Newly disclosed breaches of Microsoft and Hewlett-Packard Enterprise highlight the persistent threat posed by Midnight Blizzard, a notorious Russian cyber-espionage group.

Microsoft and Hewlett-Packard Enterprise (HPE) both recently disclosed that they suffered corporate email breaches at the hands of Russia's “Midnight Blizzard” hackers.

The group, which is tied to the Kremlin's SVR foreign intelligence, is specifically linked to SVR's APT 29 Cozy Bear, the gang that meddled in the United States 2016 presidential election, has conducted aggressive government and corporate espionage around the world for years, and was behind the infamous 2021 SolarWinds supply chain attack. While both HP's and Microsoft's breaches came to light within days of each other, the situation mainly illustrates the ongoing reality of Midnight Blizzard's international espionage activities and the lengths it will go to to find weaknesses in organizations' digital defenses.

“We shouldn't be surprised that Russian intelligence-backed threat actors, and SVR in particular, are targeting tech companies like Microsoft and HPE. With organizations that size, it would be a much bigger surprise to learn they weren't,” says Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security.

HP Enterprise said in a US Securities and Exchange Commission submission posted on Wednesday that Midnight Blizzard gained access to its “cloud-based email environment” last year. The company first learned about the situation on December 12, 2023, but said that the attack began in May 2023. Hackers “accessed and exfiltrated data … from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company wrote in the SEC filing. HP Enterprise said the breach likely came about as the result of another incident, discovered in June 2023, in which Midnight Blizzard also accessed and exfiltrated company “SharePoint” files beginning as early as May 2023. SharePoint is a much-targeted cloud collaboration platform made by Microsoft that integrates with Microsoft 365.

“The accessed data is limited to information contained in the HPE users’ email boxes,” HP Enterprise spokesperson Adam Bauer told WIRED in a statement. “We continue to investigate and analyze these mailboxes to identify information that could have been accessed and will make appropriate notifications as required.”

Meanwhile, Microsoft said on Friday that it detected a system intrusion on January 12 tied to a November 2023 breach. The attackers targeted and compromised some historic Microsoft system test accounts that then allowed them to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there the group was able to exfiltrate “some emails and attached documents.” Microsoft noted in its disclosure that the attackers appeared to be seeking information about Microsoft's investigations and knowledge of Midnight Blizzard itself.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company wrote in its disclosure. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

In an August 2022 report from the threat intelligence firm Mandiant, incident response leader Doug Bienstock wrote that the firm “continues to identify APT29 operations targeting the United States' (US) interests, and those of NATO and partner countries.” He noted that even though the hacking group is widely known, it has continued to be “extremely prolific” and returns to target certain victims multiple times over months or even years. “This persistence and aggressiveness are indicative of sustained interest in this information and strict tasking by the Russian Government,” Bienstock wrote, adding, “Mandiant has observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365.”

While Midnight Blizzard is far from a new threat, researchers point out that it's always productive to have renewed attention on the issue of persistent state-backed espionage. Williams, of the Institute for Applied Network Security, also highlights the hackers' counterintelligence goals in the recent Microsoft breach—that Midnight Blizzard appeared to be specifically interested in learning what company executives know about their group and methods.

"I'm not surprised that the threat actors were observed looking for what information Microsoft had on them,” Williams says. “But it's a great piece of evidence to remind us that threat actors are regularly monitoring our own investigative efforts as defenders.”

Big-Name Targets Push Midnight Blizzard Hacking Spree Back Into the Limelight

From repeatedly crippling thousands of gas stations to setting a steel mill on fire, Predatory Sparrow’s offensive hacking has now targeted Iranians with some of history's most aggressive cyberattacks.

About eight minutes after 3 am on June 27, 2022, inside the Khouzestan steel mill near Iran's western coastline on the Persian Gulf, a massive lid lowered onto a vat of glowing, molten metal. Based on footage from a surveillance camera inside the plant, the giant vessel was several times taller than the two workers in gray uniforms and hardhats standing nearby, likely large enough to carry well over a hundred tons of liquid steel heated to several thousand degrees Fahrenheit.

In the video, the two workers walk out of frame. The clip jump-cuts forward 10 minutes. Then suddenly, the giant ladle is moving, swinging steadily toward the camera. A fraction of a second later, burning embers fly in all directions, fire and smoke fill the factory, and incandescent, liquid steel can be seen pouring freely out of the bottom of the vat onto the plant floor.

Written across the bottom of the video is a kind of disclaimer from Predatory Sparrow, the group of hackers who took credit for this cyber-induced mayhem and posted the video clip to their channel on the messaging service Telegram: “As you can see in this video,” it reads, “this cyberattack has been carried out carefully so to protect innocent individuals.”

A close watch of the video, in fact, reveals something like the opposite: Eight seconds after the steel mill catastrophe begins, two workers can be seen running out from underneath the ladle assembly, through the shower of embers, just feet away from the torrent of flaming liquid metal. “If they were closer to the ladle egress point, they would have been cooked,” says Paul Smith, the chief technology officer of industrial-focused cybersecurity firm SCADAfence, who analyzed the attack. “Imagine getting hit by 1,300-degrees-Celsius molten steel. That's instant death.”

A clip from a video posted by Predatory Sparrow hacker group showing the effects of its cyberattack on Khouzestan steel mill in Iran. Although the group claims in the video’s text to have taken care to protect “innocent individuals,” two steelworkers can be seen (circled in red) narrowly escaping the spill of molten metal and the resulting fire that the hackers triggered.

Predatory Sparrow via Telegram

The Khouzestan steel mill sabotage represents one of only a handful of examples in history of a cyberattack with physically destructive effects. But for Predatory Sparrow, it was just a part of a years-long career of digital intrusions that includes several of the most aggressive offensive hacking incidents ever documented. In the years before and after that attack—which targeted three Iranian steelworks, though only one intrusion successfully caused physical destruction—Predatory Sparrow crippled the country's railway system computers and disrupted payment systems across the majority of Iran's gas station pumps not once but twice, including in an attack last month that once again disabled point-of-sale systems at more than 4,000 gas stations, creating a nationwide fuel shortage.

In fact, Predatory Sparrow, which typically refers to itself in public statements by the Farsi translation of its name, Gonjeshke Darande, has been tightly focused on Iran for years, long before Israel's war with Hamas further raised tensions between the two countries. Very often the hackers target the Iranian civilian population with disruptive attacks that follow Iran's own acts of aggression through hacking or military proxies. The latest gas station attack, for instance, came after Iran-linked hackers compromised Israeli-made equipment at water utilities around the world and Iran-backed Houthi rebels launched missiles at Israel and attacked shipping vessels in the Red Sea. “Khamenei!” Predatory Sparrow wrote in Farsi on its Twitter feed, addressing Iran's supreme leader. “We will react against your evil provocations in the region.”

While Predatory Sparrow maintains the veneer of a hacktivist group—often affecting the guise of one that is itself Iranian—its technical sophistication hints at likely involvement from a government or military. US defense sources speaking to _The New York Times_ in 2021 linked the hackers to Israel. Yet some cybersecurity analysts who track the group say that even as it carries out attacks that fit most definitions of cyberwar, one of its hallmarks is restraint—limiting the damage it could cause while demonstrating it could have achieved more. Attempting to achieve an _appearance_ of restraint, at least, might be more accurate: The physical endangerment of at least two Khouzestan staffers in its steel mill attack represents a glaring exception to its claims of safety.

