Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

A German ad-tech trial features what Vodafone calls “digital tokens.” Should you be worried?

Customers of some phone companies in Germany, including Vodafone and Deutsche Telekom, have had a slightly different browsing experience from those on other providers since early April. Rather than seeing ads through regular third-party tracking cookies stored on devices, they’ve been part of a trial called TrustPid.

TrustPid allows mobile carriers to generate pseudo-anonymous tokens based on a user’s IP address that are administered by a company also named TrustPid. Each user is assigned a different token for each participating website they visit, and these can be used to provide personalized product recommendations—but in what TrustPid calls “a secure and privacy-friendly way.” It’s that “privacy-friendly” part that has raised critics’ hackles.

The internet runs on advertising: Digital ads worth a total of $189 billion were bought and sold last year, according to the Internet Advertising Bureau (IAB). But the ad industry’s dirty little not-so-secret is that it relies on intrusive surveillance of people’s online activities, piecing together their interests based on the websites they visit, what they post, and more.

For Vodafone, the company running the trial in Germany, TrustPid offers an alternative by allowing advertisers to gain value from customer insights while also supposedly keeping those users’ data private. But not everyone agrees. Internet privacy experts have labeled TrustPid a supercookie—a piece of technology that links a crumb of data to a user’s IP address and mobile phone number—and believe the trial should be halted and commercial plans shelved. They are particularly concerned about the way network operators are co-opting what is meant to be a simple passage of communications data, which they have unique access to, to transform it into a targeted advertising platform. Deutsche Telekom did not respond to WIRED’s request for comment. Vodafone says it’s all a misunderstanding.

“Let me stress that the TrustPid service is not a supercookie,” says Simon Poulter, senior manager of corporate communications at Vodafone Group, which is overseeing the German trial. Instead, the telco refers to the technology as being “based on digital tokens which do not include any personally identifiable information.” Each token, says Poulter, has a limited lifespan of 90 days that is specific to individual advertisers and publishers.

William Harmer, product lead at Vodafone, says the project isn’t a supercookie because it doesn’t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless, which in 2016 was fined $1.35 million by the US Federal Communications Commission (FCC) for having injected supercookies into users’ mobile browser requests for two years without consent. A 2015 investigation by digital civil rights nonprofit Access Now found that carriers across 10 different countries used supercookies dating back to 2000. Those negative headlines are why Vodafone pushes back so vehemently against the supercookie designation.

Vodafone claims TrustPid, which has each partner website generate a different token for the same user, reduces the likelihood of user data being triangulated across websites to create extensive profiles of user interests—a major concern for internet users sick of being chased around the web by targeted ads. “The technology has been built following a privacy-first design, and it complies with all GDPR requirements and related legislation,” says Poulter.

The TrustPid pilot came about because of the changing face of online advertising, says Harmer. “On the one hand, you have a lot of privacy measures being looked at for being anti-competitive,” he says. “Then you’ve got a lot of discussions around customer data being hemorrhaged and leaked quite openly on the internet.” Vodafone believed it could tackle both issues, giving advertisers the confidence to spend money online while offering customers protection over their data.

Vodafone says it has informed appropriate regulatory bodies of the trial, adding that it has met twice with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). BfDI spokesperson Christof Stein says the organization was “merely informed by Vodafone about its trial of TrustPid technology together with Deutsche Telekom, as we are the responsible data protection authority for those telco companies.” Stein also pointed out that the establishment of TrustPid as a separate company based in the UK means that the responsible data authority for TrustPid is the UK’s Information Commissioner’s Office (ICO). ICO spokesperson Debora Biasutti tells WIRED that “any proposal that continues to facilitate cross-web tracking without putting users firmly in control is unlikely to resolve the privacy issues prevalent in online advertising.” Harmer confirmed that TrustPid has not had a conversation with the UK data protection authority.

Stein confirmed that the BfDI has not been contacted by the independent company running TrustPid. As for whether it adheres to data protection rules, the BfDI says TrustPid could argue that its unique, pseudonymous network identifier is a value-added service under the EU’s ePrivacy Directive.

The key word is “could.” “Only an informed and voluntary given consent is an acceptable foundation for the use of this technology,” says Stein. “High standards must be set here, and we are skeptical that the current consent fulfills that aim.”

The BfDI has not yet made a final decision about the data processing in the German trial, Stein says. The GSM Association, an industry body with more than 1,200 members, including Vodafone’s German and UK arms, says it hasn’t been consulted about the TrustPid trial but will be asking its technical teams to look at how data is handled.

One former GSMA director of privacy has made up his mind, however. “It’s extremely disappointing to see mobile operators behave in this way,” says Pat Walshe, a data protection and privacy consultant who worked at the GSMA between 2009 and 2015. “They should be the custodians of the confidentiality of your communications and your data—but here it’s quite clear these operators see you as yet another source of revenue by mining your personal data and treating you as a digital billboard.” Walshe sees it as particularly troublesome because it comes a decade after he wrote a set of privacy principles for the GSMA and the industry that he thinks TrustPid’s approach would contradict.

Walshe isn’t alone. “Companies that operate communication networks should neither track their customers nor should they help others to track them,” says Wolfie Christl, a researcher at Cracked Labs in Vienna, which investigates the data industry. “I consider the project an abuse of their very specific trusted position as communication network providers. It is a dangerous attack on the rights of millions.”

