Security News This Week: Police Across US Bypass Warrants With Mass Location-Tracking Tool

Plus: An unsecured database exposed face recognition data in China, ‘Cuba’ ransomware knocks out Montenegro, and more.

As summer winds down, researchers warned this week about systemic vulnerabilities in mobile app infrastructure, as well as a new iOS security flaw and one in TikTok. And new findings about ways to exploit Microsoft’s Power Automate tool in Windows 11 show how it can be used to distribute malware, from ransomware to keyloggers and beyond.

The anti-Putin media network February Morning, which runs on the communication app Telegram, has taken on a crucial role in the underground resistance to the Kremlin. Meanwhile, the “California Age-Appropriate Design Code” passed the California legislature this week with major potential implications for the online privacy of kids and everyone.

Plus, if you’re ready to take a more radical step to protect your privacy on mobile, and feel like a badass while doing it, we’ve got a guide to setting up and using burner phones.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

The data broker Fog Data Science has been selling access to what it claims are billions of location data points from over 250 million smartphones to local, state, and federal law enforcement agencies around the US. The data comes from tech companies and cell phone towers and is collected in the Fog Reveal tool from thousands of iOS and Android apps. Crucially, access to the service is cheap, often costing local police departments less than $10,000 per year, and investigations by the Associated Press and Electronic Frontier Foundation found that law enforcement sometimes pulls location data without a warrant. The EFF conducted its investigation through more than 100 public records requests filed over several months. “Troublingly, those records show that Fog and some law enforcement did not believe Fog’s surveillance implicated people’s Fourth Amendment rights and required authorities to get a warrant,” the EFF wrote.

An unprotected database containing information on millions of faces and license plates was exposed and publicly accessible in the cloud for months until it was finally protected in mid-August. TechCrunch linked the data to Xinai Electronics, a tech company based in Hangzhou in eastern China. The company develops authentication systems for accessing spaces like parking garages, construction sites, schools, offices, or vehicles. It also touts additional services related to payroll, employee attendance and performance tracking, and license plate recognition. The company has a massive network of cameras deployed across China that record face and license plate data. Security researcher Anurag Sen alerted TechCrunch to the unprotected database, which also exposed names, ages, and resident ID numbers in face data. The exposure comes just months after an enormous database from the Shanghai police leaked online. 

Montenegro authorities said on Wednesday that a gang called “Cuba” targeted its government networks with a ransomware attack last week. The gang also claimed responsibility for the attack on a dark-web site. Montenegro’s National Security Agency (ANB) said the group is linked to Russia. The attackers reportedly deployed a malware strain dubbed “Zerodate” and infected 150 computers in 10 Montenegrin government agencies. It is unclear whether the attackers exfiltrated data as part of the hack. The United States Federal Bureau of Investigation is sending investigators to Montenegro to aid in analyzing the attack.

On Monday, the US Federal Trade Commission announced it is suing the data broker Kochava for selling geolocation data harvested from apps on “hundreds of millions of mobile devices.” The data could be used, the FTC said, to track people’s movements and reveal information about where they go, including showing visits to sensitive locations. “Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities,” the agency wrote. “The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.” The lawsuit aims to stop Kochava from selling sensitive location data, and the agency is requesting that the company delete what it already has.

In August, the prolific ransomware gang Cl0p hacked South Staff Water, a water supply company in the UK. The gang said it even had access to SSW’s industrial control network, which handles things like water flow. The hackers published screenshots allegedly showing their access to water supply control panels. Experts told Motherboard that it appears the hackers really could have meddled with the water supply, underscoring the risks when critical infrastructure networks aren’t adequately siloed from regular business networks. “Yes, there was access, but we made only screenshots,” Cl0p told Motherboard. “We do not harm people and treat critical infrastructure with respect. … We didn’t really go into it because we didn’t want to harm anyone.” SSW said in a statement, “This incident has not affected our ability to supply safe water.”