
Roku breach affects 567,000 users

After months of delays, the U.S. House of Representatives voted Friday to extend a controversial warrantless wiretapping program for two years. Known as Section 702, the program authorizes the U.S. government to collect the communications of foreigners abroad. But this collection also includes reams of communications from American citizens, which are stored for years and then accessed without a warrant by the FBI, which has grossly abused the program. An amendment that would require investigators to obtain such an order did not pass.

A group of US lawmakers on Sunday unveiled a proposal they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data companies can collect and give U.S. residents greater control over the personal information collected about them. However, passage of such legislation is still some way off: Congress has been trying to pass a national privacy law for years and so far has failed.

In the absence of a US privacy law, you’ll have to take matters into your own hands. DuckDuckGo, the privacy-focused company famous for its search engine, now offers a new product called Privacy Pro that includes a VPN, a tool to remove your data from people search websites, and a service to restore your identity if you are a victim of identity theft. There are also steps you can take to recover some of the data used to train generative AI systems. Not all systems out there offer the option to opt out of data collection, but we have a summary of those that do and how to keep your data out of AI models.

Data collection is not the only risk associated with AI advances. AI-generated scam calls are becoming more sophisticated, and cloned voices sound eerily like the real thing. But there are precautions you can take to protect yourself from being scammed by someone who uses AI to make themselves look like a loved one.

Change Healthcare’s current ransomware nightmare appears to have gotten worse. The company was originally attacked by a ransomware gang known as AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to grow between AlphV and affiliated hackers, who say AlphV took the money and fled without paying the other groups that helped carry out the attack. Now another ransomware group, RansomHub, claims it has terabytes of Change Healthcare data and is trying to extort money from the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the United States.

That’s not all. Each week, we round up the privacy and security news that we didn’t cover in depth. Click on the headlines to read the full stories and stay safe.

Video streaming service Roku warned its customers on Friday that 576,000 accounts had been compromised, a breach it discovered amid its investigation of a much smaller-scale intrusion it addressed in March. Roku said that instead of penetrating Roku’s own network through a security vulnerability, the hackers had carried out a “credential stuffing” attack in which they tested user passwords that had been leaked elsewhere, thus breaking into accounts where users had reused those passwords. The company noted that in fewer than 400 cases, hackers had leveraged their access to make purchases with the hijacked accounts. But the company is nonetheless resetting user passwords and is implementing two-factor authentication on all user accounts.
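The credential-stuffing pattern described above leaves a recognisable footprint in authentication logs: one source address trying many different account names in a short span, with a high failure rate and a handful of successes where a reused password happened to match. The following is an added example, not Roku’s code and not from the article, that scores each source address over constructed sample log lines in an assumed `timestamp ip username OK|FAIL` format and lists the accounts that succeeded from a flagged source, which are the ones a defender would reset and enrol in two-factor authentication, as Roku did.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not Roku's code, not from the article). Assumes a constructed
log format of one event per line: "<timestamp> <src_ip> <username> <OK|FAIL>".
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 sprays ten different accounts and lands two
# hits (the stuffing signature); 198.51.100.9 is one user mistyping a password.
SAMPLE_LOG = """\
2024-04-12T10:00:01Z 203.0.113.7 alice FAIL
2024-04-12T10:00:02Z 203.0.113.7 bob FAIL
2024-04-12T10:00:02Z 203.0.113.7 carol OK
2024-04-12T10:00:03Z 203.0.113.7 dave FAIL
2024-04-12T10:00:03Z 203.0.113.7 erin FAIL
2024-04-12T10:00:04Z 203.0.113.7 frank OK
2024-04-12T10:00:04Z 203.0.113.7 grace FAIL
2024-04-12T10:00:05Z 203.0.113.7 heidi FAIL
2024-04-12T10:00:05Z 203.0.113.7 ivan FAIL
2024-04-12T10:00:06Z 203.0.113.7 judy FAIL
2024-04-12T10:01:00Z 198.51.100.9 alice FAIL
2024-04-12T10:01:10Z 198.51.100.9 alice FAIL
2024-04-12T10:01:20Z 198.51.100.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")


def parse_log(text):
    """Turn raw log text into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, ip, user, result = match.groups()
        events.append((ts, ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that hit many distinct accounts with mostly failures.

    Thresholds are assumptions for the example; tune them to your traffic.
    Returns {ip: summary} where summary["compromised"] lists accounts that
    authenticated successfully from a flagged source.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "ok_users": set()})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["ok_users"].add(user)
        else:
            stats["failures"] += 1

    findings = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        # A single account failing repeatedly is a brute-force or a typo,
        # not stuffing; stuffing spreads attempts across many accounts.
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "attempts": stats["attempts"],
                "failures": stats["failures"],
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(stats["ok_users"]),
            }
    return findings


def accounts_to_reset(findings):
    """Union of accounts that succeeded from any flagged source."""
    names = set()
    for summary in findings.values():
        names.update(summary["compromised"])
    return sorted(names)


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in found.items():
        print(f"{ip}: {summary}")
    print("reset + enrol in 2FA:", accounts_to_reset(found))
```

The per-source counters only catch the noisy form of the attack; stuffing spread low-and-slow across many proxies will not trip a per-IP threshold, so in practice this is combined with per-account signals (new device, new geography, a password that appears in a known breach corpus) and with time windows rather than whole-log totals.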

Apple sent email notices to users in 92 countries around the world this week, warning them that they had been attacked by sophisticated “mercenary spyware” and that their devices could be compromised. The notice emphasized that the company had “great confidence” in this warning and urged potential hacking victims to take it seriously. In a status page update, Apple suggested that anyone who receives the warning contact the nonprofit Access Now’s digital security helpline and enable Lockdown Mode for future protection. Apple did not offer any information publicly about who the victims of the hack are, where they are located, or who the hackers behind the attacks might be, although in its blog post it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking company NSO Group. It wrote in its public support post that it has warned users in a total of 150 countries about similar attacks since 2021.

April continues to be the cruelest month for Microsoft, or perhaps for its customers. On the heels of a Cybersecurity Review Board report on the previous breach of Microsoft by Chinese state-sponsored hackers, the Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard, or Cozy Bear, which is believed to work on behalf of the Russian foreign intelligence agency SVR. “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and exfiltration of correspondence between agencies and Microsoft presents a serious and unacceptable risk to agencies,” CISA said in the emergency directive. In March, Microsoft said it was still working to kick the hackers out of its network.

As ransomware hackers look for new ways to intimidate their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company they had attacked to verbally threaten its staff. Thanks to a human resources manager named Beth, that tactic ended up sounding about as threatening as a clip from an episode of The Office.

TechCrunch describes a recording of the conversation, which a ransomware group calling itself Dragonforce posted on its dark website in a misguided attempt to pressure the victim company into paying up. (TechCrunch did not identify the victim.) The call begins like any tedious attempt to find the right person after calling a company’s public phone number, while the hacker waits to speak to someone in “management.”

Finally, Beth answers and a somewhat ridiculous conversation ensues as she asks the hacker to explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and terrorism by criminals,” Beth responds “Oh, okay,” in a tone that makes clear she is not at all impressed. She then asks if the data will be published on “Dragonforce.com.” At another point, she points out to the increasingly frustrated hacker that recording his call is illegal in Ohio, and he responds, “Ma’am, I’m a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with the hacker with a “Well, good luck,” to which the hacker replies, “Thanks, take care.”
