Tag: security

  • Andrew Tate’s ‘Educational Platform’ Was Hacked

    A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org uncovered that US companies legally collecting digital ad data are enabling adversaries to cheaply track American military and intelligence personnel. A collaborative analysis of billions of location coordinates from a US-based data broker revealed detailed tracking of thousands of devices from sensitive US sites in Germany, including NSA facilities and bases reportedly housing US nuclear weapons.

    Elsewhere, social media giant Meta has disclosed for the first time its efforts to combat the forced-labor compounds driving the surge in pig butchering scams on its platforms. The company revealed that it has been quietly collaborating with global law enforcement, tech industry partners, and external experts for over two years to dismantle the crime syndicates behind these operations in Southeast Asia and the UAE. This year alone, Meta reports it has taken down more than 2 million accounts linked to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE.

    At the Cyberwarcon security conference on Friday, the cybersecurity firm SpyCloud shared findings about publicly accessible black market services offering low-cost access to sensitive information on Chinese citizens, including phone numbers, banking details, hotel and flight records, and even real-time location data. According to the firm’s researchers, these services seem to obtain their data through insiders within Chinese surveillance agencies and government contractors, who sell their access. Also at the conference, cybersecurity firm Volexity uncovered that a Russian hacking group has reportedly developed a novel Wi-Fi-hacking technique that involves taking control of a nearby laptop and using it as a bridge to infiltrate a targeted Wi-Fi network. Dubbed a “nearest neighbor attack,” the method was uncovered during a 2022 investigation by the firm into a network breach of an unnamed Washington, DC, client. And finally, researchers explored how the US is calling out foreign influence campaigns faster than they ever have—but there’s plenty of room for improvement.

    That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

    Hacktivists have breached an online “educational platform” founded by the misogynistic right-wing influencer Andrew Tate, reportedly revealing the email addresses of hundreds of thousands of users as well as the contents of the platform’s private chat servers. Data from the hack, first reported by the Daily Dot, has now been published by the transparency nonprofit Distributed Denial of Secrets.

    Andrew Tate, the so-called “king of toxic masculinity,” is currently under house arrest in Romania and faces two separate criminal charges, including allegations of forming an organized criminal group and trafficking women across Romania, the UK, and the US.

    The compromised platform, a subscription-based service known as The Real World (formerly called Hustler’s University), describes itself as a “global community” focused on “personal growth.” According to its website, members receive expert training, mentorship, and access to a wide range of educational courses for around $50 per month.

  • Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack

    Only after the next intrusion, when Volexity managed to get more complete logs of the hackers’ traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer’s systems was leaking the name of the domain on which it was hosted—in fact, the name of another organization just across the road. “At that point, it was 100 percent clear where it was coming from,” Adair says. “It’s not a car in the street. It’s the building next door.”

    With the cooperation of that neighbor, Volexity investigated that second organization’s network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target’s Wi-Fi, the hackers had used credentials they’d somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

    Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization’s Wi-Fi from another network’s devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. “Who knows how many devices or networks they compromised and were doing this on,” says Adair.

    In fact, even after Volexity evicted the hackers from their customer’s network, the hackers tried again that spring to break in via Wi-Fi, this time attempting to access resources that were shared on the guest Wi-Fi network. “These guys were super persistent,” says Adair. He says that Volexity was able to detect this next breach attempt, however, and quickly lock out the intruders.

    Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows’ print spooler that had been used by Russia’s APT28 hacker group—Microsoft refers to the group as Forest Blizzard—to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. “It was an exact one-to-one match,” Adair says.

  • China’s Surveillance State Is Selling Citizen Data as a Side Hustle

    As further evidence of government surveillance insiders moonlighting in the data broker market, the SpyCloud researchers point to a leak earlier this year of communications and documents from I-Soon, a cyberespionage contractor to the Ministry of Public Security and the Ministry of State Security. In one leaked chat conversation, one employee of the company suggests to another that “I am just here to sell qb,” and “sell some qb yourself.” The SpyCloud researchers interpret “qb” to mean “qíngbào,” or “intelligence.”

    Given that the average annual salary in China, even at a state-owned IT company, is only around $30,000, the promise—however credible or dubious—of making nearly a third of that daily in exchange for selling access to surveillance data represents a strong temptation, the SpyCloud researchers argue. “These are not necessarily masterminds,” says Johnson. “They’re people with opportunity and motive to make a little money on the side.”

