The Veterans Affairs’ VistA software has a vulnerability that could let an attacker “masquerade as a doctor,” a security researcher warns.

the U.S. Department of Veterans Affairs runs some interesting technology programs, but it's not known for being a flexible or nimble organization. And when it comes to electronic medical records, the VA has had a slow but high-stakes drama playing out for years. 

The department's records platform, VistA, first instituted in the late 1970s, is lauded as effective, reliable, and even innovative, but decades of underinvestment have eroded the platform. Multiple times throughout the 2010s, the VA has said it will replace VistA (short for Veterans Information Systems and Technology Architecture) with a commercial product, and the latest iteration of this effort is currently ongoing. In the meantime, however, security researchers are finding real security issues in VistA that could affect patient care. They want to disclose them to the VA and get the issues fixed, but they haven't found a way to do it because VistA itself is on death row.

At the DefCon security conference in Las Vegas on Saturday, Zachary Minneker, a security researcher with a background in health care IT, presented findings about a worrying weakness in how VistA encrypts internal credentials. Without an additional layer of network encryption (like TLS, which is now ubiquitous across the web), Minneker found that the home-brewed encryption developed for VistA in the 1990s to protect the connection between the network server and individual computers can be easily defeated. In practice, this could allow an attacker on a hospital's network to impersonate a health care provider within VistA, and possibly modify patient records, submit diagnoses, or even theoretically prescribe medications.

“If you were adjacent on the network without TLS, you could crack passwords, replace packets, make modifications to the database. In the worst-case scenario, you'd essentially be able to masquerade as a doctor,” Minneker tells WIRED. “This is just not a good access control mechanism for an electronic medical record system in the modern era.”

Minneker, who is a security engineer at the software-focused firm Security Innovation, only briefly discussed the findings during his DefCon talk, which was mostly focused on a broader security assessment of VistA and the database programming language MUMPS that underlies it. He has been attempting to share the finding with the VA since January through the department's vulnerability disclosure program and Bugcrowd third-party disclosure option. But VistA is out of scope for both programs. 

This may be because the VA is currently attempting to phase out VistA using a new medical records system designed by Cerner Corporation. In June, the VA announced that it would delay a general rollout of the $10 billion Cerner system until 2023, because pilot deployments have been plagued by outages and have led to almost 150 cases in which patients could potentially have been harmed. 

The VA did not return WIRED's multiple requests for comment about Minneker's findings or the broader situation with disclosing vulnerabilities in VistA. In the meantime, though, VistA is not only deployed across the VA health care system, it is also used elsewhere.

“There are all sorts of problems with the VA, but everybody loves VistA. It's one of the best EMRs in the world. It’s extremely flexible, whereas most EMRs are totally inflexible,” Minneker says. “And there are other hospitals that are running VistA that are not VA-related.”

Minneker did his assessment of VistA using an automated software-testing technique known as fuzzing, as well as manual code review. He was able to assess VistA's source code because the VA regularly posts a “Freedom of Information Act” version that includes all patches released for VistA.

Other researchers have attempted to raise awareness about the importance of securing MUMPS and VistA by investing more in the technology instead of less. At the open source software conference OSCON in 2010, health-care data researcher Fred Trotter argued that VistA shouldn't be written off, given its value.

“One of the things that really frustrates me with criticisms of MUMPS and VistA is, ‘It’s old software,’” Trotter said. “This is confusing to me because it’s not like an old dog. That dog won’t hunt anymore because it’s too old. Well, if software is merely old but still works really well, we have a name for that: It’s ‘stable.’”

The question for Minneker now is whether his presentation will spur public discussion about VistA security and illustrate the need to continue supporting and defending the massive system as long as it is in use.

“VistA is phenomenal, and it could be used more broadly instead of being decommissioned—it’s a beautiful dream,” Minneker says. “I just couldn't in good conscience be quiet about this problem.”

Flaw in the VA Medical Records Platform May Put Patients at Risk

Plus: Cisco gets hit by ransomware, Twilio gets phished, a new way to fight email spammers, and much more.

We’ve also looked at how new data rulings in Europe could stop Meta from sending data from the EU to the US, potentially prompting app blackouts across the continent. However, the decisions also have a wider impact: reforming US surveillance laws.

Also this week, a new phone carrier launched and it has a specific goal: protecting your privacy. The Pretty Good Phone Privacy or PGPP service, by Invisv, separates phone users from the identifiers linked to your device, meaning it can’t track your mobile browsing or link you to a location. The service helps to deal with a huge number of privacy problems. And if you want to enhance your security even more, here’s how to use Apple’s new Lockdown Mode in iOS 16.

But that’s not all. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

The Federal Trade Commission this week announced it has begun the process for writing new rules around data privacy in the United States. In a statement, FTC chair Lina Khan pressed the need for strong privacy rules that rein in the “surveillance economy” that she says is opaque, manipulative, and responsible for “exacerbating … inbalances of power.” Anyone can submit rules for the agency to consider between now and mid-October. And the FTC will hold a public “virtual event” on the issue on September 8.

Communications company Twilio said this week that “sophisticated” attackers successfully waged a phishing campaign that targeted its employees. The attackers sent text messages with malicious links and included words like “Okta,” the identity management platform that itself suffered a hack by the Lapsus$ hacker group earlier this year. Twilio later said that the scheme allowed the attackers to access the data of 125 customers. But the campaign didn’t stop there: Cloudflare later disclosed that it, too, was targeted by the attackers—although they were stopped by the company’s hardware-based multifactor authentication tools. As always, be careful what you click.

