Carolina left 40,000 customers without power for days, the incident seemed like an isolated—if bizarre and troubling—case. But this week, the same utility, Duke Energy, reported gunfire at another facility, a hydroelectric power plant in South Carolina. And combined with two more incidents of hands-on sabotage of US power facilities that occurred in Oregon and Washington in October and November, the vulnerability of the US grid to old-fashioned physical harm has begun to seem like a serious threat.

No damage seems to have occurred in the South Carolina case, and in the earlier incidents in Washington, the utilities involved described the cases as “vandalism.” But the intruders in Oregon carried out a more deliberate attack, cutting through a perimeter fence and damaging equipment, according to the Oregon utility, causing a “brief” power outage in one case. And in yet another, separate collection of incidents, Duke Energy saw half a dozen “intrusions” at substations in Florida, according to documents seen by Newsnation. Federal law enforcement is investigating the cases.

The incidents are reminiscent of another strange, isolated attack on the California power grid in 2015, when a sniper fired on an electrical substation and triggered a blackout to parts of Silicon Valley along with $15 million in damage. These newer cases, while still relatively small in scale, show just how disturbingly vulnerable the American power grid remains to relatively simple forms of sabotage.

The state-sponsored Chinese hacker group APT41 has long carried out a rare mix of cyberespionage and cybercrime. The group, linked in a 2020 US indictment to a company called Chengdu 404 working as a contractor for China’s Ministry of State Security, has been accused of moonlighting as for-profit thieves and even deploying ransomware. Now, NBC News reports that the Secret Service believes APT41 went so far as to steal $20 million from US Covid relief funds—state-sponsored hackers stealing money from the US government itself. About half of the stolen funds were reportedly recovered. But a hacker group on the Chinese government payroll stealing from US federal coffers represents a far more brazen form red-line crossing than even APT41’s previous exploits.

The Met Opera announced earlier this week that it was hit with an ongoing cyberattack that took down its website and online ticketing system. Given that the Met Opera sells $200,000 in tickets a day, the losses from the disruption could do serious harm to one of New York’s major cultural institutions. As of Friday afternoon, the website remained offline, and its administrators had moved ticket sales to a new site. _The New York Times_, in its reporting on the attack, pointed out that the Met Opera had been critical of Russia’s war in Ukraine—going so far as to part ways with its Russian soprano singer—but there’s still no real explanation of the attack.

Cybersecurity firm ESET this week pinned responsibility for a campaign of data-destroying malware attacks targeting the diamond industry on a hacker group it calls Agrius, which has been previously linked to the Iranian government. The attackers hijacked the software updates of an Israeli-made diamond industry software suite to deploy the wiper malware, which ESET calls Fantasy, in March of this year. As a result, it hit targets not only in Israel but others as far-flung as a mining operation in South Africa and a jeweler in Hong Kong. Although Iranian cyberattacks on Israeli targets are certainly nothing new, ESET’s researchers’ writeup doesn’t speculate on the attack’s motivation.

Attackers Keep Targeting the US Electric Grid

Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited.

Apache had to scramble at the beginning of December 2021 to be ready to release patches for Log4Shell when it publicly disclosed the situation on December 9 of last year. As a result, researchers quickly found edge cases and workarounds to the patches, and Apache was forced to release multiple iterations, which added to the confusion. 

“This thing was everywhere, truly everywhere,” says Jonathan Leitschuh, an open source security researcher. “Attackers were jumping on it, the security community was jumping on it, payloads were flying everywhere.”

Researchers say, though, that Apache's overall response was solid. Nalley adds that Apache has made changes and improvements in reaction to the Log4Shell saga and hired dedicated staff to expand the security support it can offer to open-source projects to catch bugs before they ship in code and respond to incidents when necessary.

“In a short period of time, two weeks, we had fixes out, which is great,” Nalley says. “In some ways, this is not a new situation to us, and I would love to say we dealt with it perfectly. But the reality is, even at the Apache Software Foundation, this highlighted what a responsibility we have to everyone who consumes our software.” 

Going forward, the more concerning aspect of the situation is that, even a year later, roughly a quarter or more of the Log4j downloads from the Apache repository Maven Central and other repository servers are still full of vulnerable versions of Log4j. In other words, software developers are still actively maintaining systems running vulnerable versions of the utility or even building new software that is vulnerable.

"The reality is that the majority of the time when people are choosing a vulnerable open-source software component, there's already a fix available,” says Brian Fox, cofounder and chief technology officer of the software supply-chain firm Sonatype, which operates Maven Central and is also a third-party Apache repository provider. “I've been around for a long time, and I'm jaded, but that really is shocking. And the only explanation is that people really do not understand what’s inside their software.”

Fox says that after the initial scramble to address Log4Shell, version downloads in Maven Central and other repositories hit a shelf where roughly 60 percent of the downloads were of patched versions and 40 percent were still of vulnerable versions. Over the last three months or so, Fox and Apache's Nalley say they've seen the numbers fall for the first time to roughly a 75/25 percent split. As Fox puts it, though, “After a year, a quarter of the downloads is still pretty terrible."

“Some people feel Log4j was a big wake-up to the industry, a collective freak-out and awakening,” he says. “And it has helped us really expand upon the message about software supply-chain security, because no longer were people in denial. The thing we were all talking about was real now' we were all living it. But the peer pressure alone of Log4j should have forced everyone to upgrade, so if we can’t get this one to 100 percent, what about all the other ones?”

For security researchers, the question of how to address the long tail of a vulnerability is always present. And the issue applies not just to open-source software, but proprietary systems as well. Just think about how many years it took to move the last 10 percent of Windows users off of XP.

“With these worst-case scenarios—black swan events in open source—you just know they're going to keep happening, because the community has gotten a lot better at reacting, but the pace of open-source development is even faster,” ChainGuard's Lorenc says. “So we have to find the balance of prevention and mitigation, and keep coming up with efforts to reduce the frequency as much as possible. It's like _The Simpsons_ meme when Bart says, ‘This is the worst day of my life.’ And Homer says no, ‘The worst day of your life _so far_.’”