Predatory Sparrow is distinguished most of all by its apparent interest in sending a specific geopolitical message with its attacks, says Juan Andres Guerrero-Saade, an analyst at cybersecurity firm SentinelOne who has tracked the group for years. Those messages are all variations on a theme: If you attack Israel or its allies, we have the ability to deeply disrupt your civilization. “They're showing that they can reach out and touch Iran in meaningful ways,” Guerrero-Saade says. “They're saying, ‘You can prop up the Houthis and Hamas and Hezbollah in these proxy wars. But we, Predatory Sparrow, can dismantle your country piece by piece without having to move from where we are.’”

Here's a brief history of Predatory's short but distinguished track record of hyper-disruptive cyberattacks.

2021: Train Chaos

In early July of 2021, computers showing schedules across Iran's national railway system began to display messages in Farsi declaring the message “long delay because of cyberattack,” or simply “canceled,” along with the phone number of the office of Iran's Supreme Leader Ali Khamenei, as if to suggest that Iranians call the number for updates or to complain. SentinelOne's Guerrero-Saade analyzed the malware used in the attack, which he dubbed Meteor Express, and found that the hackers had deployed a three-stage wiping program that destroyed computers' file systems, locked out users, and then wiped the master boot record that machines use to locate their operating system when they start up. Iran's Fars radio station reported that the result of the cyberattack was “unprecedented chaos,” but it later deleted that statement.

Around the same time, computers across the network of Iran's Ministry of Roads and Urban Development were hit with the wiper tool, too. Analysis of the wiper malware by Israeli security firm CheckPoint revealed that the hackers had likely used different versions of the same tools years earlier while breaking into Iran-linked targets in Syria, in those cases under the guise of a hacker group named for the Hindu god of storms, Indra.

“Our goal of this cyber attack while maintaining the safety of our countrymen is to express our disgust with the abuse and cruelty that the government ministries and organizations allow to the nation,” Predatory Sparrow wrote in a post in Farsi on its Telegram channel, suggesting that it was posing as an Iranian hacktivist group as it claimed credit for the attacks.

2021: Gas Station Paralysis

Just a few months later, on October 26, 2021, Predatory Sparrow struck again. This time, it targeted point-of-sale systems at more than 4,000 gas stations across Iran—the majority of all fuel pumps in the country—taking down the system used to accept payment by gasoline subsidy cards distributed to Iranian citizens. Hamid Kashfi, an Iranian emigré and founder of the cybersecurity firm DarkCell, analyzed the attack but only published his detailed findings last month. He notes that the attack's timing came exactly two years after the Iranian government attempted to reduce fuel subsidies, triggering riots across the country. Echoing the railway attack, the hackers displayed a message on fuel pump screens with the Supreme Leader's phone number, as if to blame Iran's government for this gas disruption, too. “If you look at it from a holistic view, it looks like an attempt to trigger riots again in the country,” Kashfi says, “to increase the gap between the government and the people and cause more tension.”

The attack immediately led to long lines at gas stations across Iran that lasted days. But Kashfi argues that the gas station attack, despite its enormous effects, represents one where Predatory Sparrow demonstrated actual restraint. He inferred, based on detailed data uploaded by Iranian incident responders to the malware repository VirusTotal, that the hackers had enough access to the gas stations' payment infrastructure to have destroyed the entire system, forcing manual reinstallation of software at gas stations or even reissuing of subsidy cards. Instead, they merely wiped the point-of-sale systems in a way that would allow relatively quick recovery.

Predatory Sparrow even went so far as to claim on its Telegram account that it had emailed the vendor for the point-of-sale systems, Ingenico, to warn the company about an unpatched vulnerability in its software that could have been used to cause more permanent disruption to the payment system. (Curiously, an Ingenico spokesperson tells WIRED its security team never received any such email.)

Predatory Sparrow also wrote on Telegram that it had sent text messages to Iran's civilian emergency services, posting screenshots of its warnings to those emergency services to fuel up their vehicles prior to the attack. “You don't see that often, right?” Kashfi says. “They chose to do very clean, controlled damage.”

2022: Steel Mill Meltdown

In June of 2022, Predatory Sparrow carried out one of the most brazen acts of cybersabotage in history, triggering the spillage of molten steel at Iran's Khouzestan steel mill that caused a fire in the facility.

To prove that it had carried out the attack and had not merely claimed credit for an unrelated industrial accident, the hackers posted a screenshot to Telegram of the so-called human-machine interface, or HMI software, that the steelworks used to control its equipment. Paul Smith, the SCADAfence CTO who investigated the incident, quickly found a page on the website of the Iranian IT firm Irisa that listed the Khouzestan steel mill as one of its projects, matching the Irisa logo on the HMI screenshot.

Smith says he also found that both the HMI software and the surveillance camera that Predatory Sparrow used to record a video of its attack were connected to the internet and discoverable on Shodan, a search engine that catalogs vulnerable internet-of-things devices. Smith, who has a background working in steel mills, theorizes that the attack's damage was caused when the hackers used their access to the HMI to bypass a “degassing” step in the steel refining process that removes gases trapped in molten steel, which can otherwise cause explosions. He speculates that it was exactly that sort of explosion of gases trapped in the molten steel that caused the ladle to move and pour its contents on the factory floor.

A still from Predatory Sparrow’s video shows the Khouzestan steel mill prior to the hackers’ cyberattack…

Predatory Sparrow via Telegram

..then after the attack begins, as embers, fire and smoke fill the factory…

Predatory Sparrow via Telegram

…caused by a spill of burning liquid steel onto the factory floor, visible here.

Predatory Sparrow via Telegram

Predatory Sparrow touted in its video, which it posted to Telegram, that it had carried out the attack “carefully so to protect innocent individuals,” suggesting that it had monitored the surveillance footage to make sure no humans were in danger. Smith doesn't buy that claim. Even beyond the two Iranian steelworkers forced to run through flying embers, feet away from burning liquid metal, he argues that the viewer can't see who else might have been in harm's way. “You don't know if anyone was hurt,” Smith says.

The Khouzestan steel mill was just one of three steel facilities that Predatory Sparrow breached in its intrusions, though those operations weren't solely targeted at physical sabotage. A week later, the group also began to post tens of thousands of stolen emails from the three steel facilities—all of which faced Western sanctions—designed to demonstrate their ties to the Iranian military.

2023: Gas Station Paralysis, Redux

With tensions rising across the Middle East following Hamas' October 7 attacks in southern Israel and Israel's overwhelming military response in the Gaza Strip, perhaps it was inevitable that Predatory Sparrow would play a role in that burgeoning conflict. As Iran-backed Houthi rebels began to blockade shipping in the Red Sea—and as an Iran-linked hacker group calling itself CyberAveng3rs hacked water utilities across the US with anti-Israel messages—the group staged a December 18 rerun of its 2021 gas station attack, crippling point-of-sale systems at pumps at the majority of the country's filling stations.

While technical details of this latest attack are still scant, DarkCell's Hamid Kashfi says it appears to follow the same playbook as the 2021 hacking incident, albeit likely exploiting different security vulnerabilities in the equipment. Again, Predatory Sparrow posted messages it claimed to have sent to Iranian emergency services ahead of the disruption, in an attempt to limit harm. “As in our previous operations, this cyberattack was conducted in a controlled manner while taking measures to limit potential damage to emergency services,” reads a message from the group on Telegram.