Elsewhere, enterprise technology giant Cisco disclosed that it became the victim of a ransomware attack. According to Talos, the company’s cybersecurity division, an attacker compromised an employee’s credentials after gaining access to a personal Google account, where they were able to access credentials synced from the browser. The attacker, identified as part of the Yanluowang ransomware gang, then “conducted a series of sophisticated voice phishing attacks” in an attempt to trick the victim into accepting a multifactor authentication request, which was ultimately successful. Cisco says the attacker was unable to gain access to critical internal systems and was eventually removed. However, the attacker claims to have stolen more than 3,000 files totaling 2.75 GB of data.

Meta’s WhatsApp is the world’s biggest end-to-end encrypted messaging service. While it may not be the best encrypted messenger—you’ll want to use Signal for the most protection—the app prevents billions of texts, photos, and calls from being snooped on. WhatsApp is now introducing some extra features to help improve people’s privacy on its app.

Later this month, you’ll be able to leave a WhatsApp group without notifying every member that you’ve left. (Only the group admins will be alerted). WhatsApp will also allow you to select who can and can’t see your “online” status. And finally, the company is also testing a feature that allows you to block screenshots on photos or videos sent using its “view once” feature, which destroys messages when they’ve been seen. Here are some other ways to boost your privacy on WhatsApp.

And finally, security researcher Troy Hunt is perhaps best known for his Have I Been Pwned website, which allows you to check whether your email address or phone number has been included in any of 622 website data breaches, totaling 11,895,990,533 accounts. (Spoiler: It probably has.) Hunt’s latest project is taking revenge on email spammers. He’s created a system, dubbed Password Purgatory, that encourages spammers emailing him to create an account on his website so they can work together to “truly empower real-time experiences.”

The catch? It’s not possible to meet all the password requirements. Each time a spammer tries to create an account, they’re told to jump through more hoops to create a proper password. For instance: “Password must end with dog” or “Password must not end in ‘!’” One spammer spent 14 minutes trying to create an account, attempting 34 passwords, before finally giving up with: catCatdog1dogPeterdogbobcatdoglisadog.

The Feds Gear Up for a Privacy Crackdown

An injection flaw allowed a researcher to access all files on a Mac. Apple issued a fix, but some machines may still be vulnerable.

Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.

The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read every file on a Mac or take control of the webcam, says Thijs Alkemade, a security researcher at Netherlands-based cybersecurity firm Computest who found the flaw. “It's basically one vulnerability that could be applied to three different locations,” he says.

After deploying the initial attack against the saved state feature, Alkemade was able to move through other parts of the Apple ecosystem: first escaping the macOS sandbox, which is designed to limit successful hacks to one app, and then bypassing the System Integrity Protection (SIP), a key defense designed to stop authorized code from accessing sensitive files on a Mac.

Alkemade—who is presenting the work at the Black Hat conference in Las Vegas this week—first found the vulnerability in December 2020 and reported the issue to Apple through its bug bounty scheme. He was paid a “pretty nice” reward for the research, he says, although he refuses to detail how much. Since then Apple has issued two updates to fix the flaw, first in April 2021 and again in October 2021.

When asked about the flaw, Apple said it did not have any comment prior to Alkemade’s presentation. The company’s two public updates about the vulnerability are light on detail, but they say the issues could allow malicious apps to leak sensitive user information and escalate privileges for an attacker to move through a system.

Apple’s changes can also be seen in Xcode, the company’s development workspace for app creators, a blog post describing the attack from Alkemade says. The researcher says that while Apple fixed the issue for Macs running the Monterey operating system, which was released in October 2021, the previous versions of macOS are still vulnerable to the attack.

There are multiple steps to successfully launching the attack, but fundamentally they come back to the initial process injection vulnerability. Process injection attacks allow hackers to inject code into a device and run code in a way that’s different to what was originally intended.

The attacks are not uncommon. “It's quite often possible to find the process injection vulnerability in a specific application,” Alkemade says. “But to have one that’s so universally applicable is a very rare find,” he says.

The vulnerability Alkemade found is in a “serialized” object in the saved state system, which saves the apps and windows you have open when you shut down a Mac. This saved state system can also run while a Mac is in use, in a process called App Nap.

When an application is launched, Alkemade says, it reads some files and tries to load them using an insecure version of the “serialized” object. “In all of Apple’s operating systems, these serialized objects are used all over the place, often for inter-process exchange of data,” the researcher writes in the blog post describing the attack. “The way the attack works is that you can create those files at the place another application will load them from,” Alkemade says. Essentially, a malicious “serialized object” is created and can make the system behave in ways it is not supposed to.

From here, Alkemade was able to escape the Mac app sandbox using the vulnerability—this was the first flaw that Apple fixed. By injecting the code into another application, it was possible to extend what the attack could do. Finally, Alkemade was able to bypass the System Integrity Protection that’s supposed to stop unauthorized code from reading or changing sensitive files. “I could basically read all of the files on the disk and also modify certain system files,” he says.