Log4j’s Log4Shell Vulnerability: One Year Later, It’s Still Lurking

Are you thinking about uploading some selfies and buying a pack of ‘Magic Avatars’? Consider these expert tips first.

Has the stale selfie that’s served as your profile picture gone a little _too_ long without a refresh? You’ve likely seen friends using the Lensa AI app to create colorful, custom cartoon images of themselves as ethereal fairies or stern astronauts. Prisma Labs, the company behind Lensa, went viral back in 2016 with a similar (albeit less powerful) app that turned smartphone pics into paintings.

The release of Lensa’s “magic avatars” feature is a global hit for the company. Recent advancements in generative artificial intelligence allow the app to produce more impressive and varied results than its predecessor. According to preliminary estimates provided by Sensor Tower, over 4 million people worldwide downloaded the app during the first five days of December. In that same time period, users spent over $8 million in the app.

AI-generated profile pictures have always raised questions about digital privacy, however. If you’re curious whether it’s a good idea to use Lensa, here’s what you should consider before spending money and uploading your selfies.

Always Read the Privacy Policy

Before diving in, take a minute to browse through the privacy policy and the terms of use to get a better understanding of what the app does with your data. “We always have to be aware when our biometric data is being used for any purpose. This is sensitive data. We should be extra cautious with how that data is being used,” says David Leslie, a director of ethics and responsible innovation research at The Alan Turing Institute and professor at the Queen Mary University of London.

Andrey Usoltsev, the CEO and cofounder of Prisma Labs, claimed the company is working to update the privacy policy in an email to WIRED. “Lensa uses a copy of the Stable Diffusion model and teaches it to recognize the face on the uploaded images in each particular case. This means there is a separate model for each individual user,” writes Usoltsev. “The user’s photos are deleted from our servers as soon as the avatars are generated. The servers are located in the US.”

Although it’s impossible to know exactly how a company is using and storing your data without an independent assessment, this statement is a move in the right direction. With that in mind, however, uploads are only a small part of the larger equation.

The Security Implications Beyond Your Uploaded Pics

While biometrics might be your initial concern, it’s also crucial to understand just how much additional data is automatically collected from your smartphone. Lensa may use third-party analytics, log file information, device identifiers, and registered user information to gather data on you. Go to section 3 of the privacy policy to check it out in detail. 

Any user can opt out of that data collection by contacting the company at privacy@lensa-ai.com. If you use an iOS device, you have the option to opt out by going into your privacy settings. To be fair, it’s not just Lensa: Every app on your phone is probably collecting more data than you realize. Even if you decide to trust Lensa with your personal data, it’s quite possible for the data to change hands if the company is acquired in the future. “That especially happens when it goes into bigger companies that are much more adept at bullshitting around how they talk about it,” says Ben Winters, a lead on the AI and human rights projects at the Electronic Privacy Information Center.

Don’t Import Pictures of Children or Nudity

It goes against the terms of use to insert images of children or nudity to generate images on Lensa. But even if you don’t input nudes, women may receive hypersexual results; “the app not only generates nudes but also ascribes cartoonishly sexualized features, like sultry poses and gigantic breasts, to their images. I, for example, received several fully nude results despite uploading only headshots,” writes WIRED contributor Olivia Snow. The app generated disturbing imagery when Snow uploaded her childhood photos, changing what would have been stylized mementos into dehumanizing imagery. “Since the feature is not designed for minors, we advise against using any images of children,” writes Usoltsev.

Lensa can also produce sexual images of adults without their consent. “It’s a potential instance where insufficient forethought has been put into protecting the dignity of individuals,” says Leslie. “When technologies can harm, we’re on the hook to do all that we can to anticipate those impacts.”

Be Prepared for Odd or Offensive Results

It’s not just funky fingers and second heads, you may also receive results that are racist or sexist when you interact with generative AI. “The internet is filled with a lot of images that will push AI image generators toward topics that might not be the most comfortable, whether it’s sexually explicit images or images that might shift people’s AI portraits toward racial caricatures,” says Grant Fergusson, an Equal Justice Works fellow at EPIC. 

Consider the Larger Impact for Real Artists

Some artists are embracing the potential for generative AI to produce fascinating results. Others are much more hesitant about the technology’s potential repercussions. “The commercialization of these image generators will have an impact on the ability for artists to keep sort of sustaining themselves in the long term,” says Leslie. 

Although it’s a more expensive route, those who are able to should consider commissioning smaller artists to create digital pieces for their new profile picture, phone wallpaper, or portrait. Instagram and Twitter are full of artists who work in a variety of styles that you could never get from generative AI, and many of them are eager for commissions. For a nominal fee, you can get something truly unique and personal. You could even ask around at your community art center and support a local artist.

Try Deleting the App Afterward

Let’s say you’ve considered everything above and still decided to spend a couple of bucks to get a pack of “magic avatars.” After you’ve saved the colorful creations, check out the photo- and video-editing capabilities on Lensa. Is this something you want to use often or is it just another app that’ll collect digital dust on your smartphone? “Control the settings, delete after use, and exercise any and all rights that they offer you,” recommends Winters to anyone worried about data collection.

Lensa AI and ‘Magic Avatars’: What to Know Before Using the App

The company, which works with hundreds of startups, said it detected unauthorized access to personal data, including Social Security numbers.

The human resources, payroll, and benefits management company Sequoia said in disclosures to customers at the beginning of the month that it detected unauthorized access to a cloud storage repository that contained an array of sensitive and personal data related to the company's Sequoia One customers. 

Sequoia notified both its corporate customers and the individual people whose data may have been impacted by the breach, which the company says occurred between September 22 and October 6. The company is offering victims three years of free Experian identity protection services. Sequoia's breached cloud system stored an array of sensitive personal data, including names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system.

“An unauthorized party may have accessed a cloud storage system that contained personal information,” the company wrote in the customer and individual disclosures. WIRED reviewed examples of both notifications. “As soon as the Company became aware of the situation, a response plan was initiated and a number of immediate actions were completed, including working with outside counsel to initiate a forensic review by Dell Secureworks … The forensic review found no evidence that the unauthorized party misused or distributed data.”

