The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021.
This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh

U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks

Cybersecurity researchers have discovered an ongoing attack campaign that's leveraging phishing emails to deliver malware called SSLoad.
The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
"SSLoad is designed to stealthily infiltrate systems, gather sensitive

Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Source: Andre Boukreev via Shutterstock

Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers already have exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company unveiled and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there already were various reports of threat actors hammering the flaw with an existing exploit.

These attacks, which were potentially "politically motivated," were targeted in nature for intelligence gathering and detected at various US entities, according to Crowdstrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.

**A Developing Attack Scenario for Cloud File Transfer**

The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 CrushFTP servers publicly accessible "based on a Shodan query in a Nuclei template created by h4sh," according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.

Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention in the flaw, by targeting users with fake PoCs, Narang wrote, noting there already is a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."

**CVE-2024-4040: Potential for RCE**

The vulnerability as described by the vendor is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that it is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

CVE-2024-4040 is a "fully unauthenticated flaw" and is easy to exploit; successful exploitation allows not only or arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE), she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.

**Exploit Code Available**

The PoC exploit posted by Garrelou includes two scripts. The first, scan\_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.

"If it succeeds, the script writes Vulnerable to standard output and returns with exit code 1," according to Garrelou. "If exploiting the vulnerability does not succeed, the script writes Not vulnerable and exits with status code 0."

The second script, scan\_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.

**Patch Now for Full Protection**

The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.

Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploit due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory. One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads "can be delivered in many different forms," Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they also should use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data.

Source: Nico El Nino via Shutterstock

COMMENTARY

Picture this: It's a Saturday morning, and you made breakfast for your family. The pancakes were golden brown and seemingly tasted OK, but everyone, including you, got sick shortly after eating them. Unbeknown to you, the milk that you used to make the batter expired several weeks ago. The quality of the ingredients impacted the meal, but everything looked fine on the outside.

The same philosophy can be applied to artificial intelligence (AI). Regardless of its purpose, AI's output is directly related to the quality of its input. As the popularity of AI continues to rise, security concerns around the data being fed into AI are coming into question.

A majority of today's organizations are integrating AI into business operations at some capacity — and threat actors are taking note. Over the past few years, a tactic known as AI poisoning has become increasingly prevalent. This new malicious practice involves injecting deceptive or harmful data into AI training sets. The tricky part about AI poisoning is that, despite the input being compromised, the output can initially continue as normal. It isn't until a threat actor gets a firm grip on the data and begins a full-fledged attack that deviations from the norm become obvious. The consequences range from slightly inconvenient to damaging a brand's reputation.

It's a risk affecting organizations of all sizes, even today's most prominent tech vendors. For example, over the past few years, adversaries launched several large-scale attacks to poison Google's Gmail spam filters and even turned Microsoft's Twitter chatbot hostile.

**Defending Against AI Data Poisoning**

Fortunately, organizations can take the following steps to shield AI technologies from potential poisoning.

*   Build a comprehensive data catalog. First, organizations should create a live data catalog that serves as a centralized repository of information that is being fed to its AI systems. Any time new data is added to AI systems, it should be tracked in this index. In addition, the catalog should be able to categorize the data flowing into AI systems by the who, what, when, where, why, and how to ensure transparency and accountability.
    
*   Develop a normal baseline for users and devices interacting with AI data. Once the security and IT teams have a solid understanding of all of the data in AI systems and who has access to it, it's important to develop a baseline of normal user and device behavior.
    

Compromised credentials are one of the easiest ways for cybercriminals to break into networks. All a threat actor has to do is either play a guessing game or buy one of the 24 billion username and password combinations available on the cybercriminal marketplace. Once they have access, a threat actor can easily maneuver their way into accessing AI training datasets.

By establishing user and device baseline behavior, security teams can easily detect abnormalities that might be indicative of an attack. Often, this helps stop a threat actor before an incident escalates into a full-blown data breach. For example, say you have an IT executive who typically works from the New York office and who oversees the AI data training sets. One day, it shows that he is active in another country and is adding large amounts of data to the AI. If your security team already has a baseline of user behavior, they can quickly tell that this is abnormal. Then security could either talk to the executive and verify that he was performing the action or, if he wasn't, temporarily disable his account until the alert is thoroughly investigated to prevent any further damage.

