Employees of the U.S. Immigration and Customs Enforcement agency (ICE) have misused law enforcement databases to blacklist their romantic partners, neighbors and business associates, WIRED revealed exclusively this week. New information obtained through records requests shows that hundreds of ICE employees and contractors have faced investigations since 2016 for attempting to obtain unauthorized access to medical, biometric and environmental information. The revelations raise more questions about ICE’s safeguards over people’s sensitive information.
ESET security researchers have discovered that old corporate routers are full of company secrets. After purchasing and analyzing old routers, the organization found that they contained numerous login details for the companies’ VPNs, hashed root administrator passwords, and records of who the previous owners were. The data makes it easy to impersonate the business that originally owned a router. Sticking to account security: The race to replace all your passwords with passkeys is entering a chaotic new phase. The new technology will face challenges getting off the ground.
The supply chain breach of 3CX, a VoIP service provider hacked by North Korean hackers, is drawing attention, and the attack appears to be more complex than initially believed. Google-owned security firm Mandiant said 3CX was itself initially affected by a supply chain attack before its software was used to further distribute the malware.
Also this week, it was revealed that the notorious LockBit ransomware group is working on malware that aims to encrypt Macs. To date, most ransomware has focused on machines running Windows or Linux, not devices made by Apple. If LockBit succeeds, it could open a new frontier for ransomware, but for now it doesn’t seem like the ransomware works.
With the rise of generative AI models like ChatGPT and Midjourney, we’ve looked at how to protect against AI-powered fraud. And right-wing commentator Matt Walsh said the hacker who hacked the Twitter account did so “because they were bored”.
But that’s not all. Each week we collect stories that we haven’t covered in depth ourselves. Click on headlines to read full stories. And stay safe out there.
Car thieves are using a series of small hacking devices, sometimes hidden in Nokia 3310 phones or Bluetooth speakers, to break into and steal vehicles. This week, a report from Motherboard detailed how criminals are using a controller area network (CAN) injection attack to steal cars without needing their keys. Security researchers say criminals must first remove the car’s headlights and then connect the hacking device with two cables. Once connected, it can send fake messages to the car that appear to be from the car’s wireless keys, allowing it to be locked and started.
According to Motherboard, the hacking devices are being sold online and through Telegram channels for between $2,700 and $19,600, which can be a relatively small price when trying to steal luxury cars. Security researchers at Canis Labs have detailed the first case after a car was stolen using the technique. Advertisements say the devices can work on vehicles made by Toyota, BMW and Lexus. The security researchers say that encrypting the traffic sent via CAN messages can help stop the attacks.
In recent years, NSO Group’s Pegasus spyware has been used to target political leaders, activists and journalists around the world, with experts describing the technology as being as powerful as the best hackers. In response to sophisticated spyware, Apple released Lockdown Mode last year, which adds extra security to iPhones and limits how successful spyware can be. Now, a new study by the University of Toronto’s Citizen Lab has confirmed that Apple’s security measures are working. Cases reviewed by Citizen Lab show that iPhones running Lockdown Mode have limited hacking attempts linked to NSO’s software and sent notifications to the phones’ owners. The research found three new “zero-click” exploits that could affect iOS 15 and iOS 16 and that targeted members of Mexican civil society. Lockdown Mode caught one of these attacks instantly.
After OpenAI released GPT-4 in March, people clamored to get their hands on the text generation system. This, perhaps unsurprisingly, includes cybercriminals. Security firm analysts have found a growing market for selling access lists for GPT-4. The company said that since early March, “stolen ChatGPT accounts have seen an increase in conversations and transactions.” This includes criminals exchanging premium ChatGPT accounts and logging into accounts by guessing email logins and passwords. The effort could in theory help people in Russia, Iran and China access OpenAI systems currently blocked in those nations.
Vladimir Putin Communications from Elon Musk’s Starlink satellite system. As of 2011 The Washington Post, the Russian Tobol system appears to be more advanced than previously thought, although it is not clear whether it actually intercepts Internet connections. Analysts initially believed that Tobol was designed for defensive purposes, but later concluded that it could also be used for offensive purposes, sending signals from Earth to orbiting satellites.
For the past four years, politicians in the United Kingdom have been drafting laws designed to regulate the Internet, first disguised as the Online Harm Act, which has evolved into the Online Safety Bill. It has been a particularly messy process, trying to deal with often confusing online activity, but it is the impact on end-to-end encryption that has tech companies worried. This week, WhatsApp, Signal and the companies behind five other encrypted chat apps signed an open letter saying UK plans could effectively ban the encryption that keeps billions of people’s conversations private and secure. (Only the sender and receiver can see end-to-end encrypted messages; the companies that own the messages do not have access.) The companies said in the letter: “The legislation poses an unprecedented threat to the privacy, safety and security of every UK citizen and those with whom they interact around the world, and will embolden hostile governments seeking to enact copycat laws.”