Apple and Meta gave user data to hackers posing as police

“Ipsa scientia potestas est,” wrote the 16th-century philosopher and statesman Sir Francis Bacon in his 1597 work, Meditationes Sacrae. Knowledge itself is power. The aphorism, cliché as it may be, takes on a tangible truth in times of war.

Just ask the people of Mariupol, a city in southeastern Ukraine where Russia’s devastating attacks have disrupted the flow of information in and out of the city. Meanwhile, in Russia, the government banned Facebook and Instagram amid its crackdown on news without the state’s stamp of approval. But as we explained this week, building a fully branched Chinese-style network is much more difficult than the Kremlin would like to admit.

We further explored the power of information – and the power to keep information secret – this week with a look at a new idea to create digital money in the US – no, not Bitcoin or another cryptocurrency. Actual digital cash that, most importantly, has the same built-in privacy as the notes in your actual wallet. We also delved into the pitfalls of knowing where your kids and other loved ones are at all times through the use of tracking apps that you should probably stop using. And following last week’s approval of Europe’s Digital Markets Act, we’ve been analyzing the complex business of forcing encrypted messaging apps to work together as the law requires.

To wrap things up, we looked at some leaked internal documents that shed new light on the Lapsus$ extortion gang’s Okta hack. And we looked at how researchers used a decommissioned satellite to broadcast hacker TV.

But that’s not all, folks. Read below for the rest of the week’s top security stories.

In one of the more creative tricks we’ve seen recently, hackers reportedly tricked Apple and Meta into handing over sensitive user data, including names, phone numbers and IP addresses, Bloomberg reports. The hackers did this by using so-called emergency data requests (EDRs), which police use to access data when someone is potentially in immediate danger, such as a kidnapped child, and which do not require a judge’s signature. Civil liberties watchdogs have long criticized EDRs for being open to abuse by law enforcement, but this is the first time we’ve heard of hackers using the data privacy loophole to steal people’s data.

According to security journalist Brian Krebs, the hackers gained access to police systems to send the fraudulent EDRs, which, due to their urgent nature, are said to be difficult for tech companies to verify. (Apple and Meta both told Bloomberg they have systems in place to validate requests from police.) Adding another layer to the saga: Some of the hackers involved in these scams were later part of the Lapsus$ group, both Bloomberg and Krebs reported, which is back in the news this week for entirely different reasons.

Following the arrest and release last week of seven youths in the UK linked to the series of high-profile Lapsus$ hacks and extortion attempts, the City of London Police announced on Friday that they had charged two teenagers, a 16-year-old and a 17-year-old, in connection with the gang’s crimes. Each teenager faces three counts of unauthorized access to a computer and one count of fraud. The 16-year-old also faces “one count of causing a computer to perform a function to provide unauthorized access to a program,” police said. Due to strict privacy rules in the UK, the teenagers have not been named publicly.

Despite the narrative that Russia did not use its hacking prowess as part of its unprovoked war against Ukraine, mounting evidence suggests that this is not true. First, Viasat released new details about the attack on its network at the start of Russia’s war against Ukraine in late February, which knocked offline some Ukrainian military communications and tens of thousands of people across Europe. Viasat also confirmed an analysis by SentinelLabs, which found that the attackers used a modem wiper malware known as AcidRain. The researchers found that this malware may have “developmental similarities” to another piece of malware, VPNFilter, which US National Intelligence has linked to the Russian GRU’s Sandworm hacking group.

Then came the most significant cyberattack since Russia began its war. The State Service for Special Communication of Ukraine announced on Monday that state-owned ISP Ukrtelecom had suffered a “powerful” cyberattack on its core infrastructure. While the SSSC said Ukrtelecom was able to repel the attack and begin recovery, internet monitoring service NetBlocks said on Twitter that it witnessed a “connectivity collapse” across the country.

Internet-connected Wyze Cam cameras have been at risk for nearly three years thanks to a vulnerability that could have allowed attackers to remotely access videos and other images stored on the device’s memory cards. Such vulnerabilities are unfortunately not uncommon in IoT devices, including IP cameras specifically. However, the situation was particularly important because researchers from Romanian security firm Bitdefender have been trying since March 2019 to expose the Wyze vulnerability and force the company to issue a patch. It is not clear why the researchers did not publish the findings sooner to draw more attention to the situation, as is standard in vulnerability disclosure after three months. Wyze issued fixes for the flaw on January 29 for its V2 and V3 cameras. However, the company no longer supports its V1 camera, which is also vulnerable. The bug can be exploited remotely, but not directly on the open internet. Attackers must first compromise the local network the camera is on before targeting the Wyze vulnerability itself.

