November 3, 2024:
With just days to go until the 2024 presidential election in the United States, WIRED reported on documents that revealed US government assessments about multiple components of election security and stability. First obtained by the national security transparency nonprofit Property of the People, one report distributed by the US Department of Homeland Security in October assessed that financially motivated cybercriminals and ideologically motivated hacktivists are more likely than state-backed hackers to attack US election infrastructure. Another government memo warned of the risk to the election of insider threats, noting that such internal malfeasance “could derail or jeopardize a fair and transparent election process.”
With so much at stake in a hyper-polarized and combative climate, US elections have become increasingly militarized, with bulletproof glass, drones, defensive blockades, and snipers protecting election offices, and election officials bracing for the possibility of violent attacks. A WIRED investigation also revealed a successful CIA hack of Venezuela’s military payroll system that was part of a clandestine Trump administration effort to overthrow the country’s autocratic president, Nicolás Maduro.
In other cybersecurity news, WIRED did a deep dive into the firewall vendor Sophos’ five-year turf war to try to remove Chinese hackers running espionage operations on some vulnerable devices—and keep them out. And researchers warn that a “critical” zero-click vulnerability in a default photo app on Synology network-attached storage devices could be exploited by hackers to steal data or infiltrate networks.
As always, there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. And stay safe out there.
A Disney employee who was fired from the company and still had access to its passwords allegedly hacked into the software used by Walt Disney World’s restaurants, according to reporting by 404 Media and Court Watch. A criminal complaint against Michael Scheuer claims he repeatedly accessed the third-party menu-creation system created for Disney and changed menus, including changing fonts to Wingdings—the font made up entirely of symbols.
“The fonts were renamed by the threat actor to maintain the name of the original font, but the actual characters appeared as symbols,” the criminal complaint says. “As a result of this change, all of the menus within the database were unusable because the font changes propagated throughout the database.”
The allegations aren’t limited to whimsical font vandalism, however. The federal complaint also details how Scheuer allegedly changed menu listings to say that foods with peanuts in them were safe for people with allergies, tried to log into Disney employees’ accounts, locked 14 employees out of their accounts by trying to log in with an automated script, and maintained a folder of personal information about employees and turned up at one person’s home. A lawyer representing Scheuer did not comment on the allegations.
For the past few years, infostealers have become a popular tool of choice for hackers, from cybercriminals trying to make money to sophisticated nation-state groups. The malware, which is often bundled into pirated software, uses web browsers to collect usernames and passwords, cookies, financial information, and other data you enter into your computer. This week, cops around the world took down the Redline infostealer, which has been used to grab more than 170 million pieces of information and has been linked to large-scale hacks. An almost identical infostealer called Meta was also disrupted. As part of Operation Magnus, US officials identified Russian national Maxim Rudometov as being behind the development of Redline. As TechCrunch reports, Rudometov was identified following a series of operational security errors, including reusing online handles and emails across social media apps and other websites. In its criminal complaint, the US Department of Justice pointed out Rudometov’s dating profile, which apparently has “liked” 89 other users and received no likes in return.
In January 2018, it emerged that GPS data from running and cycling app Strava could expose secret military locations and the movements of people exercising around them. Officials warned that it was a clear security risk. Years later, many seemingly haven’t paid attention. French newspaper Le Monde has revealed in a series of stories that US Secret Service agents are leaking their data through the fitness app, allowing the movements of Joe Biden, Donald Trump, and Kamala Harris to be tracked. Security staff linked to French president Emmanuel Macron and Russian president Vladimir Putin are similarly exposing their movements. Those exposing their data used public profiles and often posted runs starting or finishing at the locations they were staying during official trips. Included in the leaks were bodyguards linked to Putin who were running near a palace the Russian leader has denied owning.
Italian prosecutors placed four people under house arrest and revealed they are investigating at least 60 others after an intelligence firm in the country allegedly hacked government databases and gathered information on more than 800,000 people. Intelligence company Equalize allegedly gathered information about some of Italy’s most prominent politicians, entrepreneurs, and sports stars, Politico reported. It is alleged that the information accessed included bank transactions, police investigations, and more. The hacked information was reportedly sold or potentially used as part of extortion attempts, with those behind the scheme allegedly earning €3.1 million. The scandal, which has enraged Italian politicians, may also be wider than just its impact in Italy, with the latest reports suggesting Equalize counted Israeli intelligence and the Vatican as clients.