    That some government insiders are in fact cashing in on their access to surveillance data is to be expected amid China’s perpetual struggle against corruption, says Dakota Cary, a China-focused policy and cybersecurity researcher at cybersecurity firm SentinelOne, who reviewed SpyCloud’s findings. Transparency International, for instance, ranks China 76th in the world out of 180 countries in its Corruption Index, well below every EU country other than Hungary—with which it tied—including Bulgaria and Romania. Corruption is “prevalent in the security services, in the military, in all parts of the government,” says Cary. “It’s a top-down cultural attitude in the current political climate. It’s not at all surprising that individuals with this kind of data are effectively renting out the access they have as part of their job.”

    In their research, SpyCloud’s analysts went so far as to attempt to use the Telegram-based data brokers to search for personal information on certain high-ranking officials of the Chinese Communist Party and the People’s Liberation Army, individual Chinese state-sponsored hackers who have been identified in US indictments, and the CEO of cybersecurity company I-Soon, Wu Haibo. The results of those queries included a grab bag of phone numbers, email addresses, bank card numbers, car registration records, and “hashed” passwords—passwords likely obtained through a data breach that are protected with a form of encryption but sometimes vulnerable to cracking—for those government officials and contractors.

    In some cases, the data brokers do at least claim to restrict searches to exclude celebrities or government officials. But the researchers say they were usually able to find a workaround. “You can always find another service that’s willing to do the search and get some documents on them,” says SpyCloud researcher Kyla Cardona.

    The result, as Cardona describes it, is an even more unexpected consequence of a system that collects such vast and centralized data on every citizen in the country: Not only does that surveillance data leak into private hands, it also leaks into the hands of those who are watching the watchers.

    “It’s a double-edged sword,” says Cardona. “This data is collected for them and by them. But it can also be used against them.”

  • Inside Clear’s ambitions to manage your identity beyond the airport

    The more Clear is able to reach into customers’ lives, the more valuable customer data it can collect. All user interactions and experiences can be tracked, the company’s privacy policy explains. While the policy states that Clear will not sell data and will never share biometric or health information without “express consent,” it also lays out the non-health and non-biometric data that it collects and can use for consumer research and marketing. This includes members’ demographic details, a record of every use of Clear’s various products, and even digital images and videos of the user. Documents obtained by OneZero offer some further detail into what Clear has at least considered doing with customer data: David Gershgorn writes about a 2015 presentation to representatives from Los Angeles International Airport, titled “Identity Dashboard—Valuable Marketing Data,” which “showed off” what the company had collected, including the number of sports games users had attended and with whom, which credit cards they had, their favorite airlines and top destinations, and how often they flew first class or economy. 

    Clear representatives emphasized to MIT Technology Review that the company “does not share or sell information without consent,” though they “had nothing to add” in response to a question about whether Clear can or does aggregate data to derive its own marketing insights, a business model popularized by Facebook. “At Clear, privacy and security are job one,” spokesperson Ricardo Quinto wrote in an email. “We are opt-in. We never sell or share our members’ information and utilize a multilayered, best-in-class infosec system that meets the highest standards and compliance requirements.” 

    Nevertheless, this influx of customer data is not just good for business; it’s risky for customers. It creates “another attack surface,” Gilliard warns. “This makes us less safe, not more, as a consistent identifier across your entire public and private life is the dream of every hacker, bad actor, and authoritarian.”

    A face-based future for some

    Today, Clear is in the middle of another major change: replacing its use of iris scans and fingerprints with facial verification in airports—part of “a TSA-required upgrade in identity verification,” a TSA spokesperson wrote in an email to MIT Technology Review.

    For a long time, facial recognition technology “for the highest security purposes” was “not ready for prime time,” Seidman Becker told Swisher and Goode back in 2017. It wasn’t operating with “five nines,” she added—that is, “99.999% from a matching and an accuracy perspective.” But today, facial recognition has “significantly improved” and the company has invested “in enhancing image quality through improved capture, focus, and illumination,” according to Quinto.

    Clear says switching to facial images in airports will also further decrease friction, enabling travelers to verify their identity so effortlessly it’s “almost like you don’t really break stride,” Peddy says. “You walk up, you scan your face. You walk straight to the TSA.”

    The move is part of a broader shift toward facial recognition technology in US travel, bringing the country in line with practices at many international airports. The TSA began expanding facial identification from a few pilot programs this year, while airlines including Delta and United are also introducing face-based boarding, baggage drops, and even lounge access. And the International Air Transport Association, a trade group for the airline industry, is rolling out a “contactless travel” process that will allow passengers to check in, drop off their bags, and board their flights—all without showing either passports or tickets, just their faces. 