Sequoia One is a “professional employer organization,” or PEO, that provides outsourced HR and payroll services. The company is popular with startups because it streamlines the process of managing and adjudicating core programs like compensation, benefits, and equity. Sequoia One is popular with US startups and says it currently works with more than 500 venture-backed companies. 

When WIRED asked Sequoia how many people had their data exposed and are being offered free identity protection services, Kristin Schaeffer, vice president of public relations at the communications firm AMF Media Group, declined to comment on behalf of the company. “At this time our focus and communication is only with our clients,” she said.

The disclosures say that Dell Secureworks did not find malware on Sequoia's systems, did not see evidence of a data extortion attempt, did not find any compromised computers or servers in Sequoia's infrastructure, and did not see evidence of ongoing unauthorized access to the company's systems. Sequoia emphasizes that it has not detected any use or distribution of the data so far. 

“Unauthorized access of information in a cloud storage system occurred between September 22 and October 6, 2022,” the company wrote. “The access was ‘read only,’ and there is no evidence that the unauthorized party changed any client data.”

Still, it is common for hackers or even their automated systems to find and scrape unsecured cloud storage systems, and stolen data can take time to surface.

“Sequoia One is very popular with startups; the last two I've worked for used them,” says open source security researcher Jonathan Leitschuh, who was notified this week that his data was compromised in the breach. “I honestly was not surprised when I got the notification in the mail, not because of Sequoia specifically, I’ve just been in the security space long enough to know that it’s just a matter of time."

Leitschuh notes that after three years, the free identity theft monitoring will end, but his Social Security number and many other personal details will remain the same. 

“With third-parties like Sequoia that others contract with, the end user can't really opt out or change anything about the relationship if they want the job,” he says. "But you don't know how these companies are defending this data long-term.”

Popular HR and Payroll Company Sequoia Discloses a Data Breach

From QAnon influencers to @catturd, the very online right sees exactly what they want to see in the CEO’s orchestrated disclosure.

Liz Crokin, a popular QAnon influencer who boasts more than 100,000 followers on Telegram and hundreds of paid subscribers on Substack, wrote on Telegram that the emails implicate Dorsey in the same Satanic cabal as Hillary Clinton adviser John Podesta. “Pizza is a pedophile code word that’s been identified by law enforcement,” Crokin wrote. (She, too, is still suspended from Twitter.)

On Tuesday, Crokin spoke at Mar-a-Lago, where she discussed “Pizzagate, Balenciaga, and what President Trump’s Administration did to combat human trafficking,” according to her Telegram channel. Crokin also uploaded a speech from Trump to the small gathering, where he heaped praise on his briefly tenured national security adviser, Michael Flynn—who has become one of the most high-profile QAnon influencers in recent years.

The enormously popular @catturd account, with its more than 1 million followers on Twitter and more than 800,000 on Truth Social, called to “disband the FBI” and “arrest \[FBI Director\] Christopher Wray” following the release of the documents. “After what Elon Musk revealed about #TwitterGate—I never want to hear the phrase ‘free and fair elections’ coming from the FBI, big tech fact checkers, the media, or the Democrat party, ever again,” the anonymous person behind the account wrote.

Yet, as Tabbi himself explains, the files prove no such thing. “Although several sources recalled hearing about a ‘general’ warning from federal law enforcement that summer about possible foreign hacks, there’s no evidence—that I've seen—of any government involvement in the laptop story,” Taibbi wrote.

In fact, Taibbi reports, the decision was made at high levels of Twitter, but below then CEO Dorsey. “They freelanced it,” a source who spoke to the journalist said.

The actual contents of the Twitter Files wouldn’t get in the way of a good story, however. Eagle-eyed supporters of Trump picked up on one particular name in the Twitter Files: James Baker.

In the leaked internal emails, Baker, Twitter’s deputy general counsel, urged a careful approach. “We need more facts to assess whether the materials were hacked,” he wrote. As one of the company’s most senior lawyers, he noted that some evidence pointed to the contents of the laptop having been hacked, while other indicators pointed to it being legitimately abandoned by Biden. In the absence of good information, he recommended that Twitter assume the worst and proceed with “caution.”

Baker had been general counsel at the FBI from 2014 to 2017, as the bureau had been investigating Russian efforts to influence the 2016 election. Baker was also implicated in a particularly thorny saga—he interviewed a source whom John Durham, a special counsel appointed by Trump, would accuse of lying and concealing his ties to the Hilary Clinton campaign. Baker denied that he knew of those ties, and he furnished documents to prove it. His source was acquitted earlier this year.

Baker, after leaving the FBI, had become Twitter’s deputy general counsel. The mere presence of Baker’s name set off alarm bells for right-wing onlookers.

“The same James Baker neck deep in Russiagate?” Lori Mills, a failed Republican state assembly candidate, wrote on Twitter. “Anyone ever notice it’s always the same people?” A QAnon Telegram account mused: “So the General Counsel at the FBI during the Russia Hoax was also the General Counsel at Twitter during the Hunter Biden laptop scandal, where he helped cover it up. See a pattern?”

Elon Musk’s Twitter Files Are a Feast for Conspiracy Theorists

The company plans to expand its Communication Safety features, which aim to disrupt the sharing of child sexual abuse material at the source.

In August 2021, Apple announced a plan to scan photos that users stored in iCloud for child sexual abuse material (CSAM). The tool was meant to be privacy-preserving and allow the company to flag potentially problematic and abusive content without revealing anything else. But the initiative was controversial, and it soon drew widespread criticism from privacy and security researchers and digital rights groups who were concerned that the surveillance capability itself could be abused to undermine the privacy and security of iCloud users around the world. At the beginning of September 2021, Apple said it would pause the rollout of the feature to “collect input and make improvements before releasing these critically important child safety features.” In other words, a launch was still coming. Now the company says that in response to the feedback and guidance it received, the CSAM-detection tool for iCloud photos is dead.