There is no evidence to date that the vulnerability has been exploited in the real world. However, the flaw shows how, in some instances, it may be possible for attackers to move through an entire operating system, increasingly being able to access more data. In the description for his talk, Alkemade says that as local security on macOS moves more toward an iOS model, this highlights that multiple parts of the system need to be reexamined.

A Single Flaw Broke Every Layer of Security in MacOS

The popular video meeting app makes it easy to keep the software up to date—but it also introduced vulnerabilities.

Many of us have been there: You fire up the Zoom app as you rush to join a meeting you’re already late for, and you’re hit with a prompt to download updates. If something like this has happened to you, you’re enrolled in Zoom's automatic update feature. 

Launched in its current form in November 2021 for Zoom’s Windows and Mac desktop apps, the feature aims to help users keep up with software patches. You enter your system password when you initially set up the feature, granting Zoom permission to install patches, then you never have to enter it again. Easy. But after noticing the feature, longtime Mac security researcher Patrick Wardle wondered whether it was a little too easy.

At the DefCon security conference in Las Vegas today, Wardle presented two vulnerabilities he found in the automatic update feature’s validation checks for the updates. For an attacker who already had access to a target Mac, the vulnerabilities could have been chained and exploited to grant the attacker total control of a victim’s machine. Zoom has already released fixes for both vulnerabilities, but onstage on Friday, Wardle announced the discovery of an additional vulnerability, one he hasn’t yet disclosed to Zoom, that reopens the attack vector.

“I was curious about exactly how they were setting this up. And when I took a look, it seemed on first pass that they were doing things securely—they had the right ideas,” Wardle told WIRED ahead of his talk. “But when I looked closer, the quality of the code was more suspect, and it appeared that no one was auditing it deeply enough.”

To automatically install updates after the user enters their password once, Zoom installs a standard macOS helper tool that Wardle says is widely used in development. The company set up the mechanism so only the Zoom application could talk to the helper. This way, no one else could connect and mess with things. The feature was also set up to run a signature check to confirm the integrity of the updates being delivered, and it specifically checked that the software was a new version of Zoom, so hackers couldn’t launch a “downgrade attack” by tricking the app into installing an old and vulnerable version of Zoom.

The first vulnerability Wardle found, though, was in the cryptographic signature check. (It’s a sort of wax-seal check to confirm the integrity and provenance of software.) Wardle knew from past research and his own software development that it can be difficult to truly validate signatures in the types of conditions Zoom had set up. Ultimately, he realized that Zoom’s check could be defeated. Imagine that you carefully sign a legal document and then put the piece of paper facedown on a table next to a birthday card that you signed more casually for your sister. Zoom’s signature check was essentially looking at everything on the table and accepting the random birthday card signature instead of actually checking whether the signature was in the right place on the right document. In other words, Wardle found that he could change the name of the software he was trying to sneak through to contain the markers Zoom was broadly looking for and get the malicious package past Zoom’s signature check.

“All you do is name your package in a certain way, and then you can fully bypass their cryptographic checks,” Wardle says.

In the second vulnerability Wardle found that, while Zoom had created a check to confirm that an update being delivered was a new version, he could get around this if he offered software that had passed the signature check directly to a flaw in how the updater app received software to distribute. Wardle found that using a Zoom tool known as updater.app, which facilitates Zoom’s actual update distribution, he could trick the distributor into accepting an old, vulnerable version of Zoom instead, after which an attacker could exploit old flaws to get full control.

“We have already resolved these security issues,” a Zoom spokesperson told WIRED in a statement. “As always, we recommend users keep up to date with the latest version of Zoom … Zoom also offers automatic updates to help users stay on the latest version.”

During his talk at DefCon, though, Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.

“The main reason I looked at this is that Zoom is running on my own computer,” Wardle says. “There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.”

To exploit any of these flaws, an attacker would need to already have an initial foothold in a target’s device, so you’re not in imminent danger of having your Zoom remotely attacked. But Wardle’s findings are an important reminder to keep updating—automatically or not.

Zoom’s Auto-Update Feature Came With Hidden Risks on Mac

FBI agents reportedly searched Mar-a-Lago for “nuclear documents.” That can fall into one of these four categories.

Yesterday evening, _the_ _Washington Post_ broke the blockbuster news that FBI agents who searched former President Trump’s Mar-a-Lago residence on Monday were looking for “nuclear documents,” a phrase that immediately set off alarms inside national security circles. The nation’s nuclear systems and plans are considered among the most sensitive and most narrowly known secrets.

Trump denied the report, calling the “nuclear weapons issue” a “hoax.” But assuming the _Post_’s reporting is correct, what could such a vague phrase as “nuclear documents” mean, and what could we learn about such a category?

Broadly speaking, the US intelligence and defense communities would possess four different categories of files that might be considered “nuclear documents”: nuclear weapon science and design; other countries’ nuclear plans, including the nuclear systems and command of allied nations (UK, France) and adversaries (Russia, China, North Korea, Iran), as well as countries whose nuclear programs exist in a more gray zone (Israel, India, Pakistan); details on the United States’ own nuclear weapons and deployments; and details on US nuclear command & control procedures, known in Pentagon parlance as NC2.

Each category of these documents would carry with it some unique classification peculiarities. And all of them exist at the so-called Above Top Secret level, because a simple Top Secret clearance on its own isn’t enough to access the files.

Security classification procedures really began only in the 20th century, and were codified during the Cold War into three standard levels of classification: Confidential, Secret, and Top Secret, each carrying with it increased levels of control, storage, and more intensive background checks.

