[ad_1]
A major coordinated disclosure this week drew attention to the importance of prioritizing security in the design of graphics processing units (GPUs). The researchers published details about “LeftoverLocals” vulnerability in multiple mainstream GPU brands and models(including chips from Apple, Qualcomm and AMD) that could be exploited to steal sensitive data, such as responses from artificial intelligence systems. Meanwhile, new findings from cryptocurrency tracking company Chainalysis show how Stablecoins pegged to the value of the US dollar were instrumental in cryptocurrency-based scams. and the evasion of sanctions last year.
The US Federal Trade Commission reached a settlement earlier this month with data broker X-Mode (now Outlogic) over its sale of location data collected from phone apps to the US government and other clients. While the move was hailed by some as a historic privacy victory, it also illustrates the limitations of the FTC and the US government’s data privacy enforcement power and the ways many companies can avoid scrutiny and consequences. for failing to protect consumer data.
The US Internet Provider Comcast Xfinity may collect data about customers’ personal lives for personalized ads, including information about your political beliefs, race, and sexual orientation. If you are a customer, we have tips for opting out-As far as possible. And if you need a good long read for the weekend, we have the story of How a 27-year-old cryptography grad student systematically debunked the myth that Bitcoin transactions are anonymous.. The piece is an excerpt from WIRED writer Andy Greenberg’s nonfiction thriller. Trackers in the Dark: The Global Hunt for Cryptocurrency Crime LordsAvailable this week in paperback.
And there is more. Every week, we round up the security and privacy news that we don’t analyze or cover in depth ourselves. Click on the headlines to read the full stories and stay safe.
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency issued a emergency directive require federal agencies to apply patches two vulnerabilities which are being actively exploited in the popular Ivanti Connect Secure and Policy Secure VPN devices. CISA Deputy Executive Director Eric Goldstein told reporters that CISA has notified all federal agencies that are running a version of the products, making “about” 15 agencies that have applied mitigations. “We are not assessing significant risk to the federal enterprise, but we know the risk is not zero,” Goldstein said. He added that investigations are underway into whether any federal agencies have been compromised in the attackers’ massive exploitation spree.
Analysis indicates that multiple actors have been searching for and exploiting vulnerable Ivanti devices to gain access to the networks of organizations around the world. The activity began in December 2023, but has intensified in recent days as news of the vulnerabilities and a proof of concept emerged. Researchers at security firm Volexity say that at least 1,700 Connect Secure devices have been compromised across the board. Both volexity and Mandiant see evidence that at least part of the exploitation activity is motivated by espionage. CISA’s Goldstein said Friday that the US government has not yet attributed any exploitation activity to particular actors, but that “the exploitation of these products would be consistent with what we have seen from PRC actors such as Typhoon Volt in the past.”
Ivanti Connect Secure is a rebrand of the Ivanti series of products known as Pulse Secure. The vulnerabilities in that VPN platform were Notoriously exploited in a series of high-profile digital breaches in 2021 carried out by Chinese state-backed hackers.
Microsoft said Friday that it detected a system intrusion on Jan. 12 that it attributes to the Russian state-backed actor known as Midnight Blizzard or APT 29 Cozy Bear. The company says it has fully remediated the breach, which began in November 2023 and used “password spray” attacks to compromise historical system test accounts that, in some cases, allowed the attacker to infiltrate “a very small percentage of Microsoft corporate email accounts. , including members of our senior leadership team and employees in our legal, cybersecurity and other functions.” With this access, the Cozy Bear hackers were able to leak “some emails and attached documents.” Microsoft notes that the attackers appeared to be seeking information about Microsoft’s investigations into the group itself. “The attack was not the result of a vulnerability in Microsoft products or services,” the company wrote. “To date, there is no evidence that the threat actor had access to customer environments, production systems, source code, or artificial intelligence systems. We will notify customers if any action is required.”
Gift card scams in which attackers trick victims into buying gift cards from them are a long-standing problem, but a new report from ProPublica shows how Walmart has been particularly negligent in addressing the problem. For a decade, the retailer has dodged pressure from both regulators and authorities to more closely scrutinize gift card sales and money transfers and expand employee training that could prevent customers from being deceived and exploited by bad actors. ProPublica conducted dozens of interviews and reviewed internal documents, court records and public records in its analysis.
“They were worried about money. That’s it,” Nick Alicea, former fraud team leader for the U.S. Postal Inspection Service, told ProPublica. Walmart defended its efforts, saying it has stopped more than $700 million in suspicious money transfers and refunded $4 million to victims of gift card fraud. “Walmart offers these financial services while working hard to keep our customers safe from fraudulent third parties,” the company said in a statement. “We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers.”
As Myanmar rebel groups violently oppose the country’s military government, human trafficking and the abuses it fuels pig slaughter scams is exacerbating the conflict. Scams have skyrocketed in recent years, carried out not only by bad actors but also by a workforce of forced laborers who have often been kidnapped and held against their will. In one case this fall, a group of rebel groups in Myanmar known as the Three Brotherhoods Alliance took control of 100 military posts in Shan State in the north of the country and seized several towns throughout of the border with China, promising to “eradicate telecommunications fraud and scam networks.” and its sponsors across the country, including in areas along the China-Myanmar border.”
The UN estimates there may be up to 100,000 people held in scam centers in Cambodia and 120,000 in Myanmar. “I’ve been working in this space for over 20 years and, to be honest, we’ve never seen anything like what we’re seeing now in Southeast Asia in terms of large numbers of people,” Rebecca Miller, regional trafficking program director of people at the UN Office on Drugs and Crime, he told Vox.
In new research, Consumer Reports and The Markup collected three years of archived Facebook data from 709 users of the social network to assess which data brokers and other organizations are tracking and monitoring them. Analyzing the data, the journalists discovered that a total of 186,892 companies sent data on 709 people to Facebook. On average, each of those users received information sent to Facebook about them from 2,230 companies. However, the number varied. Some users had less than average while others had more than 7,000 companies tracking them and providing information to the social network.
