This week started with Apple, Microsoft, and Google all patching a bunch of zero-day vulnerabilities, which means that you hopefully set aside a little time on Tuesday to update all of your devices. If not? Go ahead and do it now. We'll wait!
OK, welcome back. At the end of the week, Apple and Google both removed an opposition voting app from their app stores in Russia at the request of the Kremlin. As far as precedents go, it's not great, as authoritarian regimes exert increasing pressure on tech giants who are too entrenched to leave their markets in protest. Russia in particular has been testing the limits, but India and China aren't far behind.
A new app available in Iran helps people fight back against that sort of censorship by letting them encrypt messages even during an internet blackout. Called Nahoft, the app can turn messages into a random jumble of Farsi, or even embed them in an image, to avoid detection by the Iranian regime.
You can now ditch the password on your Microsoft account. “Zero trust” is the most important cybersecurity concept in years; unfortunately, no one agrees on what it means. Think there might be hidden files on your phone or computer? Here's how to find them. And Anonymous leaked a big ol' trove of data from Epik, the domain registrar that has attracted several far-right clients.
And there's more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
Three former US intel operatives admitted this week that they hacked into US computer networks on behalf of the United Arab Emirates, in a deal to avoid prosecution. They'll instead have to pay cumulative fines of $1.69 million, and they are barred from seeking a US security clearance in the future, which should severely limit their job prospects. Or maybe not that severely; one of the trio currently works as chief information officer of ExpressVPN, which has stood by him throughout a sustained backlash. For the full story on the US citizens who helped UAE hack, be sure to read the Reuters story that first exposed "Project Raven" back in 2019.
A busy week for the Justice Department! A Pakistani man was sentenced to 12 years in prison for an elaborate, prolonged scheme that resulted in the unlocking of nearly 2 million phones. First he bribed AT&T employees to get them to unlock phones, which he would then resell. After AT&T foreclosed that plan by changing its unlocking procedures, he bribed an employee to install malware inside a call center.
Based in Austin, Texas, Exodus Intelligence is a so-called zero day broker, a firm that sells information about vulnerabilities in software that the developers don't know about—and therefore can't fix—and the exploits required to compromise them. Typically it sells the exploits to government agencies only, but it also maintains a running list of vulnerabilities that anyone can subscribe to. As Forbes reported exclusively this week, it appears that the Indian government used its access to that feed to find soft spots in networks in Pakistan and China and attempted to compromise them. Exodus has since cut off India's access, but the damage has been done.
Using public records requests, nonprofit education news site The 74 dug deep into one Minneapolis school district's use of remote monitoring software on its students. What it found wasn't pretty: an invasive program that notifies school officials about content in a student's personal files, online conversations, and browsing activity. And while remote learning has ebbed at this point in the pandemic, the use of surveillance software has not.