    Privacy experts worry that relying on faces for identity verification is even riskier than other biometric methods. After all, “it’s a lot easier to scan people’s faces passively than it is to scan irises or take fingerprints,” Senator Jeff Merkley of Oregon, an outspoken critic of government surveillance and of the TSA’s plans to employ facial verification at airports, said in an email. The point is that once a database of faces is built, it is potentially far more useful for surveillance purposes than, say, fingerprints. “Everyone who values privacy, freedom, and civil rights should be concerned about the increasing, unchecked use of facial recognition technology by corporations and the federal government,” Merkley wrote.

  • Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany

    Nearly every weekday morning, a device leaves a two-story home near Wiesbaden, Germany, and makes a 15-minute commute along a major autobahn. By around 7 am, it arrives at Lucius D. Clay Kaserne—the US Army’s European headquarters and a key hub for US intelligence operations.

    The device stops near a restaurant before heading to an office near the base that belongs to a major government contractor responsible for outfitting and securing some of the nation’s most sensitive facilities.

    For roughly two months in 2023, this device followed a predictable routine: stops at the contractor’s office, visits to a discreet hangar on base, and a lunchtime trip to the base’s dining facility. Twice in November of last year, it made a 30-minute drive to the Dagger Complex, a former intelligence and NSA signals processing facility. On weekends, the device could be traced to restaurants and shops in Wiesbaden.

    The individual carrying this device likely isn’t a spy or high-ranking intelligence official. Instead, experts believe, they’re a contractor who works on critical systems—HVAC, computing infrastructure, or possibly securing the newly built Consolidated Intelligence Center, a state-of-the-art facility suspected to be used by the National Security Agency.

    Whoever they are, the device they’re carrying with them everywhere is putting US national security at risk.

    A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org reveals that US companies legally collecting digital advertising data are also providing the world a cheap and reliable way to track the movements of American military and intelligence personnel overseas, from their homes and their children’s schools to hardened aircraft shelters within an airbase where US nuclear weapons are believed to be stored.

    A collaborative analysis of billions of location coordinates obtained from a US-based data broker provides extraordinary insight into the daily routines of US service members. The findings also provide a vivid example of the significant risks the unregulated sale of mobile location data poses to the integrity of the US military and the safety of its service members and their families overseas.

    We tracked hundreds of thousands of signals from devices inside sensitive US installations in Germany. That includes scores of devices within suspected NSA monitoring or signals-analysis facilities, more than a thousand devices at a sprawling US compound where Ukrainian troops were being trained in 2023, and nearly 2,000 others at an air force base that has crucially supported American drone operations.

    A device likely tied to an NSA or intelligence employee broadcast coordinates from inside a windowless building with a metal exterior known as the “Tin Can,” which is reportedly used for NSA surveillance, according to agency documents leaked by Edward Snowden. Another device transmitted signals from within a restricted weapons testing facility, revealing its zig-zagging movements across a high-security zone used for tank maneuvers and live munitions drills.

  • Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist

    In perhaps the most adorable hacker story of the year, a trio of technologists in India found an innovative way to circumvent Apple’s location restrictions on AirPod Pro 2s so they could enable the earbuds’ hearing aid feature for their grandmas. The hack involved a homemade Faraday cage, a microwave, and a lot of trial and error.

    On the other end of the tech-advancements spectrum, the US military is currently testing an AI-enabled machine gun that is capable of auto-targeting swarms of drones. The Bullfrog, built by Allen Control Systems, is one of several advanced weapons technologies in the works to combat the growing threat of cheap, small drones on the battlefield.

    The US Department of Justice announced this week that an 18-year-old from California has admitted to making or orchestrating more than 375 swatting attacks across the United States.

    Then, of course, there’s the Donald Trump of it all. This week, we published a practical guide to protecting yourself from government surveillance. WIRED has covered the dangers of government surveillance for decades, of course. But when the president-elect is explicitly threatening to jail his political enemies—whoever that may be—now’s probably a good time to brush up on your digital best practices.

    In addition to potential dragnet surveillance of US citizens, US Immigration and Customs Enforcement started ramping up its surveillance arsenal the day after Trump won reelection. Meanwhile, experts are expecting the incoming administration to roll back cybersecurity rules instituted under president Joe Biden while taking a harder line against adversarial state-sponsored hackers. And if all this political upheaval has you in the mood to protest, beware: An investigation copublished by WIRED and The Marshall Project found that mask bans instituted in several states add a complicated new layer to exercising freedom of speech.

