Peter's Quasi-Daily Blah-g

Early on August 16, a total of 23 local government organizations in Texas were hit by a coordinated ransomware attack. The type of ransomware has not been revealed, and Texas officials asserted that no state networks were compromised in the attack.

A spokesman for the Texas Department of Information Resources, or TDIR, told Ars that authorities are not ready to reveal the names of the entities affected, nor other details of the attack. State and federal agencies are in the midst of a response, and TDIR did not have information on whether any of the affected governmental organizations had chosen to pay the ransom.

But the TDIR did reveal that the ransomware came from a single source. “At this time, the evidence gathered indicates the attacks came from one single threat actor,” a spokesperson said. “Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time.”

Response teams from TDIR, the Texas Division of Emergency Management, Texas Military Department, Department of Public Safety, and the Texas A&M University System’s Security Operations Center/Critical Incident Response Team SOC/CIRT are currently involved in the effort to bring systems back online, as are federal officials from the Department of Homeland Security, the FBI, FEMA, and other agencies.

This has been a particularly brutal year for ransomware thus far. While opportunistic attacks against consumers appear to be down from last year based on data from Malwarebytes, attacks against businesses and governments are up by 365 percent. IBM X-Force incident reporters have noted a more modest 116 percent increase in customer ransomware incidents. In July, the US Conference of Mayors reported that there have been 22 ransomware attacks on city, county, and state governments in the first six months of 2019. Those attacks include some notable incidents, such as the April attack on Albany, New York; RobbinHood ransomware attacks on Greenville, North Carolina, and the city of Baltimore; and the Ryuk ransomware attacks on three Florida municipal governments. In July, Ryuk hit Georgia’s court system and then Georgia’s state and capitol police.

The financial damage has been significant. Baltimore is still in the process of recovering, just sending out its first water bills since May and facing $18 million in direct costs and lost revenue. Elsewhere, two Florida cities paid out a total amounting to about $1 million worth of cryptocurrency to regain their data.

Go Big Or Go Home

The Texas attacks are the largest coordinated ransomware attacks seen against multiple local governments, but they’re not necessarily the first such attacks. Three school districts in northern Louisiana were hit by ransomware in a single incident in July. It’s not clear if the districts shared any network infrastructure. And a December 2018 attack struck multiple newspapers owned by Tribune Publishing after Ryuk ransomware spread across Tribune’s internal wide-area network.

Texas has also seen a number of isolated ransomware incidents in the past, especially in the form of attacks against its Independent School Districts (ISDs). In February, the Crosby ISD near Houston was the victim of a ransomware attack that took the district’s entire IT infrastructure down. And back in April 2016, 20 schools in the North East ISD were affected by a ransomware attack that encrypted 2.5 terabytes of data—which was eventually recovered from system backups.

This story originally appeared on Ars Technica.

More Great WIRED Stories

Though there are other authentication dongles out there, YubiKeys are largely the face of the physical two-factor authentication movement. Unfortunately, to date it’s also been unavailable for the most high-profile smartphone in the world. But today manufacturer Yubico is releasing the first Lightning port YubiKey for use with iPhones and iPads. It’s been a long time coming.

First announced in January, the Lightning YubiKey has been in the works for more than a year now. Yubico first needed to get Apple’s MFi certification—a license required for all Lightning devices—before it could start designing the product and getting third-party developers on board. The dongle, priced at $70, has a Lightning connector on one side and USB-C on the other side. That way it works with not only iPhones and iPads, but also MacBooks or any other USB-C device. Up until now, Yubico hasn’t had any offerings that could work with iOS devices, and even among competitors the only option was Bluetooth authentication dongles, which can be glitchy, need to be charged, and potentially introduce their own insecurities.

Though the Lightning YubiKey is finally here with Apple’s (mandatory) blessing, the company still hasn’t incorporated the underlying open authentication standard, FIDO 2, into its operating systems by default. As a result, the Lightning YubiKey can’t automatically work as an authentication token throughout your iOS experience. Each app needs to add compatibility individually through a new application programming interface. For today’s launch, you can use the new Lightning YubiKey with a number of password managers and authentication services, like 1Password​, LastPass​, and ​Okta. You can also sign in with the key on a number of websites through the ​Brave iOS browser app​.

Using the Lightning key is very similar to using other YubiKeys. You can link the key to an array of services and then plug it into your iPhone to log into their app. You can also use the USB-C end in the same way for other devices, including prominent Android phones like the Google Pixel and Samsung Galaxy S9. At launch, the dongle won’t work in the USB-C port of iPad Pros.