Under US law, Top Secret is specifically used to denote “national security information or material which requires the highest degree of protection” and information where, if disclosed, “could reasonably be expected to cause exceptionally grave damage” to national security. Day-to-day, almost anything interesting that the US intelligence or military does exists at that “Top Secret” level. Many US intelligence and military personnel will joke that “confidential” and “secret” information is rarely much more interesting or informed than reading the day’s newspapers.

The wide tranche of operations and intelligence that technically counts as Top Secret means that nearly all sensitive positions in the US government—including FBI agents, many military personnel, and most intelligence officers and analysts—come with a Top Secret clearance and background check standard. All told, according to research conducted by _The Washington Post_ in the wake of 9/11, nearly a million Americans possess Top Secret clearances.

We’ve known since February that Donald Trump apparently took numerous documents from the White House, including documents classified at the Top Secret level. But the reporting this week has added two new wrinkles, both of which hint that the stuff hidden in Mar-a-Lago was even more sensitive.

That’s because virtually all the truly interesting secrets inside the US government aren’t just Top Secret, but come with additional levels of security clearance and special “need to know” access that restrict them even more tightly.

Nuclear science and design files, for instance, are uniquely classified as “Restricted Data.” These files are historically accessed through what’s known as a Q Clearance, a special background check and access protocol. (And yes, the Q Clearance is the “Q” in QAnon, a reference to that anonymous figure’s supposed clearance inside the US government.)

The Restricted Data designation was created by the Atomic Energy Act at the dawn of the Cold War and is now run by the Department of Energy, which oversees the nation’s nuclear weapon stockpiles and development. As nuclear historian Alex Wellerstein explained on Twitter today, the goal was to build a classification outside of the defense establishment that would allow scientific knowledge more flexibility than simply military applications.

“TS/RD” files are what’s known as “born classified,” in that, unlike other classified intelligence or scientific work, they are presumed to be highly classified from the moment of their creation. Effectively, rather than opting into classification, nuclear design and science have to opt out.

Meanwhile, NC2 documents—think documents relating to how the presidential nuclear football operates or how nuclear launch procedures would unfold—have historically had their own classification known as Extremely Sensitive Information (ESI), which again requires special access rights.

Some of the reporting around the Mar-a-Lago search, by ABC News’s Jonathan Karl and others, says that the FBI raid also pertained to what are known as Special Access Programs (SAPs), another unique classification category that usually deals with the most sensitive covert operations and technical capabilities of intelligence and defense systems. (The intelligence community has its own equivalent of the military’s SAPs, which are known as CAPs, or Controlled Access Programs.)

SAPs require someone to be “read into” the program specifically—meaning, they need to have a specific “need to know,” and the documents are carefully tracked to see who has read them and where they’re stored. Usually, individuals are “read into” an SAP in what amounts to a mini-ceremony of sorts, one that involves meeting with a specially cleared security officer and signing a specific nondisclosure agreement for that SAP. Over the course of an official’s career, the SAPs that they’re allowed access to are carefully tracked.

Beyond SAPs, which focus on capabilities, there’s another category of classified information known as SCI, “Sensitive Compartmented Information.” This designation is usually used for protecting what intelligence officials call “sources and methods.” Those could include the identity of a highly placed asset in a foreign government, for instance, or how the NSA has managed to technically penetrate a foreign military’s communication networks. According to _Newsweek_’s William Arkin, at least some of the documents sought in the FBI search related to “sources and methods.” And _The Wall Street Journal_ reported this afternoon that a list of items removed from Mar-a-Lago includes “various classified/TS/SCI documents.”

SAPs and SCI are known by their own codenames. For example, the long-standing classification for our satellite reconnaissance was TALENT KEYHOLE, so documents protected by it were labeled “TS/SCI TALENT KEYHOLE.” (FBI Director Christopher Wray, who presumably was part of the team that signed off on this week’s Mar-a-Lago search, was a bit player in the Bush administration showdown over one of the best known and most infamous recent SAPs, STELLAR WIND, an NSA wiretapping program created after 9/11.)

Interestingly, for the purposes of the Mar-a-Lago search, SAPs can also protect nuclear research and development as well as the highly secret and protected presidential and military NC2 communication systems, which are known by their own special clearance, YANKEE WHITE.

There are additional levels of document classification restriction the US government uses to show what can be shared with whom: ORCON, which means Originator Controlled, prohibits information from being shared outside of the department or agency where that document was created; NOFORN prohibits information from being shared with any foreign officials; and REL TO FVEY means that the information can be released to countries and officials that are part of the Five Eyes intelligence alliance along with the US: the UK, Canada, New Zealand, and Australia.

Almost regardless of the specifics, any of these “nuclear” categories—SCI, SAP, ESI, RD—denote and protect the most sensitive documents in the entire US government, and penalties for even an inadvertent security breach can be harsh.

Classified documents—and even just conversations about classified information—are never supposed to leave the special reading and conference rooms designed by the US government, known as SCIFs, or Sensitive Compartmented Information Facilities, which are sealed, windowless, specially built, and shielded to be impenetrable to electronic eavesdropping. (The US government even has special Airstream trailers modified to be portable SCIFs for Defense Department VIPs that travel aboard military cargo planes. And when high-level officials like the president travel, security officials build portable SCIFs inside hotel rooms.)