    And that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

    In August 2016, approximately 120,000 bitcoin—at the time worth around $71 million—were stolen in a hack on the Bitfinex cryptocurrency exchange. Then in 2022, as the value of cryptocurrency had rocketed skywards, law enforcement officials in New York arrested husband and wife Ilya Lichtenstein and Heather Morgan in relation to the hack and laundering the much-inflated $4.5 billion of stolen cryptocurrency. (At the time, $3.6 billion of the funds were recouped by law enforcement investigators.)

    This week, after pleading guilty in 2023, Lichtenstein was sentenced to five years of jail time for conducting the hack and laundering the profits. With subsequent cryptocurrency spikes and additional seizures related to the hack, the US government has now been able to recover more than $10 billion in assets. A series of operational security failures by Lichtenstein made much of the illicit cryptocurrency easy for officials to seize, but investigators also applied sophisticated crypto-tracing methods to unpick how the funds had been stolen and subsequently moved around.

    Aside from the brazen scale of the heist, Lichtenstein and Morgan gained online prominence and ridicule after their arrests due to a series of Forbes articles written by Morgan and rap videos posted to YouTube under the name of “Razzlekhan.” Morgan, who also pleaded guilty, is due to be sentenced on November 18.

    Scammers are increasingly adopting AI as part of their criminal toolkits—using the technology to create deepfakes, translate scripts, and make their operations more efficient. But artificial intelligence is also being turned against the scammers. British telecoms firm Virgin Media and its mobile operator O2 have created a new “AI granny” that can answer phone calls from scammers and keep them talking. The system uses different AI models, according to The Register, that listen to what a scammer says and respond immediately. In one case, the company says it kept a scammer on the line for 40 minutes and has fed others fake personal information. Unfortunately, the system (at least at the moment) can’t directly answer calls made to your phone; instead, O2 created a specific phone number for the system, which the company says it has managed to get placed in lists of numbers that scammers call.

    In a new legal strategy for those attempting to hold commercial spyware vendors responsible, lawyer Andreu Van den Eynde, who was allegedly hacked with NSO Group spyware, is directly accusing two of the company’s founders, Omri Lavie and Shalev Hulio, and one of its executives, Yuval Somekh, of hacking crimes in a lawsuit. The Barcelona-based human rights nonprofit Iridia announced this week that it filed the complaint in a Catalan court. Van den Eynde was reportedly a victim of a hacking campaign that used NSO’s notorious Pegasus spyware against at least 65 Catalans. Van den Eynde and Iridia originally sued NSO Group in a Barcelona court in 2022 along with affiliates Osy Technologies and Q Cyber Technologies. “The people responsible for NSO Group have to explain their concrete activities,” a legal representative for Iridia and Van den Eynde wrote in the complaint, which was written in Catalan and translated by TechCrunch.

    Research published this week by the mobile device management firm Jamf found that hackers who have been linked to North Korea have been working to implant malware inside macOS applications built with a particular open-source software development kit. The campaigns focused on cryptocurrency-related targets and involved infrastructure similar to systems that have been used by North Korea’s notorious Lazarus Group. It’s unclear if the activity resulted in actual victim compromise or if it was still in a testing phase.

    Financially motivated and state-backed hackers have less occasion to use malware targeting Apple’s Mac computers than hacking tools that infect Microsoft Windows or Linux desktops and servers. So when Mac malware crops up, it’s typically a niche point, but it can also be a revealing indicator of trends and priorities among hackers.

  • More Spyware, Fewer Rules: What Trump’s Return Means for US Cybersecurity

    Trump is also unlikely to continue the Biden administration’s campaign to limit the proliferation of commercial spyware technologies, which authoritarian governments have used to harass journalists, civil-rights protesters, and opposition politicians. Trump and his allies maintain close political and financial ties with two of the most prolific users of commercial spyware tools, Saudi Arabia and the United Arab Emirates, and he showed little concern about those governments’ human-rights abuses in his first term.

    “There’s a high probability that we see big rollbacks on spyware policy,” says Steven Feldstein, a senior fellow in the Carnegie Endowment for International Peace’s Democracy, Conflict, and Governance Program. Trump officials are likely to care more about spyware makers’ counterterrorism arguments than about digital-rights advocates’ criticisms of those tools.

