How a Catholic Group Doxed Gay Priests

In a statement released a day before the investigation’s release, Jayd Henricks, the group’s president, said, “It isn’t about straight or gay priests and seminarians. It’s about behavior that harms everyone involved, at some level and in some way, and is a witness against the ministry of the church.”

No national US data privacy laws prohibit the sale of this kind of data.

On Wednesday, the District of Columbia’s health insurance exchange confirmed that it was working with law enforcement to investigate an alleged leak after a database containing personal information of about 170,000 individuals was offered for sale on a hacker forum popular with cybercriminals. The reported breach in DC Health Link, as the exchange is known, could expose sensitive personal data of lawmakers, their employees, and their families. Thousands of the exchange’s participants work in the US House and Senate, and a sample of the stolen data set reviewed by CyberScoop indicates that the victims of the breach also range from lobbyists to coffee shop employees. 

According to a letter to the head of the DC Health Benefit Exchange Authority from House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries, the FBI has apparently purchased some of the stolen data from the dark web. While the FBI had not yet determined the extent of the breach, according to the letter, “the size and scope of impacted House customers could be extraordinary.”

A report by Politico published March 7 details how Ring, Amazon’s home-surveillance company, handed law enforcement videos captured by an Ohio man’s 20 Ring cameras against his will. In December, the Hamilton Police Department sought a warrant for camera footage—including from inside the man’s house—while investigating his neighbor. According to the report, after he willingly provided video to the police that showed the street outside his home, police used the courts to access more footage against his will.

While law enforcement often seeks warrants for digital data, those warrants typically pertain to the subject of a particular investigation. However, as networked home surveillance cameras have become increasingly popular, sometimes blanketing city blocks, law enforcement is increasingly turning to individuals who are completely unaffiliated with a case to provide data. According to Politico, the lack of legal controls on what police can ask for opens the door for a bystander’s indoor home footage to be lawfully acquired by police.

Following Politico’s story, Gizmodo reported that a customer service agent for Ring told a concerned customer that the Politico story was a “hoax” perpetrated by a competitor. In response, an Amazon spokesperson told Gizmodo that the company does not in fact think the story was a hoax and the statement was the result of a misunderstanding on the part of the customer support agent. “We will ensure the agent receives the appropriate coaching,” the spokesperson said.

A former roommate of noted fabulist George Santos told federal authorities that the US congressman from Long Island, New York, had orchestrated a credit card skimming operation in Seattle in 2017. In a declaration submitted to authorities and obtained by Politico, the Brazilian man—convicted of credit card fraud and deported from the US—told the FBI, “Santos taught me how to skim card information and how to clone cards. He gave me all the materials and taught me how to put skimming devices and cameras on ATM machines.” 

According to the declaration, Gustavo Ribeiro Trelha met Santos in 2016 when he rented a room from him in his Florida apartment. There Santos reportedly taught Trelha how to use credit card cloning equipment and eventually flew him to Seattle to begin stealing financial information. “My deal with Santos was 50 percent for him, 50 percent for me,” Trelha wrote. 

The FBI Just Admitted It Bought US Location Data

The United States Federal Bureau of Investigation has acknowledged for the first time that it purchased US location data rather than obtaining a warrant. While the practice of buying people’s location data has grown increasingly common since the US Supreme Court reined in the government’s ability to warrantlessly track Americans’ phones nearly five years ago, the FBI had not previously revealed ever making such purchases. 

The disclosure came today during a US Senate hearing on global threats attended by five of the nation’s intelligence chiefs. Senator Ron Wyden, an Oregon Democrat, put the question of the bureau’s use of commercial data to its director, Christopher Wray: “Does the FBI purchase US phone-geolocation information?” Wray said his agency was not currently doing so, but he acknowledged that it had in the past. He also limited his response to data companies gathered specifically for advertising purposes. 

“To my knowledge, we do not currently purchase commercial database information that includes location data derived from internet advertising,” Wray said. “I understand that we previously–as in the past–purchased some such information for a specific national security pilot project. But that’s not been active for some time.” He added that the bureau now relies on a “court-authorized process” to obtain location data from companies. 

It’s not immediately clear whether Wray was referring to a warrant—that is, an order signed by a judge reasonably convinced a crime has occurred—or another legal device. Nor did Wray indicate what motivated the FBI to end the practice. 

In its landmark Carpenter v. United States decision, the Supreme Court held that government agencies accessing historical location data without a warrant were violating the Fourth Amendment’s guarantee against unreasonable searches. But the ruling was narrowly construed. Privacy advocates say the decision left open a glaring “loophole” that allows the government to simply purchase whatever it cannot otherwise legally obtain. US Customs and Border Protection (CBP) and the Defense Intelligence Agency are among the federal agencies known to have taken advantage of this loophole. 

The Department of Homeland Security, for one, is reported to have purchased the geolocations of millions of Americans from private marketing firms. In that instance, the data were derived from a range of deceivingly benign sources, such as mobile games and weather apps. Beyond the federal government, state and local authorities have been known to acquire software that feeds off cellphone-tracking data. 

