Security News This Week: A Ransomware Group Hit the DC Police—Then Pivoted to Extortion

Warrantless searches, tracking troops, and more of the week’s top security news.
DCPD
Photograph: Joel Carillet/Getty Images

It's been a busy week. There's a lot to catch up on. But before you continue reading, please take a minute to make sure you've updated your iPhone to iOS 14.5. And once you have, use its new AppTrackingTransparency feature to tell Facebook and other companies to stop following your activity across other apps and websites. In fact, they all now have to give you the option, like it or not. When they do? Opt out.

That wasn't the only significant Apple update this week. On Monday the company also pushed out a patch for a macOS vulnerability that hackers had been actively exploiting to spread adware to Macs. The underlying flaw wasn't in macOS security safeguards, but rather in the logic of the operating system itself, and it would have let nearly any software sneak through. Security researchers also pointed out how Apple's handy AirDrop feature leaks email addresses and phone numbers—but no fix is in sight for that one yet.

VPN hacks have increasingly threatened corporations in recent years, especially as more of the workforce has gone remote. The issue has come to a head, with flaws in Pulse Secure VPN leading to hacks of government agencies, financial institutions, and more high-value targets, likely by several state-sponsored Chinese groups. It's still not as bad a situation as ransomware, which a new coalition hopes to tackle through a good old-fashioned public-private partnership. Which, well, good luck!

IRS investigators tracked down and arrested the alleged administrator of Bitcoin Fog, the longest-running cryptocurrency laundering service on the dark web. And Google's fancy cookie-killing project is facing pushback in the European Union.

And there's more! Each week we round up all the news WIRED didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

It's been a wild week or so for the ransomware group Babuk. First they claim to have stolen 250 GB of data from the Metropolitan Police Department, including some that could expose informants. Then they say they're going to retire altogether. Then they revise that claim to say they're just quitting the ransomware part to focus on extortion full-time. What a journey! In truth, you can see a lot of ransomware trends converging in their little roller coater: increasingly outrageous targets, a focus on stealing data rather than encrypting it, and constant press releases that try to provide a veneer of professionalism. 

In what qualifies as both a heartwarming story of ingenuity and a maddening indictment of the US health care system, a security researcher scored a $50,000 bug bounty just hours after digging for vulnerabilities to help pay for heart surgery his unborn daughter will need when she arrives. He and a friend who helped find the bug put a portion of the money toward a GoFundMe account that eventually topped $31,000.

In the course of its operations, the NSA keeps track of a massive trove of foreign communications. The FBI has apparently been dipping into that cookie jar in search of links to racially motivated domestic terrorists without first obtaining a warrant. The Daily Beast reports that a judge on the Foreign Intelligence Surveillance Court castigated the agency for violating its standards dozens of times. 

The problem of location data being widely available to both law enforcement and private actors has long been established. But The Wall Street Journal this week looked at how the sort of information collected by apps and passed on to third-party brokers can also be used to identify the locations and movements of US troops. The report looks at activity in Syria, specifically, from a few years ago, since the US has since withdrawn from the country. But it sheds troubling light on just how much data even the most locked-down smartphone users give away on a daily basis.


More Great WIRED Stories