It’s been a week since the world avoided a potentially catastrophic cyberattack. On March 29, Microsoft developer Andres Freund disclosed his discovery of a backdoor in XZ Utils, a compression tool widely used in Linux distributions and thus countless computer systems worldwide. The backdoor was inserted into the open source tool by someone operating under the persona “Jia Tan” after years of patient work building a reputation as a trustworthy volunteer developer. Security experts believe Jia Tan is the work of a nation-state actor, with clues largely pointing to Russia, although definitive attribution for the attack is still outstanding.
In early 2022, a hacker operating under the name “P4x” took down the internet of North Korea, after the country’s hackers had targeted him. This week, WIRED revealed P4x’s true identity as Alejandro Caceres, a 38-year-old Colombian American. Following his successful attack on North Korea, Caceres pitched the US military on a “special forces”-style offensive hacking team that would carry out operations similar to the one that made P4x famous. The Pentagon eventually declined, but Caceres has launched a startup, Hyperion Gray, and plans to further pursue his controversial approach to cyberwarfare.
In mid-February, millions of people lost internet access after three undersea cables in the Arabian Sea were damaged. Some blamed Houthi rebels in Yemen, who had been attacking ships in the region, but the group denied it had sabotaged the cables. But the rebel attacks are still likely to blame—albeit, in a bizarre way. A WIRED analysis of satellite images, maritime data, and more found that the cables were likely damaged by the trailing anchor of a cargo ship that the Houthi rebels had bombed. The ship drifted for two weeks before finally sinking, crossing paths with the cables at the time they were damaged.
The myth that Google Chrome’s Incognito mode provides adequate privacy protections can finally be put to rest. As part of a settlement over Google’s Incognito privacy claims and practices, the company has agreed to delete “billions” of records collected while users browsed in Incognito mode. It will also further clarify how much user data can be collected by Google and third parties while Incognito is enabled, and take further steps to protect user privacy. There are other privacy-focused browsers that can replace Chrome. But if you’re still using it, make sure to update it to patch some serious security flaws.
But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
A 58-year-old hospital systems administrator pleaded guilty this week to US federal charges after he was caught using another man’s name for more than 30 years. Matthew David Keirans allegedly stole the identity of William Woods in 1988, when the two men worked at a hot dog cart in Albuquerque, New Mexico, according to the US Attorney’s Office for the Northern District of Iowa. Over the decades, Keirans obtained employment, bank accounts, loans, and insurance, and paid taxes, under the Woods name. Keirans even had a child whose last name is Woods.
The real William Woods, meanwhile, reportedly learned that someone else was using his identity in 2019. At the time, Woods was unhoused and living in Los Angeles. He contacted a bank where “William Woods” had an account, providing his real Social Security card and California ID card to prove his identity. However, he could not answer the security questions to gain access. The bank called Keirans—who was pretending to be Woods—and Keirans convinced the bank employee that the real Woods should not have access to the accounts. The Los Angeles Police Department then arrested the real Woods and charged him with identity theft after Keirans provided officers with false documents and information.
In a nightmarish twist, during judicial proceedings, the real Woods accurately maintained that “William Donald Woods” was his true identity, prompting the court to order him to a mental institution. The real Woods ultimately spent 428 days in jail and 147 days in a mental hospital before his release.
The real Woods then continued to work to regain his true identity, eventually contacting authorities after learning that Keirans worked at a hospital in Iowa City. Investigators later confirmed the real Woods’ identity after obtaining a DNA test. Confronted with the evidence, Keirans confessed to a series of crimes and now faces a maximum sentence of 32 years in prison, a $1.25 million fine, and five years of supervised release.
The White House-mandated Cyber Safety Review Board issued a scathing report against Microsoft this week, accusing the tech giant of failing to stop a “preventable” intrusion by China-backed hackers of hundreds of Microsoft Exchange Online email accounts. To gain access to email accounts belonging to 22 organizations and 500 individuals worldwide, the hackers, known as Storm-0558, stole a Microsoft cryptographic key. The CSRB report chastises the company for failing to detect “the compromise of its cryptographic crown jewels,” inadequate security practices, and a “corporate culture that deprioritized both enterprise security investments and rigorous risk management,” among a “cascade” of other defeats.
The report also found that Microsoft still does not know how Storm-0558 obtained its key, accusing the company of making false statements after it initially claimed that the key was accidentally included in an April 2021 “crash dump.” The company has since updated its explanation of the intrusion to say that it still does not know how the hackers obtained the key. The CSRB issued 25 recommended steps that Microsoft—a major government contractor whose systems protect highly sensitive information—should take to better protect its systems.
The owner of the website Tedium received legal threats from a nonexistent “law firm” charging the publication with a copyright violation. In reality, the “lawyers” behind the complaint were AI-generated. They accused Tedium of using a photograph without the owner’s consent, and a “copyright infringement” notice offered to supposedly settle the matter, if only Tedium would agree to properly credit the photo’s “owner” and link out to their website. This was a backlink scam meant to boost the SEO ranking of the fake copyright holder’s page. The scam was strengthened by a group of AI-generated characters: a team of young, “skilled lawyers” allegedly specializing in creative rights and commercial law.
There is an internal battle happening in the US Congress over the future of a struggling spy program known as Section 702 and the commercial deals that US intelligence agencies have negotiated in recent years with global data brokers. These brokers sell information that government agents usually need a warrant to obtain. The UK owner of LexisNexis, an “amalgam of publishers and data brokers, woven together into a single information behemoth,” has hired a Washington, DC, lobbying firm to converse with federal lawmakers about “potential privacy, data security, breach notification, data broker, and FISA reform legislation.” Politico has reported that the company, RELX, utilized the firm, Venable, to battle privacy legislation aiming to restrict the kinds of personal data that companies can sell to law enforcement.
New York City mayor Eric Adams is escalating his campaign against subway violence by planning to test weapons scanners that state they use artificial intelligence to detect if commuters are carrying blades and firearms. Documents acquired by Hell Gate show what Adams did not reveal at a press conference last week: that data already in the city’s possession indicates the technology is only occasionally useful. Once police officers allowed to carry firearms were taken out of one study at a Bronx hospital, the scanners were found to be accurate less than 1 percent of the time. (All in all, more than 85 percent of the time, the scanners falsely suspected New Yorkers who were actually unarmed.) This move by Adams comes after New York governor Kathy Hochul’s deployment of hundreds of National Guard soldiers in the city’s subway systems. Adams initially addressed a series of homicides and stabbings across the city in March by sending hundreds of police officers underground to search commuters’ bags at well over 100 subway stations—a tactic that sparked resistance from several locals this week who destroyed ticket machines and disabled security cameras at a midtown station to protest the surveillance surge.