The 2024 US presidential election is entering its final stretch, which means state-backed hackers are slipping out of the shadows to meddle in their own special way. That includes Iran's APT42, a hacker group affiliated with Iran's Islamic Revolutionary Guard Corps, which Google's Threat Analysis Group says targeted nearly a dozen people associated with Donald Trump's and Joe Biden's (now Kamala Harris') campaigns.
The rolling disaster that is the breach of data broker and background-check company National Public Data is just beginning. While the breach of the company happened months ago, the company only acknowledged it publicly on Monday after someone posted what they claimed was "2.9 billion records" of people in the US, UK, and Canada, including names, physical addresses, and Social Security numbers. Ongoing analysis of the data, however, shows the story is far messier—as are the risks.
You can now add bicycle shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano's Di2 wireless shifters can be vulnerable to various radio-based attacks, which could allow someone to change a rider's gears remotely or prevent them from changing gears at a crucial moment in a race. Meanwhile, other researchers found that it's possible to extract the administrator keys to electronic lockers used in gyms and offices around the world, potentially giving a criminal access to every locker at a single location.
If you use a Google Pixel phone, don't let it out of your sight: An unpatched vulnerability in a hidden Android app called Showcase.apk could give an attacker the ability to gain deep access to your device. Exploiting the vulnerability may require physical access to a targeted device, but researchers at iVerify who discovered the flaw say it may also be possible through other vulnerabilities. Google says it plans to release a fix "in the coming weeks," but that's not good enough for data analytics firm and US military contractor Palantir, which will stop using all Android devices due to what it believes was an insufficient response from Google.
But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
A US federal appeals court ruled last week that so-called geofence warrants violate the Fourth Amendment's protections against unreasonable searches and seizures. Geofence warrants allow police to demand that companies such as Google turn over a list of every device that appeared at a certain location at a certain time. The US Fifth Circuit Court of Appeals ruled on August 9 that geofence warrants are "categorically prohibited by the Fourth Amendment" because "they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search." In other words, they're the unconstitutional fishing expedition that privacy and civil liberties advocates have long asserted they are.
Google, which collects the location histories of tens of millions of US residents and is the most frequent target of geofence warrants, vowed late last year that it was changing how it stores location data in such a way that geofence warrants may no longer return the data they once did. Legally, however, the issue is far from settled: The Fifth Circuit decision applies only to law enforcement activity in Louisiana, Mississippi, and Texas. Plus, because of weak US privacy laws, police can simply purchase the data and skip the pesky warrant process altogether. As for the appellants in the case heard by the Fifth Circuit, well, they're no better off: The court found that the police used the geofence warrant in "good faith" when it was issued in 2018, so they can still use the evidence they obtained.
The Committee on Foreign Investment in the US (CFIUS) fined German-owned T-Mobile a record $60 million this week for its mishandling of data during its integration with US-based Sprint following the companies' merger in 2020. According to CFIUS, "T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data," in violation of a National Security Agreement the company signed with the committee, which assesses the national security implications of foreign business deals with US companies. T-Mobile said in a statement that technical issues impacted "information shared from a small number of law enforcement information requests." While the company claims to have acted "quickly" and "in a timely manner," CFIUS claims T-Mobile "failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee's efforts to investigate and mitigate any potential harm."
The 12-year saga that is the prosecution of Kim Dotcom inched forward this week with the New Zealand justice minister approving the US's request to extradite the controversial entrepreneur. Dotcom created the file-sharing service Megaupload, which US authorities say was used for widespread copyright infringement. The US seized Megaupload in 2012 and indicted Dotcom on charges related to racketeering, copyright infringement, and money laundering. Dotcom has denied any wrongdoing but lost an attempt to block the extradition in 2017 and has been fighting it ever since. Despite the justice minister's decision, Dotcom vowed in a post on X to remain in the country where he's been a legal resident since 2010. "I love New Zealand," he wrote. "I'm not leaving."
The growing scourge of deepfake pornography—explicit images that digitally "undress" people without their consent—may have finally hit a major legal roadblock. San Francisco's chief deputy city attorney, Yvonne Meré—and the City of San Francisco by extension—has filed a lawsuit against the 16 most popular "nudification" websites. These sites and apps allow people to make explicit deepfake images of virtually anyone, but they have increasingly been used by boys to make sexual abuse material of their underage female classmates. While several states have criminalized the creation and distribution of AI-generated sexual abuse material of minors, Meré's lawsuit effectively seeks to shut down the sites entirely.