Fake Cops Scammed Apple and Meta to Get User Data

Credit to Author: Andrew Couts, Lily Hay Newman | Date: Sat, 02 Apr 2022 13:00:00 +0000

“Ipsa scientia potestas est,” 16th-century philosopher and statesman Sir Francis Bacon famously wrote in his 1597 work, Meditationes Sacrae. Knowledge itself is power. The aphorism, cliché as it may be, takes on a palpable truth in times of war.

Just ask the people of Mariupol, a city in southeastern Ukraine, where Russia's devastating attacks have cut off the flow of information in and out of the city. Meanwhile, in Russia, the government has banned Facebook and Instagram amid its crackdown on news without the state's stamp of approval. But as we explained this week, building a full China-style splinternet is far more difficult than the Kremlin might like to admit.

We further explored the power of information—and the power to keep information secret—this week with a look at a new idea for creating digital cash in the US—no, not Bitcoin or any other cryptocurrency. Actual digital cash that, crucially, has the same built-in privacy as the bills in your actual wallet. We also dove into the pitfalls of knowing where your children and other loved ones are at any moment through the use of tracking apps, which you should probably stop using. And following last week's approval of the Digital Markets Act in Europe, we parsed the tricky business of forcing encrypted messaging apps to work together, as the law requires. 

To round things out, we got our mitts on some leaked internal documents that shed new light on the Lapsus$ extortion gang's Okta hack. And we took a look at how researchers used a decommissioned satellite to broadcast hacker TV.

But that's not all, folks. Read along below for the rest of the top security stories of the week.

In one of the more creative ploys we've seen recently, hackers reportedly duped Apple and Meta into handing over sensitive user data, including names, phone numbers, and IP addresses, Bloomberg reports. The hackers did so by exploiting so-called emergency data requests (EDRs), which police use to access data when someone is potentially in immediate danger, such as an abducted child, and which do not require a judge's signature. Civil liberty watchdogs have long criticized EDRs as ripe for abuse by law enforcement, but this is the first we've heard of hackers using the data-privacy loophole to steal people's data.

According to security journalist Brian Krebs, the hackers gained access to police systems to send the fraudulent EDRs, which, because of their urgent nature, are allegedly difficult for tech companies to verify. (Both Apple and Meta told Bloomberg they have systems in place to validate requests from police.) Adding another layer to the saga: Some of the hackers involved in these scams were later part of the Lapsus$ group, both Bloomberg and Krebs reported, which is in the news again this week for entirely other reasons.

Following last week's arrest-and-release of seven young people in the UK related to the string of high-profile Lapsus$ hacks and extortion attempts, City of London police announced on Friday that it had charged two teenagers, a 16-year-old and a 17-year-old, in connection with the gang's crimes. Each teenager faces three counts of unauthorized access to a computer and one count of fraud. The 16-year-old also faces “one count of causing a computer to perform a function to secure unauthorized access to a program,” police said. Because of strict privacy rules in the UK, the teens have not been named publicly.

Despite the narrative that Russia hasn't used its hacking might as part of its unprovoked war against Ukraine, increasing evidence shows that isn't true. First, Viasat released new details about the attack on its network at the start of Russia's war against Ukraine in late February, which knocked offline some Ukrainian military communications and tens of thousands of people across Europe. Viasat also confirmed an analysis by SentinelLabs, which found that the attackers used a modem wiper malware known as AcidRain. That malware, the researchers found, may have “developmental similarities” to another malware, VPNFilter, which US national intelligence has linked to Russian GRU hacker group Sandworm.

Then came the most significant cyberattack since Russia began its war. Ukraine's State Service of Special Communication announced on Monday that state-owned internet provider Ukrtelecom suffered a “powerful” cyberattack on its core infrastructure. While the SSSC said Ukrtelecom was able to fend off the attack and begin recovery, internet-monitoring service NetBlocks said on Twitter that it witnessed a “connectivity collapsing” nationwide.

“Wyze Cam” internet-connected cameras have been exposed for almost three years, thanks to a vulnerability that could have let attackers remotely access videos and other images stored on device memory cards. Such vulnerabilities are, unfortunately, not unusual in internet-of-things devices, including IP cameras specifically. The situation was particularly significant, though, because researchers from the Romanian security firm Bitdefender have been trying to disclose the vulnerability to Wyze and get the company to issue a patch since March 2019. It's unclear why the researchers didn't go public with the findings sooner, as is standard in vulnerability disclosure after three months, to call more attention to the situation. Wyze issued patches for the flaw on January 29 for its V2 and V3 cameras. The company no longer supports its V1 camera, though, which is also vulnerable. The bug is remotely exploitable, but not directly on the open internet. Attackers would first need to compromise the local network the camera is on before targeting the Wyze vulnerability itself.