Yet again, Predatory Sparrow also made clear its hacking was intended to carry a message. “This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region,” another of the group’s messages reads. “Khamenei, playing with fire has a price.”

SentinelOne’s Guerrero-Saade argues that actions like the gas station cyberattacks suggest that Predatory Sparrow may be the first effective example of what cyber policy wonks refer to as “signaling”—using cyberattack capabilities to send messages designed to deter an adversary's behavior. That's because, he says, the group has combined a relatively restrained and discriminating approach to its politically motivated hacking with a clear demonstration of willingness to use its capabilities for broad effects—a willingness, he points out, that the United States’ hacking agencies, like the National Security Agency and Cyber Command, have often lacked.

“There’s no such thing as effective signaling if you can’t show credibly to the other person that not only do you _have_ the capability, but that you’re willing to use it,” Guerrero-Saade says.

Some cybersecurity researchers point to Predatory Sparrow, too, as a model of more responsible cyberwarfare, with a more careful regard for civilians. In the wake of the Israeli military’s killing of tens of thousands of Palestinian civilians and the displacement of millions more in its response to Hamas' October 7 massacre, however, any suggestion of restraint or discrimination from a hacker group that likely has Israeli government ties warrants skepticism.

Guerrero-Saade himself admits that the steel mill attack video, and in particular the two Iranian staffers’ apparent close call with death captured in it, raises questions of the cost of Predatory Sparrow’s “careful” style of attack.

“Is it perfect? Is it without casualties or concerns? Not at all,” Guerrero-Saade says. “I’m not saying I support it. But I am fascinated by it.”

How a Group of Israel-Linked Hackers Has Pushed the Limits of Cyberwar

The Amazon-owned home surveillance company says it is shuttering a feature in its Neighbors app that allows police to request footage from users. But it’s not shutting out the cops entirely.

Reached for comment, Markey’s office directed WIRED to the senator’s statement posted to X, in which he called the shuttering of the RFA tool “good.”

“I’ve been sounding the alarm for years on Amazon Ring’s privacy and security failures,” Markey added. “We cannot allow Americans' home security systems to become surveillance tools for law enforcement. We have to prevent Big Tech's web of surveillance systems from growing.”

Evan Greer, director of civil liberties advocacy group Fight for the Future and a vocal critic of Ring, called the company's decision today an “unequivocal victory” for those who have campaigned against the company’s surveillance network, but added in their statement that the move “only scratches the surface of addressing the harm done by Ring's dystopian business model.”

“We need laws. Local, state, and federal elected officials should ban these types of private surveillance partnerships entirely, and should impose strict limits on where homeowners and businesses can place cameras to ensure they are not violating their neighbors’ privacy and rights,” Greer said.

Ring’s Yarger tells WIRED that the decision to shut down the RFA tool was “purely internal” and cited that the company recently hired a new CEO, Liz Hamren, who took over in March 2023. “As you may know, we have a new Ring CEO and leader,” Yarger says. “As we look to the future of Neighbors, we’re focusing our resources on delivering new product and app experiences that we feel are a better fit with Ring’s vision and can better empower our customers to connect with each other, and stay informed by local government and public safety agencies.”

This shift, according to the company’s announcement today, includes the launch of “Ring Moments,” which encourages users to share content that inspires “joy and hope,” such as a video of a bear in a swimming pool or neighbors helping each other shovel snow.

For Ring users still concerned about police overreach, EFF’s Guariglia notes that there are several actions you can take, including enabling end-to-end encryption on your devices. “Be mindful of what your camera is pointed at and what video and audio it may collect from yourself, your family, and your neighbors,” he tells WIRED. “If possible, try to clear your camera’s recorded video/audio as often as is feasible. And most importantly, if police come and ask for your footage, request that they get a warrant.”

Ring Will Stop Giving Cops a Free Pass on Warrantless Video Requests

NSO Group, creator of the infamous Pegasus spyware, is spending millions on lobbying in Washington while taking advantage of the crisis in Gaza to paint itself as essential for global security.

On New Year’s Eve, NSO Group—the Israel-based company behind the Pegasus spyware, one of the world’s most sophisticated cyberweapons—quietly released a new transparency report.

The 27-page document is carefully worded—even apologetic—and is intended to demonstrate resilience, progress, and responsibility to further strengthen the company’s human rights compliance program. It claims the company has “opened 19 investigations into allegations of potential product misuse,” which resulted in the “suspension or termination” of six customer accounts. The document even has a dedicated section on journalists, a significant group among as many as 50,000 people worldwide who’ve been targeted by Pegasus, a list that also includes activists, heads of state, and other public figures in more than 50 countries.

NSO Group’s new transparency report—its first in more than two years—arrives amid an apparent push by the spyware vendor to revamp its tarnished image and reverse US regulations that have damaged its business. To achieve its goal, the cyber-intelligence firm is conducting a multimillion-dollar lobbying campaign that attempts to position the company’s spyware as essential for global security.

While an NSO spokesperson tells WIRED that the report “underscores the company’s ongoing commitment to human rights and adherence to ethical standards, while enabling its clients to keep the public safe,” those who have investigated the company’s practices express skepticism about its claims.

“It’s not a transparency report in any meaningful way,” says David Kaye, a University of California, Irvine law professor who has scrutinized the company’s policies as the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression. “It mainly repackages preexisting defenses and statements that NSO Group has put forward to promote its work and brand itself within the commercial spyware sector.”

NSO Group has only published one other transparency report, in June 2021, which civil society largely regarded as a missed opportunity to provide meaningful information about the alarming human rights impacts of its products. The latest transparency report arrives after several bumpy years for the company. In the aftermath of the 2021 Pegasus revelations, the United States government placed the spyware vendor on an Entity List in November 2021, meaning it cannot receive American investment without specific government approval. Subsequently, the company reportedly went into financial freefall, narrowly avoiding defaulting on $500 million in debt. According to Bloomberg, NSO management considered selling the business.

In August 2022, then CEO Shalev Hulio stepped down, naming COO Yaron Shohat as a successor while laying off 100 employees. Following a forced restructuring by its lenders, cofounder Omri Lavie emerged—via the Luxembourg-based Dufresne Holdings—as NSO’s new owner in May 2023. Amid this upheaval, US president Joe Biden issued an executive order, in March 2023, that prohibits federal departments and agencies from using commercial spyware. In June 2023, the White House issued a warning to US firms interested in acquiring NSO assets on the grounds that doing so could pose a counterintelligence threat to the US government.

Then Hamas attacked Israel. Since then, NSO has been in a position to tangibly demonstrate the value of tools like Pegasus in conflict situations. According to press reports, the cyber-intelligence firm has volunteered—along with Candiru, an NSO competitor that’s also blacklisted by the US—to help Israel’s security services track people kidnapped by Hamas.

“People from the government—both in Israel and outside of Israel—now understand much better why they are needed,” an insider with direct overview of NSO’s operations reportedly told Axios in November.

By seizing that opportunity, NSO appears to be trying to rebrand itself as being on the side of the “good guys,” make inroads with the Biden administration, and ultimately reverse the ban on its products. To succeed in its image-rehabilitation efforts, the spyware vendor has enlisted multiple public affairs consultancies and law firms, including government relations firm Chartwell Strategy Group and law firms Paul Hastings LLP, Steptoe, and Pillsbury Winthrop Shaw Pittman, according to lobbying disclosure documents. In the past three years, NSO had also enlisted the services of Bluelight Strategies and Cherie Blair’s Omnia Strategy in the UK.

