Security News This Week: Sites Have a Sneaky New Way to Track You Across the Web

Plus: A LastPass rate change, Clubhouse concerns, and more of the week's top security news.
The favicons in your browser could wind up giving you away. Illustration: Elena Lacey

This week saw the first known appearance of malware written specifically for Apple's M1 processors, an inevitable but still somewhat concerning development, especially given how little time it took the bad guys to adjust to the new ARM-based architecture. Fortunately, this week Apple also put out its latest Platform Security Guide, which should help security researchers and companies protect against the latest and greatest macOS and iOS threats.

International hacking made the news this week as well. France tied Russia's destructive Sandworm hackers to a campaign that exploited an IT monitoring tool from Centreon, a company based there. And the Department of Justice indicted three North Korean hackers this week, alleging their involvement in a sweeping series of heists and scams that includes the 2014 assault against Sony Pictures and attempted thefts totaling $1.3 billion.

Elsewhere, we took a look at how to avoid phishing scams and how Parler got back online despite being cut off by the big tech companies. We published the latest installment of 2034, a novel that looks at a fictional future war with China that feels all too real. And you should set aside some time this weekend to read this excerpt from Nicole Perlroth's This Is How They Tell Me the World Ends, which looks at the unlikely and previously untold origins of the market for so-called zero-day bugs.

And there's more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

To be extremely clear, the technique that we're about to explain for sites to track you across the web—even if you clear your cache or use an incognito window—is one that researchers found, not necessarily one that sites are actually using, especially not at scale. (Then again, there's not much these analytics companies won't do.) The technique works by focusing on favicons, the little icons that your browser displays to represent the site you're on. Because most browsers store those favicons separately from your browsing history and cookies, traditional means of avoiding tracking like using a private mode or clearing your cache don't affect them. Which in turn means, according to researchers from the University of Illinois, Chicago, that sites could use a unique series of favicons to identify you and track you across the web no matter what. Chrome, Safari, and Edge are all currently vulnerable to the attack, although Google and Apple have both said they're looking into it.

LastPass has long been one of the go-to password managers, in part thanks to its relatively generous free tier, which has until now worked across mobile and traditional computers. As of March 16, though, you'll have to pick one or the other for free unlimited access, or pony up for LastPass Premium or LastPass Families. This is understandably frustrating for existing users, but also brings LastPass in line with many of its competitors. You still have plenty of free options at your disposal, though, including WIRED pick Bitwarden. And no matter what, it's a good reminder that everyone needs a password manager, even if it costs you a few bucks a month.

The audio social network Clubhouse is all the rage among a certain subset of Silicon Valley doyennes. But as it broadens its reach, security researchers have raised a host of concerns about its privacy and security measures. The Stanford Internet Observatory took a close look specifically at Clubhouse's relationship with China, and didn't like what it found. Researchers found that Clubhouse uses a Shanghai-based company for part of its back-end infrastructure, transmits user IDs and room IDs in plain text, and may inadvertently expose its raw audio to the Chinese government. Combined with the app's aggressive grab of your contact list, it's probably best not to get in on the beta until it resolves some of its security issues.

John Deere has long been a focal point of the right to repair movement, given its refusal to let farmers fix their own tractors when high-tech components go down. In response to the growing backlash, the company promised in 2018 to give its customers the tools they need to be self-sufficient. But an investigation by the nonprofit US Public Interest Research Group found that little if any progress had been made to that effect. Farmers by and large still don't have access to the tools and diagnostics that they need to address software malfunctions and other breakdowns associated with John Deere's proprietary technology. Meanwhile, right to repair legislation has gained momentum across dozens of states. It appears that may be the only way to empower farmers to fix the equipment they own the way they want to.