**Taking Responsibility of AI Training Sets**

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data. AI intelligence is intricately linked to the quality of data it processes. Implementing guidelines, policies, monitoring systems, and improved algorithms plays a pivotal role in ensuring the safety and effectiveness of AI. These measures safeguard against potential threats and empower organizations to harness the transformative potential of AI. It is a delicate balance where organizations must learn to leverage AI's capabilities, while remaining vigilant in the face of the ever-evolving threat landscape.

**About the Author(s)**

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. He graduated from the United States Naval Academy in 2012, and received his Bachelor of Science in Aerospace Engineering. Tyler continued his education at Robert H. Smith School of Business, where he earned a Master of Business Administration in Accounting and Finance.

Fortify AI Training Datasets From Malicious Poisoning

By Owais Sultan
Central limit order book (CLOB) decentralized exchange Dexalot has announced it is launching on Arbitrum. The move marks…
This is a post from HackRead.com Read the original post: Dexalot Announces Launch of Its Central Limit Order Book DEX on Arbitrum

Central limit order book (CLOB) decentralized exchange Dexalot has announced it is launching on Arbitrum. The move marks the first step in Dexalot’s expansion beyond the Avalanche ecosystem.

Dexalot operates its existing CLOB exchange on a dedicated application-specific chain, which was launched in February 2023. The decision to expand Dexalot’s trading infrastructure to Arbitrum will bring a suite of powerful features to users of the Ethereum L2.

The design of its CLOB is materially different from conventional AMM DEXes, delivering a user experience that is more akin to using a CEX. Dexalot enables users to place orders at specific price points (limit orders), removing price slippage and achieving greater capital efficiency for traders. Additionally, Dexalot provides transparent order visibility, superior prices, and deep liquidity with gas fees that are a fraction of a penny. 

The launch of Dexalot on Arbitrum will give users of the L2 access to such features, many of which were previously unavailable on the network. It will also give Arbitrum projects a reliable platform on which to launch native tokens. Because all orders are placed on-chain with no custodial risk, Dexalot maintains the strong decentralization that is inherent to Arbitrum’s design.

Tim Shan, Dexalot’s COO said: “We are very excited to expand Dexalot’s multichain order book with commingled liquidity to the Arbitrum community.  This is a major milestone for the Dexalot team, and we are very proud to achieve on Arbitrum.”

Peter Haymond, Senior Partnerships Manager at Arbitrum added: “Dexalot’s Central Limit Order Book on Arbitrum promises fairer pricing, deeper liquidity, and enhanced capital efficiency. Offering a centralized exchange-like experience will move DeFi closer to mass adoption.” 

Since launch, Dexalot has processed over $1.1B in transaction volume. Its Arbitrum launch is expected to significantly boost these volumes while providing a safer and more secure trading experience. In the process, it will reinforce Arbitrum’s status as the preeminent L2 for advanced on-chain trading.

****About Dexalot****

Dexalot is a revolutionary decentralized exchange that brings the traditional centralized exchange look and feel to a decentralized on-chain application. Its Central Limit Order Book DEX represents an inclusive and transparent environment where Dexalot users can trade crypto securely and efficiently, with no slippage or custody risk.

Learn more: dexalot.com

Dexalot Announces Launch of Its Central Limit Order Book DEX on Arbitrum

The US Senate has approved a bill that will ban TikTok, unless it finds a new owner, bringing it one step closer to being signed into law.

The US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the immensely popular app.

Social video platform TikTok has experienced explosive growth since it first appeared in 2017, and is now said to have well over 1.5 billion users, with an estimated 170 million of them in the US.

Essentially, the bill says that TikTok has to find a new owner that is not based in a foreign adversarial country within the next 180 days or face a ban until it does comply. President Biden has committed to sign it into law as soon as it reaches his desk.