Walshe believes that TrustPid would struggle to claim it has obtained user consent to gather the data it does. “I don’t know how anybody would agree to an honest statement that we can analyze all your data, who you call, where you were when you called them, and so on,” he says. “I don’t know anybody who would agree to that statement—and it would have to be that explicit.” TrustPid’s privacy policy outlines the types of information that it collects from users and follows two key guidelines, says Vodafone’s Harmer: that you can accept or reject the service easily, and that there’s a clear explanation of what data is processed and how.

Christl worries that TrustPid is trying to justify its deployment with “the misleading and meaningless pseudo-consent banners we have to deal with on websites every day.” (For his part, Harmer says that cookie banners are themselves problematic because they’re not easy enough for users to reject, and TrustPid is trying to steer clear of using them.) Christl says the project is “irresponsible and outrageous” and “undermines trust into communication technology, and thus should be stopped immediately.”

Whether you call it a digital token or a supercookie, TrustPid’s bid to revolutionize online advertising has struck a nerve among digital privacy campaigners. Vodafone claims it wasn’t allowed to explain its side of the story in early coverage of the trial in German media. “There were assumptions that we were repeating some of the things that have happened elsewhere, which are in our view bad from a customer’s point of view,” says Harmer. That early coverage set the tone for what followed, the company believes. A second issue? “We are trying to facilitate digital advertising,” he says. “There is a limited exchange of data we think is required to make that take place between a customer and a website. Some people don’t believe that should take place at all.”

A successful trial for Vodafone would involve convincing content providers—or websites wanting to sell ads against their content—that it’s an idea worth pursuing. The company also recognized it needs to win advertisers over. “There probably won’t be enough scale in the pilot to say that this is redefining how things work, but \[there could be enough\] to give us some signs that it could help advertisers and publishers work,” says Harmer. The company is also conscious of consumer feedback—and that it’s been far from positive to date. For Walshe, that negative response is unsurprising. “I think it’s an arrogant view of customers,” he says, “as these passive individuals who don’t care about their data being used in this way.”

‘Supercookies’ Have Privacy Experts Sounding the Alarm

If you use a mix of Apple, Android, and Windows gadgets, you're in luck: The security tool is now available to any Microsoft 365 subscriber.

Microsoft Defender, the company’s security app, is now available to any individual who has a subscription to Microsoft 365, the online productivity suite that includes Word, Excel, and more. Different from the previously released Microsoft Defender software that was built exclusively into Windows computers, this version is available on Windows, Android, macOS, and iOS devices.

Owners of Windows computers without Microsoft 365 don’t need to sweat; Microsoft is still preinstalling software on Windows to protect against viruses and other malware. That software is now simply branded as Windows Security. Beyond accessing a security dashboard where all your connected devices are visible, there’s not a lot of extra incentive for Windows owners to download the new Microsoft Defender app.

Microsoft is extending protection options to Mac and smartphone owners who use Microsoft 365. Not all devices receive the same protections, however. For example, on the Mac, anti-malware protection is provided by Microsoft Defender, while web protection is not.

On the other hand, iPhones and Android devices are able to use web protection from Microsoft Defender. The web protection runs a virtual private network on your smartphone in the background and tries to intervene if any dangerous hyperlinks appear. Microsoft claims that the data from your browsing history is stored on-device and not shared with the company. Learn even more about VPNs and boosting your digital privacy with WIRED senior writer and reviewer Scott Gilbertson’s guide to the best VPNs. In addition to web protection, the anti-malware protection from Microsoft Defender is supported for Android phones.

The new Microsoft Defender app is designed to be used specifically by consumers—as in families and individuals. Although the names are similar, Microsoft Defender for Endpoint is a separate security suite for businesses. Microsoft has guidance on its website to help you understand the Endpoint version and how to switch between accounts.

If you aren’t a Microsoft 365 subscriber but want to get Microsoft Defender, a personal plan costs $70 a year, and a family plan for up to six people costs $100 a year. With a subscription to Microsoft 365, you get OneDrive cloud storage access, in addition to both online and downloadable versions of popular software like Microsoft Word, Excel, and Powerpoint. (Check out this article from WIRED contributor David Nield if you’re on the hunt for a free version of Microsoft Word.)

So who will benefit from the new Microsoft Defender? The features offered are slim at the moment, and it might not be as involved as software from Norton or McAfee, but that may be a good thing considering Defender is more lightweight than either of those options. Keeping that in mind, the large quantity of devices tracked from a single dashboard could be a boon for family leaders trying to keep an eye on the whole crew’s security across multiple devices.

Subscribers to the Microsoft 365 individual plan can get Microsoft Defender to protect five devices at once. For those on the family plan, you can simultaneously shield up to 30 devices. The suite will send you alerts whenever Grandma downloads malware onto her computer (again) or the teens on their smartphones click a malicious link.

Searching for even more strategies to beef up your digital security? WIRED has helpful advice on everything from password protecting your files to keeping those spicy pics private. You wouldn’t leave your front door unlocked while running errands, and with so much of our lives experienced online, taking protective measures on your computer and smartphone makes just as much sense.

