Roku Breach Affects 567,000 Users

After months of delays, the U.S. House of Representatives voted Friday to extend a controversial warrantless wiretapping program for two years. The program, known as Section 702, authorizes the U.S. government to collect the communications of foreigners abroad. That collection also sweeps in vast amounts of communications from U.S. citizens, which are stored for years and can later be searched without a warrant by the FBI, an agency that has heavily misused the program. An amendment that would have required investigators to obtain such a warrant failed.

A group of U.S. lawmakers unveiled a proposal Sunday that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data companies can collect and give U.S. citizens more control over the personal information collected about them. However, the passage of such a law is still a long way off: Congress has been trying to pass a national data protection law for years, but has so far failed.

Since there is no data protection law in the United States, you must take matters into your own hands. DuckDuckGo, the privacy-focused company known for its search engine, now offers a new product called Privacy Pro, which includes a VPN, a tool to remove your data from people-search sites, and a service to restore your identity if you become a victim of identity theft. You can also take steps to reclaim some of the data used to train generative AI systems. Not all systems on the market offer the option to disable data collection. However, we’ve put together an overview of the systems that make this possible and how you can keep your data away from AI models.

Data collection is not the only risk associated with AI advances. AI-generated scam calls are becoming more sophisticated and cloned voices sound eerily like real voices. However, there are precautions you can take to protect yourself from being scammed by someone using AI to sound like a loved one.

Change Healthcare’s ongoing ransomware nightmare appears to have gotten worse. The company was originally attacked by a ransomware gang called AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to open between AlphV and the affiliate hackers who say AlphV took the money and ran without paying the partners who helped carry out the attack. Now another ransomware group, RansomHub, claims it has terabytes of Change Healthcare data and is trying to extort the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the United States.

That’s not all. Each week we round up the privacy and security news that we haven’t covered in depth ourselves. Click on the headlines to read the full stories and stay safe out there.

Streaming video service Roku warned customers on Friday that 576,000 accounts had been compromised, a breach it discovered as part of its investigation into a much smaller breach it dealt with in March. Roku said that the hackers did not actually break into Roku’s own network through a security flaw, but rather carried out a “credential stuffing” attack, in which they tried users’ passwords that had been leaked elsewhere and thereby broke into accounts whose owners had reused those passwords. The company found that in fewer than 400 cases, hackers actually exploited their access to make purchases using the hijacked accounts. Still, the company is resetting users’ passwords and introducing two-factor authentication for all user accounts.
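The credential-stuffing pattern Roku describes looks different in authentication logs from a brute-force attack on one account: a single source tries one leaked password against many distinct accounts, so each account sees only one or two failures while the per-source count of distinct usernames climbs. The following Python detector, an added example that is neither Roku’s code nor part of the original article, runs that check over constructed log lines; the log format, the thresholds, the usernames and the IP addresses are all assumptions.

```python
"""Detect a credential-stuffing pattern in authentication logs.

Added example, not Roku's tooling. The assumed log format is one event per
line: "<ISO timestamp> <OK|FAIL> user=<name> ip=<source>". Thresholds are
assumptions a defender would tune to their own traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format). 203.0.113.7 sprays one password across
# many accounts and eventually succeeds on "gina" (a reused password);
# 198.51.100.9 is one user fumbling their own password; 192.0.2.5 is normal.
SAMPLE_LOG = """\
2024-04-12T10:00:01 FAIL user=alice ip=203.0.113.7
2024-04-12T10:00:05 OK user=hank ip=192.0.2.5
2024-04-12T10:00:09 FAIL user=bob ip=203.0.113.7
2024-04-12T10:00:17 FAIL user=carol ip=203.0.113.7
2024-04-12T10:00:20 FAIL user=bob ip=198.51.100.9
2024-04-12T10:00:25 FAIL user=dave ip=203.0.113.7
2024-04-12T10:00:33 FAIL user=erin ip=203.0.113.7
2024-04-12T10:00:41 FAIL user=frank ip=203.0.113.7
2024-04-12T10:00:50 FAIL user=bob ip=198.51.100.9
2024-04-12T10:00:49 OK user=gina ip=203.0.113.7
2024-04-12T10:01:30 FAIL user=bob ip=198.51.100.9
2024-04-12T10:02:10 OK user=bob ip=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")


@dataclass
class Event:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse_log(text):
    """Parse the assumed log format into chronologically sorted events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, result, user, ip = m.groups()
        events.append(Event(datetime.fromisoformat(ts), result == "OK", user, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """Flag sources whose failures within any `window` span at least
    `min_accounts` distinct usernames with at most `max_per_account` failures
    each. Returns {ip: report}; the report lists accounts that later logged in
    successfully from that source, the likely reused-password victims."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so that evs[start:end+1] all fall within `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            fails = defaultdict(int)
            for e in evs[start:end + 1]:
                if not e.ok:
                    fails[e.user] += 1
            # guard against an empty window (only successes) before max()
            if fails and len(fails) >= min_accounts \
                    and max(fails.values()) <= max_per_account:
                all_fails = defaultdict(int)
                for e in evs:
                    if not e.ok:
                        all_fails[e.user] += 1
                flagged[ip] = {
                    "distinct_accounts": len(all_fails),
                    "max_failures_per_account": max(all_fails.values()),
                    "successful_logins": sorted({e.user for e in evs if e.ok}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, report in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, report)
```

The single-account retries from 198.51.100.9 never reach the distinct-account threshold, so a legitimate user who forgot their password is not flagged, while the spray from 203.0.113.7 is, together with the account it eventually opened. A response built on this signal is the one Roku took: reset the affected accounts and require a second factor, rather than only blocking the source address, which an attacker can rotate.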

Apple sent email notices to users in 92 countries around the world this week, warning them that they had been targeted by sophisticated “mercenary spyware” and that their devices may have been compromised. The statement stressed that the company had “high confidence” in this warning and urged potential victims to take it seriously. An update to the support page advised anyone who receives the alert to contact the nonprofit Access Now’s Digital Security Helpline and to enable Lockdown Mode for future protection. Apple did not provide public information about who the targeted users are, where they are located, or who the attackers behind the campaign might be, but in its post it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking company NSO Group. In its public support post, the company wrote that it had warned users in a total of 150 countries about similar attacks since 2021.

April continues to be the cruelest month for Microsoft – or perhaps for Microsoft’s customers. Following a Cyber Safety Review Board report on Microsoft’s earlier breach by state-sponsored Chinese hackers, the Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive this week warning federal agencies that their communications with Microsoft may have been compromised by the group known as APT29, Midnight Blizzard, or Cozy Bear, which is believed to work on behalf of the Russian foreign intelligence service SVR. “Midnight Blizzard’s successful compromise of Microsoft companies’ email accounts and exfiltration of correspondence between government agencies and Microsoft poses a serious and unacceptable risk to government agencies,” CISA’s emergency directive states. As recently as March, Microsoft said it was still working to expel the hackers from its network.

As ransomware hackers look for new ways to pressure their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company it had targeted to threaten its employees verbally. Thanks to a human resources manager named Beth, this tactic ended up sounding about as threatening as a clip from an episode of The Office.

TechCrunch describes a recording of the conversation that a ransomware group calling itself Dragonforce posted on its dark web site in a misguided attempt to pressure the victim company into paying up. (TechCrunch did not identify the victim.) The call begins like any laborious attempt to reach the right person: the hacker dials the company’s publicly listed phone number and waits to speak to someone in “management.”

Finally, Beth answers the phone and a somewhat absurd conversation ensues as she asks the hacker to explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and terrorism by criminals,” Beth, completely unfazed, replies, “Oh, OK.” She then asks whether the data will be published on “Dragonforce.com”. At another point, she makes it clear to the increasingly frustrated hacker that recording her call is illegal in Ohio, and he responds, “Ma’am, I’m a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with a “Well, good luck,” to which the hacker replies, “Thanks, take care.”
