In a week that Covid-19 continued its invasion of the White House, the biggest security questions continue to center on Donald Trump himself. With just a few weeks remaining until the election, the president continues to question the integrity of the process, which in turn threatens to undermine faith in the democratic process. But don't worry, we also have stories about hacking and such!
Apple's T2 chip exists to add an extra layer of security to the company's Mac line. Which is why it's especially unfortunate that it has an unfixable flaw that leaves it vulnerable to hackers. There are serious limitations on what attackers could actually do and how they could do it, but still, not ideal! Also not ideal: A Chinese-speaking hacker group has been caught repurposing an especially sneaky tool that was first disclosed years ago as part of a leak of the Italy-based Hacking Team spyware company. That's a lot of information to process for one sentence, but suffice it to say you don't want UEFI exploits landing in criminal hands, which appears to have happened here.
In better news, we took a look at how Google keeps its "Smart Replies" feature safe now that it's been added to Android's ubiquitous Gboard keyboard. And while Android ransomware has picked up some alarming new tricks, it's still not a major threat—unless you're downloading outside of the official Play Store for some reason. (Don't do that.)
The central figure in an alleged poker cheating scandal that WIRED wrote about in the October issue has filed a defamation lawsuit against a dozen named defendants. Poker pro Mike Postle is seeking $330 million in damages.
And there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
John McAfee Indicted by the Justice Department and Sued by the SEC
John McAfee is no stranger to exotic forms of trouble. This week, the authorities finally caught up with the antivirus pioneer, arresting him in Spain in connection with tax-evasion charges. His extradition remains pending. The Securities and Exchange Commission has also sued McAfee, alleging that he promoted initial coin offerings on Twitter without disclosing that he'd been paid $23 million to do so. And yes, the SEC complaint does reference McAfee's infamous 2017 pledge that he would "eat [his] own dick on national television" if the price of bitcoin didn't hit $500,000 in three years. (He later revised the target to a million dollars.)
A 'Smart' Chastity Lock Had a Bug That Could Have Trapped Users Forever
Not everything needs to connect to the internet, particularly not chastity-promoting devices like the Qiui Cellmate. Researchers this week came public with a bug that could have allowed a hacker to permanently lock the devices from anywhere in the world. The company eventually released a new API that solved the problem for new users, but taking the old API offline would lock any current users in the device forever, barring some delicate bolt-cutter work. Which means longtime Cellmate owners are still in a bit of a pickle.
The US Took Down 92 Domains Iran Used to Spread Disinformation
For all the focus that Russia's hacking and disinformation efforts get in the US, it's important to remember that other countries have stepped up their game as well. Iran stands out among them, particularly after a recent takedown of disinformation-spreading domains included four sites that officials say targeted the US. The sites posed as domestic news outlets and focused on sharing pro-Iran stories. The rest of the sites followed a similar rubric, focusing instead on Western Europe, the Middle East, and Southeast Asia.
Iranian Hackers Are Exploiting a Very Bad Bug
Many, many security researchers warned that the so-called ZeroLogon vulnerability was very extremely not good, and that you should patch as soon as possible so that hackers don't wreak havoc on your systems. If you didn't heed that warning, well, good luck out there! Microsoft has already spotted an Iranian hacker group exploiting ZeroLogon in active campaigns.
Sam's Club Members Hit With Credential Stuffing Attacks
Sam's Club, the Walmart-owned spin on Costco, has begun requiring its customers to reset their passwords, after the company detected a credential-stuffing attack in September. This doesn't mean that Sam's Club itself was breached, but rather that attackers were looking for opportunities to take advantage of anyone reusing a password that had been exposed at some point from some other company's breach. If you're a Sam's Club member, reset that password. If you're a human on the internet, start using a password manager asap.