Apple and Meta provided user data to hackers posing as police

0

Ipsa scientia potestas iswrote the 16th century philosopher and statesman Sir Frances Bacon in his 1597 work, Meditations Sacrae. Knowledge itself is power. The aphorism, cliché as it is, takes on a palpable truth in times of war.

Just ask the residents of Mariupol, a city in southeastern Ukraine where devastating Russian attacks have cut off the flow of information in and out of town. Meanwhile, in Russia, the government has banned Facebook and Instagram as part of its crackdown on news without state approval. But as we explained this week, building a Chinese-style splinternet is far more difficult than the Kremlin would like to admit.

We explored the power of information – and the power of keeping information secret – further this week with a look at a new idea for creating digital cash in the US – no, not Bitcoin or any other cryptocurrency. Real digital cash that, most importantly, has the same built-in privacy as the bills in your current wallet. We also dove into the pitfalls of knowing where your children and other loved ones are at all times through the use of tracking apps, which you should probably stop using. And after last week’s approval of the Digital Markets Act in Europe, we analyzed the delicate task of forcing encrypted messaging apps to work together as required by law.

To round things out, we put our gloves on some leaked internal documents that shed new light on the Okta hack of the Lapsus$ extortion gang. And we looked at how researchers used a decommissioned satellite to broadcast pirate TV shows.

But that’s not all, friends. Read below for the rest of the week’s top security stories.

In one of the most creative schemes we’ve seen recently, hackers allegedly tricked Apple and Meta into handing over sensitive user data, including names, phone numbers and IP addresses, reports Bloomberg. The hackers did this by exploiting so-called Emergency Data Requests (EDRs), which police use to access data when someone is in potentially immediate danger, such as an abducted child, and which do not require the signature of a judge. Civil liberties watchdogs have long criticized that EDRs are ripe for law enforcement abuse, but this is the first time we’ve heard of hackers using the data privacy loophole to steal data from law enforcement agencies. people.

According to security journalist Brian Krebs, hackers gained access to police systems to send the fraudulent EDRs, which, due to their urgent nature, would be difficult for tech companies to verify. (Apple and Meta told Bloomberg they have systems in place to validate police requests.) Adding another layer to the saga: Some of the hackers involved in these scams later became part of the Lapsus group. $, Bloomberg and Krebs reported, which is in the news again this week for other reasons.

Following the arrest and release last week of seven youngsters in the UK linked to the series of high-profile hacks and extortion attempts by Lapsus$, City of London Police announced on Friday that she had charged two teenagers, a 16-year-old and a 17-year-old, in connection with the gang’s crimes. Each teenager faces three counts of unauthorized computer access and one count of fraud. The 16-year-old also faces “one count of causing a computer to perform a function to secure unauthorized access to a program,” police said. Due to strict confidentiality rules in the UK, the teenagers have not been publicly named.

Despite the narrative that Russia did not use its hacking power in its unprovoked war against Ukraine, mounting evidence shows that this is not true. First, Viasat released new details about the attack on its network at the start of Russia’s war on Ukraine in late February, which took some Ukrainian military communications offline and tens of thousands of people in across Europe. Viasat too confirmed an analysis by SentinelLabs, which found that attackers were using modem-erasing malware known as AcidRain. According to the researchers, this malware may have “developmental similarities” to another malware, VPNFilter, which US national intelligence has linked to Russian hacker group GRU Sandworm.

Then came the biggest cyberattack since Russia started its war. Ukrainian State Service of Special Communications announcement On Monday, internet provider Ukrtelecom suffered a “powerful” cyber attack on its core infrastructure. While SSSC said Ukrtelecom was able to fend off the attack and begin recovery, internet monitoring service NetBlock said on Twitter that he has witnessed a “connectivity collapse” nationwide.

Internet-connected “Wyze Cam” cameras have been exposed for nearly three years, thanks to a vulnerability that could have allowed attackers to remotely access video and other images stored on the devices’ memory cards. Such vulnerabilities are unfortunately not unusual in Internet of Things devices, including IP cameras in particular. The situation was particularly significant, however, as researchers from Romanian security firm Bitdefender have been trying to disclose the vulnerability to Wyze and get the company to release a patch since March 2019. It’s unclear why researchers haven’t not make the results public. sooner, as is standard in vulnerability disclosure after three months, to draw more attention to the situation. Wyze released patches for the flaw on January 29 for its V2 and V3 cameras. However, the company no longer supports its V1 camera, which is also vulnerable. The bug is exploitable remotely, but not directly on the open internet. Attackers should first compromise the local network the camera is on before targeting the Wyze vulnerability itself.


More Great WIRED Stories

Share.

Comments are closed.