A hacker group calling itself Solntsepek, previously linked to the infamous Russian military hacking unit Sandworm, took credit this week for a disruptive attack on the Ukrainian internet and mobile service provider Kyivstar. As Russia’s kinetic war against Ukraine has dragged on, inflicting what the World Bank estimates to be around $410 billion in recovery costs for Ukraine, the country has launched an official crowdfunding platform known as United24 as a means of raising awareness and rebuilding.
Kytch, the small company that aimed to fix McDonald’s notably often-broken ice cream machines, claims it has discovered a “smoking gun” email from the CEO of McDonald’s ice cream machine manufacturer that Kytch’s lawyers say suggests an alleged plan to undermine Kytch as a potential competitor. Kytch argues in a recent court filing that the email reveals the real reason why, a couple of weeks later, McDonald’s sent an email to thousands of its restaurant franchisees claiming safety hazards related to Kytch’s ice-cream-machine-whispering device.
WIRED looked at how Microsoft’s Digital Crime Unit has refined a strategy over the past decade that combines intelligence and technical capabilities from Microsoft’s massive infrastructure with creative legal tactics to disrupt both global cybercrime and state-backed actors. And we dove into the controversy over reauthorization of Section 702 surveillance powers in the US Congress.
And there’s more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.
Geofence warrants, which require tech companies to cough up data on everyone in a certain geographic area at a certain time, have become an incredibly powerful tool for law enforcement. Sending a geofence warrant to Google, in particular, has come to be seen as almost an “easy button” among police investigators, given that Google has long stored location data on users in the cloud, where it can be demanded to help police identify suspects based on the timing and location of a crime alone—a practice that has appalled privacy advocates and other critics who say it violates the Fourth Amendment. Now, Google has made technical changes to rein in that surveillance power.
The company announced this week that it would store location history only on users’ phones, delete it by default after three months, and, if the user does choose to store it in a cloud account, keep it encrypted so that even Google can’t decrypt it. The move has been broadly cheered by the privacy and civil liberties crowds as a long-overdue protection for users. It will also strip law enforcement of a tool it had come to increasingly rely on. Geofence warrants were sent to Google, for instance, to obtain data on more than 5,000 devices present at the storming of the US Capitol on January 6, 2021, but they have also been used to solve far smaller crimes, including nonviolent ones. So much for the “easy button.”
In a different sort of technical move to tighten users’ data protections, Apple has added new security features designed to make it harder for thieves to exploit users’ sensitive data and accounts. The Wall Street Journal had previously reported on how thieves who merely learned someone’s passcode—say, by looking over their shoulder—and then stole their phone could access their online accounts and even make payments to drain their bank balances. Apple has now created a Stolen Device Protection feature that, when enabled, will require you to use a biometric feature like Touch ID or Face ID to access certain accounts and phone features, in addition to the passcode that unlocks the phone. For the most sensitive features, like changing passwords or passcodes or turning off Find My, Apple will also force you to wait an hour and authenticate again if the phone isn’t in a location the user typically frequents.
The group of Chinese hackers known as Volt Typhoon has rung alarm bells across the cybersecurity industry all year with news of its intrusions targeting power grids and other critical infrastructure in the Pacific region and the US. A new report from The Washington Post offers fresh details of the disturbing mix of networks that the group has breached, including a water utility in Hawaii, an oil and gas pipeline, and a major West Coast port. The hackers haven’t actually caused any disruptions, nor have they penetrated the industrial control system side of their targets’ networks—the sensitive systems capable of triggering physical effects. But in combination with previous reports of Volt Typhoon’s work to plant malware inside electric utilities in the continental US and Guam, the report paints a picture of China’s escalating moves to prepare the groundwork for disruption in the event of a crisis, such as an invasion of Taiwan.
The notion that your iPhone or Amazon Echo is quietly listening to your conversations has long been one of the most paranoid suspicions of all technology users—bolstered, of course, by the targeted ads that are often so accurate that they seem to be pulled directly from verbal conversations. This week, that suspicion finally became more than an urban legend when 404 Media reported on an advertising company actively claiming that it can eavesdrop on conversations via those kinds of devices. The company, Cox Media Group (CMG), brags in its marketing materials that it’s already offering the technique to clients and “the ROI is already impressive.” It lists Amazon, Microsoft, and Google as alleged customers. But 404 Media couldn’t verify if the technique works as advertised—an enormous “if”—and CMG didn’t respond to 404 Media’s request for comment.