Since 2020, several governments and organizations have banned, or considered banning, TikTok from their staff’s devices, but a complete ban of an internet app would be a first in the US.

For a long time now, TikTok has been battling to convince politicians that it operates independently of ByteDance, which allegedly has deep ties to the Chinese Communist Party (CCP). For example, TikTok has repeatedly claimed the Chinese government has never demanded access to US data and that TikTok would not comply if it did.

While ByteDance denies any direct links to the Chinese Communist Party, a former executive at TikTok’s parent company claimed in court documents that the CCP had access to TikTok data, despite US storage of the data. The allegations came up in a wrongful dismissal lawsuit filed in May of 2023 in the San Francisco Superior Court.

The Electronic Frontier Foundation (EFF), an international non-profit digital rights group based in the US, says it opposes this bill, mainly because it is afraid that TikTok will not be the last app to face this type of ban.

TikTok also encouraged its users and creators to express their opposition to the bill. Last week, the social media company said the bill would:

> “Trample the free speech rights of 170 million Americans, devastate seven million businesses, and shutter a platform that contributes $24 billion to the US economy, annually.”

Chinese officials reportedly said the government would “firmly oppose” any forced sale of TikTok because it would “seriously undermine the confidence of investors from various countries, including China, to invest in the United States.”

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 TikTok comes one step closer to a US ban 

By Waqas
Update Windows Now or Get Hacked: Microsoft Warns of Actively Exploited Vulnerability!
This is a post from HackRead.com Read the original post: Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

Hackers exploiting a critical Windows flaw (CVE-2022-38028) in the Print Spooler service. Patch immediately to block APT28 (Forest Blizzard and Fancy Bear) attacks & protect your system!

Microsoft issued a security warning about a critical vulnerability (CVE-2022-38028) in the Windows Print Spooler service that attackers are actively exploiting. This vulnerability allows attackers to escalate privileges on a compromised system, potentially granting them complete control.

The vulnerability resides in how the Print Spooler processes JavaScript code. By manipulating a specific file, attackers can execute malicious code with administrator privileges.

Microsoft attributes these attacks to the APT28 hacking group (also known as Fancy Bear or Forest Blizzard) which is using a custom malware tool called GooseEgg. While the exact timeframe for GooseEgg’s activity is unknown, Microsoft has observed it being operational since at least June 2020.

> Microsoft has identified longstanding activity by the Russian-based threat actor we track as Forest Blizzard using a custom tool we call GooseEgg to exploit CVE-2022-38028 in the Windows Print Spooler service to elevate permissions and steal credentials: https://t.co/YKHvxqJa61
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) April 22, 2024

Targets of these attacks include organizations in North America, Western Europe, and Ukraine across various sectors such as government, non-governmental organizations (NGOs), education, and transportation.

To mitigate this risk, Microsoft strongly recommends that all users install the security patch they released in October 2022. This patch addresses the vulnerability and prevents attackers from exploiting it.

While Microsoft offers temporary mitigation steps for those who cannot patch immediately, patching remains the most effective way to address this vulnerability and protect your system.

Nevertheless, it’s crucial to consistently update your Windows systems with the latest security patches, as this is the most effective defence against vulnerabilities. Additionally, exercise caution when interacting with attachments or links, particularly in emails from unfamiliar sources, as phishing attempts are a prevalent method used by attackers to compromise systems.

It is also important to know that the Cybersecurity and Infrastructure Security Agency (CISA) has also flagged CVE-2022-38028 as a high-risk vulnerability, given its ongoing exploitation.

1.  Microsoft Executives’ Emails Breached by Russia Hackers
2.  Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Russian Operatives Expose German Military Webex Conversations
4.  Russian Midnight Blizzard Hackers Breached Microsoft Source Code
5.  Russian Hackers Hit Mail Servers in Europe for Political, Military Intel

Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

By Waqas
Popular keyboard apps leak user data! Citizen Lab reports 8 out of 9 Android IMEs expose keystrokes. Change yours & protect passwords!
This is a post from HackRead.com Read the original post: Popular Keyboard Apps Leak User Data: Billion Potentially Exposed

Citizen Lab investigated the security of cloud-based pinyin keyboard apps and found that eight out of nine vendors transmitted user keystrokes in an insecure manner. This means keystrokes could be intercepted by eavesdroppers on the network.

