Cybersecurity News: Police taunt LockBit, PayPal’s cookie patent, vending machine controversy

British police taunt LockBit administrator

Following last Monday’s takedown of LockBit, in cooperation with the FBI, Europol and other partners, Britain’s National Crime Agency (NCA) is now taunting an individual known as LockbitSupp, purportedly the person behind the LockBit account. Stating that this individual has already “engaged with law enforcement,” the agency has been posting details about him in a style similar to how LockBit taunted its victims, correcting some of his claims about where he lives and what kind of car he drives, and adding, “We know who he is. We know where he lives. We know how much he is worth.”

(The Record)

PayPal files patent for new stolen cookies detector

The technology behind the patent application can identify when a “super-cookie” is stolen. In developing this technology, PayPal is seeking to take on hackers who steal cookies containing authentication tokens, which let an attacker log in without valid credentials and bypass two-factor authentication (2FA). “With stolen cookies often containing hashed passwords, the attacker can use a web browser on the attacker’s computer to impersonate the user (or authenticated device thereof) and gain access to secure information associated with the user’s account without having to manually login or provide authentication credentials,” the company explained.

(Bleeping Computer)

Vending machine crash reveals face recognition tech

Students at the University of Waterloo in Ontario, Canada are demanding answers after discovering that an M&Ms-branded smart vending machine had apparently been collecting facial recognition data. The discovery was made when the vending machine crashed and an error message on its screen stated that “Invenda.Vending.FacialRecognitionApp.exe” had failed to launch. According to Wired, one student noted that “Invenda sales brochures promised [that] the machines are capable of sending estimated ages and genders of every person who used the machines—without ever requesting consent.” The company responsible for installing and maintaining the vending machines on campus stated that the machines do not store photos, are not capable of facial recognition and are GDPR compliant. It added that the technology “acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface.”

(Wired)

U-Haul announces another breach

The company stated that a breach that occurred in December involved the data of about 67,000 customers in the U.S. and Canada. In a regulatory filing with the state of Maine, the company stated, “an unauthorized party used legitimate credentials to access a system that U-Haul dealers use to track reservations and view customer records.” They explained that the breached data included driver’s license numbers and other identification card numbers but did not involve the company’s payment system. A similar breach of customers’ information occurred between November 2021 and April 2022. In that breach, up to 2.2 million customers were affected.

(The Record)

Huge thanks to this week’s episode sponsor, Egress

People are the biggest risk to your organization’s security, and they are most vulnerable when using email. With more advanced threats getting through secure email gateway detection every day, Egress provides AI-powered email security that eliminates both inbound phishing attacks and outbound data breaches. What’s more, Egress’ adaptive security architecture personalizes security for each user based on their real-time risk score. Visit egress.com to learn more about Egress’ Intelligent Cloud Email Security suite and start detecting email threats your secure email gateway is missing today.

RCMP investigating cyberattack as its website remains down

Canada’s national police force, the Royal Canadian Mounted Police (RCMP), has launched a criminal investigation into a “cyber event” which, as of this recording, still has its main website offline and replaced with a 404 page. The attack occurred on Friday, and although few details are available, a spokesperson for the police force described the attack as “alarming.”

(Reuters)

Axie co-founder loses millions in crypto theft

The co-founder of the blockchain game Axie Infinity and of the Ronin Network, Jeff Zirlin, has announced that two of his personal crypto wallets have been hacked, resulting in losses of nearly $10 million worth of Ethereum. Zirlin confirmed that Ronin Network operations were not affected. This loss comes two years after the Lazarus Group stole over $600 million from Axie, five percent of which was later recovered by Chainalysis working with law enforcement.

(Yahoo Finance)

Medical device maker announces breach from last year

Rotech, an Orlando-based, national provider of home medical equipment and services, has issued a statement saying that some of its customers may have been impacted by a cybersecurity breach experienced by its partner Philips, specifically its Respironics unit. According to Reuters, Respironics, which sells breathing devices and ventilators to treat sleep apnea, was “made aware on June 5 of a privacy incident where an unauthorized third-party exploited a software to access information stored on its server, on May 31.” A second breach, apparently related to MOVEit Transfer, occurred in December. Details about which patients may have been impacted have not yet been provided.

(Reuters)

Apple announces post-quantum cryptographic protocol for iMessage

Named PQ3, the technology is designed to protect against quantum attacks. The number 3 in the name refers to Level 3 security, currently the most secure protocol for messaging apps. Post-quantum computing refers to developments that have followed the initial introduction of quantum computers. Apple says the protocol “has the strongest security properties of any at-scale messaging protocol in the world.” Support for PQ3 will start to roll out with the public releases of iOS and iPadOS 17.4, macOS 14.4, and watchOS 10.4.

(Apple Security Research)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.