A new John Deere tractor jailbreak was shown at the Defcon security conference in Las Vegas on Saturday, drawing attention to the power of the right-to-repair movement as it continues to gain momentum in the United States. At the same time, as malware continues to proliferate, researchers are developing expanded tools for detecting spyware on Windows, Mac, and Linux computers.
This week, WIRED took a deep dive into the Posey family, which used the Freedom of Information Act to learn more about the Department of Defense and increase transparency, making millions in the process. Researchers also discovered a potentially critical flaw in the Department of Veterans Affairs’ VistA electronic medical record system that isn’t easily fixed.
If you want some digital security and privacy tips to protect yourself this weekend, we’ve got guidance on how to create a secure folder on your phone, how to set up and use the Signal encrypted messaging app most securely, and Android 13 privacy tips for keeping your data exactly where you want it and not where you don’t.
And there’s more. Every week, we highlight stories that we don’t cover in depth ourselves. Click on the titles below to read the full stories. And stay safe out there.
Janet Jackson’s classic “Rhythm Nation” may be from 1989, but it’s still at the top of the charts, and some hard drives. This week, Microsoft shared details of a vulnerability in a widely used 5400-RPM laptop hard drive sold around 2005. Playing “Rhythm Nation” on or near a vulnerable laptop crashes the disk and takes the laptop down with it. Spinning-disk hard drives have been increasingly phased out in favor of solid-state drives, but they still exist in many devices around the world. The bug has its own CVE tracking number, and it arises because “Rhythm Nation” inadvertently produces one of the natural resonant frequencies created by motion in the hard drive. With such a classic jam, who wouldn’t be thrilled by it? Microsoft said the manufacturer of the drive developed a special filter for the audio processing system that detects and suppresses those frequencies as the song plays. Audio hacks that manipulate speakers, grab information leaked through vibrations, or exploit resonant-frequency vulnerabilities do not turn up often in research, but they are an interesting area.
When cloud services company Twilio announced its breach last week, one of its customers that suffered a knock-on effect was secure messaging service Signal. Twilio supports Signal’s device authentication service. When a Signal user enrolls a new device, Twilio is the provider that sends an SMS text with a code for the user to enter into Signal. Once they had breached Twilio, the attackers could initiate a Signal device swap, read the code from the SMS sent to the real account owner, and then take control of the Signal account. The secure messaging service said the hackers targeted 1,900 of its users and specifically searched for three of them. The Signal account of Motherboard security reporter Lorenzo Franceschi-Bicchierai was among that small subset. Signal was built so that attackers couldn’t view Franceschi-Bicchierai’s message history or contacts by compromising his account, but they could impersonate him and send new messages from his account.
In February, TechCrunch published an investigation into a group of spyware applications that all shared back-end infrastructure and exposed their targets’ data due to shared vulnerabilities. These apps, including TheTruthSpy, are invasive to begin with. But they also inadvertently exposed the phone data of hundreds of thousands of Android users due to an infrastructure vulnerability, TechCrunch reported. This week, though, TechCrunch released a tool that victims can use to check whether their device has been compromised by the spyware and take back control. “In June, a source provided TechCrunch with a cache of files dumped from TheTruthSpy’s internal web server,” wrote TechCrunch’s Zack Whittaker. “The file cache includes a list of every Android device that was compromised by any spyware application in TheTruthSpy’s network prior to April 2022, which is likely when the data was dumped. There isn’t enough information in the leaked list for TechCrunch to identify or notify the owner of an infected device. That’s why TechCrunch built this spyware finder.”
Domain Logistics, a distribution company that works with Ontario Cannabis Stores (OCS) in Canada, was hacked on Aug. 5, limiting OCS’ ability to process orders and deliver weed products to stores and customers across Ontario. OCS said there was no evidence that customer data was compromised in the attack on Domain Logistics. OCS also said that cybersecurity consultants are investigating the incident. Customers in Ontario can order online from the government-supported OCS. The company also distributes to approximately 1,330 licensed cannabis stores in the province. “Out of an abundance of caution to protect OCS and its customers, the decision has been made to close Domain Logistics’ operations until a full forensic investigation can be completed,” OCS said in a statement.