“We’re grateful that Apple is finally on board,” Yubico CEO Stina Ehrensvärd tells WIRED. “We want YubiKeys to be a seamless experience and for two-factor authentication to reach three billion people. So ideally we need to not have an iOS SDK, but for it to just auto-work in Apple products. But you have to start somewhere.”

More than a dozen other apps and services, including some heavy hitters Yubico declined to name, are on track to add support for the Lightning keys in their apps by the end of the year. And Apple has recently moved closer to fully adopting FIDO2. The company enabled the related open standard, WebAuthn, by default in macOS’s May Safari Technology Preview.

“We’ve really enjoyed working with Yubico on bringing this integration to 1Password on iOS and Mac,” says Jeffrey Goldberg, a product security officer at AgileBits, which makes 1Password. “We all know that people reuse passwords and that passwords can be captured in transit, say by phishing. Hardware tokens and password managers each tackle those problems in their own ways.”

Though finally debuting the Lightning key is a big triumph for Yubico, Ehrensvärd is already looking ahead. She imagines a world where servers or devices like routers and Internet of Things gadgets use FIDO2 and WebAuthn to offer multi-factor authentication without human involvement. And her hope is that more and more companies will expand the range of technologies that can support multi-factor authentication.

“If I could have an ask it would be that everything should move to NFC, because then authentication keys could work with any device,” she says, of the wireless, port-less standard near field communication. “I’ve heard rumors that iPhones might let authentication work with NFC. That would be great. We’re wide open to all possibilities.”

For now, at least you finally have the option of using some type of YubiKey with your iPhone for the first time.

More Great WIRED Stories

Smoking isn’t good for you. But e-cigarettes, with their sleek, USB bodies and mango-flavored cartridges, promised a sweeter, safer future. No tar, no combustion, no problem. But that picture is getting more complicated. Last week, the Centers for Disease Control (CDC) announced it is opening an investigation into the health effects of smoking e-cigarettes after nearly 100 teenagers in 14 states reported lung illnesses related to vaping. The cases, which were primarily reported among teenagers and young adults, were so severe that some patients were hospitalized and put on ventilators.

So a study out today in the journal Radiology comes not a moment too soon. In it, researchers show that inhaling e-cigarette vapor—just the vapor, without any nicotine or flavorings—has an immediate, negative impact on the vascular system.

E-cigarettes first appeared on the market in 2007 and in the years since, vaping among teens has skyrocketed. The CDC estimates that one in five high school students use e-cigarettes. From 2017 to 2018, e-cigarette use among teenagers increased by more than 75 percent, prompting the US Surgeon General to call it an “epidemic.”

Yet not much is known about the harms associated with e-cigarettes. Sure, nicotine is harmful even when it isn’t smoked: vaping nicotine is still highly addictive, can harm the development of adolescent brains, and can even cause seizures. But e-cigarettes contain more than nicotine, and the bulk of research so far has largely overlooked how these other ingredients affect users.

Researchers at the University of Pennsylvania’s Perelman School of Medicine simplified the question. They removed nicotine and flavorings and just looked at what inhaling that basic vapor does to a person’s blood vessels.

Using an MRI, the researchers examined the veins and arteries of 31 people before and after they took a few puffs of an e-cigarette. Their e-cigarettes contained only vape juice, a mixture consisting primarily of water and either glycerol or propylene glycol, which keep everything dissolved inside the cartridge. The test subjects—who were all between the ages of 18 and 35—were non-smokers and first-time vapers. But after taking 16 three-second puffs, the participants had worse circulation, stiffer arteries, and less oxygen in their blood. “The results of our study defeat the notion that e-cigarette vaping is harmless,” says Felix Wehrli, the study’s principal investigator.

Although glycerol and propylene glycol are considered safe to eat, they may not be safe to inhale. Wehrli’s study shows that when the chemicals are heated and inhaled, they end up passing through the lungs and into the arteries and veins that make up our vascular system. Once there, they irritate the epithelium, a thin layer of cells that lines blood vessels and helps regulate blood flow, blood clotting, and immune responses. The inflamed epithelium then alters how arteries expand and contract. “We did expect an effect, but we never thought the effect was as big as what we found,” says Wehrli. “It’s not just a little change we detect, it’s a major effect.”

