Websites that you a visit can reveal (almost) everything about you. If you search for health information, read about syndicates, or research details about certain types of crime, then you can potentially give away a huge amount of details about yourself that a malicious actor could use against you. Researchers this week detailed a new attack, using basic web functions, that can expose anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged into services like Twitter or Facebook and subsequently identify you.
Elsewhere, we detailed how the Russian “hacktivist” group Killnet attacks countries that supported Ukraine but were not directly involved in the war. Killnet has launched DDoS attacks against official government websites and companies in Germany, the United States, Italy, Romania, Norway and Lithuania in recent months. And that’s just one of the pro-Russian hacktivist groups wreaking havoc.
We also looked at a new privacy scandal in India where donors to non-profit organizations gave their data and information to the police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. We previewed the ongoing committee hearings on January 6—and predicted what’s to come.
But that’s not all. Each week we round up news that we haven’t published or covered in detail. Click on the headlines to read the full stories. And stay safe out there!
Amazon-owned Ring has built relationships with the police over the years. By early 2021, Amazon had formed more than 2,000 partnerships with police and fire departments across the U.S., building a massive surveillance network with officials who could search for videos to help with investigations. In the UK, Ring has partnered with police forces to provide cameras to local residents.
This week, Amazon admitted to handing over footage captured by Ringo cameras to police without their owners’ permission. As first reported by Politico, Ring provided tapes to law enforcement officials on at least 11 occasions this year. This is the first time the company has admitted to passing on data without consent or a warrant. The move will raise further concerns about Ringo’s cameras, which have been criticized by campaign groups and lawmakers for infringing on people’s privacy and the ubiquity of surveillance technology. In response, Ring says it does not give anyone “unfettered” access to customer data or video, but can release data without permission in emergency situations where there is an imminent threat of death or serious injury to a person.
In 2017, the Vault 7 leak exposed the CIA’s most secretive and powerful hacking tools. Files released by WikiLeaks showed how the agency was able to hack Mac computers, your router, your TV and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), who was responsible for finding exploits that could be used in CIA missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and potentially faces decades in prison. Following an earlier mistrial in 2018, Schulte was found guilty this week of all nine charges against him. A few weeks before his second trial, The New Yorker published this comprehensive feature that explores Schulte’s dark history and how the CIA’s OSB operates.
Hackers linked to China, Iran and North Korea have targeted journalists and media outlets, according to new research from security firm Proofpoint. In addition to efforts to compromise journalists’ official accounts, Proofpoint says, multiple Iranian hacking groups posed as journalists and tried to trick people into handing over their online account information. The Iranian-linked group Charming Kitten sent detailed interview requests to its potential hacking targets, and they also attempted to impersonate multiple Western media outlets. “This social engineering tactic successfully exploits the human desire for recognition and is used by APT actors seeking to target academics and foreign policy experts around the world, possibly in an effort to gain access to sensitive information,” says Proofpoint.
In any company or organization, things will go wrong from time to time. These are usually lost phones, security passes and files that are occasionally mistakenly left at bus stops. Losing any of these items can open up security risks if devices are unsecured or if sensitive information is released. Desktop computers are less likely to be lost—unless you’re from the FBI. According to FBI records obtained by VICE Motherboardthe agency lost 200 desktop machines between July and December 2021. Body armor parts and night vision scopes were also lost, or in some cases stolen.
Scams don’t get much more elaborate than this. This week the police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged fraudsters set up a fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while broadcasting live matches for people to bet on. According to police, the group hired a fake commentator, created on-screen graphics showing real-time scores and played audience sounds downloaded from the Internet. To hide the fact that the matches took place on a farm instead of a large stadium, the video only showed close-ups of the action. The police said they caught the gang while the quarter-final match was being played. Police believe the gang potentially ran multiple leagues and planned to expand into a volleyball league. The video of the match is worth watching.