Instead, Apple told WIRED this week, it is focusing its anti-CSAM efforts and investments on its “Communication Safety” features, which the company initially announced in August 2021 and launched last December. Parents and caregivers can opt into the protections through family iCloud accounts. The features work in Siri, Apple’s Spotlight search, and Safari Search to warn if someone is looking at or searching for child sexual abuse materials and provide resources on the spot to report the content and seek help. Additionally, the core of the protection is Communication Safety for Messages, which caregivers can set up to provide a warning and resources to children if they receive or attempt to send photos that contain nudity. The goal is to stop child exploitation before it happens or becomes entrenched and reduce the creation of new CSAM.

“After extensive consultation with experts to gather feedback on child protection initiatives we proposed last year, we are deepening our investment in the Communication Safety feature that we first made available in December 2021,” the company told WIRED in a statement. “We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos. Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all.”

Apple’s CSAM update comes alongside its announcement today that the company is vastly expanding its end-to-end encryption offerings for iCloud, including adding the protection for backups and photos stored on the cloud service. Child safety experts and technologists working to combat CSAM have often opposed broader deployment of end-to-end encryption because it renders user data inaccessible to tech companies, making it more difficult for them to scan and flag CSAM. Law enforcement agencies around the world have similarly cited the dire problem of child sexual abuse in opposing the use and expansion of end-to-end encryption, though many of these agencies have historically been hostile toward end-to-end encryption in general because it can make some investigations more challenging. Research has consistently shown, though, that end-to-end encryption is a vital safety tool for protecting human rights and that the downsides of its implementation do not outweigh the benefits.

Communication Safety for Messages is opt-in and analyzes image attachments users send and receive on their devices to determine whether a photo contains nudity. The feature is designed so Apple never gets access to the messages, the end-to-end encryption that Messages offers is never broken, and Apple doesn’t even learn that a device has detected nudity.

The company told WIRED that while it is not ready to announce a specific timeline for expanding its Communication Safety features, the company is working on adding the ability to detect nudity in videos sent through Messages when the protection is enabled. The company also plans to expand the offering beyond Messages to its other communication applications. Ultimately, the goal is to make it possible for third-party developers to incorporate the Communication Safety tools into their own applications. The more the features can proliferate, Apple says, the more likely it is that children will get the information and support they need before they are exploited. 

“Potential child exploitation can be interrupted before it happens by providing opt-in tools for parents to help protect their children from unsafe communications,” the company said in its statement. “Apple is dedicated to developing innovative privacy-preserving solutions to combat Child Sexual Abuse Material and protect children, while addressing the unique privacy needs of personal communications and data storage.”

Similar to other companies that have grappled publicly with how to address CSAM—including Meta—Apple told WIRED that it also plans to continue working with child safety experts to make it as easy as possible for its users to report exploitative content and situations to advocacy organizations and law enforcement.

"Technology that detects CSAM before it is sent from a child’s device can prevent that child from being a victim of sextortion or other sexual abuse, and can help identify children who are currently being exploited,” says Erin Earp, interim vice president of public policy at the anti-sexual violence organization RAINN. “Additionally, because the minor is typically sending newly or recently created images, it is unlikely that such images would be detected by other technology, such as Photo DNA. While the vast majority of online CSAM is created by someone in the victim’s circle of trust, which may not be captured by the type of scanning mentioned, combatting the online sexual abuse and exploitation of children requires technology companies to innovate and create new tools. Scanning for CSAM before the material is sent by a child’s device is one of these such tools and can help limit the scope of the problem.” 

Countering CSAM is a complicated and nuanced endeavor with extremely high stakes for kids around the world, and it’s still unknown how much traction Apple’s bet on proactive intervention will get. But tech giants are walking a fine line as they work to balance CSAM detection and user privacy.

_Updated 5:20pm ET, Wednesday, December 7, 2022 to include commentary from RAINN._

Apple Kills Its Plan to Scan Your Photos for CSAM. Here’s What’s Next

The company will also soon support the use of physical authentication keys with Apple ID, and is adding contact verification for iMessage in 2023.

Apple announced today that it is launching expanded end-to-end encryption protections in its iCloud service. The company already offers the vital security feature for some data in its cloud platform—including passwords, credit card and other payment data, and health data—but it will offer an option to extend the protection to other sensitive information including photos, notes, and, crucially, iCloud backups. The feature, known as Advanced Data Protection for iCloud, debuts today for users enrolled in Apple’s Beta Software Program. It will be available to all United States users by the end of the year and will start rolling out globally in early 2023.

The move comes as part of a broader slate of security-related announcements from the company. Beginning early next year, Apple will support the use of hardware keys for Apple ID two-factor authentication. And later in the year, the company will also roll out a feature called iMessage Contact Key Verification that will allow users to confirm they are communicating with the person they intend and warn them if an entity has compromised the iMessage infrastructure.

Apple said today that the new releases come “as threats to user data become increasingly sophisticated and complex.” There were 1.8 billion Apple devices in active use around the world as of a January earnings call. An Apple representative told WIRED that threats to data stored in the cloud are visibly on the rise across the industry, and that in general, it is clear that data stored in the cloud is at greater risk of compromise than data stored locally. A study commissioned by Apple found that 1.1 billion records were exposed in data breaches around the world in 2021. Earlier this year, Apple announced a feature for iOS and macOS known as Lockdown Mode, which provides more intensive security protections for users facing aggressive, targeted digital attacks. The step was a departure for Apple, which had formerly taken the approach that its security protections should be strong enough to defend all users without special add-ons. 

End-to-End Encrypted iCloud Backups—With Exceptions

When it comes to end-to-end encryption, Apple was early to deploy the protection with the launch of iMessage in 2011. Meanwhile, tech giants like Meta and Google are still working to retrofit some of their popular messaging platforms to support the feature. End-to-end encryption locks down your data so only you and any other owners (like other participants in a group chat) can access it regardless of where it is stored. The protection isn’t in use everywhere across the Apple ecosystem, though, and a particularly glaring omission has been iCloud backups. Since these backups weren’t end-to-end encrypted, Apple could access the data—essentially a complete copy of everything on your device—and share it with other entities, like law enforcement. 

Apple added specific workarounds, like one known as Messages in iCloud, to protect end-to-end encrypted data, but it was easy for users to make mistakes or misunderstand the options and end up exposing data they didn’t intend in iCloud backups. Users who wanted to avoid these potential pitfalls have relied on Apple’s local backup options for years. The company told WIRED that it plans to continue to support local backups for iOS and macOS and believes firmly in the concept, but it hopes that expanded end-to-end encryption in iCloud will reassure users who have been waiting to make the move.