“NSO Group engaged multiple firms, which is not uncommon but can be a reflection of the complexity of its influence efforts,” says Anna Massoglia, a researcher at the nonprofit OpenSecrets, which tracks US political spending. According to an OpenSecrets analysis of Lobbying Disclosure Act and Foreign Agents Registration Act filings, NSO has spent a total of $3.1 million in lobbying Washington since 2020. Of that, at least $897,000 was spent in 2023 alone, with payments for the final months of the year still being reported.

The lobbying efforts have primarily focussed on pro-Israel Republicans—but not exclusively. “Foreign agents working for NSO Group have also recently reported contacting officials at the Executive Office of the President and Congress as part of these efforts,” says Massoglia.

On November 7, Paul Hastings LLP sent a letter on behalf of NSO to request an urgent meeting with US secretary of state Antony Blinken and other State Department officials, emphasizing that “the ongoing security situation in Israel and the Middle East—and worldwide—once again highlight the necessity and urgency of employing cyber intelligence technology.”

So far, NSO’s efforts to fall back into Washington’s good graces appear to have had little effect. “Despite their pressure, these campaigns have only had varying influence,” says Steven Feldstein, a senior fellow at the Carnegie Endowment for International Peace. “The harms from spyware are well known, and there are only so many ways companies can spin the benefits of software that is inherently intrusive and rights-violating.”

According to a senior Biden administration official who spoke to Politico in November, any changes to the US government’s sanction policy on NSO Group are unlikely. “Without a change to this rule, NSO’s future \[US\] market potential is very, very constrained,” says Feldstein. Still, NSO needs to invest in lobbying, public relations, and transparency exercises to carry on doing business globally.

“NSO’s business model depends on chasing new customers and proliferating spyware for profit. That’s the growth model, and it will inevitably put spyware in the hands of abusers. And they show no signs of abandoning it,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has been instrumental in exposing NSO Group’s products. “By the way, the last time NSO published a transparency report, it was followed by years of abuse scandals.”

While in the US, the Entity List “has sent shivers to larger spyware companies regarding potential consequences for bad behavior,” Feldstein says that there are ways to get around it, such as by working exports through Europe and other countries with more lax export control rules. For example, Cyprus is the only member of the EU that does not participate in the Wassenaar Arrangement, a multilateral export control regime signed by 42 countries that aims to control the sale of arms and technologies including spyware.

Weak legislation at the EU level also allows spyware to spread. The European Media Freedom Act (EMFA), which passed a preliminary vote in December, clearly states that EU member states may deploy spyware under certain conditions. Digital rights defenders have stressed that the retention of the national security exemption in the provisional agreement text enables EU governments to potentially deploy spyware against journalists outside the protective framework of EU law.

“EMFA is not perfect, but it at least tries to limit the deployment of such tools,” EU lawmaker Hannah Neumann tells WIRED. She adds that many members of the European Parliament’s inquiry committee on spyware, of which she was also part, “were frustrated” that the European Commission has not put forward a legislative proposal on how to fix loopholes.

Worth an estimated $12 billion as of 2022, the global spyware industry is likely to continue to do everything it can to stay in business. “As pressure has grown to curtail spyware companies, this has caused them to push even harder to maintain their markets,” says Carnegie’s Feldstein.

Even if high-profile firms like NSO Group were put out of business—admittedly an unlikely outcome—this would still not shut down the spyware market. Feldstein believes that this would instead hasten decentralization and increase opportunities for boutique firms to fill in the gap. “As long as the demand and money are there,” he says, “firms will seek these contracts.”

Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback

The company says it wants to protect you from “viruses.” Experts are skeptical.

Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, \[the virus can\] go to the printer, \[and then\] from the printer, go to the network."

That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

To investigate, I turned to Ars Technica senior security editor Dan Goodin. He told me that he didn't know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.

Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.

HP’s Evidence

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.

Shivaun Albright, HP's chief technologist of print security, said at the time:

> A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.

Albright added that the malware “remained on the printer in memory” after the cartridge was removed.

HP acknowledges that there's no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.

HP also questions the security of third-party ink companies' supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.

So HP did find a theoretical way for cartridges to be hacked, and it's reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced _before_ it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.

Further, there's a sense from cybersecurity professionals that Ars spoke with that even if such a threat exists, it would take a high level of resources and skills, which are usually reserved for targeting high-profile victims. Realistically, the vast majority of individual consumers and businesses shouldn't have serious concerns about ink cartridges being used to hack their machines.

Whose Job Is It to Make HP Printers Secure?

With Dynamic Security, HP claims to be providing a response to cyberthreats against ink cartridges. But its response is to inconvenience customers rather than beef up HP printers to be invulnerable to remote code execution via ink cartridges.

In response to Bugcrowd's research, HP issued a security update in 2022. Despite this, Albright claimed at the time that it still wasn’t safe for customers to use third-party ink because HP could “never guarantee that every interface with a non-HP cartridge on our device will be free of bugs and security vulnerabilities.”

Even if it's theoretically possible for hackers to leverage ink cartridges, it's a minimal concern, and there are far more pressing security threats to printers than third-party ink. Many easier ways exist for a diligent hacker to get into a printer user's network, including by exploiting unfixed software vulnerabilities.

Further, with HP firmware updates becoming associated with printers suddenly not working, we've seen reports of users avoiding printer updates and encouraging others to do the same, which could result in users rejecting important security updates.

An HP spokesperson declined to comment on these matters.

The Real Focus: Protecting IP

Lores' initial response to CNBC Television's question about the lawsuit may be telling. The CEO responded to dictated consumer complaints by highlighting HP's own needs:

> It's important to protect our IP. There is a lot of IP that we build in the inks of the printers, in the printers themselves ... And what we’re doing is, when we identify cartridges that are violating our IP, we stop the printer from work\[ing\].

When HP first announced Dynamic Security in 2016, it claimed that the feature would deliver "the best consumer experience" and protect customers from cartridges "that infringe on our IP." Eight years and several abrupt firmware updates later, the former seems like it has taken a backseat to the latter.

Lores told CNBC Television that non-HP ink can create "all sort\[s\] of issues," saying that printers may stop working if a customer uses ink that is not "designed" to work with HP printers.

Of course, third-party ink manufacturers would have you believe that their ink is meant to work with the printer brands on its products' boxes. But depending on the quality of the product, you might find inconsistent results with third-party ink cartridges.

While brand recognition and reliability could be good reasons for someone to opt for an HP-brand cartridge over a third party's, such decisions are typically left to customers, not forced via firmware updates. Companies like HP can expect to be rewarded for superior products, support, and warranties, but customers who would rather risk quality to save money would prefer to have options.

HP Wants Printing to Be a Subscription

It's clear that HP's tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies.

But HP's ambitions don't end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

HP has been largely focused on pushing its monthly ink subscription program, Instant Ink, over the years. In December, HP CFO Marie Myers noted that subscription models like Instant Ink can bring "20 percent uplift on the value of that customer because you're locking that person" in. In its most recent financial report, HP named Instant Ink one of its "key growth areas."

