Sites have a sneaky new way to track you on the web

This week saw the first known appearance of malware written specifically for Apple’s M1 processors, an inevitable development but still a somewhat worrying one, especially considering how little time it took the crooks to adjust to the new ARM-based architecture. Fortunately, this week Apple also released its latest Platform Security Guide, which should help researchers and security companies defend against the biggest and latest macOS and iOS threats.

International hacking was also in the news this week. France linked Russia’s destructive Sandworm hackers to a campaign that exploited an IT monitoring tool from Centreon, a company based there. And the Justice Department indicted three North Korean hackers this week, alleging their involvement in a series of heists and scams that include the 2014 attack on Sony Pictures and the attempted theft of $1.3 billion.

Elsewhere, we took a look at how to avoid phishing scams and how Parler went back online, despite having been hacked by the big tech companies. We published the last installment of 2034, a novel about a fictional future war with China that feels very real. And you should take some time this weekend to read this excerpt from Nicole Perlroth’s book This Is How They Tell Me the World Ends, which examines the unlikely and previously untold origins of the so-called market for zero-day bugs.

And there’s more! Each week, we round up all the news that we did not cover in depth. Click on the headlines to read the full stories. And stay safe out there.

To be extremely clear, the technique we’re about to explain for sites to track you on the web – even if you clear your cache or use an incognito window – is one that researchers have discovered, not necessarily one that sites are actually using, especially not at scale. (Then again, there’s not much that these analytics companies don’t do.) The technique works by focusing on favicons, the little icons that your browser displays to represent the site you’re on. Since most browsers store these favicons separately from browsing history and cookies, the traditional means of avoiding tracking, such as using a private mode or clearing the cache, do not affect them. That, in turn, means that sites can use a unique series of favicons to identify and track you on the web no matter what, according to researchers at the University of Illinois at Chicago. Chrome, Safari and Edge are currently vulnerable to the attack, although Google and Apple have said they are investigating it.

LastPass has long been a favorite password manager, partly thanks to its relatively generous free tier, which has so far worked across both mobile devices and traditional computers. However, starting on March 16, you will have to choose one or the other for free and unlimited access, or pay for LastPass Premium or LastPass Families. This is understandably frustrating for existing users, but it also puts LastPass in line with many of its competitors. You still have many free options at your disposal, including WIRED’s pick, Bitwarden. And no matter what, it’s a good reminder that everyone needs a password manager, even if it costs a few dollars a month.

The social audio network Clubhouse is in vogue among a certain subset of Silicon Valley doyennes. But as it expands its reach, security researchers are raising a number of concerns about its privacy and security measures. The Stanford Internet Observatory took a close look specifically at Clubhouse’s relationship with China and didn’t like what it found. The researchers found that Clubhouse uses a Shanghai-based company for part of its back-end infrastructure, transmits user IDs and room IDs in plain text and may inadvertently expose its raw audio to the Chinese government. Combined with the app’s aggressive capture of your contact list, it’s probably best not to join the beta until it resolves some of its security issues.

John Deere has been a focal point of the right-to-repair movement, given its refusal to allow farmers to fix their own tractors when high-tech components fail. In response to the growing backlash, the company promised in 2018 to give its customers the tools they need to be self-reliant. But an investigation by the nonprofit United States Public Interest Research Group found that little or no progress has been made in this regard. In general, farmers still do not have access to the tools and diagnostics they need to deal with software malfunctions and other failures associated with John Deere’s proprietary technology. Meanwhile, right-to-repair legislation has gained momentum in dozens of states. It seems that this may be the only way to enable farmers to repair the equipment they have the way they want to.

