The world's cybersecurity woes can feel like a sideshow when physical violence is being inflicted on protesters in most major US cities.
But those conflicts overlap. That's why we at WIRED published a guide to keeping yourself and your devices safe from digital surveillance while you protest. We also reported on how "nonlethal" crowd control weapons pose a serious danger to protesters, and how the 1033 program created by the National Defense Authorization Act allowed police to inherit hand-me-down military equipment. The result has been armored military vehicles in our neighborhoods and police who look ready to storm Fallujah rather than encounter peaceful protestors armed with water bottles.
In non-mass-revolution news, Zoom's decision to add end-to-end encryption only to paying customers' accounts—after initially claiming it offered the feature to everyone—raised the hackles of privacy advocates. Facebook rolled out long-overdue privacy features that let you move posts en masse to a private archive. Google's Chrome, too, is adding privacy and security features, like enhanced "safe browsing" designed to warn users about phishing sites, and a password manager that automatically checks your passwords against collections of leaked user credentials. Riot Games launched the long-awaited first-person-shooter game Valorant—whose lack of moderation on users immediately led to a toxic environment for female players. Pandemic sheltering-in-place appears to have led to a boom in dark web weed sales. And the Pentagon is using a bot to find software vulnerabilities before the bad guys do.
Record numbers of people are downloading Signal to send encrypted messages; if you're one of them (and you should be), here's how to get the most out of the app.
But that's not all. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
Google's Threat Analysis Group said on Thursday that a China-linked hacking group known as APT 31 or Zirconium has targeted Joseph Biden's presidential campaign staff with phishing attacks, and that the Iran-linked actor APT 35 or Charming Kitten has been launching phishing attacks against Donald Trump's campaign. Shane Huntley, who leads TAG, said the researchers have not seen signs that these assaults were successful. Google sent warnings to impacted users about the behavior and also informed federal law enforcement. Microsoft issued a similar warning in October that APT 35 was targeting the Trump campaign. The activity is also in keeping with Russia's actions ahead of the 2016 United States presidential election in which Russian hackers launched highly consequential phishing attacks against campaigns and political organizations.
The leaderless hacktivist collective known as Anonymous hasn't been much of a force to be reckoned with since 2011 or so, when it rampaged across the internet in a so-called "summer of lulz." But as Movement for Black Lives protests grew over the past week, someone self-identifying as Anonymous has raised its flag again. News outlets picked up new threats from the group against Donald Trump and the Minneapolis Police Department, which is responsible for the killing of George Floyd that set off a new wave of demonstrations. A collection of email addresses and passwords of Minneapolis police officers published by the group, however, turned out to be old credentials picked out of previous hacker dumps. The group's new actions seemed to have amounted to a short-lived distributed denial-of-service attack on the Minneapolis Police website.
High above the ubiquitous helicopters hovering over US cities during the current protests, military planes usually used in Iraq and Afghanistan were also watching the dissent below. Tech news site Motherboard reviewed data from ADS-B Exchange, a repository of air traffic control information, and found evidence that a RC-26B military-style reconnaissance aircraft was circling Las Vegas. The FBI also deployed small Cessna aircraft, which the Freedom of the Press Foundation believes likely carried devices known as "dirtboxes," airborne versions of the IMSI catcher systems that impersonate cell phone towers to intercept users' communications and track the identities of protestors.
Last year Apple introduced a universal sign-in feature that third-party developers can embed in their services so users can authenticate with their existing Apple accounts rather than set up an additional account. The tool has a number of privacy-geared features, but researcher Bhavuk Jain found a vulnerability that allowed him to generate Apple ID login tokens to take over third-party app accounts. The bug is now fixed, and Apple awarded Jain $100,000 for the finding as part of its expanded bug bounty program. Jain says that Apple reviewed its "Sign in with Apple" logs to determine that the bug was not exploited prior to his discovery. "Though this bug was a bit nasty, I still think 'Sign in with Apple' is good and robust," Jain told WIRED.