Expanded end-to-end encryption would protect a user’s data even if Apple itself were breached. An Apple representative told WIRED that the company is not aware of any situations in which a user’s iCloud data has ever been stolen because of a breach of iCloud’s servers. He added, though, that Apple’s infrastructure is constantly under attack, as is the case for all major cloud companies.

Advanced Data Protection for iCloud is an optional feature that users can elect to enable. When you turn it on, the feature will guide you through a process to set up a recovery contact or recovery key so you can access your iCloud data if you lose the devices the keys are stored on. The change could make using iCloud slightly less seamless in certain scenarios, but it is similar conceptually to the familiar process of backing up your device on an external hard drive. If you lose or break the hard drive or forget the password you protected it with, you can’t access the backups that are on it.

Apple notes that three important categories of data—contacts, emails, and calendar data—will still not be end-to-end encrypted, even with Advanced Data Protection for iCloud turned on. The company says that all three are difficult to lock down because they involve legacy protocols and must be in a format that allows them to interoperate with a host of third-party applications. In short, Apple doesn’t want to break your ability to use your favorite email client or calendar app. The three categories represent a body of extremely sensitive user data, though. When asked whether they will ever be end-to-end encrypted in iCloud, an Apple representative said there were no other announcements at this time, but that the company is always working to move forward.

Physical Keys Give Apple ID a Security Boost

Apple will soon support the use of physical authentication keys with Apple ID, providing a more secure two-factor authentication.

Photograph: Apple

The new Apple ID support for physical authentication keys is another feature long-sought by users. Apple now requires two-factor authentication for all new Apple IDs and says that 95 percent of its users have the login protection enabled. Hardware tokens are particularly protective, though, because users can’t be tricked into providing them to attackers, unlike two-factor authentication codes that can be accidentally shared or otherwise compromised. Apple is a member of the FIDO Alliance, which develops authentication standards, and the company says it will support any hardware keys that are certified by FIDO. 

An Apple representative told WIRED that the company has been working to implement hardware keys for some time, but that it was concerned about implementation and ease of use until the recent generation of FIDO standards. The representative also said that the company was motivated by evolving and escalating threats as well as a recent uptick in the availability of the keys. The popular hardware token maker YubiKey, for example, didn’t have Apple's approval to make hardware keys with Lightning adapters for iOS devices until 2019.

iMessage Takes a Page From Signal

The new iMessage Contact Key Verification feature will enable users to confirm they’re texting with the person they think they are.

Photograph: Apple

The new iMessage Contact Key Verification feature, which will also be an optional protection that users can choose to enable, offers a mechanism for users to check that the person they are communicating with is the intended recipient. Similar to a feature offered by the secure messaging app Signal, iMessage Contact Key Verification provides users with a Contact Verification Code that they can compare with their digital companion through another channel—either in person or through another communication platform they trust. In other words, if you want to make sure you’re really messaging with your cousin, you can call her and ask her to produce the contact verification code for your chat. If the codes match, you’re good. If they don’t match, it could mean you’re messaging with someone who is impersonating your cousin. 

The feature also includes a mechanism to automatically alert users if the iMessage infrastructure is ever compromised to target individual communications by a third party outside of Apple. Such an attack, in which a hacker could silently join end-to-end encrypted chats as an invisible lurker, would be very sophisticated and costly to pull off, but would be immensely valuable to a malign actor. The new warning feature could make such a compromise somewhat less attractive, though, since it will reduce the chance that attackers would be able to lurk and eavesdrop unnoticed.

Taken together, the features represent critical steps forward in Apple’s user security docket, but as with any punch list, many of the items were overdue for completion.

Apple Expands End-to-End Encryption to iCloud Backups

On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.

The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.

In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says. 

In some scams, multiple accounts or people appeared to work together, the research says. A user with a good reputation can introduce one person to another. This accomplice then directs the victim to a scam website. In one instance, Wixey says, a user wanted to buy a fake copy of the NFT-focused game _Axie Infinity_. “They wanted a fake copy of it with the intent of basically siphoning off legitimate user’s funds,” Wixey says. “They bought this fake copy from someone else, and the fake copy contained a backdoor which then stole the stolen cryptocurrency.” The scammer was essentially being scammed through their own scam.

While it shouldn’t be a surprise that criminals often try to con each other—there’s no honor among cybercriminals, after all—the research shows how prevalent it is. In 2017, security firm Digital Shadows pointed out a database that had been created to name and shame known rippers. Similarly, in 2021, the firm found that some administrators on cybercrime forums are scamming their own customers. In the past decade, there have been thousands of complaints about criminals scamming each other, according to threat intelligence firm Analyst1. Meanwhile, a previous analysis from TrendMicro concluded that while forums and marketplaces have rules, they don’t deter scammers. “The perpetrators are typically those who go for quick profits over reputation,” the firm’s 2019 research says.

Arguably, the most organized scam that Sophos’ Wixey spotted stemmed from an investigation into the Genesis marketplace, which has been online since 2017 and sells hotel login details, cookies, and access to data from compromised systems. When researching Genesis, Sophos discovered a faked version of the website appearing high in Google’s search results. “This is a really bizarre case,” Wixey says. “It was a really basic WordPress template and it asked for money, whereas the real Genesis is invitation only.”

As well as not looking like the official Genesis market, the faked version showed other weird behaviors: It linked out to another cybercrime website, the Bitcoin address people could make payments to changed when someone clicked the copy and paste button on the website, and it was also being advertised on Reddit. These signs, Wixey says, hinted the fake could be a “coordinated” effort. Armed with details from the fake Genesis website—including portions of the text and cryptocurrency addresses—the researchers discovered 20 websites that all appear to be connected and run by the same group or individual. The websites all look the same and were registered between August 2021 and June 2022—eight of them are still live. 