Healthy blood vessels naturally widen and constrict to regulate how much blood is flowing through the body. When Wehrli and his colleagues examined three arteries in the leg, heart, and brain, they found that vaping constricted each one by more than 30 percent. That meant that blood wasn’t flowing as quickly as it was prior to inhaling the vapor. The researchers also found that vaping reduced the amount of oxygen in the blood by 20 percent, and made the walls of the blood vessels more rigid and stiff, a symptom often associated with cardiovascular diseases like hypertension and stroke. Other studies have found similar results in animals, but this is the first such finding in human subjects. “It’s really stunning,” says Sven Jordt, who studies e-cigarettes at Duke University but who was not involved in this study.

An ill-functioning epithelium can have major impacts on your health. Over time, inflammation can cause plaque to collect in blood vessels, a condition known as atherosclerosis that can lead to heart attack or stroke. The effects seen in this study, however, were short-lived. The participants regained their normal vascular function in a couple of hours. One puff won’t cause serious, chronic disease, but pull on a vape a few times every hour—or go through a whole cartridge in a day—and the outcomes could be different.

Like many laboratory tests, the parameters of this study didn’t exactly match the real world. In an emailed statement Juul, the San Francisco-based e-cigarette company that controls more than 70 percent of the US market, points out that the study “called for a forced puffing regime that is unrealistically high in volume with very limited time between puffs.”

It’s also true that these vascular responses aren’t unique to smoking. Lots of behaviors and environmental factors can trigger blood vessels to constrict, without causing harm. “A host of other activities, including exercise and caffeine use, have been shown to impact vascular activity acutely, but these short-term changes don’t necessarily have any long-term prognostic value,” says Gregory Conley, president of the American Vaping Association, an organization that promotes vaping products.

But while the long-term impact of this research is unknown, it does add to a growing body of evidence on the harms of e-cigarettes. Some studies have shown that vape juice is chemically unstable and that while the cartridges sit on the shelf, reactions in the liquid can create toxic chemicals. Another study shows e-cigarettes cause wheezing and yet another found that vaping is associated with emphysema and chronic bronchitis.

“Inhaling chemicals into your lungs is dangerous,” says Erika Sward, a spokesperson for the American Lung Association, which does not recommend that anyone use e-cigarettes. For those looking to quit smoking, the ALA recommends using FDA-approved medications, patches, gums, or counseling programs, rather than turning to e-cigarettes. “E-cigarettes are guilty until proven innocent and we are very much in the guilty stage,” says Sward.

The scientific evidence is mounting, but it is not keeping up with the growth of the e-cigarette market. On Monday a regulatory filing showed that Juul raised another $325 million to expand its business worldwide.

More Great WIRED Stories

In the span of one week, three US cities suffered mass shootings: Gilroy, California; El Paso, Texas; and Dayton, Ohio. Occurring in such rapid succession, the incidents rocked the country. But it was far from the first time that a rash of mass shootings seemed to strike, a data trail that’s led some researchers to argue there’s something contagious about them.

“What you notice in a contagion model is that the events will cluster together, unusually closely in time, more so than you would expect from a model that just assumes that they kind of happen randomly,” says Sherry Towers, a mathematician at Arizona State University.

Towers studies the spread of diseases as well as behavior or sentiment, such as the culture of fear that arose around Ebola in the US in 2014. And in 2015, she and her coauthors published one of the first papers demonstrating that mass shootings also acted like a contagion.

Because there is no federal database on mass shootings, Towers and her collaborators relied on databases from private groups, specifically USA Today and the Brady Campaign. They divided the data into three sets: mass killings where four or more people were killed (176 out of 232 incidents involved firearms), school shootings, and mass shootings where three or more people were shot but fewer than four people were killed (to avoid overlap with the first set). The researchers then compared this data, which included events from 1998 to 2013, to a mathematical model of a contagion.

For school shootings and mass killings, the contagion model explained the data better than simply assuming the events were random. The third set of data, events where fewer than four people were killed, showed no significant evidence of being contagious. There was evidence of contagion, however, among school shootings, regardless of death count.

Towers suggests that the three groups receive different amounts of media coverage, which could explain the discrepancy. Mass killings and school shootings tend to generate extensive coverage, while smaller-scale tragedies don’t always get as much attention. (Though it’s not an iron-clad distinction; the Gilroy shooting, which ended with three people dead plus the shooter, garnered significant media attention.)

“Even low-casualty-count school shootings can get national media, because I think it speaks to parents’ fears about their children going off to school,” Towers says. It was the lack of contagion among shooting events only reported in local news outlets that got her thinking. “That’s what led us to hypothesize that media may be playing a role.”

