This week marked the first-ever online-only Black Hat and Defcon security conferences, both of which still produced impactful work despite going remote. But before you dive into everything that’s broken, start off with a tale of perseverance: the months-long effort to recover the private keys for $300,000 of bitcoin trapped in an old, encrypted zip file.
Dutch researchers figured out how to mess with traffic lights across at least 10 cities in the Netherlands. At most they could have caused a few traffic jams—not multicar pileups—but it’s an important reminder about the potential fragility of connected city infrastructure. Also fragile: a file type known as Symbolic Link, which gave Apple hacker Patrick Wardle the foothold he needed to compromise macOS in a since-patched vulnerability chain. After months of qualifying rounds, the US Air Force’s Hack-a-Sat finals arrived, albeit remotely thanks to the Covid-19 pandemic. And speaking of satellites, hackers have built cheap ground stations that allow anyone to intercept their transmissions. Neat!
We also took a look at how IoT botnets made from high-wattage machines like home appliances could potentially be used to game the energy markets. Decades-old weaknesses in email protocols, which were never designed to verify who sent a message, still let anyone spoof the sender’s identity, a scary thought given the prevalence of high-stakes phishing attacks. And hackers took over dozens of subreddits Friday, plastering their pages with MAGA imagery and comments.
We talked to former national intelligence official Sue Gordon about how to prevent the next “Cyber 9/11.” We explained why the Trump administration’s TikTok obsession is just a distraction. And we looked at how Chinese hackers have run roughshod over Taiwan’s semiconductor industry, hitting at least seven companies in what researchers are calling Operation Skeleton Key.
Incognito mode might not mean what you think it means. Online retailers are using dirty design tricks to get you to buy more. Voting equipment makers are finally coming around to the idea of making their tech more secure. And while still in beta, iOS 14 is catching data-hungry apps swiping more than they should.
And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
This week, the National Security Agency shared a three-page primer on how to limit your location data exposure. They would know! As a baseline it’s a healthy reminder that your smartphone feeds on your location and that a lot of unscrupulous, invisible parties try to sell and obtain it. But it also provides some actually useful advice, especially if this isn’t a topic you’ve given much thought to already.
In addition to turning off location services on your device, the NSA says, you should turn off Bluetooth and Wi-Fi whenever you’re not using them, since both can be used to place you even with GPS disabled. For extra caution, turn on Airplane Mode whenever you’re not actively using your phone; as long as the cellular radio is on, your carrier can locate the handset by the towers it connects to, no matter what your settings say. Turn off or decline location-sharing permissions for apps whenever possible, including your browser, or at the very least limit their ability to check your location to when you have the app open. Reset your phone’s advertising ID at least weekly to confound the ad networks that track you; we have our own guide on how to do that here. Don’t use iOS and Android’s FindMy or FindMyDevice features, and consider using a trusted VPN provider. Keep in mind that a VPN only masks the IP address websites and apps see; it does nothing about location gathered from GPS, cell towers, Wi-Fi, or Bluetooth, so treat it as one layer rather than a fix.