Almost all of these websites, Wixey says, imitate defunct criminal marketplaces and try to get people to pay to access them. The scam appears to work, too. The researcher says the Bitcoin addresses the scam sites pay into have collectively received $132,000, although he is cautious to say the money may all have come from the false websites. Sophos appeared to find one threat user who may be behind the sites—an actor going by the handle “waltcranston.” Among several pieces of information linking the handle to the sites, someone with the username claimed to have created the fake marketplaces on another forum.

Despite not being able to fully confirm that waltcranston is behind the network of fake sites, Wixey says that criminals complaining about being scammed and trying to resolve their disputes through arbitration can be a potential rich source of intelligence for investigators. 

Because those complaining about scams need to post evidence to back up their claims, they often share screenshots containing more personal information than they may have intended. Sophos says it saw a “treasure trove” of data, including cryptocurrency addresses, transaction IDs, email addresses, victims’ names, some malware source code, and other information. All these details may help to uncover more information about the people behind the usernames or provide clues about how they operate.

In one scamming complaint, a user shared a screenshot that showed someone’s Telegram usernames, email addresses, Jabber chat names, plus Skype and Discord usernames. In others, IP addresses and countries where users may be situated are displayed. Screenshots reveal the software people use, as well as the websites they visit and details about their computer setup. In some instances, Wixey saw details of victims that the cybercriminals had targeted.

Criminals, by the nature of what they’re doing, are usually very cautious about sharing anything that may identify them. Real names are not used; they often will use anonymization services such as Tor. “They typically employ pretty good operational security, but with scam reports, that’s not so much the case,” Wixey says. “So much of this stuff is just not available anywhere else on these marketplaces.” Going forward, the data could prove a useful tool for tracking down some of the criminals. “It’s certainly a starting point,” Wixey says.

Scammers Are Scamming Other Scammers Out of Millions of Dollars

The UK's use of technology to enforce its hard-line immigration policy brings the border into every facet of migrants' lives.

In 2019, Anna moved from Poland to the UK with her partner and three children. Soon after they settled into their home and new life, he became violent. Anna attempted to leave, taking their children with her. But when she contacted her local council’s social services, they asked her about her immigration status. There was a problem.

Anna—a pseudonym, for privacy and safety reasons—had a valid visa under the EU Settlement Scheme (EUSS), which required European citizens to register with the British immigration authorities after Britain voted to leave the EU in 2017. But when she tried to prove it, she couldn’t. She had never received a text message or a physical letter saying that she had settled status. Anna went back into the household with her children and her abuser, with nowhere else to go.

When Anna got in touch with the immigration authorities, they put her through to a technical team that, she says, rarely called her back and seemed to constantly be too busy, with long waiting times. Once she got through to the helpline, they confirmed that she had made a valid application (and that her children had settled status, so they had the right to remain in the UK). But they couldn’t give her access to her account. Without it, she couldn’t generate a sharecode—digital proof of her immigration status that would allow her to access social services, get a job, or rent an apartment.

After another serious incident, the police finally gave her abuser an injunction. Anna left the house, but she lost a job offer because she couldn’t prove her immigration status. She couldn’t apply for benefits because she didn’t have proof that she was also actively working. In March 2022, she received confirmation through a charity that was helping her that she had presettled status. But she still hasn’t been contacted by the UK’s Home Office directly—and still has no access to her sharecode.

Anna’s story is shocking. But as the UK’s immigration and policing agency, the Home Office, emphasizes a “digital-by-default” approach to border management, these stories are becoming increasingly common. Earlier this year, the Home Office released its “New Plan for Immigration,” which laid out the increasing digitization of the UK’s immigration system. “We will have a seamless, fully digital, end-to end journey for customers interacting with the immigration system by 2025,” the Home Office said in its plan. 

Currently, migrants and people applying for new visas in the UK are encouraged to use an app to submit their biometrics, including scans of their face; to fill out forms online; and to prove their immigration status with sharecodes. Technology is playing a larger role in immigration systems around the world, affecting the ways borders can be enforced in a physical space and borders and immigration status are maintained once people enter a country. For migrants, this increasing digitization of the immigration system makes it possible for the border to be anywhere and everywhere, spreading into all corners of their lives. 

A Hostile Environment

Public interest in migration is significant in the UK, with more than 50 percent of Britons polled saying it was one of the most important issues facing the union. The Home Office has made multiple justifications for its move to digital status: that it will be better for older people who won’t have to keep track of a piece of paper, that it could enhance security for vulnerable people who might otherwise have their documents taken away by nefarious actors (for example, traffickers or exploitative employers), and that there will be sufficient time for people to fully transition to digital status. But campaigners, organizations, and lawyers working with migrant communities around the UK say these digital systems are already rife with problems, many of which will only get worse.

“Do we have an immigration system that treats people as full humans, that is responsive to people’s circumstances and is based on common sense?” asks Mary Atkinson of the Joint Council for the Welfare of Immigrants, a UK-based nonprofit. “A digital system might work to make the system that it’s implementing quicker, but there will always be problems, glitches that cause anguish and real pain.” 

In 2012, then-home secretary Theresa May announced that the UK’s immigration policy would be geared toward making the UK a “hostile environment” for immigrants. If you didn’t have regularized immigration status (such as a visa or a settlement route), the UK would become such a difficult place to live that you would leave of your own volition. As part of this plan, more and more people were tasked with checking immigration status—from landlords to bank clerks, teachers, university lecturers, and doctors—to ensure that people could access services.

These types of checks have played a role in a host of problems, including the Windrush scandal.  Academics and activists have noted that it has become relatively easy for people to slip through the cracks of legal status, making them vulnerable to removal or detention. Since May, there have been five home secretaries, all of whom have repeatedly emphasized their desire to reduce immigration to the UK (even when these plans draw condemnation from the UN and other international bodies). The most recent, Suella Braverman (who was in the post for 40 days, fired for a security breach, and then reinstated a week later), courted controversy for saying that it was her dream to see refugees to the UK deported to Rwanda. Those in the sector say Braverman is just as hard-line as her predecessor, Priti Patel—if not more so. 

