Hackers linked to China are increasingly moving beyond espionage and into the disturbing world of attacks on power grids. Threat researchers at security software company Symantec released new evidence this week that the Chinese hacking group known as APT41 has infiltrated an Asian country’s power grid. Some details of the latest intrusion resemble a 2021 attack on India’s power grid, suggesting the same hackers are responsible.
A scandal is unfolding in Argentina over the use of facial recognition software in Buenos Aires. Despite laws requiring authorities to limit searches to known fugitives, a judge’s investigation found the system was used to track down people who were not wanted for crimes. In other cases, mistakes led to police arresting or questioning the wrong people. As Buenos Aires tries to get the system back online after legal rulings ordered it shut down, the debacle shows how dangerous facial recognition can be, even with laws restricting it.
Facial recognition isn’t the only artificial intelligence-powered system that governments are using in new and disturbing ways. Like everyone else, state and local governments in the United States have started to play with generative AI tools like ChatGPT. And so far there is no consensus on how to use the technology. Some US states, such as Maine, have temporarily banned its use entirely over cybersecurity fears, while others use it to create speeches and social media posts.
Meanwhile, the US Senate is in the process of getting an AI education. About 60 senators attended a closed-door briefing this week where they heard from major tech CEOs including Elon Musk, Mark Zuckerberg and Sam Altman, as well as civil liberties advocates and AI ethics experts. The Senate has been delving into AI and its myriad issues for most of the year, with another forum on AI innovation planned for later this year. Despite these busy sessions, some lawmakers are wondering whether they are any closer to a responsible approach to AI.
Finally, the cyberattack against MGM casinos continues to wreak havoc on the resorts’ guests nearly a week after the attack began. While an attack on a major casino company inevitably gets a lot of attention, the group behind the breach, known as Alphv, has a long history of attacks on schools and hospitals – attacks that are far more consequential.
That’s not all. Every week we round up the security and privacy news that we haven’t covered in depth ourselves. Click on the headlines to read the full stories and stay safe out there.
Unless you’ve updated your browser in the last few days, it probably contains a critical flaw. The newly disclosed vulnerability exists in the WebP code library known as libwebp, which encodes and decodes images in the widely used WebP format. The flaw, a type of bug known as a ‘heap buffer overflow’, can be triggered by a specially crafted malicious image, allowing an attacker to execute malicious code on a targeted device. Google says the bug has already been exploited in the wild.
Initially identified early this week as a zero-day vulnerability in Google’s Chrome browser, the libwebp bug affects every browser that bundles the library, including Chromium-based browsers such as Chrome, Microsoft Edge, Opera and Brave, as well as Mozilla’s Firefox and more. It also affects apps like Telegram, 1Password, Thunderbird and GIMP. Patches for the bug are now being rolled out, so keep your eyes peeled for updates.
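The bug class named above, a heap buffer overflow in an image decoder, shown in a constructed toy format as an added example (this is not WebP and not libwebp’s code, and every name and the format itself are assumptions made for the illustration). The unchecked decoder sizes its allocation from the declared image dimensions but copies the declared payload length, so a file whose payload length exceeds width × height writes past the end of the heap allocation. The hardened decoder validates the length against both the allocation and the bytes actually present before copying anything.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy image format for this example (not WebP):
 *   byte 0: width (1..255)      byte 1: height (1..255)
 *   bytes 2-3: payload length, little-endian
 *   bytes 4..: payload, one byte per pixel, row-major
 */
#define HDR_LEN 4

typedef struct {
    uint8_t *pixels;
    size_t len;
} image_t;

/* Parse the fixed header; returns 0 on success, -1 if the input is too short. */
static int read_header(const uint8_t *buf, size_t buflen,
                       size_t *w, size_t *h, size_t *payload_len)
{
    if (buf == NULL || buflen < HDR_LEN) return -1;
    *w = buf[0];
    *h = buf[1];
    *payload_len = (size_t)buf[2] | ((size_t)buf[3] << 8);
    return 0;
}

/* VULNERABLE pattern, kept only for contrast and never exercised below:
 * the allocation is sized from width*height, but the copy uses the
 * file-controlled payload length. A file declaring payload_len > w*h
 * overruns the heap buffer, which is the shape of a decoder heap
 * buffer overflow. */
int decode_image_unchecked(const uint8_t *buf, size_t buflen, image_t *out)
{
    size_t w, h, payload_len;
    if (read_header(buf, buflen, &w, &h, &payload_len)) return -1;
    uint8_t *pixels = malloc(w * h);            /* sized from dimensions */
    if (pixels == NULL) return -1;
    memcpy(pixels, buf + HDR_LEN, payload_len); /* length from the file  */
    out->pixels = pixels;
    out->len = w * h;
    return 0;
}

/* HARDENED decoder: the copy length is checked against both the
 * allocation size and the bytes actually present before any write. */
int decode_image(const uint8_t *buf, size_t buflen, image_t *out)
{
    size_t w, h, payload_len;
    if (read_header(buf, buflen, &w, &h, &payload_len)) return -1;
    size_t need = w * h;                 /* w,h <= 255, so no overflow  */
    if (need == 0) return -1;            /* zero-sized image is invalid */
    if (payload_len != need) return -1;  /* declared length must match  */
    if (buflen - HDR_LEN < payload_len) return -1; /* and be present    */
    uint8_t *pixels = malloc(need);
    if (pixels == NULL) return -1;
    memcpy(pixels, buf + HDR_LEN, need);
    out->pixels = pixels;
    out->len = need;
    return 0;
}

/* Decode with the hardened function and report the status only. */
int decode_status(const uint8_t *buf, size_t buflen)
{
    image_t img = {0};
    int rc = decode_image(buf, buflen, &img);
    free(img.pixels);
    return rc;
}

/* Decode and return pixel idx, or -1 if the file is rejected or idx is out of range. */
int decoded_pixel(const uint8_t *buf, size_t buflen, size_t idx)
{
    image_t img = {0};
    if (decode_image(buf, buflen, &img) != 0) return -1;
    int v = (idx < img.len) ? img.pixels[idx] : -1;
    free(img.pixels);
    return v;
}

/* Constructed samples: a valid 2x2 image, one whose declared payload
 * exceeds width*height, and one whose payload is truncated. */
const uint8_t sample_ok[]        = {2, 2, 4, 0, 0x10, 0x20, 0x30, 0x40};
const uint8_t sample_oversized[] = {2, 2, 8, 0, 1, 2, 3, 4, 5, 6, 7, 8};
const uint8_t sample_truncated[] = {2, 2, 4, 0, 0x10, 0x20};
```

The two checks in `decode_image` are the whole difference: the oversized sample is rejected because its declared length disagrees with the dimensions, and the truncated sample is rejected because the declared bytes are not there, so neither reaches `memcpy`. Real decoders carry far more fields and more places where such a mismatch can hide, which is why a library like libwebp is patched at the source rather than worked around by consumers.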
Malicious online advertising, also known as ‘malvertising’, has been around for years. Now it’s going pro. Several Israeli companies are developing exploits that target weaknesses in the technical mechanisms that bombard you with ads online, Haaretz reports, allowing attackers to track people and hack into their devices. The exploits take advantage of the online ad bidding process, where bots compete in real time for specific ad spaces on web pages. By exploiting the split second before an ad slot is filled, these companies have figured out how to show you an ad that allegedly contains “advanced spyware.” While there is no quick fix to stop the spread of this malware, there is one simple thing you can do to protect yourself: use an ad blocker.
European data regulators this week fined TikTok €345 million ($368 million) for violating laws regarding the privacy of underage users. Ireland’s Data Protection Commission (DPC) said the company breached GDPR by not making underage users’ accounts private by default. The DPC also says that TikTok’s “family linking” feature, which allows an adult to take control of a child’s account settings, does not guarantee that the adult with access to the feature is a parent or guardian. TikTok says it is opposing the fine because it updated its settings to make the accounts of anyone under 16 private by default before the investigation began.
It turns out that secretly interfering with the battle plans of an ally of the United States does not go over well in Washington. The US Senate Armed Services Committee has opened an investigation into Elon Musk’s decision not to enable Starlink satellite communications in Crimea ahead of a Ukrainian military attack on Russian forces. The move, first revealed in author Walter Isaacson’s new biography of Musk, also prompted several Democratic senators to send a letter to US Defense Secretary Lloyd Austin asking him to explain what actions the Department of Defense (DOD) has taken or plans to take to prevent “further dangerous interference” from Musk.
“SpaceX is a prime contractor and a critical industry partner for the [DOD] and the recipient of billions of dollars in taxpayer dollars,” the letter said. “We are deeply concerned about SpaceX’s ability and willingness to interrupt their service at the whim of Mr. Musk and for the purpose of shackling the self-defense of a sovereign country and thus effectively defending Russian interests.”
Even if you have an impeccable record, passing a background check can be one of the most stressful aspects of finding a new job or an apartment. We have some bad news: the information used to determine your eligibility may not be accurate. The U.S. Federal Trade Commission (FTC) this week announced a $5.8 million fine against background check providers TruthFinder and Instant Checkmate for “failing to ensure the greatest possible accuracy of their consumer reports,” a violation of the Fair Credit Reporting Act. The FTC claims the companies “made millions” by selling subscriptions that would alert people when a “criminal record” was found during their background check, “when the record was merely a traffic ticket.” The companies also showed “Remove” and “Mark as Inaccurate” buttons that the FTC says “did not work as advertised.”
The regulatory pushback against TruthFinder and Instant Checkmate comes just months after the companies confirmed a data breach. In January, hackers exposed the personal data of millions of customers by leaking an April 2019 database backup stolen from the companies.