Asked during the Senate hearing whether the FBI would pick up the practice of purchasing location data again, Wray replied: “We have no plans to change that, at the current time.”

Sean Vitka, a policy attorney at Demand Progress, a nonprofit focused on national security and privacy reform, says the FBI needs to be more forthcoming about the purchases, calling Wray’s admission “horrifying” in its implications. “The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same,” he says, adding that Congress should also move to ban the practice entirely. 

Twitter’s Two-Factor Authentication Change ‘Doesn’t Make Sense’

Twitter announced yesterday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” like a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.

Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.

“While historically a popular form of 2FA, unfortunately, we have seen phone-number based 2FA be used—and abused—by bad actors,” Twitter wrote in a blog post published yesterday evening. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

In a July 2022 report about account security, Twitter said that only 2.6 percent of its active users have any type of two-factor authentication enabled. Of those users, nearly 75 percent were using the SMS version. Almost 29 percent were using authenticator apps and less than 1 percent had added a physical authentication key.

SMS-based two-factor authentication is insecure because attackers can hijack targets’ phone numbers (through SIM swapping, for example) or use other techniques to intercept the texts. But security experts have long emphasized that using SMS two-factor is significantly better than not having a second authentication factor enabled at all. 

Increasingly, tech giants like Apple and Google have eliminated the option for SMS two-factor and transitioned users (typically over many months or years) to other forms of authentication. Researchers worry that Twitter’s policy change will confuse users by giving them so little time to complete the transition and making SMS two-factor seem like a premium feature.

“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I agree that it is less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon’s usable privacy and security lab. “But if their motivation is security, wouldn’t they want to keep paid accounts secure too? It doesn’t make sense to allow the less secure method for paid accounts only.”  

While the company says its changes to two-factor will roll out in mid-March, Twitter users with SMS two-factor turned on started encountering a pop-up overlay screen yesterday that advised them to remove two-factor entirely or switch to “the authentication app or security key methods.” 

It is unclear what will happen if users do not disable SMS two-factor by the new deadline. The in-app message to users implies that people who still have SMS two-factor turned on when the change officially happens on March 20 will be locked out of their accounts. “To avoid losing access to Twitter, remove text message two-factor authentication by March 19, 2023,” the notification says. But Twitter’s blog post says that two-factor will simply be disabled on March 20 if users don’t adjust it before then. “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that time, accounts with text message 2FA still enabled will have it disabled.”

Googling for Software Downloads Is Extra Risky Right Now

If you heard rumblings this week that Netflix is finally cracking down on password sharing in the United States and other markets, you heard wrong—but only for now. The company told WIRED that while it plans to make an announcement in the next few weeks about limiting account sharing, nothing has happened yet. Meanwhile, lawmakers in Congress are eager to overhaul systems for dealing with secret US government data as classified documents keep turning up in the wrong places.

We did a deep dive this week into a ransomware attack that crippled the digital infrastructure of London’s Hackney Council. The assault happened more than two years ago, but it was so impactful that the local authority is still working to recover. A project that’s looking far into the future, meanwhile, is developing prototype pursuit satellites for real-world testing that could someday be used in space battles.

In other military news from the skies, we examined the situation with the apparent Chinese spy balloon over the US and the pros and cons of using balloons as espionage tools. And if you want to improve your personal digital security this weekend, we’ve got a roundup of the most important software updates to install right away, including fixes for Android and Firefox vulnerabilities.

Plus, there’s more. Each week we round up the stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

If you’re looking for legit software downloads by searching Google, your clicks just got riskier. The spam- and malware-tracking nonprofit Spamhaus says it has detected a “massive spike” in malware spread via Google Ads in the past two months. This includes “malvertising” that appears to be authentic downloads of tools like Slack, Mozilla’s Thunderbird email client, and the Tor Browser. Security firm SentinelOne further identified a handful of malicious loaders spread through Google Ads, which researchers collectively dubbed MalVirt. They say MalVirt loaders are used to distribute malware like XLoader, which an attacker can use to steal data from an infected machine. Google told Ars Technica in a statement that it is aware of the malvertising uptick. “Addressing it is a critical priority, and we are working to resolve these incidents as quickly as possible,” the company said.

The Federal Trade Commission this week issued its first-ever fine under the Health Breach Notification Rule (HBNR). Online pharmacy GoodRx was ordered to pay a $1.5 million fine for allegedly sharing its users’ medication data with third parties like Meta and Google without informing those users of the “unauthorized disclosures,” as is required under the HBNR. The FTC’s enforcement action follows investigations by Consumer Reports and Gizmodo into GoodRx’s data-sharing practices. In addition to violating the HBNR, GoodRx misrepresented its claims of HIPAA compliance, the FTC alleges. GoodRx says it fixed the issues at the heart of the FTC’s complaint years ago and denies any wrongdoing. “We do not agree with the FTC’s allegations and we admit no wrongdoing,” a spokesperson told Gizmodo. “Entering into the settlement allows us to avoid the time and expense of protracted litigation.” 

