This week, Venmo took a long overdue step toward privacy by eliminating its global social feed in its latest redesign. That's good! Now you can no longer witness an endless stream of complete strangers sending money to and from one another. But privacy advocates say that until Venmo makes every transaction private by default, it's still a liability for users who may not realize they have to dig through the settings to hide their Venmo lives from others.
Amnesty International and a consortium of researchers and media organizations this week published a major investigation into the NSO Group, an Israel-based spyware vendor. The report alleges that governments have used NSO Group malware to spy on activists, journalists, politicians, and executives; the NSO Group issued multiple denials. Security researchers, meanwhile, see the revelations as evidence that they need more visibility into iOS and Android to better spot attacks like this, and prevent them going forward.
In another global team-up this week, nations around the world detailed years of aggressive hacking behavior from China, including indictments from the US Department of Justice. While China has historically focused on espionage, its increasing reliance on criminal contractors in recent years has led to more reckless campaigns.
Speaking of reckless, remember that absurdly widespread ransomware attack that hit at the beginning of the month? Just shy of three weeks later, IT management firm Kaseya finally got its hands on a universal decryption tool, meaning that any victims who still hadn't recovered their data through backups or other means can finally breathe easy. At least, until the next ransomware scare. We also took a look at Space Jam: A New Legacy and the bad lessons it's teaching the youth about AI.
And there's more. Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
A very good catch by Motherboard and Twitter user @dox_gay this week: news sites like The Washington Post, New York magazine, and more inadvertently displayed pornography on older pages. (And yes, that includes a handful of old WIRED stories.) The culprit? A video platform called Vidme that operated from 2014 to 2017, whose domain was since purchased by an adult site called 5 Star Porn HD. Web pages that had a Vidme player embedded from when the service was viable began showing thumbnails of graphic sexual content instead of whatever had originally been there. As Motherboard also notes, it's an amusing example of a serious problem: the rotting infrastructure of the internet at large.
Chromebook owners may have found themselves unable to log into their devices this week. A bug introduced in a recent update made it so that the cloud-based laptops wouldn't accept passwords on the log-in screen, leaving users locked out indefinitely. Not great! But what makes it even worse is that the bug apparently comes down to a single, tiny typo. Some Chrome OS programmer somewhere left out an “&” in a conditional statement, none of their colleagues caught it, and chaos ensued. Google pulled the bad update quickly, and a fix is rolling out now, but that's little comfort to the Chromebook owners who were affected.
Twitter this week disclosed that very, very, very, very, very few of its users actually take advantage of two-factor authentication. Only 2.3 percent, to be precise. This is not great! Two-factor can't stop every attack, but it provides a huge security upgrade for not much extra hassle, on a platform that suffers account takeover epidemics on a regular basis. You can even use an authentication app instead of your phone number, an even more secure and easy to manage method. If you're one of the 97.7 percent of active Twitter users not using two-factor, please take 90 seconds out of your day to set it up.
Remember how we were just saying that China has historically focused on espionage? That's still true. But a troubling alert from the FBI and the Department of Homeland Security this week indicates that the country's hackers have at least considered more disruptive attacks. From around 2011-2013, they probed nearly two dozen US pipeline companies, and not just for intellectual property. “This activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations,” the alert reads. It's the sort of behavior you've come to expect from Russia or ransomware hooligans, but less so China. Fortunately, the incidents were years ago; the hope is that it doesn't revisit those plans.