The Justice Department regularly prosecutes those who mishandle or incorrectly take classified documents out of such secure facilities.

Here’s What Trump’s ‘Nuclear Documents’ Could Be

The State Department organization has called for people to share details about five key members of the hacking group.

Since the Conti ransomware strain emerged in 2020, its operators have caused havoc around the world. They have used it to cripple hospitals, attack governments, and extort countless businesses. These criminal hackers have targeted more than 1,000 organizations, earning over $180 million last year alone. Now, the US government is upping its fight against the group, identifying members of the gang for the first time and aiming to expose their potential ties to the Russian state.

Today, the Rewards for Justice mission, an organization within the US State Department that handles national security rewards, is announcing new bounties of up to $10 million for anyone who provides useful information about individual members of Conti. Specifically, the agency has called for people to share details about five key members of the Conti group: actors using the handles Professor, Reshaev, Tramp, Dandis, and Target.

Rewards for Justice has also published an alleged photo of the person believed to be Target. In the picture, a middle-aged man is wearing a hat with ear flaps, a black T-shirt, and a dark-colored jacket. It is one of the first times that the potential real-world identity of a member of the Conti gang has been publicly exposed.

Illustration: Rewards for Justice/US Department of State

“Today marks the first time that the US government has publicly identified a Conti operative,” says a State Department official who asked not to be named and did not provide any more information about Target’s identity beyond the picture. “That photo is the first time the US government has ever identified a malicious actor associated with Conti,” they say, adding they are looking for information ranging from names of the individuals to their physical locations to their vacation and travel plans. (Many cybercriminals based in Russia will not travel abroad due to fears of arrest.)

The move from the State Department signifies Conti’s uniquely dangerous role in the world of ransomware. Often known as Wizard Spider, or part of the wider Trickbot cybercrime syndicate, the group is run and organized like any small- or medium-sized business. Earlier this year, Conti’s innermost secrets were exposed by a Ukrainian cybersecurity researcher who published 60,000 of its internal messages after Conti backed Vladimir Putin’s full-scale invasion of Ukraine. The leaked information has been dubbed the Conti Files.

Conti and the wider Trickbot group are thought to have more than 100 different members, each working within individual departments. According to their leaked chats, they ask for holiday time off, are paid regularly, and are professional in their approach to extorting victims. The leaks even showed that the group has tried to develop a cryptocurrency payments platform. When Conti attacked the Costa Rican government earlier this year—disrupting more than 30,000 medical appointments—a separate $10 million reward was issued.

The Rewards for Justice program is separate from other rewards programs across the US and focuses on national security issues, such as foreign election interference and North Korean hacking groups. “\[Conti\] is viewed as a national security threat because we believe, and we are seeking more information to confirm, that they are associated with a foreign government,” the state department official says. “They have been involved in malicious cyberactivity against our critical infrastructure. We view them as a national security threat.”

Many members of Conti are believed to be based in Russia or surrounding regions. For years, the Kremlin has largely turned a blind eye to cybercriminals based in the country, making it a home base for several ransomware groups. The leaked Conti Files revealed that some high-level members of the gang appear to have connections to the Russian state and security services. Members of the group have chatted about working on “political” subjects and knowing members of the Russian hacking group Cozy Bear, also known as Advanced Persistent Threat 29.

“Conti has publicly acknowledged its connection with foreign governments, specifically its support of the Russian government,” says US Air Force major Katrina Cheesman, a spokesperson for the Cyber National Mission Force. “Based on its ties to Conti and other indicators, it is assessed that the leadership of the organized crime group known as Wizard Spider likely have a connection to government entities inside of Russia,” Cheesman adds.

Since the Conti Files were leaked in early March, multiple cybersecurity firms have pored over the documents. It is believed that Professor, who is included in the reward program’s call for information and is also involved in Trickbot, oversees much of the ransomware deployment and is a “significant player” in the operation, according to security experts. In other cases, several online monikers used by actors of the Conti group may, in fact, refer to the same person.

Aside from the Conti Files, there have been other leaks from the wider cybercrime syndicate. Earlier this year, a Twitter account called Trickleaks started posting the alleged names and personal details of Trickbot members. The doxxing, which has not been independently verified but is believed to be at least partly accurate, shows photos of alleged members and their social media accounts, passport details, and more.

Jeremy Kennelly, a senior manager in financial crime analysis at cybersecurity firm Mandiant, says that continued action against Conti and Trickbot is “critical” in helping prevent ransomware groups from making money and attacking businesses. “Stripping anonymity from key players, offering bounties, seizing illicit funds, and making public declarations of intent are important actions that may help to increase the real and perceived risks of engaging in ransomware operations and may ultimately lead to a chilling effect among some criminal actors and/or organizations,” Kennelly says.

The Rewards for Justice officials say that they will be publishing their call for information about the Conti members in multiple languages and urge people to get in touch via a Tor link. All of the tips they receive will be verified, and any lead must pass multiple steps before a payment is made. They say it is theoretically possible that multiple $10 million rewards could be issued. The officials are specifically targeting Russian-language online spaces, saying the reward details will be posted to Russian social network VK and also hacking forums.

In recent weeks, Conti’s activities have dwindled, as it is believed the group is attempting to rebrand following the leak of its internal chats. However, many of the members are still thought to be active and involved in other cybercrime efforts. These kinds of ransomware attacks can have a huge impact on businesses and wider society.