A new report by Citizen Lab has uncovered critical security vulnerabilities in popular keyboard apps, potentially exposing the keystrokes of nearly a billion users to eavesdroppers.

The report, titled “The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers,” investigates cloud-based pinyin input method editors (IMEs) used on a vast majority of Android devices in China.

Researchers analyzed keyboard apps from nine major vendors: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Alarmingly, they found vulnerabilities in eight of these apps that could allow attackers to steal users’ keystrokes as they type.

The report details various weaknesses in how these apps transmit data. Some apps, like Samsung Keyboard, send keystrokes completely unencrypted, making them easy for anyone snooping on the network to intercept. Others rely on flawed encryption methods that can be cracked.

The ease of eavesdropping varies depending on the app. In some cases, a malicious actor on the same Wi-Fi network could steal your data. Even more concerning, some vulnerabilities are exploitable by entirely passive eavesdroppers, who can intercept data without needing any interaction from the user.

The report highlights Huawei as the only vendor whose keyboard app did not exhibit these vulnerabilities. This offers some peace of mind for Huawei users but leaves a significant number of users potentially exposed.

Citizen Lab estimates that the combined market share of Baidu, Sogou (mentioned in a previous report by Citizen Lab), and iFlytek represents over 95% of the third-party IME market in China, translating to roughly one billion users at risk.

This security lapse has serious consequences. Keystrokes can contain sensitive information like passwords, credit card details, and private messages. If intercepted, this data could be used for identity theft, financial fraud, and other malicious activities.

Nevertheless, the report shows the importance of using secure keyboard apps. Users should prioritize apps with a strong reputation for security and that encrypt user data properly. Additionally, it’s recommended to avoid using sensitive information on public Wi-Fi networks.

Researchers urge app developers to address these vulnerabilities immediately by implementing strong encryption methods and secure data transmission protocols.

1.  AI Model Listens to Typing, Compromising Sensitive Data
2.  Keyboard app collecting users data after 31M records leaked online
3.  Intel removes remote Android keyboard app rather than fixing its flaws
4.  Chinese Keyboard Developer Spies on User Through Built-in Keylogger
5.  Android Emoji keyboard app makes millions with unauthorized purchases

Popular Keyboard Apps Leak User Data: Billion Potentially Exposed

Internal emails suggest that the company continued to provide gunshot data to police in cities where its contracts had been canceled.

When Mayor Brandon Johnson announced in February that Chicago would stop using the gunshot-detection system known as ShotSpotter by year’s end, local activists were elated.

Ever since 2021, when the police fatally shot 13-year-old Adam Toledo while responding to a ShotSpotter alert, the Stop ShotSpotter Campaign has been pressuring the city to ditch the technology. Johnson’s decision not to renew the Windy City’s contract with ShotSpotter was seen as the culmination of the campaign’s efforts.

But ending the contract may not be enough to remove the company’s more than 2,500 sensors from neighborhoods on the city’s South and West Sides, where they’re disproportionately located. Internal emails reviewed by _South Side Weekly_ and WIRED suggest that ShotSpotter keeps its sensors online and, in some instances, provides gunshot-detection alerts to police departments in cities where its contracts have expired or been canceled. The emails raise new questions about whether the more than 2,500 sensors in Chicago will be turned off and removed, regardless of Johnson’s decision.

“We continue to focus on serving the City of Chicago with our critical gunshot detection technology service during our contractual term,” a ShotSpotter spokesperson wrote in a statement. “Nothing has changed regarding our singular purpose to close the public safety gap by enabling law enforcement agencies globally to more efficiently and effectively respond to incidents of criminal gunfire … where gunshot wound victims’ lives are in the balance.”