    Spyware companies “will undoubtedly receive a more favorable audience under Trump,” Feldstein says—especially market leader NSO Group, which is closely affiliated with the Trump-aligned Israeli government.

    Dubious Prospects

    Other Biden cyber initiatives are also in jeopardy, even if their fates are not as clear.

    Biden’s National Cybersecurity Strategy emphasized the need for greater corporate responsibility, arguing that well-resourced tech firms must do more to prevent hackers from abusing their products in devastating cyberattacks. Over the past few years, CISA launched a messaging campaign to encourage companies to make their products “secure by design,” the Justice Department created a Civil Cyber-Fraud Initiative to prosecute contractors that mislead the government about their security practices, and White House officials began considering proposals to make software vendors liable for damaging vulnerabilities.

    That corporate-accountability push is unlikely to receive strong support from the incoming Trump administration, which is almost certain to be stocked with former business leaders hostile to government pressure.

    Henry Young, senior director of policy at the software trade group BSA, predicts that the secure-by-design campaign will “evolve to more realistically balance the responsibilities of governments, businesses, and customers, and hopefully eschew finger pointing in favor of collaborative efforts to continue to improve security and resilience.”

    A Democratic administration might have used the secure-by-design push as a springboard to new corporate regulations. Under Trump, secure-by-design will remain at most a rhetorical slogan. “Turning it into something more tangible will be the challenge,” the US cyber official says.

    Chipping Away at the Edges

    One landmark cyber program can’t easily be scrapped under a second Trump administration but could still be dramatically transformed.

    In 2022, Congress passed a law requiring CISA to create cyber incident reporting regulations for critical infrastructure operators. CISA released the text of the proposed regulations in April, sparking an immediate backlash from industry groups that said it went too far. Corporate America warned that CISA was asking too many companies for too much information about too many incidents.

  • These Guys Hacked AirPods to Give Their Grandmas Hearing Aids

    The group, which has a mixture of hardware and software skills and first detailed their hack as part of a technology collective called Lagrange Point, say a couple of dozen people have contacted them asking for help with their AirPods. “We’ve got a huge amount of interest from folks in India who have these AirPods or whose grandparents need them and they’ve not been able to use them,” Jayasimha says. Others have documented the same issue in social media posts.

    The researchers demonstrated that they could bypass Apple’s geographic restrictions with a set of AirPods Pro 2 connected to a 10th generation Wi-Fi-only iPad. They note that it would be possible to do the workaround on an iPhone or iPad connected to a mobile carrier as well, but it would be more involved.

    To find the workaround, the researchers first looked at the different ways that iOS establishes where a device is in the world. For Wi-Fi-only devices, there are a few checks. The server looks at which Apple Store region the device is connected to, as well as the timezone, language, and region the device is set to. Additionally, the operating system sends a simple web request to an Apple web service that then responds with the country code of the country the device appears to be in based on the location associated with its IP address.

    The researchers first tried manually changing the time zone and region settings for the iPad, but it ultimately wasn’t clear whether this impacted their ability to hide the iPad’s true location. When masking the iPad’s IP address so it would appear to be connected in the United States didn’t work, the researchers assessed other metrics the device might be using to establish its geographic location. It turns out that iOS also examines Wi-Fi “Service Set Identifiers” or SSIDs that help devices connect to the right Wi-Fi network when there are many network signals in the air—like in an apartment building or at a coffee shop.

    The operating system also uses GPS triangulation and device identifier “MAC addresses” of nearby devices, including routers, to establish a device’s location. In other words, even if a person in Bangalore uses a proxy to make it seem like their iPad has a US-based IP address, all the nearby routers and devices are associated with India-located IP addresses that give the real location away.

  • The WIRED Guide to Protecting Yourself From Government Surveillance

    “If you’re trying to not be tracked, not having a phone is often the easiest,” Sandvik says. “Leave it at home.”

    For most people most of the time, though, this solution isn’t practical. You can put your devices in airplane mode or turn them off completely to limit connectivity. But to be totally certain that everything is off the grid, you can put your devices in special pouches or cases known as Faraday bags that block all electromagnetic signals going to or coming from a device. Faraday bags allow you to carry your devices while keeping them from exposing your location; for example, concealing your whereabouts on a given afternoon or the route you took to get to a destination. The downside of Faraday bags is the device must stay in the bag to protect your privacy, so it takes planning to use them effectively. Removing your phone means that the (location) cat is out of the bag.

