Wired Security Spoken Edition

You'd think that mammography machines, radiology systems, and ultrasounds would maintain the strictest possible security hygiene. But new research shows that a whopping 83 percent of medical imaging devices run on operating systems that are so old they no longer receive any software updates at all. That issue is endemic to Internet of Things devices generally, many of which aren't designed to receive software improvements or offer only a complicated path to doing so. Learn about your ad choices: dovetail.prx.org/ad-choices

Since Russia’s stunning influence operations during the 2016 United States presidential race, state and federal officials, researchers, and tech companies have been on high alert for a repeat performance. With the 2020 election now just seven months away, though, newly surfaced social media posts indicate that Russia’s Internet Research Agency is adapting its methods to circumvent those defenses. Learn about your ad choices: dovetail.prx.org/ad-choices

Over the past few years, owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. Learn about your ad choices: dovetail.prx.org/ad-choices

Opening email attachments from untrusted senders has long been one of the easiest ways to get hacked. But unlike other common security screw-ups—using "password" for your password, downloading pirated software from shady websites—there's no practical way for a modern human to avoid opening the occasional mystery-meat attachment. Now one technologist has produced a solution. Learn about your ad choices: dovetail.prx.org/ad-choices

This is a story about something that could have gone wrong on the internet this week but instead turned out mostly OK. How often can you say that? Around nine o’clock on the East Coast on Friday, February 28, bad news arrived on the doorstep of Let’s Encrypt. An arm of the nonprofit Internet Security Research Group, Let’s Encrypt is a so-called certificate authority that lets websites implement encrypted connections at no cost. Learn about your ad choices: dovetail.prx.org/ad-choices

As the novel coronavirus continues to propagate, phishing scams that pose as Covid-19 advice do as well. The trend started over a month ago, but it's only going to get worse. Abide by these tips to avoid them, and also please keep washing those hands. In non-pandemic news, researchers figured out how to clone the mechanical keys of tens of millions of cars from Toyota, Hyundai, and Kia, making theft a much simpler matter. Learn about your ad choices: dovetail.prx.org/ad-choices

A bipartisan pair of US senators today introduced long-rumored legislation known as the EARN IT Act. Meant to combat child sexual exploitation online, the bill threatens to erode established protections against holding tech companies responsible for what people do and say on their platforms. It also poses the most serious threat in years to strong end-to-end encryption. Learn about your ad choices: dovetail.prx.org/ad-choices

In 2003, security researchers Katie Moussouris and a colleague at enterprise security firm @stake—which would later be acquired by Symantec—found a bad flaw in an encrypted flash drive from Lexar. It was trivial to uncover the password that decrypted the drive's data. But when they tried to let Lexar know? "Things went wrong," says Chris Wyspol, who was also working at @stake at the time. Learn about your ad choices: dovetail.prx.org/ad-choices

For years, North Korea's Lazarus Group hackers have plundered and pillaged the global internet, scamming and infecting digital devices around the world for espionage, profit, and sabotage. One of their weapons of choice: a so-called loader that allows them to clandestinely run a diverse array of malware on targeted Macs with hardly a trace. But Lazarus didn't create the loader on its own. The group seems to have found it laying around online, and repurposed it to elevate their attacks. Learn about your ad choices: dovetail.prx.org/ad-choices

It was the RSA security conference in San Francisco this week, and the security industry descended on Moscone Center for days of handing out free stickers, demoing products, and presenting research. And the week was punctuated by fewer handshakes and more elbow bumps thanks to Covid-19. WIRED looked at research that North Korea is recycling Mac malware, and how it's indicative of booming malware reuse. Learn about your ad choices: dovetail.prx.org/ad-choices

John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom. In fairness, it was Rita Strand's idea. Learn about your ad choices: dovetail.prx.org/ad-choices

As Richard Grenell, the current US ambassador to Germany, starts his second day on the job as the nation’s acting director of national intelligence, his arrival also marks the ouster of not only his predecessor, Joseph Maguire, but reportedly also of DNI principle executive Andrew Hallman. By the end of the day, almost all of the roles created after 9/11 literally to prevent the next 9/11 will be either vacant or lack permanent appointees. Learn about your ad choices: dovetail.prx.org/ad-choices

Distributing malware by attaching tainted documents to emails is one of the oldest tricks in the book. It's not just a theoretical risk—real attackers use malicious documents to infect targets all the time. So on top of its anti-spam and anti-phishing efforts, Gmail expanded its malware detection capabilities at the end of last year to include more tailored document monitoring. And it's working. Learn about your ad choices: dovetail.prx.org/ad-choices

At 10:28 pm on November 1, an image of an unknown and classified Pokémon appeared in a Discord group. Gigantamax Machamp, the megasized version of the body-builder Pokémon, was slated to appear in the then-unreleased games Pokémon Sword and Pokémon Shield. Within minutes, JPEGs of it were posted to 4chan. Then, on a dedicated Pokémon Reddit. It wasn’t long until 300 URLs were hosting it. Learn about your ad choices: dovetail.prx.org/ad-choices

This week was filled with wide-scale calamity. Hundreds of millions of PCs have components whose firmware is vulnerable to hacking—which is to say, pretty much all of them. It's a problem that's been known about for years, but doesn't seem to get any better. Likewise, Bluetooth implementation mistakes in seven SoC—system on chips—have exposed at least 480 internet of things devices to a range of attacks. Learn about your ad choices: dovetail.prx.org/ad-choices

If there’s one line intelligence officials have stuck to about Russian interference in US elections, it’s that it never stopped. Not after the 2016 election, not after the 2018 midterms, and certainly not now, well into the 2020 primary season. Which is why it should be no great surprise that, as the Washington Post first reported Friday, US officials warned Bernie Sanders that Russia is “attempting to help” his presidential campaign. Learn about your ad choices: dovetail.prx.org/ad-choices

Bluetooth is used in everything from speakers to implanted pacemakers, which means that Bluetooth-related vulnerabilities can affect a dizzying array of devices. In the latest instance, a newly discovered round of 12 Bluetooth bugs potentially exposes more than 480 devices to attack, including fitness trackers, smart locks, and dozens of medical tools and implants. Learn about your ad choices: dovetail.prx.org/ad-choices

YouTube Gaming has been clawing its way into streaming platform Twitch’s market share for months. But new data retrieved by WIRED suggests that YouTube Gaming also has a serious problem with scammers and cheat-makers—and lots and lots of bots. In January, all seven of the most-watched YouTube Gaming channels weren’t run by happy gamers livestreaming the game du jour. Learn about your ad choices: dovetail.prx.org/ad-choices

That laptop on your desk or server on a data center rack isn't so much a computer as a network of them. Its interconnected devices—from hard drives to webcams to trackpads, largely sourced from third parties—have their own dedicated chips and code as well. Learn about your ad choices: dovetail.prx.org/ad-choices

West Virginia and Oregon have both recently deployed mobile a voting app called Voatz to facilitate absentee voting. But Voatz now turns out to have major security flaws, according to researchers from the Massachusetts Institute of Technology—including vulnerabilities that could let a hacker manipulate results. The newly unearthed bugs could allow an attacker to reveal someone's votes, block votes from being submitted, or even manipulate them. Learn about your ad choices: dovetail.prx.org/ad-choices