The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.

macOS AppleVADriver Out-Of-Bounds Write

On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes, out-of-bounds reads and, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).

macOS AppleGVA Memory Handling

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing or selling any sensitive location data with third-parties.
The ban is part of a settlement over allegations that the company "sold precise location data that could be used to track people's visits to sensitive locations such as medical and

Privacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker **Outlogic**, which was previously known as **X-Mode Social**, from sharing or selling any sensitive location data with third-parties.

The ban is part of a settlement over allegations that the company "sold precise location data that could be used to track people's visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters."

The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive as well as maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse.

The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The development marks the first-ever ban on the use and sale of sensitive location data.

X-Mode, which first attracted attention in 2020 for selling location data to the U.S. military, works by offering precise location data that it collects from proprietary apps and third-party apps that incorporate its software development kit (SDK) into its apps. It's also said to have procured location data from other data brokers and aggregators.

Following the revelations in 2020, both Apple and Google urged app developers to remove the SDK from their apps or face a ban from their respective app stores.

"The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device," the FTC said. "This raw location data is not anonymized, and is capable of matching an individual consumer's mobile device with the locations they visited."

The agency further said that the company, until May 2023, did not have any policies in place to remove sensitive locations from the location data it sold, not only putting users' privacy at risk, but also exposing them to potential discrimination, physical violence, emotional distress, and other harms.

The FTC also called out X-Mode for not being transparent about which entities would receive the data when a customer used a third-party app with its SDK and that it failed to ensure that these apps sought informed consumer consent to grant it permission to access their location information in the first place.

Lastly, X-Mode was alleged to have been negligent in honoring requests made by some Android users to opt out of tracking and personalized ads.

In a statement provided to news agency Reuters, Outlogic said it disagreed with the "implications" of the FTC announcement, and there was no finding it misused location data.

"I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans' location data," U.S. Senator Ron Wyden said in a statement shared with The Hacker News.

"In 2020, I discovered that the company had sold Americans' location data to U.S. military customers through defense contractors. While the FTC's action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans' personal information and prevent government agencies from going around the courts by buying our data from data brokers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FTC Bans Outlogic (X-Mode) From Selling Sensitive Location Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.

Patch Management / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.

Details of the issue first came to light in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data."

It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws -

*   **CVE-2023-38203** (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
*   **CVE-2023-29300** (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
*   **CVE-2023-41990** (CVSS score: 7.8) - Apple Multiple Products Code Execution Vulnerability
*   **CVE-2016-20017** (CVSS score: 9.8) - D-Link DSL-2750B Devices Command Injection Vulnerability
*   **CVE-2023-23752** (CVSS score: 5.3) - Joomla! Improper Access Control Vulnerability

It's worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe , D-Link, Joomla Under Attack

By Owais Sultan
AI data marketplace Ta-da has announced the completion of a $3.5M funding round. A number of leading blockchain…
This is a post from HackRead.com Read the original post: Ta-da Raises $3.5M to Build Out Its AI Data Marketplace

AI data marketplace Ta-da has announced the completion of a $3.5M funding round. A number of leading blockchain VCs funded the project, which was incubated by Dubai-based Morningstar Ventures since 2021. The funds raised will be used to develop Ta-da’s infrastructure and to expand its operations.

After its seed round led by Morningstar Ventures which also participated in its follow-up, the project received fresh capital injection led by layer 1 blockchain protocol MultiversX and investors such as GBV Capital, XVentures, NxGen and Spark Digital Capital. 

In addition to helping expand its AI data marketplace, funds will be allocated towards enhancing Ta-da’s marketing and communication and growing its team. It will also support the commission of security audits to verify the integrity of its protocol independently.

Ta-da was founded to solve the problem of high-quality AI data being difficult and expensive to obtain. This has prevented AI companies from realizing their full potential. By providing a competitive marketplace where businesses can acquire reliable datasets, Ta-da enables AI innovation to flourish.

In addition to meeting the needs of AI companies, Ta-da supports individuals who can earn tokens by recording and checking voice data. Using a gamified web3 app, Ta-da allows “checkers” to perform microtasks and to be rewarded for the data they validate.

To support the launch of its native app, and support a thriving marketplace for AI data, Ta-da will hold an IDO on xLaunchpad, the official token launchpad of MultiversX. 

Ta-da is the brainchild of Vivoka, a successful startup that develops speech recognition solutions. CEO William Simonin is a serial entrepreneur while his brother Hasheur, founder of Meria.com and one of the leading web3 influencers in France. Other members of its advisory board include Luc Julia (creator of Apple’s Siri) and Morningstar Ventures’ CEO Danilo Carlucci.

The market for AI data is predicted to experience a 25% CAGR over the next decade, transforming it into a $109B economy by 2023. By gamifying data collection and distribution, Ta-da aims to capture a slice of this rapidly growing sector while unlocking new incentives for web3 users.

