Select Page
How a Catholic Group Doxed Gay Priests

How a Catholic Group Doxed Gay Priests

In a statement released a day before the investigation’s release, Jayd Henricks, the group’s president, said, “It isn’t about straight or gay priests and seminarians. It’s about behavior that harms everyone involved, at some level and in some way, and is a witness against the ministry of the church.”

No national US data privacy laws prohibit the sale of this kind of data.

On Wednesday, the District of Columbia’s health insurance exchange confirmed that it was working with law enforcement to investigate an alleged leak after a database containing personal information of about 170,000 individuals was offered for sale on a hacker forum popular with cybercriminals. The reported breach in DC Health Link, as the exchange is known, could expose sensitive personal data of lawmakers, their employees, and their families. Thousands of the exchange’s participants work in the US House and Senate, and a sample of the stolen data set reviewed by CyberScoop indicates that the victims of the breach also range from lobbyists to coffee shop employees. 

According to a letter to the head of the DC Health Benefit Exchange Authority from House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries, the FBI has apparently purchased some of the stolen data from the dark web. While the FBI had not yet determined the extent of the breach, according to the letter, “the size and scope of impacted House customers could be extraordinary.”

A report by Politico published March 7 details how Ring, Amazon’s home-surveillance company, handed law enforcement videos captured by an Ohio man’s 20 Ring cameras against his will. In December, the Hamilton Police Department sought a warrant for camera footage—including from inside the man’s house—while investigating his neighbor. According to the report, after he willingly providing video to the police that showed the street outside his home, police used the courts to access more footage against his will.

While law enforcement often seeks warrants for digital data, those warrants typically pertain to the subject of a particular investigation. However, as networked home surveillance cameras have become increasingly popular, sometimes blanketing city blocks, law enforcement is increasingly turning to individuals who are completely unaffiliated with a case to provide data. According to Politico, the lack of legal controls on what police can ask for opens the door for a bystander’s indoor home footage to be lawfully acquired by police.

Following Politico’s story, Gizmodo reported that a customer service agent for Ring told a concerned customer that the Politico story was a “hoax” perpetrated by a competitor. In response, an Amazon spokesperson told Gizmodo that the company does not in fact think the story was a hoax and the statement was the result of a misunderstanding on the part of the customer support agent. “We will ensure the agent receives the appropriate coaching,” the spokesperson said.

A former roommate of noted fabulist George Santos told federal authorities that the US congressman from Long Island, New York, had orchestrated a credit card skimming operation in Seattle in 2017. In a declaration submitted to authorities and obtained by Politico, the Brazilian man—convicted of credit card fraud and deported from the US—told the FBI, “Santos taught me how to skim card information and how to clone cards. He gave me all the materials and taught me how to put skimming devices and cameras on ATM machines.” 

According to the declaration, Gustavo Ribeiro Trelha met Santos in 2016 when he rented a room from him in his Florida apartment. There Santos reportedly taught Trelha how to use credit card cloning equipment and eventually flew him to Seattle to begin stealing financial information. “My deal with Santos was 50 percent for him, 50 percent for me,” Trelha wrote. 

The FBI Just Admitted It Bought US Location Data

The FBI Just Admitted It Bought US Location Data

The United States Federal Bureau of Investigation has acknowledged for the first time that it purchased US location data rather than obtaining a warrant. While the practice of buying people’s location data has grown increasingly common since the US Supreme Court reined in the government’s ability to warrantlessly track Americans’ phones nearly five years ago, the FBI had not previously revealed ever making such purchases. 

The disclosure came today during a US Senate hearing on global threats attended by five of the nation’s intelligence chiefs. Senator Ron Wyden, an Oregon Democrat, put the question of the bureau’s use of commercial data to its director, Christopher Wray: “Does the FBI purchase US phone-geolocation information?” Wray said his agency was not currently doing so, but he acknowledged that it had in the past. He also limited his response to data companies gathered specifically for advertising purposes. 

“To my knowledge, we do not currently purchase commercial database information that includes location data derived from internet advertising,” Wray said. “I understand that we previously–as in the past–purchased some such information for a specific national security pilot project. But that’s not been active for some time.” He added that the bureau now relies on a “court-authorized process” to obtain location data from companies. 

It’s not immediately clear whether Wray was referring to a warrant—that is, an order signed by a judge reasonably convinced a crime has occurred—or another legal device. Nor did Wray indicate what motivated the FBI to end the practice. 

In its landmark Carpenter v. United States decision, the Supreme Court held that government agencies accessing historical location data without a warrant were violating the Fourth Amendment’s guarantee against unreasonable searches. But the ruling was narrowly construed. Privacy advocates say the decision left open a glaring “loophole” that allows the government to simply purchase whatever it cannot otherwise legally obtain. US Customs and Border Protection (CBP) and the Defense Intelligence Agency are among the list of federal agencies known to have taken advantage of this loophole. 