When asked about concerns that HP is driving up the price of printer ink, Lores told CNBC Television, "This is part of the business model that has been developed over time," noting that HP printer boxes disclose which printers use Dynamic Security. HP's website also notes which printers use Dynamic Security.

But even if you have that information, it's unclear whether an HP printer will immediately work with third-party ink. HP sells printers that work with third-party ink now, but the company says it may update them in the future to "block cartridges using a non-HP chip or modified or non-HP circuitry from working in the printer, including cartridges that work today."

Who’s Investing in Whom?

HP has faced numerous lawsuits in relation to blocking device functionality due to third-party ink and has paid out millions as a result. So why is it still continuing down this road? That might be partially explained by the company's perspective on the vendor-customer relationship.

When people buy an HP printer, they consider it an investment. But HP thinks that when you buy a printer, the company is investing in you.

As Lores put it:

> This is something we announced a few years ago that our goal was to reduce the number of what we call unprofitable customers. Because every time a customer buys a printer, it's an investment for us. We're investing \[in\] that customer, and if this customer doesn’t print enough or doesn’t use our supplies, it’s a bad investment.

HP expects customers who already gave it money for a printer to continue paying the company for years. HP customers expect their purchase to pay off in the long term without stipulations on ink branding. If HP can't find a way to make printer customers feel like their purchase is a benefit rather than a commitment to giving HP money regularly, people may eventually stop thinking that HP printers are a worthy investment.

When reached for comment, an HP spokesperson told Ars, in part, that HP "offers a wide range of printing products and solutions for customers to choose from, including Instant Ink" and "regularly" expands its offerings "to create more value" for customers.

You can watch CNBC Television's interview below:

_This story originally appeared on_ _Ars Technica._

HP CEO Says They Brick Printers That Use Third-Party Ink Because of … Hackers

Apple’s iOS 17.3 introduces Stolen Device Protection to iPhones, which could stop phone thieves from taking over your accounts. Here’s how to enable it right now.

Apple today launched a new tool for iPhones to help reduce what a thief with your phone and passcode can access. The feature, called Stolen Device Protection, adds extra layers of protection to your iPhone when someone tries to access or change sensitive settings on your device. If someone tries to access passwords stored in Apple’s keychain, for instance, they won’t be able to unless they also use a fingerprint or the phone’s face recognition to prove they’re the legitimate owner.

You don't need to look far to find stories of stolen phones. In London, a phone is stolen every six minutes. Subreddits are littered with people having their phones snatched by thieves. In some of the most extreme cases, crooks can also take the passcodes—forcibly, or by peering over someone’s shoulder—and then steal a phone and unlock it. Social media accounts, passwords, and financial data can all be put at risk.

Stolen Device Protection is included with iOS 17.3, the latest iteration of Apple’s mobile operating system, which was released today. The feature should be high on your list to enable. It better protects your data—without you having to do anything—and has the potential to disrupt thieves. The move from Apple, according to cybersecurity experts, is a positive one and adds to the protections that already accompany passcodes.

The stolen iPhone protection is “likely to act as another barrier and put more pressure on thieves when targeting victims,” says Jake Moore, a global cybersecurity adviser at security firm Eset and a former police computer crime investigator. “Selling phones will always be big business among organized crime groups, but criminals will just need to work harder on their craft now.”

When you turn on Stolen Device Protection, Apple puts extra limits on some settings when your iPhone isn’t at a familiar location, such as your home or work. If someone unlocks your phone and tries to change these settings, they’ll have to use Face ID or Touch ID. So if a thief has your phone and passcode, they won’t be able to change the settings unless they have your biometric information too, which is not straightforward to clone and fool the systems that power them.

These extra checks will appear when someone tries to access passwords or passkeys you’ve saved in iCloud’s keychain, use payment methods saved in Safari, turn off Lost Mode, erase your phone, use your phone in the setup of a new Apple device, apply for a new Apple Card, view your Apple Card’s virtual number, or transfer money with Apple Cash.

There’s also a second layer of checks for even more sensitive information. If your phone is not at a familiar location, Apple will also put in place a one-hour “security delay” after using your biometrics. When this one-hour delay is up, your biometrics are needed again to change the settings. (Your iPhone will still be accessible during this hour.)

This hour delay applies to attempts to change your Apple ID password, sign out of Apple ID, or update Apple ID account security settings, such as removing a trusted device. The delay is also in place if someone tries to remove Face ID or Touch ID accounts, change your iPhone passcode, reset your settings, disable the Find My tool, and turn off Stolen Device Protection itself. If a thief has your phone, there’s a chance they’ll want to change these settings quickly to either take over your phone or online accounts, and the delay may reduce their ability to do so. Moore says the extra hour’s delay adds a “greatly appreciated layer of security.”

Turning on the iPhone’s Stolen Device Protection is simple—it’s just one small toggle in your phone’s settings. You need to make sure your iPhone is updated to iOS 17.3. Open the **Settings** app, scroll to **Face ID & Passcode**, then to **Stolen Device Protection**, and turn the switch on.

With the new feature, Apple is increasingly relying on biometrics, through Touch ID and Face ID, as a way of proving the person with your phone is actually you. “Apple now has a decade of experience with biometrics on hundreds of millions of devices, and its confidence in them seems to be growing,” says Mark Stockley, a cybersecurity expert at security firm Malwarebytes. Traditionally, he says, a password or passcode has been the option that’s turned to when biometrics fail to work. With this new feature, the roles are being reversed, indicating a greater trust in the technologies. “This could be a step towards a passcode-less future,” Stockley says.

While Stolen Device Protection is a step forward, it doesn’t protect everything on your phone if a thief gets hold of it and your passcode. It’s worth making sure your data is backed up, and some apps, such as WhatsApp, will allow you to add another (ideally different) passcode or PIN, on top of your phone’s passcode, before allowing someone into the apps.

Broadly speaking, if your iPhone is stolen—beyond contacting the cops—you’ll also want to visit Apple’s iCloud to take back control of your device. “Start by changing your Apple ID password and ticking the option to sign you out of devices and websites you’re currently logged in to,” Stockley says. Then, within iCloud’s Find Devices settings, you can mark your phone as lost and remotely wipe it. Hopefully, Stolen Device Protection’s features will never need to come to your rescue, but for every person who turns it on, it makes thieves’ lives just that little bit harder.

Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection

Police around the US say they're justified to run DNA-generated 3D models of faces through facial recognition tools to help crack cold cases. Everyone but the cops thinks that’s a bad idea.

In 2017, detectives working a cold case at the East Bay Regional Park District Police Department got an idea, one that might help them finally get a lead on the murder of Maria Jane Weidhofer. Officers had found Weidhofer, dead and sexually assaulted, at Berkeley, California’s Tilden Regional Park in 1990. Nearly 30 years later, the department sent genetic information collected at the crime scene to Parabon NanoLabs—a company that says it can turn DNA into a face.

Parabon NanoLabs ran the suspect’s DNA through its proprietary machine learning model. Soon, it provided the police department with something the detectives had never seen before: the face of a potential suspect, generated using only crime scene evidence.

The image Parabon NanoLabs produced, called a Snapshot Phenotype Report, wasn’t a photograph. It was a 3D rendering that bridges the uncanny valley between reality and science fiction; a representation of how the company’s algorithm predicted a person could look given genetic attributes found in the DNA sample.