How to Use Microsoft Defender on All Your Devices

Plus: Microsoft details Russia’s Ukraine hacking campaign, Meta’s election integrity efforts dwindle, and more.

The United States Supreme Court yesterday struck down _Roe v. Wade_, the monumental 1973 decision that guaranteed the right to abortion in the US for 49 years and, as Maryn McKenna writes for WIRED, “revolutionized life for women.” Now, all of that is in peril. 

It is impossible to overstate the profound consequences of the court's decision. In addition to the life\-and\-death dangers now facing people who become pregnant, the end of _Roe_ and the rise of criminalized abortion stand to usher in a privacy nightmare that civil liberties advocates have warned about for decades. 

As we reported in May after a draft of the Supreme Court's decision was leaked to Politico, the criminalization of abortion in states across the US requires that people adopt a comprehensive digital privacy strategy to protect themselves from the surveillance state. This can include steps like switching to an end-to-end encrypted app like Signal, limiting your data footprint by using search engines like DuckDuckGo instead of Google, locking down your privacy settings on your phone, and using a browser extension to block web trackers. For more details on securing your digital privacy, we recommend guides from the Digital Defense Fund and the Electronic Frontier Foundation.

If you plan to protest against the Supreme Court's decision, check out our guide on how to protest safely. And if you're seeking information about receiving an abortion in post-_Roe_ America, we have a list of resources for that as well.

In other stories this week, we explained how to password-protect any file and dove into lingering security risks related to Microsoft's now defunct Internet Explorer browser. We got a look at Brave's new Goggles tool for its privacy-focused search engine, which lets you create custom search filters. We explored the ways in which the US intelligence community is using artificial intelligence. And we detailed a new type of spyware that Google and Lookout researchers say has been used to target people in multiple countries.

But that's not all. We've rounded up here the big security news from the past week that we haven't been able to cover ourselves. Click on the headlines to read the full stories. And stay safe out there.

Microsoft this week released a report diving into Russia's cyber efforts in its ongoing war against Ukraine. Researchers found that Russia has launched at least 48 attacks against Ukrainian entities. While some efforts have been successful, researchers found that rapidly deployed digital defenses have fended off many of these attacks, including a failed Russian military effort to deploy “wiper” malware against Ukrainian government computers. Vladimir Putin isn't limiting Russian hackers to targets in Ukraine, however. Microsoft researchers identified Russian “network intrusion efforts” against 128 organizations in 42 countries outside Ukraine. Moscow frequently targets the governments of NATO countries, and researchers say that Russian attacks have been successful 29 percent of the time. In a quarter of the successful attacks, Russian hackers have pilfered internal data from victims' networks. Microsoft also warns that Russia is carrying out global “cyber influence operations," at least some of which push propaganda encouraging people to not get vaccinated for Covid-19.

Despite political misinformation remaining rampant on Meta's platforms ahead of the midterm elections in November, CEO Mark Zuckerberg has reportedly shifted his attention from election-related issues to focus on the metaverse. According to multiple sources who spoke to _The_ _New York Times_, Facebook's “core election team … has been dispersed,” and just 60 people now focus on election integrity issues full-time. Company spokesperson Tom Reynolds disputed that figure, claiming that “hundreds" of people at Meta are focusing on election-related work.

Another day, another cryptocurrency company hack that nets criminals staggering amounts of money. The latest known attack, against California-based Web3 firm Harmony, targeted the blockchain bridge, an application used to transfer cryptocurrencies from one blockchain to another. The company says the hackers stole approximately $100 million in digital assets. Bridges are a known weak point in the crypto ecosystem. In late March, hackers believed to be part of North Korea's Lazarus Group made off with $540 million worth of cryptocurrency thanks to a bridge attack.

We've all been there: On your way home after a boozy night on the town, you realize you've misplaced a USB drive containing the names, addresses, birthdays, and tax-related information of every person in your city. Never happened to you? Well, a contractor in Amagasaki, Japan, wasn't so lucky. _The Guardian_ reports that the unnamed contractor lost a USB drive with the sensitive personal data of all 460,000 Amagasaki residents after a night of drinking at a restaurant. While the mistake is surely embarrassing, it hopefully won't lead to privacy breaches: According to city officials, the data was encrypted and they've found no evidence of leaks. Cheers!

The Post-Roe Privacy Nightmare Has Arrived

It's never been easier to switch between iPhone and Android—and to get your messages out of the Meta ecosystem entirely.

Since early 2016, WhatsApp has protected messages and conversations sent in its app with end-to-end encryption. This means that nobody other than the sender and receiver of messages can read their content—not even Meta can read or snoop on the contents of your conversations.

Despite WhatsApp being omnipresent—more than 2 billion people use it each month—securely moving your encrypted chats and photos to different platforms or apps has been a challenge. Transferring your WhatsApp chats from Android to iPhone and from iPhone to Android has historically only been possible using third-party apps. These apps are often fiddly and don’t necessarily protect your data at the level offered by WhatsApp’s ecosystem.

But in recent months WhatsApp has made it possible to officially switch between iPhones and Android (and vice versa), rolling out processes to securely move data between operating systems and working with phone manufacturers to enable the move.

