Security News This Week: The US Emergency Alert System Has Dangerous Flaws

Plus: A crypto-heist extravaganza, a peek at an NSO spyware dashboard, and more.
Red emergency light glowing bright
Photograph: mgstudyo/Getty Images

Cryptocurrency tracing has become a key tool for police investigating everything from fraud and ransomware to child abuse. But its accuracy may soon be put to the test.

This week, we reported on new court filings from the legal team representing Roman Sterlingov, who’s been in jail for 15 months, accused of laundering $336 million in cryptocurrency as the alleged owner and operator of dark-web crypto mixer Bitcoin Fog. Sterlingov not only maintains he is innocent, but his defense attorney claims that the blockchain analysis that served as evidence that Sterlingov set up Bitcoin Fog is flawed.

Elsewhere, we highlighted Microsoft’s newly bolstered Morse bug-hunting team, which aims to catch flaws in the company’s software before they cause problems for the company’s 1 billion users. We dove into the spectacular failure of a new post-quantum encryption algorithm. We listed all the big security updates you need to be on top of from July, and we detailed all the data that Amazon’s Ring cameras collect about you.

Finally, a new report from cybersecurity company Mandiant found an attack on Albania’s government has the hallmarks of state-sponsored Iranian hacking—a notable moment of escalation in the history of cyberwar, given that Albania is a NATO member. And we got into the weeds of a Slack error that exposed hashed passwords for five years.

But that’s not all. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

This is not a test. Software used to transmit US government-issued emergency alerts on television and radio contains flaws that could allow an attacker to broadcast false messages, according to the Federal Emergency Management Agency and the security researcher who found the vulnerabilities. The company that makes the software, Digital Alert Systems, has issued patches, and FEMA has alerted the TV and radio networks that use the software to update their devices immediately. Of course, patches may not be universally adopted, leaving the system at risk. There’s no evidence that an attacker has exploited the flaws so far. But considering the mayhem false emergency alerts can cause, we’ll just have to hope that it stays that way.

One major theft of cryptocurrency in a week would be bad, and this week saw two. First, thanks to a flaw in the Nomad bridge—a type of application that lets users move digital tokens across blockchains that are prime hacker targets—“hundreds” of people were able to steal a collective $190 million in cryptocurrencies. Nomad now says that anyone who returns 90 percent of the funds they swiped will be considered a “white hat” and can keep the remaining 10 percent as a bounty. Some $22 million of the stolen funds had been recovered so far.

The second crypto hack of the week came just a day later, on Tuesday night, with hackers draining around 8,000 “hot” wallets (cryptocurrency storage apps that are connected to the internet) connected to the Solana ecosystem, allowing them to steal around $5 million worth of crypto. Solana said in a tweet that the exploit was due to a bug in “software used by several software wallets popular among users of the network,” not the Solana network or its cryptography.

It’s one thing to be told what NSO Group’s spyware can do, but it’s quite another to see it for yourself. Reporters at Israel’s Haaretz got their hands on never-before-seen screenshots of Syaphan, a prototype of NSO’s now-infamous Pegasus spyware, which has retained much of the look and functionality of its precursor. The screenshots show that operators have the ability to access call logs and messages and remotely enable cameras and microphones to turn an infected device into a real-time spying tool.

Government use of Pegasus and other spyware has resulted in a growing number of scandals, particularly in Europe. Yesterday, Panagiotis Kontoleon, the head of Greece’s intelligence service, and Grigoris Dimitriadis, general secretary of the prime minister’s office, resigned. Their departures follow a complaint filed by Nikos Androulakis, the head of the socialist PASOK party, who alleged that his phone had been targeted by Predator spyware created by Cytrox, which is based in neighboring North Macedonia. Greece’s prime minister’s office maintains, however, that the resignations and the spyware allegations are unconnected. “In no case does it have anything to do with Predator (spyware), to which neither he nor the government are in any way connected, as has been categorically stated,” it said in a statement.

Remember a few months ago when everyone was mad at DuckDuckGo? Well, that thing you were angry about has now been (mostly) fixed, according to the company. Back in May, security researcher Zach Edwards found that DuckDuckGo’s privacy browsers—not its search engine, for which the company is better known—allowed some third-party Microsoft tracking scripts. DuckDuckGo, which has a partnership with Microsoft, says it has expanded its 3rd-Party Tracker Loading Protection to include 21 more domains, thus blocking nearly all instances of Microsoft tracking scripts on websites accessed via its mobile DuckDuckGo Privacy Browser or while using its Privacy Essentials extension, which can be used with all major browsers. However, DuckDuckGo will still allow advertisers to track clicks only from DuckDuckGo through scripts from the bat.bing.com domain (but block them in all other contexts). Is it perfect? No—even DuckDuckGo admits that. But it’s still a privacy improvement over mainstream browsers and search engines.