Musk sues disinformation researchers for driving away advertisers
The company formerly known as Twitter is suing the Center for Countering Digital Hate, that researches hate speech on social media, accusing it of conducting “a scare campaign to drive away advertisers.” The suit alleges that the nonprofit violated X’s terms of service and federal law by scraping data from the social media site. It accused the group of cherry picking posts to make it look like the platform is flooded with hate speech and other harmful content, in order to silence users. CCDH’s CEO Imran Ahmed said, “Musk is trying to ‘shoot the messenger’ who highlights the toxic content on his platform rather than deal with the toxic environment he’s created. Musk will not bully us into silence.”
(NPR)
Researchers claim cloud host facilitated state-backed cyberattacks
Researchers at Halcyon have identified an Internet Services Provider (ISP), named Cloudzy, providing command-and-control services to more than 20 hacking groups, including ransomware operators, spyware vendors, and state-sponsored APT actors. The company is registered in the United States, but the researchers believe it is operated out of Tehran, Iran. The analysis of Cloudzy’s services unveiled two previously unknown ransomware groups and attack infrastructure associated with hacking groups tied to governments in China, Iran, India, North Korea, Pakistan, Russia, and Vietnam. Halcyon said the ISP acts like a command-and-control provider (C2P), while advertising its services as protecting user anonymity, and does not appear to respond when malicious activity is brought to its attention.
(SecurityWeek and Reuters)
UK spy agencies want to relax ‘burdensome’ laws on AI data use
UK intelligence agencies including GCHQ, MI6 and MI5 propose weakening safeguards that limit training of AI models with bulk personal datasets (BPDs). These datasets often contain sensitive info about large groups of people, most of whom are unlikely to be of intelligence and security interest. The agencies argue the surveillance laws place a “burdensome” limit on their ability to train AI models which are needed to help analyse the vast and growing quantities of data they hold. Privacy experts have expressed alarm at the move, which would unwind some of the legal protection introduced in 2016 after disclosures by Edward Snowden about intrusive state surveillance. A leading privacy and surveillance expert, Ian Brown, wrote, “‘data scientists’ disappointment they don’t get to play with all their wonderful new toys isn’t a good justification for weakening fundamental rights protection.”
Hot Topic falls victim to credential-stuffing attacks
American apparel retailer Hot Topic is notifying customers about multiple cyberattacks between February 7 and June 21 that resulted in exposing sensitive information to hackers. The company said hackers used stolen account credentials to access their Rewards platform and potentially stole customer data. The company’s investigation determined that Hot Topic was not the source of the credentials used in the credential-stuffing attacks. Hot Topic said that it could not discern between unauthorized and legitimate logins and, as a result, it will notify all customers that had their accounts accessed during the cyberattacks.
Thanks to our sponsor, Opal
New infostealer targets Facebook business accounts
Researchers at Unit 42 have uncovered another phishing campaign designed to take over Facebook business accounts using a newly identified infostealer. The Python-based malware, dubbed NodeStealer 2.0, is believed to be of Vietnamese origin and is very similar to the NodeStealer variant identified and taken down by Meta earlier in 2023. NodeStealer 2.0 comes with cryptostealing and downloader capabilities, in addition to the ability to fully take over Facebook business accounts. This campaign no longer appears to be active, but the threat actors are expected to continue targeting Facebook business accounts. These campaigns have inflicted financial and reputational damage and have propagated further attacks using credentials stolen from browsers.
(Infosecurity Magazine and The Hacker News)
California agency probing into connected car data
The California Privacy Protection Agency has announced its plans to review the data privacy practices of automakers that produce connected vehicles equipped with data-mining features, from cameras and location sharing to web-based entertainment and smartphone integration. The Agency’s review will be conducted under the California Consumer Privacy Act, and is the first such review in the US, where automakers have enjoyed a more lax data privacy environment compared to Europe. Privacy advocates have expressed concerns about connected vehicles for years and similar reviews could soon be conducted in Connecticut, Colorado, Utah and Virginia.
Nearly all modern CPUs leak data to new side-channel attack
Researchers in Austria and Germany have discovered a new generic software-based attack, dubbed Collide+Power. The attack abuses the fact that some CPU components are designed to share data from different security domains and it works against devices powered by Intel, AMD or Arm processors and applies to any application and any type of data. The researchers achieved a data leakage rate of 4.82 bits per hour where the targeted application constantly accesses secret information and the attacker can directly read the power consumption of the CPU. Collide+Power’s slow leak rate makes the attack largely impractical in real-world situations but the research highlights potential issues that could pave the way for improved attacks. Affected chipmakers are publishing their own advisories for the attack under assigned CVE-2023-20583.
Health Service staff reprimanded for WhatsApp data sharing
A trust of the UK’s National Health Service (NHS) has been reprimanded for GDPR violations by the Information Commissioner’s Office (ICO) after it was discovered that staff had been sharing patient details on WhatsApp for two years. Twenty-six staff at NHS Lanarkshire were part of a WhatsApp group entering sensitive patient data including names, phone numbers, addresses, images, videos, screenshots and clinical information during the pandemic. The staff used the WhatsApp group to share the data without the trust’s knowledge and one non-staff member was accidentally added to the group, resulting in inappropriate disclosure of personal information. The ICO said patient data was entered into the app on more than 500 occasions and highlights the dangers of shadow IT.