A major coordinated reveal this week calls attention to the importance of prioritizing security in graphics processing unit (GPU) design. Researchers have released details of a “LeftoverLocals” vulnerability in multiple brands and models of mainstream GPUs, including Apple, Qualcomm and AMD chips, which can be exploited to steal sensitive data, such as responses from artificial intelligence systems. Meanwhile, new findings from cryptocurrency tracking firm Chainalysis show how stablecoins pegged to the value of the U.S. dollar played a significant role in cryptocurrency-based scams and sanctions evasion last year.
The Federal Trade Commission earlier this month reached a settlement with data broker X-Mode (now Outlogic) over its sale of location data collected from mobile phone apps to the U.S. government and other customers. While the action was hailed by some as a historic privacy victory, it also illustrates the limits of the data privacy enforcement powers of the FTC and the U.S. government, and how many companies can avoid scrutiny and consequences for failing to protect consumer data.
U.S. internet provider Comcast Xfinity may collect data about customers’ personal lives for use in personalized advertising, including information about their political beliefs, race and sexual orientation. If you are a customer, we would recommend that you opt out where possible. If you need a good read over the weekend, we have the story of how a 27-year-old cryptography graduate student systematically debunked the myth of the anonymity of Bitcoin transactions. This article is excerpted from the documentary thriller by Wired writer Andy Greenberg, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, out in paperback this week.
And there’s more. Each week, we round up security and privacy news that we don’t cover in depth ourselves. Click on the title to read the full story, and stay safe.
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two actively exploited vulnerabilities in the popular VPN appliances Ivanti Connect Secure and Policy Secure. Eric Goldstein, CISA’s executive assistant director, told reporters that CISA has notified every federal agency running a version of the product, and that “approximately” 15 agencies in total have implemented mitigation measures. “We have not assessed significant risk to federal businesses, but we know the risk is not zero,” Goldstein said. He added that an investigation was underway into whether any federal agencies were compromised as a result of the attackers’ mass exploitation.
Analysis shows that multiple actors have been finding and exploiting vulnerable Ivanti devices to gain access to organizational networks around the world. The campaign began in December 2023, but activity has increased in recent days as vulnerability information and proof-of-concept code emerged. Researchers at security firm Volexity said at least 1,700 Connect Secure devices were compromised. Both Volexity and Mandiant found evidence that at least part of the exploitation was motivated by espionage. CISA’s Goldstein said Friday that the U.S. government has not attributed any exploitation activity to specific actors, but “the exploitation of these products would be consistent with what we have seen from PRC [People’s Republic of China] actors like Volt Typhoon in the past.”
Ivanti Connect Secure is a rebrand of the Ivanti product line called Pulse Secure. The VPN platform’s vulnerabilities are known to have been exploited in a series of high-profile digital breaches in 2021 by Chinese state-backed hackers.
Microsoft said on Friday that on January 12 it detected an intrusion into its systems attributed to the Russian state-backed hackers known as Midnight Blizzard, APT29 or Cozy Bear. The company said it has fully remediated the intrusion, which began in November 2023 and used “password spraying” attacks to compromise a legacy test account. From there, the attackers were able to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” With this access, the Cozy Bear hackers were able to steal “some emails and attached documents.” Microsoft noted that the attackers appeared to be seeking information about Microsoft’s investigation into the group itself. “This attack was not the result of a vulnerability in a Microsoft product or service,” the company wrote. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”
Gift card fraud, in which attackers trick victims into buying gift cards for them, is a long-standing problem, but a new report from ProPublica shows Walmart has been particularly neglectful in addressing the problem. For a decade, the retailer has fended off pressure from regulators and law enforcement to more closely scrutinize gift card sales and money transfers and expand employee training to prevent customers from being deceived and exploited by bad actors. ProPublica conducted dozens of interviews and reviewed internal documents, court documents and public records in its analysis.
“They’re worried about money. That’s it,” Nick Alicea, the former head of the U.S. Postal Inspection Service’s fraud unit, told ProPublica. Walmart defended its efforts, saying it had blocked more than $700 million in suspicious fund transfers and refunded $4 million to gift card fraud victims. “Walmart works hard to protect our customers from third-party fraudsters while providing these financial services,” the company said in a statement. “We have robust anti-fraud programs and other controls in place to help stop scammers and other criminals who might take advantage of the financial services we provide to harm our customers.”
As rebel groups in Myanmar violently oppose the country’s military government, the human trafficking and abuse that fuel pig-butchering scams are inflaming the conflict. These scams have exploded in recent years, perpetrated not only by willing criminals but by groups of forced laborers who are often kidnapped and held against their will. In one case this fall, a Myanmar rebel group called the Three Brotherhood Alliance took control of 100 military posts in the country’s northern Shan state and seized several towns along the border with China, vowing to “eradicate telecommunications fraud, fraud dens and their patrons across the country, including along the China-Myanmar border.”
The United Nations estimates that as many as 100,000 people may be detained in fraud centers in Cambodia and 120,000 in Myanmar. “I’ve been working in this field for over 20 years, and honestly, in terms of numbers, we’ve never seen anything like what we’re seeing now in Southeast Asia,” Rebecca Miller, regional program director for trafficking in persons at the United Nations Office on Drugs and Crime told Vox.
In a new study, Consumer Reports and The Markup crowdsourced three years of archived Facebook data from 709 of the social network’s users to assess which data brokers and other organizations were tracking and monitoring them. The reporters analyzed the data and found that a total of 186,892 companies sent information about these 709 people to Facebook. On average, 2,230 companies sent information about each user to Facebook. However, the numbers vary widely: some users had fewer than the average, while others had more than 7,000 companies tracking them and providing information to the social network.