Economists Michael Jetter and Jay Walker, of the University of Western Australia and Old Dominion University, respectively, reached the same conclusion in a working paper published last year. Using statistics, they found that the amount of news coverage on mass shootings could predict the number of shootings in the week following.

They showed, among other things, that media coverage of mass shootings decreased when they overlapped with natural disasters, and that it was subsequently less likely for shootings to occur in the following week, even when considering different definitions of “mass shooting” (in terms of deaths or people shot). Jetter had previously studied the relationship between terrorists and news coverage of terrorism, and found the correlation to be similar.

“Many of these people want fame,” Jetter says. “In manifestos by some of these shooters, they say, ‘I want to be famous, and I want to be recognized, I want to be feared.’ We found a way to test for that empirically, and the results seem to confirm that if you give them that room in the media, then you just encourage others.”

At least one shooter explicitly cited the media as a motivator. In 2015, a man fatally shot nine people at a community college in Oregon before shooting himself. He noted in a blog post the media attention given to mass shooters, saying they “are all alone and unknown, yet when they spill a little blood, the whole world knows who they are. A man who was known by no one, is now known by everyone. His face splashed across every screen, his name across the lips of every person on the planet, all in the course of one day.”

Sheriff John Hanlin of Douglas County, Oregon, where the shooting took place, declared in a press conference that he would not name the shooter.

“I will not give him the credit he probably sought prior to this horrific and cowardly act,” Hanlin said. “Media will get the name confirmed in time. But you will never hear me mention his name. We would encourage media and the community to avoid using it … he in no way deserves this.”

The sheriff’s words sparked a small debate in the media about whether journalists have a responsibility to name the shooter, show his face, or quote from his manifesto. Media guidelines for reporting on another type of tragedy, suicides, have been in place for years; they include not providing excessive details of the method used and adding information about help lines and other resources to the article. Research has shown that suicides, too, can spread like a contagion depending on how they are covered, but a consensus has yet to emerge among media organizations about how to handle mass shootings.

Part of the problem is the lack of research on gun violence in the US, says Paul Perrin, a psychologist at Virginia Commonwealth University. The Centers for Disease Control and Prevention, which would be responsible for initiating such work, has been under the shadow of a legislative rider called the Dickey Amendment since 1996; it effectively has prevented the agency from funding research into gun violence.

“This is a huge gap,” Perrin says. “It’s a travesty that the federal government is unwilling to fund any kind of epidemiological research on shooting contagion.” This month, the House of Representatives approved a 2020 appropriations package that allots $50 million to gun research, and Senate minority leader Charles Schumer recently announced he will call upon President Trump to reallocate $5 billion in border wall funding to preventing white supremacist extremism and gun violence, as well as CDC research. Both of these proposals require approval by the Republican-controlled Senate.

Jonathan Ivy, a behavior analyst at Pennsylvania State University, Harrisburg, suggests several guidelines for reporting on mass shootings. These include not naming the shooter, avoiding in-depth descriptions of their rationale, decreasing the duration of news coverage after a shooting, and not providing unnecessary accounts of the shooter’s actions before, during, or after a shooting.

“When we create these spectacles out of these tragic situations,” Ivy says, “that can actually act as a signal to somebody who has similar motivations, that ‘perhaps this is a very effective way to communicate my message,’ or ‘this is a way that I can achieve some kind of desired end.'”

The answer to how to cover these tragedies is likely complex. The media also has a responsibility to inform the public, of course; mass shootings are a matter of public safety. Many journalists are likely to consider it worth reporting, for example, that the El Paso shooter was motivated by a perceived “invasion” of Hispanic people.

Ivy doesn’t have an answer, but he believes that it’s “so important” for journalists to be thinking more about these questions. “I think there is a very fine line that distinguishes what is newsworthy information versus detail that perhaps adds additional context but doesn’t really add anything to the story,” he says. “I would think that there’s a balance that could be struck in presenting that in a very matter-of-fact way but not over-emphasizing the role of a manifesto or what’s said.”

Similarly, Perrin argues that a shared fascination with understanding the mind of the shooter perpetuates some media coverage. Audience demand drives more coverage. “When you create these psychological profiles through the media, it really creates these antiheroes,” he says.

The data on mass shootings is small and lacking compared to that on suicides, so news outlets have less research to lean on when weighing how to report on mass shootings. But with the evidence on contagiousness stacking up, the media’s role as a vector of infection is becoming harder to ignore.

More Great WIRED Stories