Triton Malware Targets Industrial Safety Systems In the Middle East

Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: Another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment. That rare type of malware has now reappeared in the Middle East. And this time, it seems to have the express intention of disabling the industrial safety systems that protect human life.

Security firm FireEye today revealed the existence of Triton, a family of malware built to compromise industrial control systems. Although it’s not clear in what kind of industrial facility—or even what country—the sophisticated malware appeared, it targets equipment that’s sold by Schneider Electric, often used in oil and gas facilities, though also sometimes

Apple Security Flaws Give Some Researchers Concern About Deeper Issues

All software has flaws, no matter how carefully you vet it. So the question isn’t how to write perfect code, but how to respond to mistakes as you find them. And while Apple has earned a strong reputation for security, a string of significant vulnerabilities in macOS and iOS have strained Apple’s safety net—and led some security researchers and developers to question whether the issues are systemic.

Take the release of Apple’s macOS High Sierra operating system at the end of September. Within ten days, the company had to fix two critical bugs. A third-party app could be used to steal credentials from the keychain, and the password hint for encrypted Apple File System volumes revealed passwords in plain text. Then, at the end of November, security researchers publicly announced that anyone could get root access to a Mac running High Sierra simply by typing the word “root”.

The bug was so glaring that Apple pushed a fix within a day, impressive speed for

The Mirai Botnet Was Part of a College Student Minecraft Scheme

The most dramatic cybersecurity story of 2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet—powered by unsecured internet-of-things devices like security cameras and wireless routers—that unleashed sweeping attacks on key internet services around the globe last fall. What drove them wasn’t anarchist politics or shadowy ties to a nation-state. It was Minecraft.

It was a hard story to miss last year: In France last September, the telecom provider OVH was hit by a distributed denial-of-service (DDoS) attack a hundred times larger than most of its kind. Then, on a Friday afternoon in October 2016, the internet slowed or stopped for nearly the entire eastern United States, as the tech company Dyn, a key part of the internet’s backbone, came under a crippling assault.

As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. The truth, as made clear in that Alaskan courtroom Friday—and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted

Bots and Form Letters Make It Nearly Impossible to Find Real FCC Net Neutrality Comments

The Federal Communications Commission’s public comment period on its plans to repeal net neutrality protections was bombarded with bots, memes, and input from people who don’t actually exist. The situation’s gotten so bad that FCC Commissioner Jessica Rosenworcel, as well as several members of Congress, including one Republican, have called for the FCC to postpone its December 14 net neutrality vote so that an investigation can take place.

The FCC seems unlikely to comply. According to an FCC spokesman, the FCC is zeroing in on legal arguments within those comments, effectively disregarding any outpouring of support for net neutrality from regular Joes. “The purpose of a rulemaking proceeding is not to see who can dump the most form letters into a docket. Rather, it is to gather facts and legal arguments so that the Commission can reach a well-supported decision,” Brian Hart, the FCC’s head of media relations, tells WIRED. Now, the Commission is

Exclusive: Tracing ISIS’ Weapons Supply Chain—Back to the US

“Habibi! Aluminium!”

The call echoes through the courtyard of a trash-strewn home in Tal Afar, a remote outpost in northern Iraq. It is late September and still hot, the kind of heat that seems to come from all sides, even radiate up from the ground, and the city is empty except for feral dogs and young men with guns.

“Habibi!” Damien Spleeters shouts again, using the casual Arabic term of endearment to call out for Haider al-Hakim, his Iraqi translator and partner on the ground.