The face of the murderer, the company predicted, was male. He had fair skin, brown eyes and hair, no freckles, and bushy eyebrows. A forensic artist employed by the company photoshopped a nondescript, close-cropped haircut onto the man and gave him a mustache—an artistic addition informed by a witness description and not the DNA sample.

In a controversial 2017 decision, the department published the predicted face in an attempt to solicit tips from the public. Then, in 2020, one of the detectives did something civil liberties experts say is even more problematic—and a violation of Parabon NanoLabs’ terms of service: He asked to have the rendering run through facial recognition software.

“Using DNA found at the crime scene, Parabon Labs reconstructed a possible suspect’s facial features,” the detective explained in a request for “analytical support” sent to the Northern California Regional Intelligence Center, a so-called fusion center that facilitates collaboration among federal, state, and local police departments. “I have a photo of the possible suspect and would like to use facial recognition technology to identify a suspect/lead.”

The detective’s request to run a DNA-generated estimation of a suspect’s face through facial recognition tech has not previously been reported. Found in a trove of hacked police records published by the transparency collective Distributed Denial of Secrets, it appears to be the first known instance of a police department attempting to use facial recognition on a face algorithmically generated from crime-scene DNA.

It likely won’t be the last.

For facial recognition experts and privacy advocates, the East Bay detective’s request, while dystopian, was also entirely predictable. It emphasizes the ways that, without oversight, law enforcement is able to mix and match technologies in unintended ways, using untested algorithms to single out suspects based on unknowable criteria.

“It’s really just junk science to consider something like this,” Jennifer Lynch, general counsel at civil liberties nonprofit the Electronic Frontier Foundation, tells WIRED. Running facial recognition with unreliable inputs, like an algorithmically generated face, is more likely to misidentify a suspect than provide law enforcement with a useful lead, she argues. “There’s no real evidence that Parabon can accurately produce a face in the first place,” Lynch says. “It’s very dangerous, because it puts people at risk of being a suspect for a crime they didn’t commit.”

It is unknown whether the Northern California Regional Intelligence Center honored the East Bay detective’s request. The NCRIC did not respond to WIRED’s requests for comment about the outcome of the detective's facial recognition request. Captain Terrence Cotcher of the East Bay Regional Park District PD would not comment on the identification request, citing what he describes as an active homicide investigation. However, the executive director of the NCRIC, Mike Sena, told The Markup in 2021 that whenever the fusion center gets facial recognition requests, it will run a search.

For Parabon NanoLabs, if the department ran the predicted face through facial recognition, it isn’t just a violation of the company’s terms of service—it’s a terrible idea.

Parabon NanoLabs, founded in 2008, primarily focuses on forensic genetic genealogy services for law enforcement, a process that involves comparing DNA data with profiles in genealogy databases to locate potential suspects or victims. In 2012, the company received a grant from the US Department of Defense’s Defense Threat Reduction Agency to explore DNA phenotyping, predicting a person's appearance based only on their DNA. According to a 2020 article in _Nature_, the DOD was initially interested in developing phenotyping technology to re-create the faces of people who made improvised explosive devices, using traces of DNA left on the bomb fragments. Parabon pitched an ambitious method that involved machine learning to receive its grant.

Ellen Greytak, the director of bioinformatics at Parabon NanoLabs, says the company uses machine learning to build predictive models “for each part of the face.” The models are trained on the DNA data of more than 1,000 research volunteers and paired with 3D scans of their faces. Each scanned face, Greytak says, has 21,000 phenotypes—observable physical traits—that their models crunch in order to figure out how parts of a DNA sample affect a face’s appearance.

Parabon says it can confidently predict the color of a person's hair, eyes, and skin, along with the amount of freckles they have and the general shape of their face. These phenotypes form the basis of the face renderings the company generates for law enforcement. Parabon’s methods have not been peer-reviewed, and scientists are skeptical about how feasible predicting face shape even is.

In response to questions about the technology's accuracy, Parabon NanoLabs vice president Paula Armentrout tells WIRED that, while the details of its methods are not public, the company has presented its work at conferences and has tested its technology on thousands of samples. She adds that the company posts on its website “every single composite that is publicly disclosed by a customer, so people can draw their own conclusions about how well our technology works.”

Greytak characterizes the company’s face predictions as something more like a description of a suspect than an exact replica of their face. “What we are predicting is more like—given this person’s sex and ancestry, will they have wider-set eyes than average,” she says. “There’s no way you can get individual identifications from that.”

When Parabon NanoLabs launched its face-prediction service around 2015, its terms of service did not explicitly ban clients from using predictions with facial recognition. Soon after launching, however, the company’s law enforcement clients started asking about the viability of running phenotype-generated faces through facial recognition tools. “We were surprised when we heard this,” Greytak says. “It’s just not the intended purpose of the composite images.” In 2016, the company added a clause to its terms prohibiting customers from using facial recognition on its Snapshot Phenotype Reports. However, Armentrout tells WIRED that the company “does not have a way to ensure compliance” with its TOS.

Eight years later, after generating scores of face predictions for law enforcement, some of Parabon NanoLabs’ clients see little reason to not consider using face recognition on these algorithmically generated faces. Officers at all of the departments that WIRED contacted say it should at least be an option.

Jason McDonald is a detective with the Aurora, Colorado, police department’s Major Crime-Homicide Unit. In 2016, his department asked Parabon to use DNA found on the scenes of four 1984 homicides to predict the face of a suspect. McDonald tells WIRED that he believes that running a predicted face through facial recognition could be “justified” and “possibly a useful tool.”

Detective Edward Silver of the St. Clair County Sheriff’s Department in Michigan agrees. His department used Parabon NanoLabs in 2021 to generate the face of a woman whose severely burned body was found in a dumpster in 2003. Silver tells WIRED that he believes the Snapshot Phenotype Reports are accurate enough for facial recognition software.

Representatives from sheriff's offices in Lake County, Florida, and DeKalb County, Illinois, also say they would consider using Parabon NanoLabs’ predicted faces with facial recognition tools. Sheriff Andrew Sullivan of the DeKalb County Sheriff’s Office says in an email that “if there was DNA evidence that was used in the development of Snapshot, yes, we would use that information to try and develop any lead that we had further to solve any homicide.”

Haley Williams, a communications manager with the Boise Police Department in Idaho, tells WIRED in an email that the decision to use facial recognition with an algorithmically generated face would be made on a “case-by-case” basis. She added, however, that the department would “never rely solely on any one piece of evidence and would only use it as a tool to help direct us to other leads or evidence.”

“These are decades-old cases that we have been working,” says a cold-case detective who asked not to be named because they are not authorized to speak to the media. “I know that the Parabon face isn’t perfect, but why wouldn’t we use every tool available to us to try and catch a killer?” Asked if he tried facial recognition with the predicted face, the detective declined to answer, but says, “the family deserves to know that we tried everything.”

Lynch, of the Electronic Frontier Foundation, tells WIRED that while she is sympathetic to detectives wanting to bring closure for the family, the risks of misidentification with this use case are too great. “I think it goes to show a complete misunderstanding about the high-risk errors of facial recognition,” Lynch says. “It’s surprising to me that cops think this kind of technology will produce leads that they can actually use.”

Phenotyping is often a last resort that departments try only after they’ve exhausted other leads. According to Parabon NanoLabs, the majority of cases it works on do not actually get to the facial composite stage. “I joke that my phenotyping can tell you if your suspect has blue eyes, but my genealogist can tell you the guy’s address,” Greytak says.