The Department of Homeland Security, for one, is reported to have purchased the geolocations of millions of Americans from private marketing firms. In that instance, the data were derived from a range of deceivingly benign sources, such as mobile games and weather apps. Beyond the federal government, state and local authorities have been known to acquire software that feeds off cellphone-tracking data. 

Asked during the Senate hearing whether the FBI would pick up the practice of purchasing location data again, Wray replied: “We have no plans to change that, at the current time.”

Sean Vitka, a policy attorney at Demand Progress, a nonprofit focused on national security and privacy reform, says the FBI needs to be more forthcoming about the purchases, calling Wray’s admission “horrifying” in its implications. “The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same,” he says, adding that Congress should also move to ban the practice entirely. 

You Can’t Trust App Developers’ Privacy Claims on Google Play

You Can’t Trust App Developers’ Privacy Claims on Google Play

It’s basically impossible to keep track of what all your mobile apps are doing and what data they share with whom and when. So over the past couple of years, Apple and Google have both added mechanisms to their app stores meant to act as a sort of privacy nutrition label, giving users some insight into how apps behave and what information they may share. These transparency tools, though, are populated with self-reported information from app developers themselves. And a new study focused on the Data Safety information in Google Play indicates that the details developers are providing are often inaccurate.

Researchers from the nonprofit software group Mozilla looked at the Data Safety information of Google Play’s top 40 most-downloaded apps and rated these privacy disclosures as “poor,” “needs improvement,” or “OK.” The assessments were based on the degree to which the Data Safety information did or did not align with the information in each app’s privacy policy. Sixteen of the 40 apps, including Facebook and Minecraft, received the lowest grade for their Data Safety disclosures. Fifteen apps received the middle grade. These included the Meta-owned apps Instagram and WhatsApp, but also the Google-owned YouTube, Google Maps, and Gmail. Six of the apps were awarded the highest grade, including Google Play Games and Candy Crush Saga.

“When you land on Twitter’s app page or TikTok’s app page and click on Data Safety, the first thing you see is these companies declaring that they don’t share data with third parties. That’s ridiculous—you immediately know something is off,” says Jen Caltrider, Mozilla’s project lead. “As a privacy researcher, I could tell this information was not going to help people make informed decisions. What’s more, a regular person reading it would most certainly walk away with a false sense of security.”

Google mandates that all app developers submitting to Google Play complete the Data Safety form. The rationale is that the developers are the ones who have the information on how their product handles data and interacts with other parties, not the app store that facilitates distribution. 

“If we find that a developer has provided inaccurate information in their Data Safety form and is in violation of the policy, we will require the developer to correct the issue to comply. Apps that aren’t compliant are subject to enforcement actions,” Google told the Mozilla researchers. The company did not address questions from WIRED about the nature of these enforcement actions or how often they have been taken.

Google refutes the researchers’ methodology, though. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects,” the company says in a statement. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”

In other words, Google is saying that the Mozilla researchers misunderstood the scope of the privacy policies they were looking at or even consulted the wrong policies entirely. But the researchers say the privacy policies they used in their analysis are the exact policies each app developer links to on Google Play, indicating that they apply to the apps in question.

Googling for Software Downloads Is Extra Risky Right Now

Googling for Software Downloads Is Extra Risky Right Now

If you heard rumblings this week that Netflix is finally cracking down on password sharing in the United States and other markets, you heard wrong—but only for now. The company told WIRED that while it plans to make an announcement in the next few weeks about limiting account sharing, nothing has happened yet. Meanwhile, lawmakers in Congress are eager to overhaul systems for dealing with secret US government data as classified documents keep turning up in the wrong places.

We did a deep dive this week into a ransomware attack that crippled the digital infrastructure of London’s Hackney Council. The assault happened more than two years ago, but it was so impactful that the local authority is still working to recover. A project that’s looking far into the future, meanwhile, is developing prototype pursuit satellites for real-world testing that could someday be used in space battles.

In other military news from the skies, we examined the situation with the apparent Chinese spy balloon over the US and the pros and cons of using balloons as espionage tools. And if you want to improve your personal digital security this weekend, we’ve got a roundup of the most important software updates to install right away, including fixes for Android and Firefox vulnerabilities.

Plus, there’s more. Each week we round up the stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

If you’re looking for legit software downloads by searching Google, your clicks just got riskier. The spam- and malware-tracking nonprofit Spamhaus says it has detected a “massive spike” in malware spread via Google Ads in the past two months. This includes “malvertizing” that appears to be authentic downloads of tools like Slack, Mozilla’s Thunderbird email client, and the Tor Browser. Security firm SentinelOne further identified a handful of malicious loaders spread through Google Ads, which researchers collectively dubbed MalVirt. They say MalVirt loaders are used to distribute malware like XLoader, which an attacker can use to steal data from an infected machine. Google told Ars Technica in a statement that it is aware of the malvertizing uptick. “Addressing it is a critical priority, and we are working to resolve these incidents as quickly as possible,” the company said.