If you’re fed up with Meta’s ecosystem, it’s also possible to move your groups and some chat data to other messaging apps. Here’s how to move all of your WhatsApp chats and backups.

Android to iPhone

Moving your WhatsApp account from Android to an iPhone involves a few steps. But it should be possible to bring most of your information with you: Your profile photo, individual and group chats, history, photos, videos, and settings can all make the jump from one device to another. Your call history and display name can’t be moved across, however, WhatsApp says.

Most of the work in moving your WhatsApp data comes before you make the shift. To move between devices, you need to ensure you have the same phone number on each. Before you start the process, make sure you have a recently updated version of WhatsApp on your Android phone. You also need to be running at least Android 5 on the device you’re moving from and iOS 15.5 on the iPhone you’re moving to. (The iPhone needs to be a new device or have been recently reset to its factory settings.)

Next, download and install the “Move to iOS” app from Google’s Play Store—this Apple-owned app will do all the heavy lifting. When you’re ready to migrate your data, plug both devices into a power source and connect both phones to the same Wi-Fi network. (If you don’t have a Wi-Fi network, it’s possible to use a hotspot to connect your Android phone to the iPhone.)

When both phones are on the same network, open up the “Move to iOS” app on the Android phone and follow the instructions to connect the two phones. Then select WhatsApp as the data source you want to transfer from, and the app will prepare your chats to be moved across—final prompts will confirm you want to make the switch.

This process will log you out of WhatsApp on your Android phone, and you’ll need to download the app on the iPhone you are moving to. When you first use WhatsApp on this iPhone, it’ll ask you to use the same number as on the Android device and prompt you to complete the transfer process. When the process is complete, if you are getting rid of your old phone, make sure to do a factory reset and wipe all your data.

iPhone to Android

It’s been possible to transfer your WhatsApp chat history from iPhones to Android devices since October 2021. This transfer process includes your photos, messages, voice messages, and group conversations.

The compatibility was first rolled out for Samsung phones but has since expanded to include Google Pixel phones and all devices running Android 12. To make the move, you’ll need a USB-C-to-Lightning cable to physically connect the two devices, Google explains. “When prompted while setting up your new Android device, scan a QR code on your iPhone to launch WhatsApp,” the company says in a blog post. Alternatively, in WhatsApp you can go to **Settings** > **Chats** > **Move Chats to Android** and follow the transfer prompts.

WhatsApp’s guide to moving your chats between iPhones and Samsung devices says you will need the Samsung SmartSwitch app installed on the new phone and the same phone number on both devices. As with moving from Android to an iPhone, make sure you delete or wipe your old phone if you’re getting rid of it.

WhatsApp to Signal

Signal is widely considered the best messaging app for security and privacy. Check out our guide to switching your text messages to Signal and moving your messages between devices. While you can’t directly move your WhatsApp chat history to Signal, there are some things you can do to make the switch more straightforward.

It’s possible to easily recreate your WhatsApp groups on Signal—although getting all your family and friends to ditch the Meta-owned app may be more of a challenge. To recreate your groups, open the Signal app and start a new group by tapping the **pencil icon**. When you are asked to add people from your contacts, **tap on Skip** and instead pick the option to get a link to invite people to the group (a QR code is also available). From here, you can share this link with your WhatsApp chats and allow people to move over.

WhatsApp to Telegram

Unlike Signal and WhatsApp, Telegram is not end-to-end encrypted by default. As a result, security experts often warn against using Telegram. However, if you still want to use Telegram, it’s possible to move your chat history from one app to the other.

On both iOS and Android, open the chat you want to move to Telegram and click on the chat’s name or details (using _⋮_ on Android). From here, tap **Export Chat** and when you get the choice of where to **share** the chat, pick Telegram. When exporting chats from WhatsApp to Telegram, you have the choice to take photos and videos with you, or just chat messages.

Back up your WhatsApp chats

You can also back up your WhatsApp conversations in the cloud. This allows you to keep your messages and photos safe if you’re moving from one iPhone to another iPhone or Android to Android—for instance, if you upgrade or break your device and replace it with one using the same operating system.

Until September 2021, WhatsApp didn’t end-to-end encrypt backups, creating a potential security risk and exposing people’s chats to requests from law enforcement. However, the company has since closed that loophole, so it’s now much less of a risk to have your chats backed up to iCloud or Google’s Cloud. To back up to either platform, you will need a Google Drive account or an iCloud account.

On Android, in WhatsApp go to **More options** > **Settings** > **Chats** > **Chat backup** > **Back up to Google Drive**. While on iOS go to WhatsApp **Settings** > **Chats** > **Chat Backup** > **Back Up Now**. You’ll then be able to set the frequency of your backups and elect whether data-heavy videos are included.

How to Move Your WhatsApp Chats Across Devices and Apps

The spyware has been used to target people in Italy, Kazakhstan, and Syria, researchers at Google and Lookout have found.

In hearings this week, the notorious spyware vendor NSO group told European legislators that at least five EU countries have used its powerful Pegasus surveillance malware. But as ever more comes to light about the reality of how NSO's products have been abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry goes far beyond one company. On Thursday, Google's Threat Analysis Group and Project Zero vulnerability analysis team published findings about the iOS version of a spyware product attributed to the Italian developer RCS Labs.

Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security firm Lookout published findings about the Android version of the spyware, which it calls “Hermit” and also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during a 2019 anti-corruption probe. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware for targeting in northeastern Syria.

“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne tells WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. But there is little or no transparency into this industry, that's why it's critical to share information about these vendors and their capabilities.”

TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.

In their analysis of the iOS version, Google researchers found that attackers distributed the iOS spyware using a fake app meant to look like the My Vodafone app from the popular international mobile carrier. In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link for victims to click. But in some particularly dramatic cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off a specific user's mobile data connection, send them a malicious download link over SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their cell service.

Attackers were able to distribute the malicious app because RCS Labs had registered with Apple's Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allows them to sideload apps without going through Apple's typical AppStore review process.

Apple tells WIRED that all of the known accounts and certificates associated with the spyware campaign have been revoked. 

“Enterprise certificates are meant only for internal use by a company, and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in an October report about sideloading. “Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market.”

Project Zero member Ian Beer conducted a technical analysis of the exploits used in the RCS Labs iOS malware. He notes that the spyware uses a total of six exploits to gain access to surveil a victim's device. While five are known and publicly circulating exploits for older iOS versions, the sixth was an unknown vulnerability at the time it was discovered. (Apple patched that vulnerability in December.) That exploit took advantage of structural changes in how data flows across Apple's new generations of “coprocessors” as the company, and the industry overall, moves toward the all-in-one “system-on-a-chip” design.

The exploit isn't unprecedented in its sophistication, but Google researchers note that the RCS Labs spyware reflects a broader trend in which the surveillance-for-hire industry combines existing hacking techniques and exploits with more novel elements to gain the upper hand. 

“The commercial surveillance industry benefits from and reuses research from the jailbreaking community. In this case, three out of six of the exploits are from public jailbreak exploits,” TAG member Benoit Sevens says. “We also see other surveillance vendors reusing techniques and infection vectors initially used and discovered by cyber crime groups. And like other attackers, surveillance vendors are not only using sophisticated exploits but are using social engineering attacks to lure their victims in.”

The research shows that while not all actors are as successful or well known as a company like NSO Group, many small and midsize players together in a burgeoning industry are creating real risk for internet users worldwide.

Google Warns of New Spyware Targeting iOS and Android Users

After months of digging into privacy and security issues around these apps, I have some serious concerns.

Last year, like many new parents, I was walking the extreme tightrope of keeping my young child healthy _and_ happy. When my daughter left the stages of infancy into becoming a much more aware toddler, I decided that it was high time to put her in preschool. It was better than her staring at the same four walls of the living room while I contemplated the health risks over and over. After a few internet searches and some phone calls, I chose one that was close _and_ had spots open (which was pretty hard to obtain). When I started the enrollment process, I saw a flyer in the huge packet that immediately threw me into a new set of worries I didn’t want to deal with: “We also use Brightweel, a mobile application to log attendance, share milestones, and keep parents up to date on daily interactions.'”

I don’t know what goes through other parents’ minds at this point, but I do privacy- and security-oriented work as my day job at the Electronic Frontier Foundation, so I couldn’t help myself from looking at the security controls Brightwheel gave to me as a parent. This was my child’s data left up to some company. Don’t get me wrong, the app provided some comfort, allowing me to see my baby smiling, making friends, and enjoy riding bikes during outside playtime. _Especially_ in that first week when you aren’t there to oversee every aspect of their life for the first time. But looking at my account, I saw very few settings that said anything about security. There was a PIN code to check them in and out, but that was about it.

Over several months, I looked at the gigantic amount of data that was being shared and stored by this app every day. Diaper changes, story time pictures, nap times, etc. The more data about my daughter I saw, the more my worry grew.

By October 2021, I couldn’t sit on this any longer. I wouldn’t call myself a hacker by the definition in most people’s heads. But in this case, for my daughter’s sake, being a mother means doing everything in my power to keep her safe. So I began a months-long dive into the early education landscape of apps—and didn’t like what I found.

I am lucky in where I work. Some cold emails and a little networking later, a coworker (also a new parent being asked to use Brightwheel) and I finally got a meeting with an actual person at the company. The meeting was productive in the sense that Brightwheel seemed to understand the concerns but confirmed how woefully behind the entire industry was in privacy and security protections.

For example, a very basic and well-known protection measure is two-factor authentication. You know how some services now require you to enter a one-time code in addition to your password? That’s two-factor authentication, which gives an enormous bang for your buck in terms of security. It’s been spreading rapidly, and at least _offering_ it is pretty much an industry standard these days.

Brightwheel now has two-factor authentication available for all school or day care administrators and parents, but it is the only one to have done so. Which is bullshit.

Several of these companies don’t disclose what data they collect and where it goes. And what we’ve found is that what they do is, in some cases, track and share information in the way Facebook is also known to. That’s bad enough when it’s data about adults on a public social media site, but it’s horrifying when it’s information about a preschooler.

Figuring out the privacy and security issues around the app your child’s day care uses isn’t like researching how to sleep-train a baby or what high chair to use, where parents can easily find trusted sources of information. This information isn’t out there. Parents and administrators are being sold on convenience, but they aren’t given even the most basic tools to choose a secure app.