****About Ta-da****

Ta-da crowdsources data verification, allowing individuals to check datasets and participate in a thriving AI economy. While gamifying AI data and expanding use cases for web3 technology, Ta-da allows businesses to access affordable datasets. This ensures AI companies can leverage verified data to build transformative applications that will change the world.

Ta-da Raises $3.5M to Build Out Its AI Data Marketplace

Gentoo Linux Security Advisory 202401-11 - Multiple vulnerabilities have been found in Apache Batik, the worst of which could result in arbitrary code execution. Versions greater than or equal to 1.17 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Apache Batik: Multiple Vulnerabilities  
     Date: January 07, 2024  
     Bugs: #724534, #872689, #918088  
       ID: 202401-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Apache Batik, the worst of  
which could result in arbitrary code execution.

Background  
==========

Apache Batik is a Java-based toolkit for applications or applets that  
want to use images in the Scalable Vector Graphics (SVG) format for  
various purposes, such as display, generation or manipulation.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
dev-java/batik  < 1.17        >= 1.17

Description  
===========

Multiple vulnerabilities have been discovered in Apache Batik. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Apache Batik users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/batik-1.17"

References  
==========

[ 1 ] CVE-2018-8013  
      https://nvd.nist.gov/vuln/detail/CVE-2018-8013  
[ 2 ] CVE-2019-17566  
      https://nvd.nist.gov/vuln/detail/CVE-2019-17566  
[ 3 ] CVE-2020-11987  
      https://nvd.nist.gov/vuln/detail/CVE-2020-11987  
[ 4 ] CVE-2022-38398  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38398  
[ 5 ] CVE-2022-38648  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38648  
[ 6 ] CVE-2022-40146  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40146  
[ 7 ] CVE-2022-41704  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41704  
[ 8 ] CVE-2022-42890  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42890  
[ 9 ] CVE-2022-44729  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44729  
[ 10 ] CVE-2022-44730  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44730

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-11

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-11

Apple may be found negligent in an Airtags stalking lawsuit, but it has made improvements that may help potential victims

Each year, an estimated 13.5 million people in the US are victim to stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers.

AirTags are marketed as trackers that allow you to easily find lost belongings like keys and luggage. If you lose an object, you can find the AirTag in the Find My app on another Apple device. The tracker transmits its location via Ultra Wideband technology which is more accurate than Bluetooth when it comes to determining exact location. Since the tracker shares its location with the Apple devices of others, you can also find your AirTag over large distances.

AirTags are relatively cheap ($29), small (1.29”/3.19 cm) and can run for about a year before they need the battery replaced. This makes them an ideal tool for stalkers—they just need to attach one to something that they expect you to keep with you.

An important part of a negligence claim is whether the manufacture could have foreseen the issue—in this case, the stalking issue. This shouldn’t be a problem since lots of people were screaming from the rooftops that Apple was basically putting out a product for stalkers.

From the suit:

> “Prior to and upon the AirTag’s release, advocates and technologists urged the company to rethink the product and to consider its inevitable use in stalking. In response, Apple heedlessly forged ahead, dismissing concerns and pointing to mitigation featured that it claimed rendered the devices ‘stalker proof.'”

One plaintiffs’ lawyer argued that Apple did not make it possible, at the time the victim was stalked, for people being followed to locate an unwanted AirTag.

When the judge asked what Apple could have done better, the lawyer acknowledged that Apple has since made many fixes, but victims should have been alerted they were being subjected to unwanted tracking more quickly.

**How do the improvements Apple made help victims?**

Since AirTags were introduced, Apple has made some changes that can help potential stalking victims.

The most important one is that someone is now able to find out if an AirTag that they don’t own is moving with them over time.

On iPhones and iPads this is enabled by default, but it doesn’t hurt to check, especially if somoene may have had access to your device.

To make sure these options are enabled:

*   Go **to Settings** **\> Privacy & Security** > **Location Services**: Location Services should be on
*   Under **Location Services** > **System Services** > **Find My iPhone/iPad**: Significant Locations should be on.
*   Under **Settings** you also need to make sure you’re not in **Airplane Mode** and **Bluetooth** is on.
*   Open the **Find My** app, open the **Me** tab, and make sure **Tracking Notifications** are turned on.

If an unknown AirTag is following you, you’ll see an alert like this:

In the Find My app, you’ll be able to see how long the AirTag has been with you and you can use the Play Sound option to have the tracker emit a noise, which can help you find it.

For Android owners, Google has created a similar anti-stalking feature. Please note that the path to find the appropriate settings may vary with vendors and Android versions, but this should give you a good idea:

*   Select **Settings** \> **Safety and emergency** \> **Unknown tracker alerts**. Here you can allow alerts and do a manual scan for nearby trackers.