“While these are not state-sponsored groups, they routinely carry out attacks as impactful as any nation-state group, and they need to be treated as such,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “This likely won’t lead to the arrest of members of Conti, unless any of them are dumb enough to step foot outside of Russia. The intelligence that might be gathered through this reward could prove to be invaluable.”

The US Offers a $10M Bounty for Intel on Conti Ransomware Gang

The Zero Day Initiative has found a concerning uptick in security updates that fail to fix vulnerabilities.

The whole purpose of vulnerability disclosure is to notify software developers about flaws in their code so they can create fixes, or patches, and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative is calling out a “disturbing trend” at the Black Hat security conference in Las Vegas today and announcing a plan to apply some counterpressure.

ZDI, which has been owned by the security firm Trend Micro since 2015, is a program that buys vulnerability findings from researchers and handles disclosure to vendors. In exchange, Trend Micro, which makes an antivirus tool and other defense products, gets a wealth of information and telemetry that it can use to track research and hopefully protect its customers. The group estimates that it has handled roughly 1,700 disclosures so far this year. But ZDI says that from its bird’s eye view, the quality of vendor patches overall has been slipping in recent years. 

More and more often, the group buys a bug from a researcher, it gets patched, and soon afterward ZDI is buying another report about how to bypass the patch, sometimes with multiple rounds of patching and circumvention. ZDI also says it has noticed a worrying trend of companies disclosing less specific information about vulnerabilities in their public security alerts, making it more difficult for users around the world to assess how serious a vulnerability is and formulate patch prioritization—a real concern for big institutions and critical infrastructure.

 “Over the last few years, we’ve really noticed that the quality of security patches has noticeably declined,” says ZDI member Dustin Childs. “There’s no accountability for having incomplete or faulty patches.”

ZDI researchers say that bad patches happen for a variety of reasons. Figuring out how to fix software flaws can be a nuanced and delicate process, and sometimes companies lack the expertise or haven’t made the investment to generate elegant solutions to these important problems. Organizations may be rushing to close bug reports and clear their slate and may not take the time needed to conduct “root cause” or “variant" analysis and assess underlying issues so deeper problems can be comprehensively fixed.

Regardless of the reason, bad patches are a real concern. At the end of June, Google’s Project Zero bug-hunting team reported that of the novel vulnerabilities being exploited in the wild it has tracked so far in 2022, at least half are variants of previously patched flaws.

“A combination of things over time has led us to believe that we actually have a more serious problem than most people understand,” says Brian Gorenc, who runs ZDI. 

Like other organizations heavily involved in disclosure, including Project Zero, ZDI gives developers a deadline for how long they have to issue a patch before details about the vulnerability in question get published publicly. ZDI’s standard deadline is 120 days from disclosure. But in reaction to the epidemic of bad patches, today the group is announcing a new set of deadlines for bugs that have been previously patched. 

Depending on the severity of the flaw, how easy it is to bypass the patch, and how likely ZDI thinks it is that the vulnerability will be exploited by attackers, the group will now set deadlines of 30 days for critical flaws, 60 days for bugs where the existing patch provides some protection, and 90 days for all other cases. The move follows a tradition of using public disclosure as an important point of leverage—one of the few that security proponents have—to spur necessary improvements in how developers handle high-stakes software flaws that potentially impact users around the world.

“The weaponization of failed patches in various vulnerabilities is absolutely being used in the wild right now,” ZDI’s Childs says. “It’s a real problem that has real consequences to the user, and we’re trying to incentivize vendors to get it right the first time.”

Sloppy Software Patches Are a ‘Disturbing Trend’

The company says an expansion of privacy features in Messenger is unrelated to a high-profile Nebraska abortion case.

A Nebraska woman and her 17-year-old daughter are facing felony and misdemeanor charges related to allegedly performing an abortion after 20 weeks, which has long been illegal in the state, and concealing a body. Reports from _The Lincoln Journal Star_ and _Motherboard_ revealed this week that law enforcement collected evidence for the charges in part by soliciting data from Meta with a warrant that ordered the company to hand over records from the 17-year-old's Messenger chat histories. While Meta was complying with a lawful court order, the company would not have been able to produce the chats had the participants been using end-to-end encryption, a feature Meta has long promised to turn on for all users by default.

Meanwhile, in a move that Meta says is totally unrelated, the social media giant announced this morning that it is testing expansions of end-to-end encrypted messaging on Messenger.

The company has been promising full-scale default deployment of the privacy feature since 2016. CEO Mark Zuckerberg even committed in 2019 to implement end-to-end encryption across all of its chat apps. But the company has faced technical and political challenges that have delayed the full rollout year after year, forcing Meta to fall back on gradual, incremental steps instead. The social giant currently says that it is driving toward a “global rollout of default end-to-end encryption for personal messages and calls in 2023."

For now, though, the company continued the slow march today, saying that it is testing a group of new encryption-related features and initiatives. This week, Meta will expand the number of chats between certain people that automatically have end-to-end encryption turned on. This means those users won't have to opt-in to enable the protection. Similarly, the company says that it will “soon” broaden the number of users who can opt into end-to-end encryption on Instagram Direct Messenger. 