And for those of us who have the know-how to find these vulnerabilities and fix them, we’ve run into the problem of the companies not wanting to hear about it. As an ethical hacker, the thing I _planned_ to do was disclose what I found and wait 90 days for a response (a common security industry practice). Even there, I hit roadblocks.

Beyond not finding a way to contact them on their websites, I discovered that researchers based in Germany released a paper in March 2022 identifying security and privacy problems with 42 early education and day care management applications. In addition to outlining the vulnerabilities, the paper also explained that the researchers did their due diligence by ethically reporting the issues and had almost no response from the companies.

That’s unacceptable. If your company handles sensitive information, and researchers do the work of figuring out how to make your product more secure for you, not responding to them is a terrible practice.

I published my own research into these apps on EFF’s website, where you can dig into the technical details, but the major takeaway is that these services are not as secure as they can or should be.

Some very basic demands we have for all of these companies:

*   Make two-factor authentication available for all admins and staff.
*   Address known security vulnerabilities in mobile applications.
*   Disclose and list any trackers and analytics and how they are used.
*   Use hardened cloud server images. Additionally, put a process in place to continuously update out-of-date technology on those servers.
*   Lock down any public cloud buckets hosting children’s videos and photos. These should not be publicly available, and a child’s day care and parents should be the only ones able to access and see such sensitive data.

In addition, we would like to see it become standard for these apps to secure any messages sent between the schools and parents. End-to-end encryption would do that, and there’s no need for a server to be seeing the updates on a child’s life.

And finally, these companies need to monitor and proactively respond to reports of problems with their applications. It should not take a technologist who happens to work at a digital privacy organization and a coworker who happens to be a lawyer on these same issues cold-emailing and working contacts to get a meeting.

Being able to get daily updates on how your child is faring in day care is extremely comforting to a parent. It was for me. Unfortunately, that comfort was soon outweighed by the danger I found.

Parents Need to Know What’s Going On Inside Their Day Care Apps

The privacy-focused company's new Goggles tool allows users to weed out the noise—whatever that might mean.

Anyone can create or alter a Goggle. However, at the beta launch, Brave created eight different Goggles as examples. (It says these will be deleted once people create their own). These examples include Goggles to re-rank search results to remove copycat pages, removing search results from the top 1,000 websites, boosting content found on technical blogs, and more.

Pujol says that Brave created Goggles—which it first outlined in a 2021 white paper—to help remove biases from search results, including those in Brave’s search, and give people more choice. “Biases are everywhere: the underlying data, which sites are easier to crawl, which models are chosen, feature selection, presentation biases, popularity, the list can go on indefinitely,” Pujol says. It is very hard, if not impossible, to remove all biases from search results.

“Goggles will allow the creation of multiple universes within which users could search,” says Uri Gal, a professor of business information systems at the University of Sydney. Gal adds that the move is welcome in a search market that “has seen little innovation or competition” over the past couple of decades. “It would reduce the risk of people getting a single view of reality—or that portion of reality that they are interested in—that is created and maintained by a single platform (e.g. Google, Facebook) based on proprietary algorithms,” Gal says.

Brave knows that people may use Goggles to reinforce their worldview and filter subjects that align with their existing beliefs. At launch, both right- and left-leaning political Goggles have been created by AllSides, an American company that rates media organizations for their political bias. “We believe in freedom of speech, and as such, it is not for us to decide what is right or wrong,” Pujol says. “The person using Goggles is making a conscious act when applying a Goggle, and contrarian perspectives should be readily available. This explicitness alone is an improvement from the current landscape, where this kind of alteration is made without the user realizing it.”

Brave says it will treat Goggles the way as it does all web results and “not censor or police them,” unless it is required to do so legally, such as removing instances of child sexual abuse material.

But there are questions about how this will work in reality. “Exercising bias control is an action for the thoughtful,” says Bart Willemsen, a VP analyst focusing on privacy at Gartner, who adds that he is hopeful Goggles can have positive results. “In the abundance of information available, including dis- and malinformation, to correctly curate what is believed to be relevant and what not, or even untrue, is a huge task,” Willemsen says.

Despite Google’s dominance, there’s a flourishing market for alternative privacy-focused search engines, which claim not to track users or use their personal information for creepy ads. This includes Brave, which launched its search in beta last year. Among others—all with slightly different privacy claims and ways of working—are DuckDuckGo, StartPage, and Mojeek. (DuckDuckGo uses Bing to help power its search results, while StartPage is based on Google.) While billions of searches are made with Google alternatives each year, that’s still a drop in the ocean compared to Google’s dominance.

The search results that companies show, while being based on multiple factors, can prove controversial. Companies may face difficulties with the amplification of political content and issues around free speech. In October 2021, Twitter admitted its algorithm amplifies right-wing politicians more than left-wing ones. Recently, people on the far right have complained that DuckDuckGo limited Russian propaganda, although its results are partly provided by Microsoft’s Bing. In contrast, one 2019 study by Stanford University researchers found that Google’s search results didn’t favor either politician wing.

When Brave debuted its idea for Goggles in 2021, the company said it would open an offer to incorporate Goggles into any other search engine. So far, Pujol says, there haven’t been any conversations about this. And large changes to the status quo are unlikely. “I can’t see Google or any other major platform integrating user-defined Goggles,” Barnet says. “It would interfere with the way they personalize advertising to you and how they collect data on your activity to deliver that advertising. In other words, it would interfere with their business model.”