The Federal Trade Commission this week issued its first-ever fine under the Health Breach Notification Rule (HBNR). Online pharmacy GoodRx was ordered to pay a $1.5 million fine for allegedly sharing its users’ medication data with third parties like Meta and Google without informing those users of the “unauthorized disclosures,” as is required under the HBNR. The FTC’s enforcement action follows investigations by Consumer Reports and Gizmodo into GoodRx’s data-sharing practices. In addition to violating the HBNR, GoodRx misrepresented its claims of HIPAA compliance, the FTC alleges. GoodRx claims it fixed the issues at the heart of the FTC’s complaint years ago and rejects any admission of guilt. “We do not agree with the FTC’s allegations and we admit no wrongdoing,” a spokesperson told Gizmodo. “Entering into the settlement allows us to avoid the time and expense of protracted litigation.” 

Microsoft this week announced that it had disabled accounts of threat actors who managed to get verified under the Microsoft Cloud Partner Program. Posing as legitimate businesses, the threat actors used their verified account status to create malicious OAuth applications. “The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps,” Microsoft said in a blog detailing the issue. “This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.” The company says the people behind the phishing attacks likely used their access to steal emails and that it has notified all victims.

Researchers at the security firm Saiflow this week exposed two vulnerabilities in versions of the open source protocol used in the operation of many electric-vehicle charging stations, called the Open Charge Point Protocol (OCPP). By exploiting vulnerable instances of the OCPP standard, which is used to communicate between chargers and management software, an attacker could take over a charger, disable groups of chargers, or siphon off electricity from a charger for their own use. Saiflow says it’s working with EV charger companies to mitigate the risks of the vulnerabilities.

The 37 million customers exposed by the most recent T-Mobile hack may not be the only people impacted by the breach. Google this week informed customers of the Google Fi mobile service that hackers had obtained “limited” account information, including phone numbers, SIM serial numbers, and information about their accounts. The hackers did not access payment information, passwords, or the contents of communications, like text messages. Still, it’s possible the information could have been used for SIM swap attacks. TechCrunch reports that the intrusion was detected by Google Fi’s “primary network provider,” which noticed “suspicious activity relating to a third-party support system.” The timing of the hack, which comes two weeks after the latest T-Mobile breach, suggests the two are related. 

Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme

Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme

We at WIRED are winding down for the year and gearing up for what is sure to be an eventful 2023. But 2022 isn’t going down without a fight. 

This week, following a new surge in mayhem at Twitter, we dove into exactly why the public needs real-time flight tracking, even if Elon Musk claims it’s the equivalent of doxing. The crucial transparency this publicly available data provides far outweighs the limited privacy value that censoring would give to the world’s rich and powerful. Unfortunately, Musk’s threats of legal action against the developer of the @ElonJet tracker are having broader chilling effects. 

Meanwhile, Iran’s internet blackouts—a response to widespread civil rights protests—are sabotaging the country’s economy, according to a new assessment from the US Department of State. Due to heavy sanctions on Iranian entities, the exact economic impact of Tehran’s internet blackouts is difficult to calculate. But experts agree it’s not good. 

You may have encountered the Flipper Zero in a recent viral TikTok video—but don’t believe everything you see. WIRED’s Dhruv Mehrotra got his hands on the palm-size device, which packs an array of antennas that allow you to copy and broadcast signals from all types of devices, like RFID chips, NFC cards, and more. We found that while the Flipper Zero can’t, say, make an ATM spill out money, it allows you to do plenty of other things that could get you into trouble. But mostly, it allows you to see the radio-wave-filled world around you like never before.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there. 

Between long hours, medallion costs, and the rise of Uber and Lyft, the life of a New York City cab driver is hard enough. Now it seems that Russian hackers—and a couple of their enterprising partners in Queens—were trying to get their own cut of those drivers’ fares.

According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi dispatch system for New York’s JFK airport. They then allegedly created a group chat where drivers could secretly pay $10 to skip the sometimes hours-long line to be assigned a pickup—about a fifth of the $52 flat fee passengers pay for rides from the airport to elsewhere in NYC. The indictment against the two men doesn’t name the Russians or detail exactly how they gained access to JFK’s dispatch system. But it notes that since 2019, Abayev and Leyman allegedly schemed to get access to the system by multiple methods, including bribing someone to insert a USB drive with malware into one of the dispatch operators’ computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablet computers. “I know that the Pentagon is being hacked,” Abayev wrote to his Russian contacts in November 2019, according to the indictment. “So, can’t we hack the taxi industry[?]” 