Spleeters is a field investigator for Conflict Armament Research (CAR), an international organization funded by the European Union that documents weapons trafficking in war zones. He is 31 years old, with a 1980s Freddie Mercury mustache and tattoos covering thin arms that tan quickly in the desert sun. In another context, he’d be mistaken for a hipster barista, not an investigator who has spent the past three years tracking down rocket-propelled grenades in Syria, AK-47-style rifles in Mali, and hundreds of other weapons

Security News This Week: Apple Patches a Very Bad iOS HomeKit Bug

Political turmoil and hijinks abounded this week, but there were plenty of security antics playing out online, too. Researcher Sabri Haddouche released a suite of tricks and tools, collectively called Mailsploit, that allow you to send perfectly spoofed messages from more than a dozen popular email clients. The flaws open up endless phishing possibilities. And speaking of phishing, new research shows a spike in the use of HTTPS web encryption on phishing sites. Attackers want the green padlock that comes with HTTPS to make their phishing sites look more legitimate and persuasive to potential victims. At least the ad blocker Ghostery is working on using artificial intelligence to catch—and block—new types of ad-trackers more quickly.

Meanwhile, a group of Iranian hackers has been probing critical infrastructure companies as part of institutional intrusions dating back to 2014, according

Smartphone Security 101: Key Steps From PINs to Permissions

Hackers can threaten your smartphone in lots of ways, and if you want (or need) to lock it down completely, ironclad protection gets a little complicated. Fortunately, you can take some quick and easy steps to make big improvements to your mobile security. They don’t eliminate all risk, but they’re a solid baseline for any smartphone owner.

Set a Strong PIN

The first step in any mobile defense plan is to lock your smartphone so no one can get into it if it’s lost, stolen, or left alone for a few minutes. While it’s convenient to leave your device unlocked, the security risks far outweigh the benefit. The easiest solution for most people, if your smartphone offers it, is to use a fingerprint or face scanner to lock your device; that way it only takes a touch or a glance to get back in.

Keep in mind that those sensors can be fooled, albeit with a lot of effort. And during an

How to Sweep For Bugs and Hidden Cameras

If you’re facing targeted security threats, your problems run deeper than spyware on your devices. You need to check your physical spaces as well—your home, hotel room, office, and so on—for hidden cameras, mics, and other eavesdropping tools that someone may have planted. That means performing regular “technical surveillance counter measures” inspections. In other words? Checking for bugs.

“Hackers bug lots of places, including some people wouldn’t think of,” says Jill Johnston, president of KJB Security Products, a security and surveillance device wholesaler. “Tanning beds, dressing rooms, bathrooms, hidden cameras in an Airbnb, on your car, in your house. You want to be able to scan a room and feel safe.”

Look Around, Look Around

First, take a close look at your surroundings. Carefully check for anything new or out of place, and listen to your gut about whether anything seems off. You don’t have to see the bug itself; installing eavesdropping devices can

The Grand Tor: How to Go Anonymous Online

Fifteen years have passed since a couple of MIT grads and a Navy-funded researcher first built The Onion Router, or Tor, a wild experiment in granting anonymity to anyone online. Today, Tor has millions of users. The original project has been endlessly hacked on, broken, and fixed again. While imperfect, it remains the closest thing to a cloak of anonymity for internet users with a high sensitivity to surveillance, without needing serious technical chops. And it’s stronger and more versatile than ever before.

Tor protects your identity online—namely your IP address—by encrypting your traffic in at least three layers and bouncing it through a chain of three volunteer computers chosen among thousands around the world, each of which strips off just one layer of encryption before bouncing your data to the next computer. All of that makes it very difficult for anyone to trace your connection from origin to destination—not the volunteer computers relaying your information, not your

What To Do If You’ve Been Doxed

There are few more toxic practices online than doxing, the distribution of someone’s personal information across the internet against their will. It’s all too common, though, deployed regularly and devastatingly as a means to harass and intimidate. The practice is not limited to public—or briefly internet famous—figures either. Anyone can be a victim, at any time.

Doxing is an effective tool for bad actors, because the internet can cough up a shocking amount of publicly available information about practically anyone. And while there’s no perfect defense against it, there are ways you can prepare for it—and help mitigate the fallout. WIRED spoke with Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a prominent digital rights group, about what the average person can do to deal with doxing.

WIRED: Who should be concerned about doxing? Does everyone need to be prepared, even if they don’t think they’re at specific risk?

Eva