Brave Now Lets You Customize Search Results—for Better or Worse

Artificial intelligence use is booming, but it's not the secret weapon you might imagine.

From cyber operations to disinformation, artificial intelligence extends the reach of national security threats that can target individuals and whole societies with precision, speed, and scale. As the US competes to stay ahead, the intelligence community is grappling with the fits and starts of the impending revolution brought on by AI.

The US intelligence community has launched initiatives to grapple with AI’s implications and ethical uses, and analysts have begun to conceptualize how AI will revolutionize their discipline, yet these approaches and other practical applications of such technologies by the IC have been largely fragmented.

As experts sound the alarm that the US is not prepared to defend itself against AI by its strategic rival, China, Congress has called for the IC to produce a plan for integration of such technologies into workflows to create an “AI digital ecosystem” in the 2022 Intelligence Authorization Act.

The term AI is used for a group of technologies that solve problems or perform tasks that mimic humanlike perception, cognition, learning, planning, communication, or actions. AI includes technologies that can theoretically survive autonomously in novel situations, but its more common application is machine learning or algorithms that predict, classify, or approximate empiric-like results using big data, statistical models, and correlation.

While AI that can mimic humanlike sentience remains theoretical and impractical for most IC applications, machine learning is addressing fundamental challenges created by the volume and velocity of information that analysts are tasked with evaluating today.

At the National Security Agency, machine learning finds patterns in the mass of signals intelligence collects from global web traffic. Machine learning also searches international news and other publicly accessible reporting by the CIA's Directorate of Digital Innovation, responsible for advancing digital and cyber technologies in human and open-source collection, as well as its covert action and all-source analysis, which integrates all kinds of raw intelligence collected by US spies, whether technical or human. An all-source analyst evaluates the significance or meaning when that intelligence is taken together, memorializing it into finished assessments or reports for national security policymakers.

In fact, open source is key to the adoption of AI technologies by the intelligence community. Many AI technologies depend on big data to make quantitative judgments, and the scale and relevance of public data cannot be replicated in classified environments.

Capitalizing on AI and open source will enable the IC to utilize other finite collection capabilities, like human spies and signals intelligence collection, more efficiently. Other collection disciplines can be used to obtain the secrets that are hidden from not just humans but AI, too. In this context, AI may supply better global coverage of unforeseen or non-priority collection targets that could quickly evolve into threats.

Meanwhile, at the National Geospatial-Intelligence Agency, AI and machine learning extract data from images that are taken daily from nearly every corner of the world by commercial and government satellites. And the Defense Intelligence Agency trains algorithms to recognize nuclear, radar, environmental, material, chemical, and biological measurements and to evaluate these signatures, increasing the productivity of its analysts.

In one example of the IC’s successful use of AI, after exhausting all other avenues—from human spies to signals intelligence—the US was able to find an unidentified WMD research and development facility in a large Asian country by locating a bus that traveled between it and other known facilities. To do that, analysts employed algorithms to search and evaluate images of nearly every square inch of the country, according to a senior US intelligence official who spoke on background with the understanding of not being named.

While AI can calculate, retrieve, and employ programming that performs limited rational analyses, it lacks the calculus to properly dissect more emotional or unconscious components of human intelligence that are described by psychologists as system 1 thinking.

AI, for example, can draft intelligence reports that are akin to newspaper articles about baseball, which contain structured non-logical flow and repetitive content elements. However, when briefs require complexity of reasoning or logical arguments that justify or demonstrate conclusions, AI has been found lacking. When the intelligence community tested the capability, the intelligence official says, the product looked like an intelligence brief but was otherwise nonsensical.

Such algorithmic processes can be made to overlap, adding layers of complexity to computational reasoning, but even then those algorithms can’t interpret context as well as humans, especially when it comes to language, like hate speech.

AI’s comprehension might be more analogous to the comprehension of a human toddler, says Eric Curwin, chief technology officer at Pyrra Technologies, which identifies virtual threats to clients from violence to disinformation. “For example, AI can understand the basics of human language, but foundational models don’t have the latent or contextual knowledge to accomplish specific tasks,” Curwin says.

“From an analytic perspective, AI has a difficult time interpreting intent,” Curwin adds. “Computer science is a valuable and important field, but it is social computational scientists that are taking the big leaps in enabling machines to interpret, understand, and predict behavior.”

In order to “build models that can begin to replace human intuition or cognition,” Curwin explains, “researchers must first understand how to interpret behavior and translate that behavior into something AI can learn.”

Although machine learning and big data analytics provide predictive analysis about what might or will likely happen, it can’t explain to analysts how or why it arrived at those conclusions. The opaqueness in AI reasoning and the difficulty vetting sources, which consist of extremely large data sets, can impact the actual or perceived soundness and transparency of those conclusions.

Transparency in reasoning and sourcing are requirements for the analytical tradecraft standards of products produced by and for the intelligence community. Analytic objectivity is also statuatorically required, sparking calls within the US government to update such standards and laws in light of AI’s increasing prevalence.