Beginning this week, Meta is also testing a “secure storage” feature for end-to-end encrypted chats, so users can back up their messages in case they lose a device or get a new one and want to restore their chat history. The company says this secure backup feature will be the default for end-to-end encrypted chats on Messenger with the option to lock the backups with a PIN or a generated code. Users will also be able to opt-out of the backups and turn the feature off.

When asked directly whether the timing of the announcement was related to revelations about the Nebraska case, Meta spokesperson Alex Dziedzan told WIRED, “This is not a response to any law enforcement requests.” He added, “We've had this date in the diary for months, but the short notice is because Messenger product teams have been finalizing the tests that are going live. These tests will start \[Thursday\]. We want people to hear about these tests from us before they see changes in the app.”

Dziedzan also cited a talk Meta engineers are giving at the Crypto academic cryptography conference in Santa Barbara this weekend as a reason for the timing.  

Meta said in a statement on Tuesday that it received warrants related to the Nebraska case on June 7, before the United States Supreme Court released its decision in the _Dobbs v. Jackson_ reproductive rights case. The company added that the warrants it received did not mention abortion and that they came with non-disclosure orders that have since been lifted.

For privacy advocates, though, the Nebraska case clearly illustrates the value and the stakes of deploying default end-to-end encryption.

“Having end-to-end encrypted communications by default has never been more important,” says Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory. “Making it work for billions of people across multiple services is a daunting challenge, and Meta has to proceed carefully to make sure they get it right. But from the war in Ukraine to a teenage girl in Nebraska who needed abortion care, we’ve seen how strong encryption—or the lack thereof—can make a huge difference in the lives of real people.”

Meta Just Happens to Expand Messenger's End-to-End Encryption

The Raspberry Pi-powered device can scan for phones around you. If it keeps spotting the same one, it’ll send you an alert.

Matt Edmondson, a federal agent with the Department of Homeland Security for the last 21 years, got a call for help last year. A friend working in another part of government—he won’t say which one—was worried that someone might have been tailing them when they were meeting a confidential informant who had links to a terrorist organization. If they were being followed, their source’s cover may have been blown. “It was literally a matter of life and death,” Edmondson says.

“If you’re trying to tell whether you’re being followed, there are surveillance detection routes,” Edmondson says. If you’re driving, you can change lanes on a freeway, perform a U-turn, or change your route. Each can help determine whether a car is following you. But it didn’t feel like enough, Edmondson says. “He had those skills, but he was just looking for an electronic supplement,” Edmondson explains. “He was worried about the safety of the confidential informant.”

After not finding any existing tools that could help, Edmondson, a hacker and digital forensics expert, decided to build his own anti-tracking tool. The Raspberry Pi-powered system, which can be carried around or sit in a car, scans for nearby devices and alerts you if the same phone is detected multiple times within the past 20 minutes. In theory it can alert you if a car is tailing you. Edmondson built the system using parts that cost around $200 in total, and will present the research project at the Black Hat security conference in Las Vegas this week. He’s also open-sourced its underlying code.

The anti-tracking tool is made up of a Raspberry Pi, wireless signal detectors, and a battery pack.

Photograph: Matt Edmondson

In recent years there’s been an explosion in the number of ways people can be tracked by domestic abusers, stalkers, or those in the murky world of government-backed espionage. Tracking can either be software- or hardware-based. Stalkerware and spyware that can be installed directly on people’s phones can give attackers access to all your location data, messages, photos, videos, and more, while physical trackers—such as Apple’s AirTags—have been used to track where people are in real time. (In response to criticism, Apple has added some anti-tracking tools to AirTags.)

A quick search online reveals plenty of tracking tools, which are easy to buy. “There’s so much out there to spy on people, and so little to help people who are wondering whether they're being spied on,” Edmondson says.

The homemade system works by scanning for wireless devices around it and then checking its logs to see whether they also were present within the past 20 minutes. It was designed to be used while people are on the move rather than sitting in, say, a coffee shop, where it would pick up too many false readings.

The anti-tracking tool, which can sit inside a shoebox-sized case, is made up of a few components. A Raspberry Pi 3 runs its software, a Wi-Fi card looks for nearby devices, a small waterproof case protects it, and a portable charger powers the system. A touchscreen shows the alerts the device produces. Each alert may be a sign that you are being tailed.

The device runs Kismet, which is a wireless network detector, and is able to detect smartphones and tablets around it that are looking for Wi-Fi or Bluetooth connections. The phones we use are constantly looking for wireless networks around them, including networks they’ve connected to before as well as new networks.

Edmondson says Kismet makes a record of the first time it sees a device and then the most recent time it was detected. But to make the anti-tracking system work, he had to write code in Python to create lists of what Kismet detects over time. There are lists for devices spotted in the past five to 10 minutes, 10 to 15 minutes, and 15 to 20 minutes. If a device appears twice, an alert flashes up on the screen. The system can show a phone’s MAC address, although this is not much use if it’s been randomized. It can also record the names of Wi-Fi networks that devices around it are looking for—a phone that’s trying to connect to a Wi-Fi network called Langley may give some clues about its owner. “If you have a device on you, I should see it,” he says. In an example, he showed WIRED that a device was looking for a network called SAMSUNGSMART.

