Sex, drugs, and … Eventbrite? A WIRED investigation published this week uncovered a network of spammers and scammers pushing the illegal sale of controlled substances like Xanax and oxycodone, escort services, social media accounts, and personal information on the event management platform. Making matters worse, Eventbrite’s recommendation algorithm promoted posts for opioids alongside addiction recovery events. The good news is, the company appears to have removed most of the more than 7,400 illicit posts WIRED uncovered.
If you drive a Tesla Model 3, make sure to enable your PIN-to-drive feature, or your car could be stolen within seconds. While the company has added new ultra-wideband radio tech to its keyless system, which can in principle prevent “relay attacks,” researchers at Beijing-based security firm GoGoByte found that Model 3s (as well as other unnamed makes and models of vehicles) are still vulnerable. In a relay attack, thieves use inexpensive radios to forward the short-range exchange between a car and its owner’s key fob or phone app over a longer distance, so the car believes the key is right beside it and unlocks and starts even though the owner is elsewhere. Tesla says its adoption of ultra-wideband radio was not meant to stop relay attacks (even though the technology technically could, since it can measure how long signals take to arrive and reject a key that appears too far away), but it’s possible the automaker will add that protection in the future.
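To make the relay point concrete, here is an added toy model (not code from WIRED, Tesla or GoGoByte; the protocol, key, timing constants and distance limit are all hypothetical) of a challenge-response keyless-entry exchange. It shows why correct cryptography alone does not stop a relay, and how a time-of-flight distance bound of the kind ultra-wideband ranging makes possible does, provided the car actually enforces it.

```python
"""
Toy model of a passive keyless-entry exchange, a relay attack against it,
and a time-of-flight distance bound of the kind ultra-wideband ranging enables.
Constructed example: the protocol, key, distance limit and relay latency are
hypothetical, not Tesla's or GoGoByte's.
"""
import hashlib
import hmac
import secrets

SPEED_OF_LIGHT_M_PER_S = 299_792_458
MAX_KEY_DISTANCE_M = 3.0  # hypothetical policy: key must be within 3 m of the car
# Round-trip flight-time budget for that distance, in nanoseconds (about 20 ns).
MAX_ROUND_TRIP_NS = 2 * MAX_KEY_DISTANCE_M / SPEED_OF_LIGHT_M_PER_S * 1e9


class KeyFob:
    """Answers car challenges with an HMAC over the nonce (hypothetical shared key)."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Car:
    def __init__(self, shared_key: bytes, distance_bounding: bool):
        self._key = shared_key
        self.distance_bounding = distance_bounding

    def try_unlock(self, channel) -> bool:
        """Challenge whatever is on the radio; return True if the car unlocks.

        `channel` takes the nonce and returns (response, round_trip_ns)
        as the car's own radio would observe them.
        """
        nonce = secrets.token_bytes(16)
        response, round_trip_ns = channel(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False  # wrong key: the cryptography catches this case
        if self.distance_bounding and round_trip_ns > MAX_ROUND_TRIP_NS:
            return False  # genuine answer, but it arrived too late to be nearby
        return True


def direct_channel(fob: KeyFob, distance_m: float):
    """Legitimate owner standing `distance_m` metres from the car."""
    def channel(nonce: bytes):
        rtt_ns = 2 * distance_m / SPEED_OF_LIGHT_M_PER_S * 1e9
        return fob.respond(nonce), rtt_ns
    return channel


def relay_channel(fob: KeyFob, relay_hop_ns: float):
    """Two attacker radios forward the exchange between the car and a distant fob.

    The relay never learns the key: it forwards the nonce to the real fob and
    the fob's genuine response back, adding `relay_hop_ns` of latency per
    direction for demodulation, re-transmission and the longer path.
    """
    def channel(nonce: bytes):
        response = fob.respond(nonce)  # nonce relayed to the fob, which answers honestly
        return response, 2 * relay_hop_ns  # answer relayed back through both radios
    return channel


def run_scenarios(relay_hop_ns: float = 500.0) -> dict:
    """Run owner, relay and wrong-key attempts against cars with and without a bound."""
    key = secrets.token_bytes(32)  # hypothetical shared secret
    fob = KeyFob(key)
    plain_car = Car(key, distance_bounding=False)
    uwb_car = Car(key, distance_bounding=True)
    return {
        "owner_plain": plain_car.try_unlock(direct_channel(fob, 1.0)),
        "relay_plain": plain_car.try_unlock(relay_channel(fob, relay_hop_ns)),
        "owner_uwb": uwb_car.try_unlock(direct_channel(fob, 1.0)),
        "relay_uwb": uwb_car.try_unlock(relay_channel(fob, relay_hop_ns)),
        "wrong_key_uwb": uwb_car.try_unlock(direct_channel(KeyFob(b"x" * 32), 1.0)),
    }


if __name__ == "__main__":
    for scenario, unlocked in run_scenarios().items():
        print(f"{scenario:>14}: {'UNLOCKED' if unlocked else 'refused'}")
```

The car without distance bounding unlocks for the relay because the HMAC it receives is genuine; the relay adds nothing the cryptography can see. The car with a bound refuses it because a real relay adds at least hundreds of nanoseconds per hop, while light covers the permitted three metres and back in about 20 nanoseconds. Two practical caveats: this check only helps if the car's firmware enforces it, which is the gap the article describes, and PIN-to-drive is an independent second factor that holds regardless of what the radio link does.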
Police busting people for running illicit online markets is nearly as old a tale as the dark web itself. But this week’s takedown offered a new twist. The FBI recently arrested Lin Rui-siang, a 23-year-old accused of operating Incognito Market, which authorities claim facilitated $100 million in sales of narcotics on the dark web. US prosecutors claim Lin then extorted Incognito’s users by threatening to expose them unless they paid up. Curiously, Lin’s professional experience includes teaching police how to catch cybercriminals by tracing cryptocurrency on blockchains. If the US Justice Department is correct about his alleged involvement in Incognito Market, that would make him one of the most unusual cybercriminals we’ve ever encountered.
Leaks don’t just impact people on the wrong side of the law, of course. An unsecured database recently exposed biometric data of police officers in India, including face scans, fingerprints, and more. The incident reveals the dangers of collecting sensitive biometrics in the first place.
Finally, the saga of WikiLeaks founder Julian Assange inched forward again this week, with a British court ruling that he can appeal his extradition to the US, where he faces 18 charges under the Espionage Act for WikiLeaks’ publication of classified US military information. The judges said that Assange can appeal US prosecutors’ assurances about how his trial would be conducted and on First Amendment grounds. The appeals process will inevitably push back any final decision about his potential extradition for months.
But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Following the trend of tech companies in the AI race throwing privacy and caution to the wind, Microsoft unveiled plans this week to launch a tool on its forthcoming Copilot+ PCs called Recall that takes screenshots of its customers’ computers every few seconds. Microsoft says the tool is meant to give people the ability to “find the content you have viewed on your device.” The company also claims to have a range of protections in place and says the images are stored only locally on an encrypted drive, but the response has been roundly negative nonetheless, with some watchdogs reportedly calling it a possible “privacy nightmare.” The company notes that an intruder would need the user’s password and physical access to the device to view any of the screenshots, but a locally stored record of everything that has appeared on screen is exactly the kind of evidence that can be seized or subpoenaed, which should rule out anyone with legal concerns ever adopting the system. Ironically, Recall’s description sounds eerily reminiscent of computer monitoring software the FBI has used in the past. Microsoft even acknowledges that the system takes no steps to redact passwords or financial information from the screenshots.
Federal authorities are reportedly working quietly to establish connections between antiwar demonstrators on US campuses and foreign groups or individuals overseas, according to journalist Ken Klippenstein, previously of the Intercept. He reports that the National Counterterrorism Center is leading the effort. Evidence of connections with overseas entities would provide more ammunition to politicians, university officials, and police, who have repeatedly blamed “outside agitators” for the protests, a claim that implies the protesters themselves are being manipulated rather than acting on their own. Notably, authorities may also sidestep constitutional restrictions on surveillance by designating a foreign subject, who is not protected by the Fourth Amendment, as the target. Meanwhile, Republican representatives Mark Green and August Pfluger have asked the FBI and Department of Homeland Security to provide congressional committees with information about government surveillance of the protesters, including any attempts to infiltrate them using “online covert employees or confidential human sources.”
The FBI has arrested a 42-year-old man from Wisconsin for using Stable Diffusion, a text-to-image AI model, to create child sexual abuse material. The man was allegedly found with “thousands of realistic images” of children, some depicting them nude or partially clothed with men. Court records show that the evidence includes more than 13,000 AI-generated images as well as the prompts he used to create them. “Using AI to create sexually explicit depictions of children is illegal, and the Justice Department will not hesitate to hold those who possess, produce, or distribute AI-generated child sexual abuse material accountable,” said Nicole Argentieri, head of the Justice Department’s Criminal Division, in a statement. The arrest is part of Project Safe Childhood, a partnership between the government and corporations aimed at targeting online offenders.
Security researchers told TechCrunch this week that they discovered consumer-grade spyware, often referred to as “stalkerware,” on the computers of “at least three” Wyndham hotels in the United States, putting travelers’ personal details at potential risk. The stalkerware, known as pcTattletale, can be installed on Android and Windows devices and gives whoever controls it access to data on the targeted device and the ability to monitor the user’s activity. According to the researchers, the infections came to light because of a security vulnerability in the spyware itself that leaked screenshots of infected devices to the public internet. Although the researchers found pcTattletale on Wyndham computers, the hotel company says that each of its locations operates as a franchise, suggesting that the infection could be confined to a few locations.