like the summer wind This week, researchers warned of systemic vulnerabilities in mobile app infrastructure, as well as a new iOS security flaw and a flaw in TikTok. New findings on ways to exploit Microsoft’s Power Automate tool in Windows 11 show how it can be used to distribute malware ranging from ransomware to keyloggers and more.
February Morning, an anti-Putin media network that runs on the messaging app Telegram, has played a key role in the underground resistance to the Kremlin. Meanwhile, the California Age-appropriate Design Code passed the California Legislature this week, with significant potential implications for children and everyone’s online privacy.
Plus, if you’re ready to take more aggressive steps to protect your privacy on your mobile device and feel like a badass while doing so, we’ve got a guide to setting up and using your burner phone.
But wait, there’s more! Every week, we highlight stories that we don’t cover in depth ourselves. Click the title below to read the full story. And stay safe outside.
Data broker Fog Data Science has been selling access to what it claims is billions of location data points from more than 250 million smartphones to local, state and federal law enforcement agencies across the United States. The data comes from tech companies and cell towers, and is collected from thousands of iOS and Android apps through the Fog Reveal tool. Crucially, using the service is cheap, often costing local police departments less than $10,000 a year, and an investigation by The Associated Press and the Electronic Frontier Foundation found that law enforcement sometimes operates without a warrant. Extract location data. The EFF conducted its investigation through more than 100 public records requests submitted over several months. “Disturbingly, these records indicate that Fog and some law enforcement did not believe Fog’s surveillance involved people’s Fourth Amendment rights and required authorities to obtain search warrants,” EFF wrote.
An unprotected database containing information on millions of faces and license plates was exposed and publicly accessible in the cloud for months until it was finally secured in mid-August. TechCrunch linked the data with Xinai Electronics, a tech company based in Hangzhou, eastern China. The company develops authentication systems for accessing spaces such as parking lots, construction sites, schools, offices or vehicles. It also advertises other services related to payroll, employee attendance and performance tracking, and license plate recognition. The company has deployed a vast network of cameras in China to record facial and license plate data. Security researcher Anurag Sen alerted TechCrunch to an unprotected database that also exposed names, ages and national ID numbers in facial data. This comes just months after a huge database of Shanghai police was leaked online.
Montenegrin authorities said Wednesday that a gang known as “Cuba” carried out a ransomware attack on its government network last week. The gang also claimed responsibility for attacks on the dark web. The Montenegrin National Security Service (ANB) said the group was linked to Russia. Attackers reportedly deployed a malware called “Zerodate” and infected 150 computers at 10 Montenegrin government agencies. It is unclear whether the attackers leaked the data as part of the hack. The FBI is sending investigators to Montenegro to help analyze the attack.
On Monday, the U.S. Federal Trade Commission announced that it was suing data broker Kochava for selling geolocation data collected from apps on “hundreds of millions of mobile devices.” The FTC said the data can be used to track people’s movements and reveal information about where they are going, including showing visits to sensitive locations. “Cochava’s data could reveal visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities,” the agency wrote. data, Kochava enables others to identify individuals and exposes them to threats of stigma, stalking, discrimination, unemployment and even physical violence.” The lawsuit seeks to stop Kochava from selling sensitive location data, and the agency asks the company to delete its existing The data.
In August, the prolific ransomware gang Cl0p compromised South Staff Water, a UK water company. The gang said it even had access to SSW’s industrial control network, which handles things like water flow. Hackers posted screenshots that allegedly showed them accessing the water supply control panel. Experts told Motherboard that it seemed possible that hackers could actually interfere with the water supply, highlighting the risks when critical infrastructure networks are not sufficiently isolated from regular business networks. “Yes, there is access, but we only made screenshots,” Cl0p told Motherboard. “We don’t hurt people and respect critical infrastructure. … We didn’t really go into it because we didn’t want to hurt anyone.” SSW said in a statement, “This incident has not impacted our ability to provide security. The ability to use water.”
