Plus: spyware-wrapped ads, TikTok GDPR breach, Elon Musk investigation, and more.
China-linked hackers are increasingly moving beyond espionage into the troubling realm of power grid attacks. Threat researchers at security software company Symantec released new evidence this week that a Chinese hacking group known as APT41 infiltrated an Asian country’s power grid. Some details of the latest intrusion echo an attack on India’s power grid in 2021, suggesting it was the work of the same hackers.
In Argentina, a scandal is unfolding in Buenos Aires over the city's use of facial recognition software. Although the law requires authorities to limit searches to known fugitives, a judicial inquiry found the system was used to look up people who were not wanted for any crime. In other cases, mistakes led police to arrest or question the wrong people. Buenos Aires is now trying to bring the system back online after a legal ruling ordered it shut down, but the failures show how dangerous facial recognition can be even where laws constraining it are already on the books.
Facial recognition isn't the only artificial intelligence system governments are using in disturbing new ways. U.S. state and local governments, like everyone else, are beginning to use generative AI tools such as ChatGPT, and so far there is no consensus on how to use them. Some states, such as Maine, have temporarily banned their use entirely over cybersecurity concerns, while others are already using them to write speeches and social media posts.
Meanwhile, the U.S. Senate is getting an education in artificial intelligence. About 60 senators took part in closed-door briefings this week, hearing from major tech CEOs including Elon Musk, Mark Zuckerberg and Sam Altman, as well as civil liberties advocates and AI ethics experts. The Senate has been studying AI and its many problems for much of the year and will hold another forum on AI innovation later this year. Despite these cramming sessions, some lawmakers question whether they are any closer to addressing AI responsibly.
Finally, a cyberattack on MGM Resorts continues to wreak havoc on its casino and hotel guests nearly a week after it began. Attacks on large casino companies inevitably draw attention, but the ransomware group behind this one, ALPHV (also known as BlackCat), has a long history of targeting schools and hospitals, where the consequences are far more serious.
That’s not all. Each week, we round up security and privacy news that we don’t cover in depth ourselves. Click on the title to read the full story and stay safe.
You need to update your browser and a lot of other things
Unless you have updated your browser in the past few days, it likely contains a critical flaw. The recently disclosed vulnerability, tracked as CVE-2023-4863, lies in libwebp, the code library that encodes and decodes images in the widely used WebP format. The flaw is a heap buffer overflow: a specially crafted image can make the decoder write past the end of a heap-allocated buffer, which can let an attacker run code on the target device. Google says an exploit for the vulnerability exists in the wild.
The libwebp vulnerability was first disclosed as a zero-day in Google Chrome earlier this week. It affects browsers built on Chromium, including Chrome, Microsoft Edge, Opera, Brave and others, and also Mozilla's Firefox, which is not Chromium-based but bundles the same library. Apps that ship their own copy of libwebp, including Telegram, 1Password, Thunderbird and GIMP, are affected too. Patches are now available, so install updates as they arrive and expect a second wave from apps that bundle the library.
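To make concrete what "a specially crafted image" means at the container level, here is an added example that is not code from this page or from libwebp: a small C parser for the WebP RIFF container that checks every length field against the bytes actually present before reading through it, and extracts the dimensions from a lossless (VP8L) header. The actual CVE-2023-4863 bug sits deeper, in the lossless decoder's Huffman-table construction, so this code neither detects nor reproduces it; what it shows is the discipline a hardened decoder applies to every attacker-controlled size. The sample files are constructed for the example and are not decodable images.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* What a bounds-checked look at a WebP container tells us. */
typedef struct {
    char fourcc[5];     /* first chunk type: "VP8 ", "VP8L" or "VP8X" */
    int lossless;       /* 1 if the bitstream is VP8L (lossless) */
    uint32_t width;     /* image width/height, filled for VP8L only */
    uint32_t height;
} webp_info;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *info for a well-formed container, -1 otherwise.
   Every length field is compared with the bytes actually in the buffer
   before any read depends on it. */
int webp_inspect(const uint8_t *buf, size_t len, webp_info *info) {
    memset(info, 0, sizeof *info);
    if (len < 20) return -1;             /* 12-byte RIFF header + 8-byte chunk header */
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0) return -1;

    uint32_t riff_size = rd_le32(buf + 4);           /* bytes after the 8-byte RIFF header */
    if (riff_size < 12 || riff_size > len - 8) return -1;   /* truncated or impossible */

    const uint8_t *chunk = buf + 12;
    uint32_t chunk_size = rd_le32(chunk + 4);
    size_t payload_avail = riff_size - 12;           /* bytes left inside RIFF after chunk header */
    if (chunk_size > payload_avail) return -1;       /* forged/oversized chunk length */

    memcpy(info->fourcc, chunk, 4);
    const uint8_t *payload = chunk + 8;

    if (memcmp(chunk, "VP8L", 4) == 0) {
        /* VP8L: signature byte 0x2f, then 14-bit width-1, 14-bit height-1,
           1 alpha bit and 3 version bits packed little-endian into 4 bytes. */
        if (chunk_size < 5 || payload[0] != 0x2f) return -1;
        uint32_t hdr = rd_le32(payload + 1);
        if ((hdr >> 29) != 0) return -1;             /* only version 0 is defined */
        info->lossless = 1;
        info->width  = (hdr & 0x3FFF) + 1;
        info->height = ((hdr >> 14) & 0x3FFF) + 1;
        return 0;
    }
    if (memcmp(chunk, "VP8 ", 4) == 0 || memcmp(chunk, "VP8X", 4) == 0) return 0;
    return -1;                                       /* unknown leading chunk */
}

/* Packs width<<16 | height for a valid lossless file, 0 for a valid lossy or
   extended file, -1 for anything the checks reject. */
long webp_lossless_dims(const uint8_t *buf, size_t len) {
    webp_info info;
    if (webp_inspect(buf, len, &info) != 0) return -1;
    if (!info.lossless) return 0;
    return ((long)info.width << 16) | info.height;
}

/* Constructed 26-byte container: a 16x8 VP8L header with no image data. */
const uint8_t SAMPLE_OK[] = {
    'R','I','F','F', 18,0,0,0, 'W','E','B','P',
    'V','P','8','L', 5,0,0,0,
    0x2f, 0x0f, 0xc0, 0x01, 0x00,   /* signature, then width-1=15, height-1=7 */
    0x00                            /* pad to an even chunk length */
};

/* Same file with the VP8L chunk length forged to 0xfffffff0; a decoder that
   trusted the field would read far past the end of the buffer. */
const uint8_t SAMPLE_OVERSIZED[] = {
    'R','I','F','F', 18,0,0,0, 'W','E','B','P',
    'V','P','8','L', 0xf0,0xff,0xff,0xff,
    0x2f, 0x0f, 0xc0, 0x01, 0x00, 0x00
};

int main(void) {
    webp_info info;
    if (webp_inspect(SAMPLE_OK, sizeof SAMPLE_OK, &info) == 0)
        printf("%s lossless=%d %ux%u\n", info.fourcc, info.lossless, info.width, info.height);
    printf("forged length rejected: %s\n",
           webp_inspect(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &info) ? "yes" : "no");
    printf("truncated file rejected: %s\n",
           webp_inspect(SAMPLE_OK, 24, &info) ? "yes" : "no");   /* RIFF size says 18, only 16 present */
    return 0;
}
```

Pointing the inspector at a suspicious file (read it into a buffer first) tells you whether it takes the lossless code path at all; it says nothing about whether the embedded Huffman tables are malicious, which is why the only real fix is the updated library.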
Spyware companies are using ads to hack into phones
Malicious online ads (also known as "malvertising") have been around for many years. Now they're going pro. According to Haaretz, several Israeli companies are building tools that abuse the technical machinery of online advertising to track people and hack their devices. The technique targets the real-time bidding process, in which automated systems compete in a fraction of a second for specific ad slots on a web page; by winning the slot for a chosen target, these companies can serve that person an ad that reportedly carries "advanced spyware." There is no quick fix for the underlying problem, but there is one simple step that cuts off the delivery channel: use an ad blocker.
TikTok fined €345 million for violating children’s privacy
European data regulators this week fined TikTok 345 million euros ($368 million) for violating laws protecting the privacy of underage users. Ireland's Data Protection Commission (DPC) said the company breached the GDPR by failing to make child users' accounts private by default. The DPC also said TikTok's "Family Pairing" feature, which lets an adult control a child's account settings, did not verify that the adult was actually a parent or guardian. TikTok said it disagrees with the decision because, before the investigation began, it had already changed its settings to make the accounts of anyone under 16 private by default.
Musk’s Starlink outage in Crimea draws US Senate scrutiny
Covertly interfering with a U.S. ally's war plans proved unpopular in Washington. The U.S. Senate Armed Services Committee has launched an investigation into Elon Musk's decision not to enable Starlink satellite communications over Crimea ahead of a planned Ukrainian attack on Russian forces. The move, first revealed in author Walter Isaacson's new biography of Musk, prompted several Democratic senators to write to Defense Secretary Lloyd Austin asking him to explain what actions the Pentagon has taken or plans to take to "prevent further dangerous interference by Musk."
"SpaceX is a prime contractor and an important industry partner to [DOD] and the recipient of billions of dollars in taxpayer funds," the letter reads. "We are deeply concerned about SpaceX's ability and willingness to disrupt service at the whim of Mr. Musk, and for profit."
FTC fines background check company $5.8 million over data accuracy issues
Even if your record is spotless, passing a background check can be one of the most stressful parts of finding a new job or apartment. We've got bad news: the information used to judge your eligibility may be inaccurate. The Federal Trade Commission (FTC) this week announced a $5.8 million fine against background check providers TruthFinder and Instant Checkmate for "failing to ensure maximum accuracy of consumer reports," in violation of the Fair Credit Reporting Act. The FTC alleges the companies "made millions of dollars" selling subscriptions that alerted customers when "criminal records" turned up in a background check, "when those records were nothing more than a traffic ticket." The companies also displayed "Remove" and "Flag as Inaccurate" buttons that, the FTC said, "did not function as advertised."
The fine comes months after TruthFinder and Instant Checkmate confirmed a data breach: in January, hackers leaked an April 2019 database backup stolen from the companies, exposing the personal information of millions of customers.