An unknown tracker alert is sent when someone else’s tracker device is separated from them and detected to be traveling with you and out of Bluetooth range from the owner. You can trigger any found AirTag to make a sound and you’ll be able to see how long it’s been with you on a map.

There are plans to broaden the scope of the tracker alerts besides AirTags. Companies including Samsung, Tile, Chipolo, Eufy, and Pebblebee have expressed interest in supporting this technology.

We’ll keep an eye on the lawsuit and let you know how it progresses.

 AirTags stalking lawsuit alleges Apple&#8217;s negligence in protecting victims 

Researchers have found flaws in the way SMTP servers handle messages, allowing them to send spoofed emails to and from targets.

SMTP smuggling is a technique that allows an attacker to send an email from pretty much any address they like. The intended goal is email spoofing—sending emails with false sender addresses. Email spoofing allows criminals to make malicious emails more believable.

Let’s take a closer look at what it is exactly, and how cybercriminals can use it.

The first thing we need to look at is the Simple Mail Transfer Protocol (SMTP), a protocol that allows the exchange of emails. Mail servers and other message transfer agents use SMTP to send and receive mail messages.

SMTP is very much a protocol that has developed over time since it became the standard for always-online servers in the 1980s.

Basically, an email is written using software like Microsoft Outlook or Apple Mail and is then handed over to an SMTP server. The server looks up the appropriate mail server for the domain in the recipient’s address—the part on the right side of the @ symbol, and sends the mail to that server.

It sometimes takes a few steps, but if all goes well the email will be received by the SMTP server that handles the mail for the recipient. This server may deliver the messages directly to storage, or forward it over a network using SMTP before it reaches the recipient.

Simplified, the process looks like this:

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Since SMTP lacks authentication it used to be extremely easy to spoof a sender address. Several safeguards emerged to stop this:

*   SPF (Sender Policy Framework): This uses DNS records to indicate to receiving mail servers which IP addresses are authorized to send mail for a given domain. So this still leaves the work to the receiving server.
*   DKIM (Domain Key Identified Mail): This method signs outgoing emails using a private key. Receiving servers validate the sender using the sending server’s public key,.
*   DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC verifies if the email’s “From” domain aligns with SPF checks and/or DKIM signatures. Thus, the DMARC check fails if there is a mismatch between the MAIL FROM and the From domain where otherwise the SPF check would pass. Unfortunately DMARC is not very widely used.

**SMTP smuggling**

SMTP smuggling takes advantage of inconsistencies in the way that proxy servers and firewalls handle SMTP traffic.

Traditionally, the end of data in an SMTP conversation is indicated by a sequence <CR><LF>.<CR><LF> (CR LF stands for Carriage Return and Line Feed, which are standard text delimiters) which can also be written as \r\n.\r\n.

Researchers published about two types of SMTP smuggling, inbound and outbound. They started working from the question, what happens if outbound and inbound SMTP servers interpret the end-of-data sequence (<CR><LF>.<CR><LF>) differently?

If you can tell one server the email ends here and the other one that the full packet ends later, you can create a compartment in which you can smuggle more data.

So, the researchers started testing by putting a <LF>.<LF>  sequence in the middle of sent packages. And they found that outbound SMTP servers have different methods of dealing with it, including:

*   Dot-stuffing (Escaping the single dot with another dot):  <LF>..<LF> 
*   Replacing it with a <CR><LF> 
*   Encoding it (e.g., via quoted-printable): =0A.=0A 
*   Removing the entire sequence 
*   Not sending the message 
*   Or do nothing at all

By testing, which included sending specially constructed messages from and to different email providers, the researchers were able to find combinations that allowed them to send two email messages in one package. The sequence <LF>.<CR><LF> turned out to be effective on a custom SMTP server called NemesisSMTPd which is in use by email services provided by Ionos (e.g. GMX) which accounts for about a million hosted domains.

Image courtesy of SEC Consult

Some vendors (Microsoft and GMX) were quick to fix the vulnerabilities that facilitated SMTP smuggling, but the researchers urge companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration. The Cisco flaw affects more than 40,000 vulnerable instances and allows an attacker to send spoofed emails to high-value targets, such as Amazon, PayPal, eBay, and the IRS.

The recommendation by the researchers tells organizations using Cisco Secure Email Gateway (on premises) or Cisco Secure Email Cloud Gateway (cloud) to change the default settings of “CR and LF Handling” from “Clean” to “Allow,” citing Cisco guidelines to help administrators understand the change that should be made.