To stop the system from detecting your own phone or those of other people traveling with you, it has an “ignore” list. By tapping one of the device’s onscreen buttons, it’s possible to “ignore everything that it has already seen.” Edmondson says that in the future, the device could be modified to send a text alert instead of showing them on the screen. He is also interested in adding the capability to detect tire-pressure monitoring systems that could show recurring nearby vehicles. A GPS unit could also be added so you can see where you were when you were being tracked, he says.

“It’s purely designed to try to tell you that you’re seeing something now that you were also seeing a few minutes ago,” Edmondson says. “This isn’t designed to follow people in any way, shape, or form.” The hacker says he lives near the desert, so he tested the system in his car while driving around places where nobody else was, carrying multiple phones with him that could be detected by the tool. Edmondson says he believes the tool can be effective, since even spies working for a government still carry devices.“You still have your phone in your pocket,” he says. “You still have your phone on the seat sitting next to you, or in the center console.”

Edmondson has no plans to make the device into a commercial product, but he says the design could easily be copied and reused by anyone with some technical knowledge. Many of the parts involved are easy to obtain or may be lying around the homes of people in tech communities.

Ultimately, he says, the tech community needs to take tech-enabled tracking and surveillance more seriously. “It was really kind of disheartening and depressing to look at the ratio of tools to spy on people versus tools to help you not get spied on,” he says, adding that a person close to him has been the victim of a stalker in the past. In the case of his clandestine friend in another government department, the anti-tracking device was useful. “It was really designed to help someone who came to me asking for help,” he says. Fortunately for Edmondson’s friend (and his source), they used it in the real world, and the device didn’t find anyone following them.

This Anti-Tracking Tool Checks If You’re Being Followed

Before the flagship phone ever landed in users’ hands, the security team thoroughly hacked it by finding bugs and developing exploits.

When Google launched the Pixel 6 and 6 Pro in October 2021, key features included its custom Tensor system-on-a-chip processor and the security benefits of its onboard Titan M2 security chip. But with so much new equipment launching at once, the company needed to be extra careful that nothing was overlooked or went wrong. At the Black Hat security conference in Las Vegas today, members of the Android red team are recounting their mission to hack and break as much as they could in the Pixel 6 firmware before launch—a task they accomplished. 

The Android red team, which primarily vets Pixel products, caught a number of important flaws while attempting to attack the Pixel 6. One was a vulnerability in the boot loader, the first piece of code that runs when a device boots up. Attackers could have exploited the flaw to gain deep device control. It was particularly significant because the exploit could persist even after the device was rebooted, a coveted attack capability. Separately, the red teamers also developed an exploit chain using a group of four vulnerabilities to defeat the Titan M2, a crucial finding, given that the security chip needs to be trustworthy to act as a sort of sentry and validator within the phone.

“This is the first proof of concept ever to be publicly talked about getting end-to-end code execution on the M2 Titan chip,” Farzan Karimi, one of the red team leads, told WIRED ahead of the talk. “Four vulnerabilities were chained to create this, and not all of them were critical on their own. It was a mixture of highs and moderate severity that when you chain them together creates this impact. The Pixel developers wanted a red team to focus these types of efforts on them, and they were able to patch the exploits in this chain prior to release.”

The researchers say that the Android red team prioritizes not just finding vulnerabilities but spending time developing real exploits for the bugs. This creates a better understanding of how exploitable, and therefore critical, different flaws really are and sheds light on the range of possible attack paths so the Pixel team can develop comprehensive and resilient fixes.

Like other top red teams, the Android group uses an array of approaches to hunt for bugs. Tactics include manual code review and static analysis, automated methods for mapping how a codebase functions, and looking for potential problems in how the system is set up and how different components interact. The team also invests significantly in developing tailored “fuzzers” that it can then hand off to teams across Android to catch more bugs while development is first going on.

“A fuzzer is basically a tool that throws malformed data and junk at a service to get it to crash or reveal some security vulnerability,” Karimi says. “So we build these fuzzers and hand them off so other teams can continuously run them throughout the year. It’s a really nice thing that our red team has accomplished outside of finding bugs. We’re really institutionalizing fuzzing.”

The idea across Android, in general, is to bake security assessments and improvements into the development process as early as possible to avoid costly mistakes later. In the Black Hat talk, the researchers will also be highlighting some of the types of bugs they are most focused on looking for to try to stay ahead of trends in attacker exploitation.

For example, the researchers have been hunting for vulnerabilities in the cellular communication tech that’s baked into Pixels and every smartphone. “We’re actively invested in that area, and what I can say is that it’s 100 percent worth the effort,” Karimi says. And he adds that the biggest type of vulnerability the group has its eye on right now is “race condition” bugs, in which attackers take advantage of the sequence or timing of an uncontrollable event and inject themselves into a software interaction at the opportune time to gain unintended system access.

“Imagine you’re setting up a profile on a … smartwatch,” Karimi says. “Maybe the system tries to run commands and the attacker injects their own commands during that process to submit or execute malicious code that they control. We’re thinking about unique ways to tackle this.”

In part, the red team’s job is to set priorities and bet on the right security horses to protect Pixel users around the world.

“Pixel 6 was a complete transformation of prior generation phones, and it was our job to red team it and secure it,” Karimi says. “We were looking at all this attack surface and testing what we felt is at most risk within about a year and half of time. There are 100 things you have to look at, and they’re all high priority. So you have to be selective about what’s the lowest level of effort for an attacker to abuse and start with that.”

Source

Wired