The Top 30 Vulnerabilities Include Plenty of Usual Suspects

WIRED published a disturbing report this week about real warships having their positions falsified by an unknown party. In the past few months, hundreds of vessels have appeared to cross into disputed waters while they were actually hundreds of miles away. AISHub and MarineTraffic have both reported fake AIS tracking data as the source of the misinformation. Although it's not clear who is behind it or how they pulled it off, it comes dangerously close to powder kegs in Crimea and elsewhere.

A pair of researchers released a tool this week that searches every website for low-hanging-fruit vulnerabilities, such as SQL injection or cross-site scripting. The results are not only searchable but also public. The tool, called Punkspider, is actually the second iteration; the first was shut down after many complaints to its hosting provider. Punkspider's future is uncertain in the face of many of the same criticisms.

Apple claims to be the most privacy-friendly major technology company, and it has backed that claim with numerous accomplishments. This week we took a look at a major step towards consumer privacy that Apple is not taking: implementing global privacy controls that would allow Safari and iOS users to stop all tracking.

Our UK colleagues spoke to Coconut Kitty, a cam girl who uses digital effects to appear younger online. In many ways it could be the future of adult content, with potential repercussions that go far beyond one OnlyFans account.

There's more. Every week, we round up all the security news WIRED hasn't covered in depth. Click on the headlines to read the complete stories, and stay safe out there.

The top 30 most exploited vulnerabilities were compiled in a joint advisory by law enforcement agencies from the US, UK and Australia. The list contains a lot of vulnerabilities that were publicly disclosed years ago, and every flaw on it can be patched by anyone who wants to. We've seen time and time again that many companies take too long to update their software, whether due to a lack of know-how or a lack of resources. Remote code execution is a serious problem, and companies don't want that.

Doxcy, an app that appeared to be a dice-rolling game, gave anyone who downloaded it access to Netflix and Amazon Prime content. Gizmodo asked Apple to remove the app from the App Store. You likely shouldn't have downloaded it anyway, as it was full of ads and probably mishandled your data. Overall, it's better to just pay for a subscription.

Iran's train system was attacked by hackers in July; the hackers posted messages on station screens suggesting that passengers contact the office of Supreme Leader Khamenei for help. SentinelOne's closer inspection revealed that the malware was a wiper and was not intended to hold data hostage. Meteor, as the researchers called the malware, was likely the work of a new threat actor and showed a lack of polish. That's good news for anyone they choose to target.

Amnesty International, along with more than a dozen other organizations, released a report last week about how authoritarian governments used spyware from the NSO Group to spy on journalists and political opponents. The Israeli government visited the offices of the well-known surveillance vendor in Israel shortly after. NSO Group has repeatedly denied the Amnesty International report, but domestic pressure seems to have increased after names such as French president Emmanuel Macron appeared on a list of purported spyware targets.

A Justice Department disclosure on Friday revealed that Cozy Bear, the hackers responsible for the SolarWinds hack and other sophisticated espionage campaigns, also broke into at least one email account at 27 US Attorney offices last year. Eighty percent of the email accounts in four New York-based US Attorney offices were compromised. They likely had access to sensitive information that the Russian government would use responsibly.