The fact that law enforcement investigators consider using these predictions in conjunction with facial recognition speaks to a general lack of oversight over investigatory tools, experts say. There are no federal rules that limit the types of images police can use with face recognition software, and it’s up to both the police departments and the facial recognition vendor to implement and enforce safeguards.

According to a report released in September by the US Government Accountability Office, only 5 percent of the 196 FBI agents who have access to facial recognition technology from outside vendors have completed any training on how to properly use the tools. The report notes that the agency also lacks any internal policies for facial recognition to safeguard against privacy and civil liberties abuses.

In the past few years, facial recognition has improved considerably. In 2018, when the National Institute of Standards and Technology tested face recognition algorithms on a mug shot database of 12 million people, it found that 99.9 percent of searches identified the correct person. However, the NIST also found disparities in how the algorithms it tested performed across demographic groups.

Crucially, the NIST tested these algorithms only with high-quality images like driver's license and passport photos; law enforcement is often less discerning. A 2019 report from Georgetown’s Center on Privacy and Technology written by Clare Garvie, a facial recognition expert and privacy lawyer, found that law enforcement agencies nationwide have used facial recognition tools on images that include blurry surveillance camera shots, manipulated photos of suspects, and even composite sketches created by traditional artists.

According to an internal New York Police Department presentation cited by Garvie in her report, NYPD detective Tom Markiewicz wrote in 2018 that the department has tried running face recognition on forensic sketches and found that “sketches do not work.” In another infamous example that Garvie cites in her report, a detective from the NYPD’s Facial Identification Section, after noting that a suspect looked like the actor Woody Harrelson, put a photo of the actor through the department’s facial recognition tool.

“Because modern facial recognition algorithms are trained neural networks, we just don’t know exactly what criteria the systems use to identify a face,” Garvie, who now works at the National Association of Criminal Defense Lawyers, tells WIRED. “Daisy chaining unreliable or imprecise black-box tools together is simply going to produce unreliable results,” she says.

“We should know this by now.”

Cops Used DNA to Predict a Suspect’s Face—and Tried to Run Facial Recognition on It

Software flaws were allegedly hidden from lawyers of wrongly convicted UK postal workers.

Fujitsu software bugs that helped send innocent postal employees to prison in the UK were known "right from the very start of deployment," a Fujitsu executive told a public inquiry today.

"All the bugs and errors have been known at one level or not, for many, many years. Right from the very start of deployment of the system, there were bugs and errors and defects, which were well-known to all parties," said Paul Patterson, co-CEO of Fujitsu's European division.

That goes back to 1999, when the Horizon software system was installed in post offices by Fujitsu subsidiary International Computers Limited. From 1999 to 2015, Fujitsu's faulty accounting software aided in the prosecution and conviction of more than 900 sub-postmasters and postmistresses who were accused of theft or fraud when the software wrongly made it appear that money was missing from their branches.

Some innocent people went to prison, while others were forced to make payments to the UK Post Office to cover the supposed shortfalls. So far, "only 93 convictions have been overturned and thousands of people are still waiting for compensation settlements," a BBC report said.

Post Office Lawyers Allegedly Rewrote Fujitsu Witness Statements

During the prosecutions, courts hearing cases against postal employees "were not told of 29 bugs identified as early as 1999 in the system it built," _The Guardian_ wrote in a summary of Patterson's testimony today. The article said:

> "When bugs were acknowledged, witness statements from Fujitsu staff due to be heard in court were then edited by the Post Office as it sought to maintain the line that the system was working well as it pursued innocent people through the courts.
> 
> Paul Patterson agreed that both organizations had failed the accused. "I am surprised that that detail was not included in the witness statements given by Fujitsu staff to the Post Office and I have seen some evidence of editing witness statements by others," he said.
> 
> Asked by the lead counsel of the public inquiry, Jason Beer KC, whether he agreed that this was shameful, Patterson, who has worked at the company for 14 years, said: “That would be one word I would use. Shameful and appalling. My understanding of how our laws work in this country, is that all of the evidence should have been put in front of the subpostmasters that the Post Office was relying on to prosecute them.”

A Financial Times article said that the public inquiry "heard in December last year that the Post Office's lawyers had rewritten Fujitsu witness statements."

The FT article also said the Post Office, which used prosecution powers available to private corporations in the UK, obtained 700 of the 900 convictions. The other convictions came in cases brought by Scottish prosecutors. The scandal may lead to reforms of the private prosecution system that lets organizations take people to court.

Bugs Were Understood “Way Back to 1999”

Earlier this week, Patterson told UK Parliament members that "Fujitsu would like to apologize for our part in this appalling miscarriage of justice. We were involved from the very start. We did have bugs and errors in the system and we did help the Post Office in their prosecutions of the sub-postmasters. For that we are truly sorry."

Patterson also told Parliament members that Fujitsu has "a moral obligation" to contribute to the compensation for victims.

Patterson testified today in a different setting, answering questions from lawyers representing victims. One of those lawyers, Flora Page, asked Patterson, "Did nobody historically make that pretty obvious connection between very poor code going out into operation and then very poor data coming out and through the litigation support service?"

Patterson answered, "Whether people made that connection or not, what is very evident... is that that connection and understanding about what was going on and where was it, was understood by certainly Fujitsu and certainly understood by Post Office way back to 1999. It's all about what you do with that information... that is a question for this inquiry."

Post Office Minister Kevin Hollinrake, the MP for Thirsk and Malton, told the BBC that his "number one priority" is to "try and get compensation and get answers for people."

"You've had marriages fail, people commit suicide, an horrendous impact on people's lives," he said. "It's perfectly reasonable that the public should demand people are held to account and that should mean criminal prosecutions wherever possible." The UK government also has plans for a new law to "swiftly exonerate and compensate" people who were falsely convicted.

_This story originally appeared on_ _Ars Technica._

Fujitsu Bugs That Sent Innocent People to Prison Were Known ‘From the Start’

Plus: Microsoft says attackers accessed employee emails, Walmart fails to stop gift card fraud, “pig butchering” scams fuel violence in Myanmar, and more.

A major coordinated disclosure this week called attention to the importance of prioritizing security in the design of graphics processing units (GPUs). Researchers published details about the “LeftoverLocals” vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could be exploited to steal sensitive data, such as responses from AI systems. Meanwhile, new findings from the cryptocurrency tracing firm Chainalysis show how stablecoins that are tied to the value of the US dollar were instrumental in cryptocurrency-based scams and sanctions evasion last year.

The US Federal Trade Commission reached a settlement earlier this month with the data broker X-Mode (now Outlogic) over its sale of location data gathered from phone apps to the US government and other clients. While the action was hailed by some as a historic privacy win, it also illustrates the limitations of the FTC and the US government's data privacy enforcement power and the ways in which many companies can avoid scrutiny and consequences for failing to protect consumers' data.

