Since Elon Musk spent $44 billion on Twitter and laid off a large percentage of the company’s staff, there are concerns about data breaches. Now a security incident that preceded Musk’s acquisition seems to be causing concern. This week it emerged that hackers have released a treasure trove of 200 million email addresses and their links to Twitter handles, likely collected between June 2021 and January 2022. At the company.
WhatsApp has launched a new anti-censorship tool that it hopes will help people in Iran avoid government-imposed blocks on the messaging platform. The company has made it possible for people to use proxies to access WhatsApp and avoid government filters. The tool is available worldwide. We also explained what pig slaughtering is and how to avoid falling into the trap.
Also this week, cybersecurity firm Mandiant revealed that it has seen Russian cyber-espionage group Turla use innovative new hacking tactics in Ukraine. The group, believed to have ties to FSB intelligence, was spotted piggybacking on dormant USB infections from other hacker groups. Turla registered expired domains of years-old malware and managed to take over its command-and-control servers.
We also reported on the ongoing fallout from the EncroChat hack. In June 2020, police across Europe revealed that they had hacked into the EncroChat encrypted phone network, collecting over 100 million messages from users, many of them potentially serious criminals. Now thousands of people have been jailed based on the information gathered, but the arrest raises wider questions about law enforcement hacking and the future of encrypted telephone networks.
But that is not everything. Each week we round up the security stories we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.
On December 31, as millions of people prepared for the start of 2023, Slack has posted a new security update on its blog. In the post, the company says it has discovered a “security vulnerability involving unauthorized access to a subset of Slack’s code repositories.” As of Dec. 27, it discovered that an unknown threat actor stole Slack employee tokens and used them to access its remote GitHub repository and download some of the company’s code.
“When we were made aware of the incident, we immediately invalidated the stolen tokens and began investigating the potential impact on our customers,” Slack’s disclosure says, adding that the attacker had no access until customer data and Slack users didn’t have to do anything.
The incident is similar to a December 21 security incident revealed by authentication company Okta, as a cybersecurity journalist Catalin Cimpanu notes. Just before Christmas, Okta revealed the code repositories had been opened and copied.
Slack quickly discovered the incident and reported it. However, as noted by Beeping computer, Slack’s security disclosure did not appear on its usual news blog. And in some parts of the world, the company has added code to prevent search engines from including it in their results. In August 2022, Slack enforced password resets after a bug exposed hashed passwords for five years.
A black man in Georgia spent nearly a week in jail after police reportedly relied on a facial recognition match gone wrong. Louisiana police used the technology to obtain an arrest warrant for Randal Reid in a robbery case they were investigating. “I have never been to Louisiana for a day in my life. Then they told me it was for theft. So not only have I not been to Louisiana, I’m not stealing,” Reid told the local news site Nola.
The publication says a detective “took the algorithm at face value to obtain a warrant” and says little is known about the Louisiana police’s use of facial recognition technology. The names of the systems used have not been disclosed. However, this is just the latest case of facial recognition technology being used in wrongful arrests. While police use of facial recognition technology has spread rapidly across U.S. states, research has repeatedly shown that people of color and women are more likely to be misidentified than white men.
On the first day of this year, Ukraine launched its deadliest missile strike yet against invading Russian forces. An attack on a temporary Russian barracks in Makiivka, in the Russian-occupied region of Donetsk, killed 89 soldiers, the Russian defense ministry said. Ukrainian officials say about 400 Russian soldiers were killed. In the aftermath, the Russian Defense Ministry claimed that the location of the troops had been identified because it was using cell phones without permission.
During the war, both sides said yes can intercept and locate telephone calls. While Russia’s latest claim should be treated with caution, the conflict has highlighted how open source data can be used to attack troops. Drones, satellite images and social media posts have been used to track people on the front lines.
A new law in Louisiana requires porn sites to verify the ages of out-of-state visitors to prove they are over 18 years old. By law, age verification must be used when a website contains 33.3 percent or more pornographic content. In response to the law, PornHub, the world’s largest porn website, is now giving people the option to link their driver’s license or government ID through an outside service to prove they are legal adults. PornHub says it doesn’t collect user data, but the move has raised surveillance fears.
Around the world, countries are introducing laws requiring visitors to porn sites to prove they are old enough to view the explicit material. Lawmakers in Germany and France have threatened to block porn sites if they don’t take action. Meanwhile, in February 2022, Twitter began blocking adult content creators in Germany for lacking age verification systems. The UK attempted to introduce similar age verification measures between 2017 and 2019; however, the plans collapsed because of confusion, design flaws, and data breach fears among porn website operators.
The world of spies is naturally shrouded in secrecy. Nations send agents to countries to gather intelligence, recruit other resources, and influence events. But occasionally these spies get caught. Since the large-scale Russian invasion of Ukraine in February 2022, more Russian spies have been identified and expelled from countries across Europe. A new database from open source researcher @inteltakes has collected known cases of Russian spies in Europe since 2018. The database contains 41 entries of spies who have been exposed and, where possible, details the nationality, profession and service through which they were recruited.