    Financial Privacy

    Financial surveillance is among the most powerful tracking tools in the government’s arsenal. Credit card payments or other transactions linked to your bank account are essentially transparent to any law enforcement agency that demands them.

    That “follow the money” form of surveillance also has a relatively simple analog defense: dollar bills. “Forensic accounting is a thing,” warns Holmes. “So yeah, use cash.”

    For those seeking more convenient or long-distance transactions, payment apps like PayPal, Venmo, and Cash App may seem slightly more cash-like than a credit card or check, but in fact are just as vulnerable to law enforcement data requests as any bank. Cryptocurrency may appear to be a tempting alternative. But despite the long-running mythical reputation of cryptocurrency as anonymous cash for the internet, bitcoin and most other cryptocurrencies offer no real privacy, given the ease of tracing bitcoin transactions on its blockchain and the difficulty of buying or selling cryptocurrency from a cryptocurrency exchange that complies with US know-your-customer laws.

    Some cryptocurrencies like Monero and Zcash do offer privacy properties that make them vastly more difficult to trace than other cryptocurrencies—at least in theory. Mixer services like the Ethereum-based Tornado Cash, too, promise to blend users’ coins with those of others to complicate the task of following the money. Still, given the ongoing advances in cryptocurrency tracing—and the indelible evidence of any security slipup that public blockchains make available to the cats in that cat-and-mouse game—it’s far safer to stick with cash whenever possible.

    A Note on Burner Phones

    Burner phones, or prepaid phones that aren’t connected to any of your credit cards or digital accounts, can be a useful tool for protecting your location data and other information. They are meant to have no traceable connection to you and to be used for a limited time. In other words, they are meant to provide anonymity.

    The advantage to using burner devices is that you don’t need to worry as much about the personal information they are collecting or inadvertently leaking while you use them because the devices are not linked to you. They merely show that someone is going here and there or that someone has, say, planned to meet someone else at 8 pm on the park benches. Over time, though, if you use the device to communicate often, log into any digital accounts that are associated with you from the device, give a burner number to people who don’t use burners themselves, or bring it to a location associated with you while it’s on, like your house, the phone could quickly be linked to you.


  • Auto-Rebooting iPhones Are Causing Chaos for Cops


    Maybe you already heard, but Donald Trump will be president of the United States again. The far-right is celebrating by calling for mass executions. The left is responding with their own election conspiracy theories. Convicted January 6 rioters are banking on a pardon. And women who oppose Trump have frankly had enough.

    Ahead of Election Day, WIRED found that an “election integrity” app made by True the Vote, a right-wing group that helped popularize election denialism around the 2020 election, was leaking the emails of its users. In one instance it revealed an election officer in California who appeared to be engaged in illegal voter suppression.

    Disinformation and other forms of election interference have been a major issue since Russia’s hack of the Democratic National Committee in the lead-up to the 2016 election. But 2024 appears to have been the worst yet, with US officials warning that Russia had amplified its efforts to unprecedented levels.

    In non-election news, Canadian authorities arrested Alexander “Connor” Moucka, who is accused of hacking a slew of Snowflake cloud storage customers earlier this year. Security experts who’ve long followed the exploits of a hacker who went by the handle Waifu—whom authorities say is Moucka—believe him to be “one of the most consequential threat actors of 2024.”

    A federal judge in Michigan sentenced Richard Densmore to 30 years in prison after he pleaded guilty to sexually exploiting a child. Densmore was highly active in 764, an online criminal network that the FBI now considers to be a “tier one” terrorism threat.

    Finally, in WIRED’s first story published in partnership with 404 Media, reporter (and 404 co-owner) Joseph Cox took a deep dive into the world of infostealer malware—the same kind used in all those Snowflake account breaches Moucka is accused of committing.

    And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    Some iPhones that police have in their possession for forensic examination are suddenly rebooting themselves, making it more difficult for investigators to access their contents, reports 404 Media. Police use tools like Cellebrite to essentially hack into phones, but this is typically done when a device is in the so-called After First Unlock (AFU) state. Once they reboot, iPhones are put into Before First Unlock (BFU), which makes them much harder to access with forensic tools.

    According to a document obtained by 404, police believed the sudden reboots stemmed from the fact that the devices run iOS 18, Apple’s new mobile operating system. The police suspected that iOS 18 contains a secret feature that allowed the impacted devices, all of which were in airplane mode, to communicate with other nearby iPhones, which sent “a signal to devices to reboot after so much time had transpired since device activity or being off network,” the document reads.