Microsoft this week announced that it had disabled accounts of threat actors who managed to get verified under the Microsoft Cloud Partner Program. Posing as legitimate businesses, the threat actors used their verified account status to create malicious OAuth applications. “The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps,” Microsoft said in a blog detailing the issue. “This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.” The company says the people behind the phishing attacks likely used their access to steal emails and that it has notified all victims.

Researchers at the security firm Saiflow this week exposed two vulnerabilities in versions of the open source protocol used in the operation of many electric-vehicle charging stations, called the Open Charge Point Protocol (OCPP). By exploiting vulnerable instances of the OCPP standard, which is used to communicate between chargers and management software, an attacker could take over a charger, disable groups of chargers, or siphon off electricity from a charger for their own use. Saiflow says it’s working with EV charger companies to mitigate the risks of the vulnerabilities.

The 37 million customers exposed by the most recent T-Mobile hack may not be the only people impacted by the breach. Google this week informed customers of the Google Fi mobile service that hackers had obtained “limited” account information, including phone numbers, SIM serial numbers, and information about their accounts. The hackers did not access payment information, passwords, or the contents of communications, like text messages. Still, it’s possible the information could have been used for SIM swap attacks. TechCrunch reports that the intrusion was detected by Google Fi’s “primary network provider,” which noticed “suspicious activity relating to a third-party support system.” The timing of the hack, which comes two weeks after the latest T-Mobile breach, suggests the two are related. 

Welcome to the Era of Internet Blackouts

The Iranian government’s latest attempts in recent months to stifle protests through internet blackouts, digital curfews, and content blocking have presented a particularly extreme example of how far regimes can go in restricting digital access. But a new report from the internet infrastructure company Cloudflare, released today, highlights the stunning global prevalence of connectivity disruptions and their increasing relevance to people and organizations all around the world.

In 2022, Cloudflare began publishing reports that compile its internal observations about government internet blackouts and notable outages worldwide. As a content delivery network that also provides digital resiliency services, the company sees an array of signals when a chunk of the internet goes dark. For example, Cloudflare can assess internet protocol requests, like those for the routing system Border Gateway Protocol or the internet address book Domain Name System, to get insight into how a government executed a shutdown and where in the internet backbone it implemented the connectivity blocking.

The specific geopolitical context and technical nuances of different digital disruptions can make it difficult, or unhelpful, to make granular comparisons of disparate incidents. But Cloudflare, which operates in more than 100 countries and interconnects with more than 10,000 network providers, is using its vantage point and visibility into the global internet to track broader trends and offer a sense of scale about how pervasive internet shutdowns have become.

“There’s an increasing use of shutdowns as a means of controlling communication,” says David Belson, Cloudflare’s head of data insight and a longtime researcher of internet disruptions. “There are single points of failure for internet connectivity, and things that are outside of your control can impact your business, your organization, your individual collaborations. So if you are someone in a position of responsibility, you may have to start factoring that into your risk matrix and thinking about particular steps to ensure that your presence on the internet and the work you do on the internet remains uninterrupted.”

The new report, which looks at incidents from the fourth quarter of 2022, concluded that activity related to internet disruptions was actually lower, or “a little bit less active,” as Belson puts it, than previous quarters of last year. Still, the report listed intentional shutdowns and disruptions in Bangladesh, Cuba, Iran, Kenya, Pakistan, Sudan, and Ukraine, along with the United States, where Moore County, North Carolina, dealt with multiday internet outages thanks to assailants who shot at two electrical substations, causing power outages. In Ukraine and Iran particularly, Cloudflare’s reporting was a continuation of ongoing monitoring and incidents.

An internet shutdown imposed by the Cuban government on October 1 was a continuation of shutdowns that began at the end of September in an attempt to curtail protests. The uprisings came in response to a hurricane that caused power outages on the island nation and a widespread feeling among the public that the Cuban government botched the recovery.

The report also highlights an accidental October cable cut in the UK’s Shetland Islands as well as technical failures in Australia, Haiti, and Kyrgyzstan.

“The interesting thing about internet shutdowns is that we typically don’t see governments shutting down electricity or water or gas. They target the internet because they see shutting down the flow of information as a vital thing to do,” says John Graham-Cumming, Cloudflare’s chief technical officer. “For a lot of us the internet is an essential utility that we can’t live without. These things really do have an impact, including an economic impact.”

Graham-Cumming and Belson note that they see increasing government reliance in many places on digital curfews and intermittent, recurring shutdowns—a trend that seems very likely to continue. It has even become common in some countries to impose connectivity blackouts for a few hours a day during university exams, purportedly to reduce the possibility of students cheating. And in places like Ukraine, where connectivity outages are driven by persistent, wartime attacks on critical infrastructure, the impacts are unrelenting and serve as a particularly sobering illustration of this new digital normal.