And Ring wasn't the only one caught up in a child surveillance scandal lately. So was Toys "R" Us, which is back after its bankruptcy and stood accused of surveilling children after reports about its use of high-tech sensors to track shoppers around stores. The company behind those sensors, however, claims that the cameras are designed not to register people shorter than 4 feet tall. Meanwhile, another long-running surveillance story—the FBI inspector general's investigation into the origins of its own Trump-Russia probe and the FISA-enabled monitoring of Trump staffer Carter Page, who was suspected of ties to Russia—concluded in a 500-page report that exculpated the FBI of any partisan political motivations in the probe while also pointing out serious flaws in its adherence to legal protocols. Another equally complex surveillance scare is coming to a head, as rural US wireless providers are resisting an FCC proposal to remove all gear from American telecom networks sold by the Chinese firm Huawei, citing spying fears.
Elsewhere in the security world, researchers across half a dozen universities warned that Intel chips are vulnerable to a technique that fiddles with their voltage to make them spill their most well-protected secrets. And a bitcoin scheme allegedly lured in consumers with promises of a stake in a cryptocurrency mining operation to assemble a $722 million pyramid scheme.
And there's still more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Massive Iranian Bank Breach Exposes 15 Million Accounts
With tensions still high in Iran after weeks of public protests, hackers published 15 million bank debit card numbers from customers of Iran's three largest banks on social media this week. The breach impacts almost a fifth of Iran's total population. Iranian information and telecommunications minister Mohammad Javad Azari Jahromi said that the breach was a result of a rogue contractor who abused financial system access to steal the data and then posted it as part of an extortion scheme. Though a major breach, this explanation would mean that bank systems weren't actually hacked, but were compromised by someone with legitimate access. Outside analysts suggest, though, that a breach of this scale may have actually been the result of nation-state hacking, targeting Iran during a period of intense instability.
Terrorists should not feel free to upload terrible images of slaughter, but neither should they be empowered to empty people’s bank accounts or to tap the phones of presidents and prime ministers. “But,” people say, “What if only legitimate requests can get into the protected communications?” Weaknesses in computer systems are discovered by attackers all the time.
White House and Intelligence Vets Under Federal Scrutiny for UAE Espionage Work
US authorities are investigating former White House and intelligence staffers who conducted espionage and hacking operations for the United Arab Emirates after leaving their US government positions. Reuters has reported previously on the group, known as Project Raven to its American participants and DREAD, or Development Research Exploitation and Analysis Department, in the UAE. The group formed a contract espionage firm in 2008 to help the UAE spy on targets including journalists, dissidents, terrorists, and human rights activists. In some cases, targets Project Raven members spied on were arrested or deported from the UAE and allegedly tortured in their home countries, such as Saudi Arabia. American participants in Project Raven became increasingly concerned that the work they were being asked to do by the Emiratis was targeting groups or people with US ties, potentially crossing a hard line.
Loza emphasizes that while the attacks likely required extensive expertise and planning over months, or even years, they were enabled by sloppy and insecure network architecture within the Mexican financial system, and security oversights in SPEI, Mexico's domestic money transfer platform run by central bank Banco de México, also known as Banxico.
Telegram Account Hacks in Russia Suggest Telephony Hacking
In Russia, a rash of Telegram account breaches has led some researchers to believe that hackers are gaining access through telephony network hacking. The compromised accounts were protected by two-factor authentication, so attackers would have needed the username and password, plus a special one-time code sent in an SMS message. The fact that multiple accounts have been breached may indicate that attackers have access to the SMS messages at a network level, perhaps through known flaws in a ubiquitous telephony protocol known as SS7.
Drone Maker Inadvertently Exposed User Data Revealing Law Enforcement Flight Paths
The drone platform Dronesense left a database of user information exposed and accessible—a problematic mistake, but especially significant because Dronesense has government and law enforcement customers. For certain clients, the data revealed flight paths some drones took. Motherboard, which obtained samples of the data, was able to plot out drone courses, including a "Mapping Mission" seemingly to take photographs over a residential Washington, DC, neighborhood, a flight over an apartment building and parking lot in Atlanta, Georgia, and a "disaster assessment" over an unknown playground. The database seems to include data from organizations like the US Army Corps of Engineers, Atlanta Police Department, and City of Coral Springs.
Senate Hearing Pressures Tech Companies Over Encryption Access
In a Senate Judiciary Committee hearing on Tuesday, lawmakers pressed Facebook and Apple representatives on the limits of law enforcement visibility into data on end-to-end encrypted services. They especially emphasized the need to access data related to child exploitation cases following a Department of Justice conference on the topic in October. Facebook has been under pressure from US law enforcement for months, since announcing earlier this year that it will add end-to-end encryption to its messaging services. Facebook-owned WhatsApp already offers the data protection.
The internal documents show that through its Vigilant Solutions contract, which began in 2018 and runs to September 2020, ICE has access not only to five billion records gathered by private businesses, but also to 1.5 billion data points contributed by over 80 local law enforcement agencies from more than a dozen states.