An organizer who’s been active in the push to cancel ShotSpotter’s contract in Chicago wasn’t surprised that the company has continued to work with police behind the scenes in cities where contracts have ended.

“I think it’s exactly what cops and corporations do,” says Nathan Palmer, an organizer with the Stop ShotSpotter Campaign and Black Youth Project 100. “Especially when we’re thinking about Chicago, it would benefit ShotSpotter to keep the mics up and working so that they can also throw lobbying money at whoever’s gonna oppose Mayor Brandon Johnson in the next election.”

ShotSpotter, which rebranded as SoundThinking in 2023, has a customer base of roughly 170 cities, according to its most recent filing with the US Securities and Exchanges Commission. Chicago is not the first to deem the ShotSpotter technology not worth the cost. (By the time the city’s contract extension ends in November, ShotSpotter will have cost Chicago more than $57 million since then-mayor Rahm Emanuel inked a comprehensive deal with the company in 2018.)

San Antonio, San Diego, and Dayton, Ohio, have all joined a growing list of cities that have publicly cut ties with ShotSpotter. Confidential company emails reviewed by the _Weekly_ and WIRED, however, indicate that the company never completely pulled its technology out of some cities.

An October 2023 email sent to John Fountain, a director of field and network operations at SoundThinking who left the company in December, described how the company continued to secretly offer its help to police in cities where contracts had lapsed. The email, which addressed a shortage of sensors in a city with an active contract, apparently referred to Clark Dunson, SoundThinking’s director of systems engineering.

“I would like to imagine we can pull some \[sensors\] from an old coverage area … Maybe San Diego and Indianapolis,” wrote the sender, whose name was redacted. “Last time we looked to remove sensors from an old coverage area I know Clark flipped out since we still work with police using those sensors (which I did not know).”

A spokesperson for SoundThinking declined to answer detailed questions about what services the company has provided to police departments after contracts are up and instead emailed a statement. “SoundThinking believes this confidential information was illegally disclosed by ex-employees and is currently pursuing civil and criminal remedies against the private parties responsible,” the statement read. “Due to this ongoing litigation, we cannot comment specifically on the leaked materials; however, we will continue to object to the use of our stolen data and reinforce the safety and privacy risks of disclosing individual sensor locations.”

ShotSpotter is suing two former employees who the company alleges posted confidential company information on Twitter after one was fired in November.

In February, WIRED reported ShotSpotter sensor locations based on leaked company data showing more than 25,000 microphones arrayed across the globe. Those maps revealed active sensors remained in both San Diego and Indianapolis. The Indianapolis Metropolitan Police recently told the _Indianapolis Star_ that it does not have a contract with the company after piloting technology from three different gunshot-detection companies in 2022.

“The evaluation of whether or not gunshot detection technology system is right for Indianapolis is still ongoing,” a police spokesperson told the _Star_. The statement added that the department believed it was ShotSpotter’s responsibility to remove its sensors.

ShotSpotter doesn’t sell its sensors to cities. Instead, the company uses a software-as-service model, billing cities for the software and applications that allow police to access ShotSpotter alerts. When a contract expires, the company apparently doesn’t always retrieve its sensors.

An email from Fountain dated from December 2022 estimated that there were a “few hundred sensors still installed” in San Diego and that they are “active even if the market isn’t.”

Fountain again noted that removing any sensors from San Diego would require Clark Dunson’s approval. “Clark is really pushy and he likes to tinker around with those coverage area\[s\] but I imagine we can pull a few here and there,” he wrote.

In August 2023, Dunson sent an internal email that said ShotSpotter had been providing “test alerts” to police in San Diego and San Antonio. “As a last resort we can pull sensors away from San Diego or San Antonio if needed but Lee \[Lim, a SoundThinking tech-support engineer\] has been working with the PD in those areas giving test alerts and tracking down detections for them.”

The San Diego Police Department denied that sensors in that city are active or collecting any data. SDPD also claimed to have never asked the company for help with gunshot detections in any incidents involving homicides or shootings.