What this means in practice is that people’s information and proof of immigration status are kept on databases owned and operated by the Home Office. The first example of this was the EUSS, but other visa routes are going the same way—such as the Graduate Route visa, which was introduced last year and which people apply for with an app, and the Ukraine Family Scheme, which was introduced earlier in 2022 for people fleeing the conflict in Ukraine. If you’re approved to remain under these conditions, when you apply for a job or try to open a bank account, you will be asked to generate a sharecode that your employer or a bank employee or a police officer can input into their end of the Home Office database to verify your status. 

“We’re at the beginning of a widespread conversation about data collection, and we see that the Home Office has no accountability,” says Andreea Dimitrsou, who works at the 3million, a campaign group in the UK that advocates for the rights of EU citizens living in the UK.

People working in the sector, particularly with migrant communities, have countless stories of the way that digital-by-default systems are affecting their clients. “We have real concerns about the digital hostile environment,” says Julia Tinsley-Kent of Migrants Rights Network, an NGO. “If people are buying data packages to prove their visa status—that’s a worry, especially with the cost of living. There are risks of harm that haven’t been properly investigated—security issues, people being able to see other people’s statuses erroneously, system failures.”

In 2019, the Home Office announced the Status Checking Project, a centralized database that made it possible for migrants to prove their status. Immigrant rights campaigners and members of parliament at the time called it “seriously concerning,” both because of the scale of data collected and the seeming lack of safeguards in place. As a result of the nature of the UK’s immigration system, where people who aren’t border guards are tasked with checking immigration status, the digitization of these services has wide-reaching impacts.

“It’s a good idea for the government to be thinking about this, and the government should be taking initiative around digitization,” says Joe Tomlinson, a lecturer at the University of York who has carried out extensive research into automation in the UK’s immigration system. “My concern is that they’re not doing it very well.” Tomlinson and fellow researcher Jed Meers recently released a paper after surveying 200 landlords about their willingness to use a digital immigration checking service when renting to prospective tenants. They found that an applicant whose name didn’t sound “British” but who had a British passport had an 87 percent chance of being accepted as a tenant. However, if this prospective tenant only had digital proof of immigration status, they had a 13 percent chance of being accepted as a tenant—with the digital status taking precedence over factors like employment, age, and gender.

The EUSS has increasingly become a testing ground for some of these issues. “You bake problems into the way that systems are built,” says Tomlinson. “You can have something that looks like it’s producing outcomes, but the procedural systemic flaws happen, and you get situations like what’s happening with the EUSS.” As of June 2022, more than 5.83 million people had applied to the EUSS, with 5.4 million of those granted status. (The Home Office told WIRED in a statement that the total number of people granted status is now 5.9 million.)  But since the program opened in June 2020, the number of people waiting more than 18 months for a decision has grown too, and data breaches are reported frequently.

Vivian, a researcher at a higher education institution who asked not to be identified for privacy reasons, says that knowing she would only have digital proof of her immigration status under the EUSS made her worried. “When my partner and I were renewing our mortgage, the bank really scrutinized our digital immigration status. They realized that my name had been recorded properly, with my first name and then my last name, and then my partner’s was recorded with his last name first. So they blocked our mortgage application,” she says “We faced a wall in trying to solve this problem, and we kept getting through to people on the Home Office helpline who said, ‘Look, we’ve taken notice of this but we can’t do anything.’”

Their frustration grew, and instability in the British economy caused Vivian and her partner even more stress. Eventually, they were able to solve the issue by writing a letter to the bank and emphasizing that they were both in full-time employment by large institutions. But Vivian says that she knows they got lucky. ”Essentially, someone at the bank decided to let it go. But what if our status had been harder to read? Or if we were self-employed?”

In a statement, the Home Office defended EUSS as an “overwhelming success” and said it has measures in place when its technology fails to function.

 “Our digital services are rigorously tested and designed to be highly resilient and, as with any major digital program, we have contingency measures in place should issues occur,” the Home Office said. “If individuals experience technical issues, they are still able to evidence their rights by gaining support from our resolution center, available seven days a week.”

Even within migrant communities, there are differences in access. The 3million submits reports to the Independent Monitoring Authority, which monitors the post-Brexit rights of EU and EEA citizens, who theoretically are able to use this information in stakeholder consultations. For non-EU migrants, there are precious few other avenues or bodies that can advocate for them, except for individual charities and NGOs, many of which are already overstretched.

Right-to-work checks for migrants have been in place since 1996—on the Home Office website, it still says that you can check people’s original documents if they don’t have a sharecode. People with pending visas can work on the basis of their previous work conditions, but few employers seem to understand this, and many worry they’ll be penalized. Elisa, who is Polish and has settled status, has been waiting to take up employment for a month because she can’t access her sharecode. Her job is with the National Health Service, and while her employer is understanding, she’s worried about how much longer this will go on. 

“The digital systems are a total failure,” says Ake Achi, who cofounded Migrants at Work, an organization challenging right-to-work checks in the UK. “People are falling into these gaps because there’s nothing to protect us.”

Paper Thin

In 2019, the Home Office set up its Digital, Data & Technology team—its 2024 strategy emphasized that the digitization of the immigration system was already significantly underway—for example, the “Person Centric Data Platform” provides “a single view of individuals to around 700 services, and this single view is crucial to the protection of our borders.” In 2021, it was revealed the Home Office was “hoarding data” on 650 million people, with very few safeguards. Even more recently, the Home Office was told to stop using an automated decision-making algorithm for short-term visas after a legal challenge, which seemed to indirectly discriminate against people from certain nationalities—such as Pakistan or Nigeria—by labeling these countries as “riskier.” 

For people whose immigration status is not as cut and dry—for example, asylum seekers—these digital systems pose challenges too. For a while, Border Force officials and Home Office staff who were monitoring the arrival of asylum seekers to the UK via the Channel were illegally seizing their phones and extracting data from it. Privacy International, which is mounting a legal challenge over this policy, said that the policy was “in line with this government’s (and many others’) efforts to criminalize migration and rob migrants of their basic human rights.” 

People who are on immigration bail and classified as high risk have to wear GPS ankle monitors, which track where they are 24/7. Those who are classified as low risk may soon have to start wearing “smartwatches” with “facial recognition capabilities,” although it’s unclear whether this technology already exists.