The US internet provider Comcast Xfinity may gather data about customers' personal lives for personalized ads, including information about their political beliefs, race, and sexual orientation. If you're a customer, we've got advice for opting out—to the extent that's possible. And if you need a good long read for the weekend, we have the story of how a 27-year-old cryptography graduate student systematically debunked the myth that bitcoin transactions are anonymous. The piece is an excerpt from WIRED writer Andy Greenberg's nonfiction thriller _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, out this week in paperback.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

On Friday, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two vulnerabilities that are being actively exploited in the popular VPN appliances Ivanti Connect Secure and Policy Secure. CISA's executive assistant director, Eric Goldstein, told reporters that CISA has notified every federal agency that is running a version of the products, amounting to “around” 15 agencies that have applied mitigations. “We are not assessing a significant risk to the federal enterprise, but we know that risk is not zero,” Goldstein said. He added that investigations are ongoing into whether any federal agencies have been compromised in the attackers' mass exploitation spree.

Analysis indicates that multiple actors have been hunting for and exploiting vulnerable Ivanti devices to gain access to organizations' networks around the world. The activity began in December 2023, but it has ramped up in recent days as word of the vulnerabilities and a proof of concept have emerged. Researchers from the security firm Volexity say that at least 1,700 Connect Secure devices have been compromised overall. Both Volexity and Mandiant see evidence that at least some of the exploitation activity is motivated by espionage. CISA's Goldstein said on Friday that the US government has not yet attributed any of the exploitation activity to particular actors, but that “exploitation of these products would be consistent with what we have seen from PRC \[People's Republic of China\] actors like Volt Typhoon in the past.”

Ivanti Connect Secure is a rebrand of the Ivanti product series known as Pulse Secure. Vulnerabilities in that VPN platform were notoriously exploited in a rash of high-profile digital breaches in 2021 carried out by Chinese state-backed hackers.

Microsoft said on Friday that it detected a system intrusion on January 12 that it is attributing to the Russian state-backed actor known as Midnight Blizzard or APT 29 Cozy Bear. The company says it has fully remediated the breach, which began in November 2023 and used “password spraying” attacks to compromise historic system test accounts that, in some cases, then allowed the attacker to infiltrate “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” With this access, Cozy Bear hackers were then able to exfiltrate “some emails and attached documents.” Microsoft notes that the attackers appeared to be seeking information about Microsoft's investigations into the group itself. “The attack was not the result of a vulnerability in Microsoft products or services,” the company wrote. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”

Gift card scams in which attackers trick victims into purchasing gift cards for them are a long-standing issue, but new reporting from ProPublica shows how Walmart has been particularly remiss in addressing the problem. For a decade, the retailer has skirted pressure from both regulators and law enforcement to more closely scrutinize gift card sales and money transfers and expand employee training that could save customers from being tricked and exploited by bad actors. ProPublica conducted dozens of interviews and reviewed internal documents, court filings, and public records in its analysis.

“They were concerned about the bucks. That’s all,” Nick Alicea, a former fraud team leader for the US Postal Inspection Service, told ProPublica. Walmart defended its efforts, claiming that it has stopped more than $700 million in suspicious money transfers and refunded $4 million to victims of gift card fraud. “Walmart offers these financial services while working hard to keep our customers safe from third-party fraudsters,” the company said in a statement. “We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers.”

As rebel groups in Myanmar violently oppose the country's military government, the human trafficking and abuse fueling pig butchering scams is exacerbating the conflict. The scams have exploded in recent years, carried out not just by bad actors, but by a workforce of forced laborers who have often been kidnapped and are being held against their will. In one case this fall, a collection of rebel groups in Myanmar known as the Three Brotherhood Alliance took control of 100 military outposts in the country's northern Shan state and seized several towns along the border with China, vowing to "eradicate telecom fraud, scam dens and their patrons nationwide, including in areas along the China-Myanmar border.”

The UN estimates that there may be as many as 100,000 people held in scam centers in Cambodia and 120,000 in Myanmar. “I’ve worked in this space for over 20 years and to be honest, we’ve never seen anything like what we’re seeing now in Southeast Asia in terms of the sheer numbers of people,” Rebecca Miller, regional program director for human trafficking at the UN Office on Drugs and Crime told Vox.

In a new investigation, _Consumer Reports_ and The Markup crowdsourced three years of archived Facebook data from 709 users of the social network to assess which data brokers and other organizations are tracking and monitoring them. In analyzing the data, reporters found that a total of 186,892 companies sent data about the 709 individuals to Facebook. On average, each of those users had information sent to Facebook about them by 2,230 companies. The number varied, though. Some users had less than the average while others had more than 7,000 companies tracking them and providing information to the social network.

US Agencies Urged to Patch Ivanti VPNs That Are Actively Being Hacked

One of America’s largest internet providers may collect data about your political beliefs, race, and sexual orientation to serve personalized ads.

Your internet service provider could have a good idea of who you’re planning to vote for in the 2024 election as well as the gender of the last person you slept with—and it’s saving that information for later. Major internet providers, like Comcast’s Xfinity, stockpile more revealing data than users might initially realize.

For example, Xfinity customers are automatically opted in to allow the company to store sensitive personal information. This could include your “race, ethnicity, political affiliations, or philosophical beliefs,” according to Xfinity’s website. Your sexual orientation, immigration status, biometric info, and precise location are also considered to be sensitive data. While Comcast does not sell this info, the company does use sensitive data in a variety of ways, like to serve up personalized ads and recommendations.

There are many reasons to be anxious about this kind of data collection. Xfinity itself was recently hacked; the personal data of over 30 million customers was stolen in October of last year, yet the breach was revealed by the company to users two months after the fact. (Definitely change your Xfinity password right now, and turn on two factor-authentication if you haven’t already.)

The good news is that you can take steps to opt out of Comcast’s data storage—although there are limitations on how far the privacy options go. Also, if you live in a state with supplemental privacy legislation, then you might have the right to request and receive more details about your collected data.

How to Change Your Sensitive Personal Information Settings

You don’t have to log in to the Xfinity website with your username and password to make this settings change, but be forewarned: You will be asked to fork over your email, phone number, and location.

Start by visiting Xfinity’s Privacy Center and scrolling down to **Review your privacy preferences**. Then, click on **Manage your information** and skim through all the available options to get a better grasp on your choices. Find the **Sensitive personal information preferences** section, and choose **Review settings**.

This next step was sometimes quite slow to load during my testing, so a little patience might be necessary. When it eventually pops up, fill out the form and click **Continue**. You may be asked to confirm the provided address. Finally, after all that clicking, locate the toggle labeled **Storage and usage of sensitive personal information** that appears on the last page and switch it off.

It’s worth pointing out a crucial caveat from Comcast about how the setting works. The catch is that this toggle impacts the use of your personal data only in Comcast’s advertising, marketing, and recommendations systems. “Even when off, we may still use your sensitive personal information for certain purposes, including to provide your Services, security purposes, and fraud monitoring,” reads a disclaimer right below the toggle. While some data collection may be necessary to operate basic services, the lack of accessible, granular control over what’s stored is disappointing.

Depending on where you live in the US, you can learn more about what Comcast stores and scrub it. In the following five states, you have the right to receive more details about the data Xfinity collects about you: California, Colorado, Connecticut, Utah, and Virginia. By residing here, you have the right to receive details about the gathered data and have personal info deleted. Your right to correct inaccurate info is codified in all of these states as well, except for Utah.

Anyone can technically fill out the form and make the request regardless of location, but you might not receive a real answer if you live somewhere without the legal protections. Even in the states where you are legally covered, be prepared to wait. Comcast may take up to a month to process requests from Xfinity customers, and will notify you if the process ends up stretching out even longer.

Source

Wired