The 2024 US presidential election is entering its final stretch, which means state-backed hackers are coming out of the shadows to interfere in their own unique ways. That includes Iran’s APT42, a hacker group linked to Iran’s Islamic Revolutionary Guard Corps, which Google’s Threat Analysis Group says is aimed at nearly a dozen people associated with the presidential campaigns of Donald Trump and Joe Biden (now Kamala Harris).
The Rolling disaster is a data broker breach and background check company National Public Data are just getting started. Although the company’s breach occurred months ago, it only publicly acknowledged it on Monday after someone posted what it claimed were “2.9 billion records” of people in the United States, United Kingdom, and Canada, including names, physical addresses, and Social Security numbers. But ongoing analysis of the data suggests the story is much more complicated—as are the risks.
You can now add bike shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano’s Di2 wireless shifting may be vulnerable to various radio attackscould allow someone to change a driver’s gear remotely or prevent them from changing gear at a crucial moment in a race. Meanwhile, other researchers have found that it could Extract administrator keys for electronic lockers used in gyms and offices worldwidepotentially allowing criminals to access every locker in the same location.
If you have a Google Pixel phone, don’t let it out of your sight: An unpatched vulnerability in a hidden Android app called Showcase.apk could give an attacker deep access to your device. Exploiting the vulnerability would require physical access to the target device, but the researchers at iVerify who discovered it say it could also be possible through other vulnerabilities. Google says it plans to release a fix “in the coming weeks,” but that wasn’t enough for data analytics company and US military contractor Palantir, which will stop using all Android devices due to what it believes is an insufficient response from Google.
But that’s not all. Each week, we’ll round up security and privacy news that we didn’t cover in depth. Click on the headline to read the full story. And stay safe.
A U.S. federal appeals court ruled last week that so-called geofencing warrants violate Fourth Amendment protections against unreasonable searches and seizures. Geofencing warrants allow police to demand that companies like Google hand over a list of every device that was in a certain location at a certain time. The U.S. Fifth Circuit Court of Appeals rule on August 9 that geofence warrants are “absolutely prohibited under the Fourth Amendment” because “they never includes a specific user to be identified, just a time and geographical location where any user is identified maybe appear after a search.” In other words, they are the unconstitutional expedition that privacy and civil liberties advocates have long asserted.
Google, which collects the location histories of tens of millions of US residents and is the most frequent target of geofence warrants, announced late last year that it would change the way it stores location data in a way that would make geofence warrants more difficult. may no longer return the data they once did.. But the issue is still legally unsettled: The 5th Circuit Court of Appeals’ ruling only applies to law enforcement in Louisiana, Mississippi, and Texas. Plus, because of weak U.S. privacy laws, police could simply buy the data and skip the cumbersome warrant process altogether. The appellants in the case heard by the 5th Circuit Court of Appeals are no better off: The court found that the police used the geofence warrant in “good faith” when it was issued in 2018, so they can still use the evidence they collected.
The Committee on Foreign Investment in the United States (CFIUS) fined Germany’s T-Mobile a record $60 million this week for mishandling data during its integration with U.S.-based Sprint after the two companies merged in 2020. According to CFIUS“T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” in violation of the National Security Agreement the company signed with the committee, which assesses the national security implications of foreign business deals with U.S. companies. T-Mobile said in a statement that technical issues impacted “information shared from a small number of law enforcement information requests.” While the company claimed to have acted “promptly” and “timely,” CFIUS said T-Mobile “failed to promptly report certain incidents of unauthorized access to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.”
The 12-year saga of Kim Dotcom’s prosecution moved forward this week with New Zealand’s attorney general approving a U.S. request to extradite the controversial businessman. Dotcom created the file-sharing service Megaupload, which U.S. authorities say was used for widespread copyright infringement. The U.S. seized Megaupload in 2012 and prosecuted Dotcom on charges related to extortion, copyright infringement and money laundering. Dotcom has denied any wrongdoing but failed in his attempt to block the extradition. in 2017 and has been fighting it ever since. Despite the attorney general’s decision, Dotcom has sworn in a posted on X to stay in the country where he has been a legal resident since 2010. “I love New Zealand,” he wrote. “I am not leaving.”
The The growing evil of deepfake porn—explicit images of people digitally “undressing” without their consent—may have finally hit a major legal hurdle. San Francisco Deputy City Attorney Yvonne Meré—and the City of San Francisco by extension—have filed a lawsuit against 16 of the most popular “deepfake” websites. These sites and apps allow people to create explicit deepfake images of virtually anyone, but they are increasingly being used by boys to create sexual abuse material against underage female classmates. While some states have criminalized the creation and distribution of AI-generated sexual abuse material against minors, Meré’s lawsuit actually seeks to shut down the sites entirely.