Before the scheme was shut down, prosecutors say it was enabling as many as a thousand fraudulent line-skips a day for drivers, 

It’s hardly a secret that Cyber Command, the more cyberattack-focused sister organization to the NSA, is frequently engaged in “hunting forward,” as Cybercom director Paul Nakasone has described it. That means hacking foreign hackers preemptively to disrupt their operations, often in advance of an event like a US election. So perhaps it’s no surprise, as The Washington Post reports, that Cybercom targeted Russian and Iranian hackers throughout the 2022 midterm elections. It’s not clear exactly how those hackers were disrupted, but one official told the Post that the operations typically go after the basic tools the hackers use to operate, including their computers, internet connections, and malware. In some cases, that foreign malware is discovered by Cybercom abroad and shared with potential targets in the US to make it more easily detected. 

While foreign hacking of US elections has waned since its peak in 2016—when Russia hacked the Democratic National Committee, Clinton campaign, and many other targets—it has by no means disappeared. Cybersecurity firm Mandiant reported this week that the Russian military intelligence agency the GRU appears to have targeted election websites with distributed denial-of-service attacks during the midterm elections, despite Cyber Command’s efforts.

On Monday, federal prosecutors charged two men—one from Wisconsin, the other from North Carolina—for allegedly participating in a swatting scheme that, over a one-week span, targeted the owners of more than a dozen compromised Ring home security door cameras.  According to the indictment, Kya Christian Nelson, 21, and James Thomas Andrew McCarty, 20, used login credentials from leaked Yahoo accounts to access Ring accounts from individuals around the country. The defendants then allegedly phoned in false reports to law enforcement claiming to dispatchers that a violent incident was taking place at the victim’s house, and then they livestreamed the police response to the hoax. In several of the incidents, the two men taunted responding police officers and victims through the microphone of the Ring device, according to the indictment.

Nelson, who went by the alias “ChumLul,” is currently incarcerated in Kentucky in an unrelated case. McCarty, who went by the alias “Aspertaine,” was arrested last week on federal charges filed in the District of Arizona. Nelson and McCarty are both charged with conspiring to intentionally access computers without authorization. Nelson has also been charged with two counts of intentionally accessing a computer without authorization and two counts of aggravated identity theft. If convicted, they could each face up to five years in prison, with Nelson facing an additional seven years for the additional charges.

In March 2017, Netflix tweeted a simple message: “Love is sharing a password.” Now, five years later, that sentiment is coming to the end of its life. According to a Wall Street Journal report this week, the streaming service plans to clamp down on password sharing in early 2023. Netflix has been testing ways to stop households in Latin America from sharing passwords throughout 2022, and the report suggests it is ready to expand the measures. Netflix says more than 100 million viewers watch its TV shows and movies using other people’s passwords, and it wants to convert those views into cash. “Make no mistake, I don’t think consumers are going to love it right out of the gate,” the Journal reports Netflix co-CEO Ted Sarandos telling investors earlier this year. Elsewhere, the UK government’s Intellectual Property Office said it believes sharing passwords for online streaming services could breach copyright laws. It is unlikely anyone would ever be prosecuted, though.

The Roomba J7 home robot uses “PrecisionVision Navigation” to avoid objects in your home—such as piles of clothes on the floor or accidental piles of dog crap. The robot is partly able to do this using a built-in camera and computer vision. However, as MIT Technology Review reported this week, gig economy workers in Venezuela posted photos from the robots online—including one image of a woman on the toilet. The photos and videos were captured by a development version of the J7 robot in 2020 and shared with a startup that contracts workers to label the images, helping to train computer vision systems. Those using the development machines had agreed for their data to be shared. Roomba maker iRobot, which is being purchased by Amazon, said it is ending its contract with the startup that leaked the images and is investigating what happened. However, the incident highlights some of the potential privacy risks with the vast data sets that are used to train artificial intelligence applications.

All Kelly Conlon wanted to do was watch the Rockettes with her daughter’s Girl Scout troop. But thanks to a face recognition system run by Madison Square Garden Entertainment, Conlon was summarily kicked out of Radio City Music Hall because she was unknowingly banned from the venue. The issue, according to MSG Entertainment, is that Conlon is an attorney at a law firm that’s currently engaged in litigation against the company. (Conlon said she is not personally involved in that litigation.) “They knew my name before I told them. They knew the firm I was associated with before I told them. And they told me I was not allowed to be there,” Conlon told NBC New York. MSG Entertainment, meanwhile, defended the attorney’s expulsion as necessary to avoid an “inherently adverse environment.” The episode adds to concerns over the use of face-recognition tech, which remains so underregulated that a corporation can use it to punish its enemies. Happy holidays!