†Ipsa scientia potestas est,” wrote 16th-century philosopher and statesman Sir Frances Bacon famously in his 1597 work, Meditationes Sacrae. Knowledge itself is power. Aphorism, no matter how cliché, acquires a tangible truth in wartime.
Just ask the people of Mariupol, a city in southeastern Ukraine where Russia’s devastating attacks have cut the flow of information in and out of the city. Meanwhile, the government in Russia has banned Facebook and Instagram amid its crackdown on news without the stamp of approval from the state. But as we explained this week, building an entire Chinese-style splinternet is much harder than the Kremlin would like to admit.
This week, we further explored the power of information — and the power to keep information secret — with a look at a new idea for creating digital money in the US — no, not Bitcoin or any other cryptocurrency. Real digital money that, crucially, has the same built-in privacy as the cash in your actual wallet. We’ve also dived into the pitfalls of knowing where your kids and other loved ones are at any given time through the use of tracking apps, which you should probably stop using. And after the Digital Markets Act passed in Europe last week, we analyzed the tricky case of forcing encrypted messaging apps to work together, as required by law.
To wrap things up, we’ve taken a closer look at some leaked internal documents that shed new light on the Lapsus$ racketeering gang’s Okta hack. And we looked at how researchers used a decommissioned satellite to broadcast hacker TV.
But that’s not all, folks. Read on below for the rest of the week’s top security stories.
In one of the more creative tricks we’ve seen recently, hackers reportedly duped Apple and Meta into handing over sensitive user data, including names, phone numbers and IP addresses, Bloomberg reports. The hackers did this by using so-called emergency data requests (EDRs), which the police use to access data when someone is potentially in immediate danger, such as an abducted child, and which do not require a judge’s signature. Civil liberty watchdogs have long criticized EDRs as ripe for abuse by law enforcement, but this is the first time we’ve heard of hackers using the data privacy loophole to steal people’s data.
According to security journalist Brian Krebs, the hackers gained access to police systems to transmit the fraudulent EDRs, which are difficult for tech companies to verify due to their urgent nature. (Both Apple and Meta told Bloomberg they have systems in place to validate police requests.) Adding another layer to the saga: Some of the hackers involved in these scams later became part of the Lapsus$ group, both Bloomberg and Krebs reported, and the group is in the news again this week for completely different reasons.
Following the arrest and release of seven young people in the UK last week in connection with a string of high-profile Lapsus$ hacks and extortion attempts, City of London police announced Friday that they had arrested two teenagers, a 16-year-old and a 17-year-old, in connection with the crimes of the gang. Each teen faces three counts of unauthorized access to a computer and one count of fraud. The 16-year-old is also facing “one count of causing a computer to perform a function to protect unauthorized access to a program,” police said. Due to strict privacy rules in the UK, the teens have not been named publicly.
Despite the narrative that Russia has failed to use its hacking power as part of its unprovoked war against Ukraine, mounting evidence shows that this is not true. First, Viasat released new details about the attack on its network at the start of Russia’s war against Ukraine in late February, which took some Ukrainian military communications and tens of thousands of people across Europe offline. Viasat also confirmed an analysis by SentinelLabs, which revealed that the attackers were using a modem-wiper malware known as AcidRain. That malware, the researchers found, may have “developmental similarities” with another malware, VPNFilter, which US national intelligence has linked to Russia’s GRU hacker group Sandworm.
Then came the most significant cyber attack since Russia started its war. Ukraine’s State Service for Special Communications announced on Monday that state internet provider Ukrtelecom had faced a “vigorous” cyber attack on its core infrastructure. While the SSSC said Ukrtelecom was able to fend off the attack and begin recovery, internet monitoring service NetBlocks said on Twitter that it witnessed a “connectivity that collapsed across the country”.
Internet-connected “Wyze Cam” cameras have been exposed for nearly three years, thanks to a vulnerability that could have allowed attackers to remotely access videos and other images stored on device memory cards. Such vulnerabilities, unfortunately, are not uncommon in Internet-of-things devices, especially IP cameras. The situation was particularly significant, however, as researchers from Romanian security firm Bitdefender had been trying since March 2019 to disclose the vulnerability to Wyze and get the company to issue a patch. It’s unclear why the researchers didn’t make the findings public sooner, as is customary in vulnerability disclosure after three months, to draw more attention to the situation. Wyze released patches for the bug for its V2 and V3 cameras on January 29. However, the company no longer supports its V1 camera, which is also vulnerable. The bug can be exploited remotely, but not directly over the open internet. Attackers must first compromise the local network on which the camera resides before targeting the Wyze vulnerability itself.