Machine learning and algorithms when employed for predictive judgments are also considered by some intelligence practitioners as more art than science. That is, they are prone to biases, noise, and can be accompanied by methodologies that are not sound and lead to errors similar to those found in the criminal forensic sciences and arts.

“Algorithms are just a set of rules, and by definition are objective because they’re totally consistent,” says Welton Chang, cofounder and CEO of Pyrra Technologies. With algorithms, objectivity means applying the same rules over and over. Evidence of subjectivity, then, is the variance in the answers.

“It’s different when you consider the tradition of the philosophy of science,” says Chang. “The tradition of what counts as subjective is a person's own perspective and bias. Objective truth is derived from consistency and agreement with external observation. When you evaluate an algorithm solely on its outputs and not whether those outputs match reality, that’s when you miss the bias built in.”

Depending on the presence or absence of bias and noise within massive data sets, especially in more pragmatic, real-world applications, predictive analysis has sometimes been described as “astrology for computer science.” But the same might be said of analysis performed by humans. A scholar on the subject, Stephen Marrin, writes that intelligence analysis as a discipline by humans is “merely a craft masquerading as a profession.”

Analysts in the US intelligence community are trained to use structured analytic techniques, or SATs, to make them aware of their own cognitive biases, assumptions, and reasoning. SATs—which use strategies that run the gamut from checklists to matrixes that test assumptions or predict alternative futures—externalize the thinking or reasoning used to support intelligence judgments, which is especially important given the fact that in the secret competition between nation-states not all facts are known or knowable. But even SATs, when employed by humans, have come under scrutiny by experts like Chang, specifically for the lack of scientific testing that can evidence an SAT’s efficacy or logical validity.

As AI is expected to increasingly augment or automate analysis for the intelligence community, it has become urgent to develop and implement standards and methods, which are both scientifically sound and ethical for law enforcement and national security contexts. While intelligence analysts grapple with how to match AI’s opacity to the evidentiary standards and argumentation methods required for the law enforcement and intelligence contexts, the same struggle can be found in understanding analysts’ unconscious reasoning, which can lead to accurate or biased conclusions.

The Power and Pitfalls of AI for US Intelligence

Microsoft's legacy browser may be dead—but its remnants are not going anywhere, and neither are its lingering security risks.

After years of decline and a final wind-down over the past 13 months, on Wednesday Microsoft confirmed the retirement of Internet Explorer, the company’s long-lived and increasingly notorious web browser. Launched in 1995, IE came preinstalled on Windows computers for almost two decades, and like Windows XP, Internet Explorer became a mainstay—to the point that when it was time for users to upgrade and move on, they often didn’t. And while last week’s milestone will push even more users off the historic browser, security researchers emphasize that IE and its many security vulnerabilities are far from gone.

In the coming months, Microsoft will disable the IE app on Windows 10 devices, guiding users instead to its next-generation Edge browser, first released in 2015. The IE icon will still remain on users’ desktops, though, and Edge incorporates a service called “IE mode” to preserve access to old websites built for Internet Explorer. Microsoft says it will support IE mode through at least 2029. Additionally, IE will still work for now on all supported versions of Windows 8.1, Windows 7 with Microsoft’s Extended Security Updates, and Windows Server, though the company says it will eventually phase IE out in these, too.  

Seven years after the debut of Edge, industry analysis indicates that Internet Explorer may still hold more than half a percent of the total global browser market share. And in the United States, that share may be closer to as much as 2 percent.

“I do think we’ve made progress, and we probably won’t see as many exploits against IE in the future, but we will still have remnants of Internet Explorer for a long time that scammers can take advantage of,” says Ronnie Tokazowski, a longtime independent malware researcher. “Internet Explorer as the browser will be gone, but there are still pieces that exist.”

For something that’s been around as long as IE, backward compatibility is difficult to balance with the desire for a clean slate. “We haven’t forgotten that some parts of the web still rely on Internet Explorer’s specific behaviors and features,” Sean Lyndersay, the general manager of Microsoft Edge Enterprise, wrote in an IE retrospective on Wednesday, pointing to IE mode.

But he added that there was a real need to start over with Edge rather than trying to salvage IE. “The web has evolved and so have browsers,” he wrote last week. “Incremental improvements to Internet Explorer couldn’t match the general improvements to the web at large, so we started fresh.”

Microsoft says it will still support IE’s underlying browser engine, known as “MSHTML,” and it has its eye on versions of Windows still “used in critical environments.” But Maddie Stone, a researcher for Google’s Project Zero vulnerability hunting team, points out that hackers are still exploiting IE vulnerabilities in real-world attacks.

“Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we’ve ever tracked, even though Internet Explorer’s market share of web browser users continues to decrease,” she wrote in April, referring to previously unknown vulnerabilities, called zero-days. “Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn’t use Internet Explorer as their internet browser."

In her analysis, Stone particularly noted that while the number of new IE vulnerabilities Project Zero has detected has remained fairly constant, attackers have shifted over the years to increasingly target the MSHTML browser engine through malicious files like tainted Office documents. This could mean that neutering the IE application won’t immediately change attack trends that are already in motion.

Given how difficult it has been to rein in Internet Explorer at all, Microsoft and IE users around the world have certainly come a long way. But for a browser that’s supposed to be dead, IE still very much loads with the living.

Source

Wired