“They have the right to use the data accrued from GPS monitoring—to look at that data anonymously, to understand the impact, looking where people have been frequenting and using that to carry out enforcement activity,” says Rudy Schulkind of Bail for Immigration Detainees. “It’s quite a stigmatizing and degrading thing to put people through, and we don’t know where that data is going to go. It’s got incredibly worrying implications for allowing this kind of technology to be normalized.”

Campaigners and organizers in the sector point out some immediate potential fixes to the digitization of the UK’s hostile environment. “Digitization follows substantive policy priorities,” says Tomlinson. “But just because policy is digital-first doesn’t mean it has to be digital-only. Giving people the option to also have a paper record would make some kind of difference.” Organizations like JCWI have campaigned for people to be given paper records of their visa status. Others have emphasized that the Home Office should put up a data firewall between immigration enforcement authorities and police in cases where a victim is vulnerable—currently, the police refer 204 victims per month to immigration enforcement, including victims of human trafficking and labor exploitation.

In the US, digital systems are a significant part of how Immigration and Customs Enforcement (ICE) teams carry out raids on communities. In Canada, a new automated decision-making tool is increasingly being tested on asylum and immigration applications. In the EU, a massive biometric database—which will be used for migration purposes, among others—is set to become the largest police biometrics database in the world, despite concerns from rights advocates and organizations. Digital-by-default immigration systems are slowly becoming the norm. But in many senses, they exacerbate existing issues with the systems that they work within. 

“There’s a reality in which somewhere up to a million of our fellow citizens are too scared to rent a safe home or to seek help from the police when they’re facing domestic abuse, to get a Covid vaccine, and that’s a big result of the hostile environment, whether it’s digital or not,” says Atkinson. “The ‘Papers, please’ society which this has created exists whether it’s on an app that you’re showing to your landlord or on a piece of paper.”

The Dangerous Digital Creep of Britain's ‘Hostile Environment’

Plus: ICE accidentally doxes asylum seekers, Google fails to uphold a post-Roe promise, and LastPass suffers the second breach this year.

It was another busy week in security that saw big news about protests, surveillance, spyware, data breaches, and more. In the US, recent court filings detail how the FBI’s use of a controversial warrant yielded a trove of Google’s location data from thousands of devices in and around the Capitol on January 6. Meanwhile, in Iran, videos of antigovernment protests shared on social media highlight the importance of Twitter’s role in documenting human rights abuses and the consequences if the social media platform breaks.

On November 30, Google’s Threat Analysis Group moved to block a Spanish hacking framework that targets desktop computers. The exploitation framework, dubbed Heliconia, came to Google’s attention after a series of anonymous submissions to the Chrome bug reporting program. While Google, Microsoft, and Mozilla have all patched the Heliconia vulnerabilities, it’s a good reminder to keep your devices updated. ​​Here’s what you need to know about all the important security updates released in the past month.

Google researchers also found this week that the encryption keys phone-makers use to verify software on their devices are genuine—including the Android operating system itself—were stolen and used in malware.

Finally, we published part six of WIRED reporter Andy Greenberg’s series, “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the downfall of AlphaBay, the world’s largest dark-web marketplace. Read the final installment here, and check out the full book from which the series was excerpted, _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, available now from wherever you buy books.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. 

A deadly fire in an apartment building sparked massive demonstrations in China where thousands of protestors in major cities have taken to the streets in defiance of the nation’s zero-Covid policy. The current wave of protests—the scale of which has not been seen in the country since the deadly 1989 Tiananmen Square protests—has been met with the massive surveillance and censorship apparatus that the state has been refining for decades. Authorities are using facial recognition, phone searches, and informants to identify, intimidate, and detain those who attended protests. 

The protests are stress-testing China’s sophisticated censorship apparatus, and experts say that the sheer volume of video clips has likely overwhelmed China’s armies of censors. Leaked documents from China’s Cyberspace Administration called the protests a “Level I Internet Emergency Response,” and authorities ordered ecommerce platforms to limit the availability of VPNs and firewall-circumventing routers. On Sunday, Chinese-language Twitter accounts spammed the service with links to escort services alongside city names where protests were occurring to drown out information about the protests. 

US Immigration and Customs Enforcement is in hot water after the agency mistakenly posted confidential data about thousands of asylum seekers during a routine update to their website. The data—which included the names, birthdates, nationalities, and detention locations of more than 6,000 individuals—was public for five hours before being taken down by the agency. The data disclosure could expose the immigrants affected by the breach to retaliation from the gangs and governments they had fled. 

The agency’s tech negligence comes as the Biden administration is dramatically expanding the use of technology to monitor immigrants during conditional release through smartphone apps and ankle monitors.

“The US government has an obligation to hold asylum seekers’ names and information in confidence so they don’t face retaliation,” a lawyer at Human Rights First, the organization that discovered the leak, told the _Los Angeles Times_. “ICE’s publication of confidential data is illegal and ethically unconscionable, a mistake that must never be repeated.”

New research shows that Google continues to retain sensitive location data from individuals seeking abortions in spite of promises the company made in July to purge this kind of data from its systems. Researchers with Accountable Tech, an advocacy group, conducted various experiments to analyze the data that Google stores about individuals looking for abortions online. They found that searches for directions to abortion clinics on Google Maps, as well as the routes taken to visit Planned Parenthood locations, were stored by Google for weeks. Google spokesperson Winnie King told the _Guardian_ that users “can turn Web & App Activity off at any time, delete all or part of their data manually, or choose to automatically delete the data on a rolling basis.”

Their findings contradict the pledges Google made after the US Supreme Court overturned _Roe v Wade_. “If our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit,” the company said in July. Five months later, Google appears to have not implemented this change.

LastPass, a popular password manager, is investigating a security incident after its systems were compromised for the second time this year. In a blog post about the incident, chief executive Karim Toubba said that an attacker gained access to their customers’ information using data stolen from LastPass’ systems in August, but did not specify what specific customer information was taken—although he stipulated that users’ stored passwords remained protected by the company’s encryption scheme. “We are working to understand the scope of the incident and identify what specific information has been accessed,” Toubba says. “In the meantime, we can confirm that LastPass products and services remain fully functional.”

Source

Wired