That may sound counterproductive, but this setting passes e-mails with bare carriage returns or line feeds on to the actual e-mail server (Cisco Secure Email Gateway is just a gateway), which only interprets <CR><LF>.<CR><LF> as end-of-data sequence. So, if you don’t want to receive spoofed e-mails with valid DMARC checks, we highly recommend changing your configuration.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Explained: SMTP smuggling 

Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

It’s been nearly two years since Russia’s invasion of Ukraine, and as the grim milestone looms and winter drags on, the two nations are locked in a grueling standoff. In order to “break military parity” with Russia, Ukraine’s top general says that Kyiv needs an inspired military innovation that equals the magnitude of inventing gunpowder to decide the conflict in the process of advancing modern warfare.

If you made some New Year’s resolutions related to digital security (it’s not too late!), check out our rundown of the most significant software updates to install right now, including fixes from Google for nearly 100 Android bugs. It’s close to impossible to be completely anonymous online, but there are steps you can take to dramatically enhance your digital privacy. And if you’ve been considering turning on Apple’s extra-secure Lockdown Mode, it’s not as hard to enable or as onerous to use as you might think.

If you’re just not quite ready to say goodbye to 2023, take a look back at WIRED’s highlights (or lowlights) of the most dangerous people on the internet last year and the worst hacks that upended digital security.

But wait, there's more! Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

23andMe said at the beginning of October that attackers had infiltrated some of its users' accounts and abused this access to scrape personal data from a larger subset of users through the company's opt-in social sharing service known as DNA Relatives. By December, the company disclosed that the number of compromised accounts was roughly 14,000 and admitted that personal data from 6.9 million DNA Relatives users had been impacted. Now, facing more than 30 lawsuits over the breach—even after tweaking its terms of service to make legal claims against the company more difficult—the company said in a letter to some individuals that “users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe.” This references 23andMe’s long-standing assessment that attackers compromised the 14,000 user accounts through “credential stuffing,” the process of accessing accounts using usernames and passwords compromised in other data breaches from other services that people have reused on multiple digital accounts. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the company wrote in the letter.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing victims who received the letter, told TechCrunch. “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

Russia’s war—and cyberwar—in Ukraine has for years produced novel hybrids of hacking and physical attacks. Here’s another: Ukrainian officials this week said that they had blocked multiple Ukrainian civilians’ security cameras that had been hacked by the Russian military and used to target recent missile strikes on the capital of Kyiv. Ukraine’s SBU security service says the Russian hackers went so far as to redirect the cameras and stream their footage to YouTube. According to the SBU, that footage then likely aided Russia’s targeting in its bombardment on Tuesday of Kyiv, as well as the Eastern Ukrainian city of Kharkiv, with more than a hundred drones and missiles that killed five Ukrainians and injured well over a hundred. In total, since the start of Russia’s full-scale invasion of Ukraine in February 2022, the SBU says it’s blocked about 10,000 security cameras to prevent them from being hijacked by Russian forces.

Last month, a Russian cyberattack hit the telecom firm Kyivstar, crippling phone service for millions of people across Ukraine and silencing air raid warnings amid missile strikes in one of the most impactful hacking incidents since Russia’s full-scale invasion began. Now, Illia Vitiuk, the cyber chief of Ukraine’s SBU security service, tells Reuters that the hackers accessed Kyivstar’s network as early as March 2023 and laid in wait before they “completely destroyed the core” of the company in December, wiping thousands of its machines. Vitiuk added that the SBU believes the attack was carried out by Russia’s notorious Sandworm hacking group, responsible for most of the high-impact cyberattacks against Ukraine over the last decade, including the NotPetya worm that spread from Ukraine to the rest of the world to cause $10 billion in total damage. In fact, Vitiuk claims that Sandworm attempted to penetrate a Ukrainian telecom a year earlier but the attack was detected and foiled.

This week in creepy headlines: 404 Media’s Joseph Cox discovered that a Google contractor, Telus, has offered parents $50 to upload videos of their children’s faces, apparently for use as machine learning training data. According to a description of the project Telus posted online, the data collected from the videos would include eyelid shape and skin tone. In a statement to 404, Google said that the videos would be used in the company’s experiments in using video clips as age verification and that the videos would not be collected or stored by Telus but rather by Google—which doesn’t quite reduce the creep factor. “As part of our commitment to delivering age-appropriate experiences and to comply with laws and regulations around the world, we’re exploring ways to help our users verify their age,” Google told 404 in a statement. The experiment represents a slightly unnerving example of how companies like Google may not simply harvest data online to hone AI but may, in some cases, even directly pay users—or their parents—for it.

A decade ago, Wickr was on the short list of trusted software for secure communications. The app’s end-to-end encryption, simple interface, and self-destructive messages made it a go-to for hackers, journalists, drug dealers—and, unfortunately, traders in child sexual abuse materials—seeking surveillance-resistant conversations. But after Amazon acquired Wickr in 2021, it announced in early 2023 that it would be shutting down the service at the end of the year, and it appears to have held to that deadline. Luckily for privacy advocates, end-to-end encryption options have grown over the past decade, from iMessage and WhatsApp to Signal.

Tag

#apple