“At this time, there is no contract and there is no plan to move forward with the company,” a spokesperson for the department wrote in an email. San Diego and ShotSpotter entered into an agreement that allows the company to leave its sensors on city property. “However, as of September 2021, the equipment is deactivated, cannot collect any data, and is inoperable.”

But emails the _Weekly_ and WIRED obtained via a California Public Records Act request show that ShotSpotter stayed in touch with SDPD for more than 15 months after the city’s contract expired in September 2021. In those emails, ShotSpotter support staff routinely address SDPD as a “ShotSpotter Customer.”

These weren’t just mass marketing emails that all customers past and present are frequently subjected to. The emails we obtained show that in October 2021, after the contract had lapsed, ShotSpotter also provided an SDPD officer with an “investigative lead summary” about a shooting in San Diego, including the precise location and the number of rounds detected, upon SDPD’s request.

ShotSpotter also sent SDPD emails updating the department about routine scheduled maintenance in October 2022 and how the company planned to address the “extremely high volume of fireworks activities” around New Year’s Day in 2023.

“Despite our efforts, we may occasionally miss a gunshot in error,” wrote Dinh Nguyen, a technical support engineer at ShotSpotter, in a December 2022 email to SDPD. “You may also experience some delays in the publication of incidents.”

ShotSpotter is not on a list of surveillance technologies the SDPD is required to frequently publish as a part of a sweeping surveillance ordinance passed by the San Diego City Council in August 2022 and amended in January of this year.

A San Diego councilmember whose district includes several of the neighborhoods where ShotSpotter sensors were installed in 2016 said that their “office is aware of the ShotSpotter situation” via a spokesperson. In July 2021, the then-District Four councilmember requested the city remove sensors from his district, which helped scuttle the contract renewal.

“A request to remove such \[sensors\] has been forwarded to the San Diego Police Department and the mayor’s office,” a spokesperson for current District Four councilmember Henry L. Foster III (who was sworn in in April) wrote in an email to the _Weekly_ and WIRED. “Devices that have not been approved in accordance with the Surveillance Ordinance should not be installed and or operational by the City of San Diego or third party.”

San Diego mayor Todd Gloria’s office did not respond to requests for comment.

In 2021, San Diego’s city council pulled a scheduled vote on a four-year extension to ShotSpotter from its agenda, effectively sunsetting the city’s agreement with the company. Although Gloria’s office said in statements at the time that it would bring the extension back up in the city council, there is no indication that it did.

Based on a map of the secret locations of every ShotSpotter sensor in the country published by WIRED, there are still about 30 active sensors in San Diego, most of which are clustered near UC San Diego’s La Jolla campus and the Scripps Institution of Oceanography.

When asked to comment on whether SDPD receives and responds to ShotSpotter alerts from these active sensors, a spokesperson for the department directed questions to the UCSD police. UCSD did not respond to requests for comment.

The _Weekly_ and WIRED requested emails sent between San Antonio Police Department and ShotSpotter dated after the city’s contract with ShotSpotter expired in the fall of 2017. In March, the SAPD filed an appeal with the Texas attorney general, seeking to have the responsive records withheld under a laundry list of exemptions provided for by the state’s public records act. The police provided sealed records to the Texas AG to review. The AG is expected to decide whether to release the records by May.

SAPD said that after the contract lapsed, the department never asked ShotSpotter for assistance, and no arrests were made based on detections provided by the company.

Records produced in response to a separate public records request show that ShotSpotter sent four-term San Antonio mayor Ron Nirenbergt at least two marketing emails months after the city council voted not to include ShotSpotter in its budget for the upcoming fiscal year. The company does not appear to have communicated with his office after November 2018, however. Nirenberg’s office did not respond to requests for comment.

“To me it sounds like, on their part, another strategic business decision, and that’s what they’re doing in every city,” says Palmer, the Stop ShotSpotter organizer. “It sounds like a business decision, because they don’t actually care about public safety.”

_This story was copublished in collaboration between_ Southside Weekly _and_ WIRED.

ShotSpotter Keeps Listening for Gunfire After Contracts Expire

Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors.
The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security

Latest News