After months of delays, the US House of Representatives voted on Friday to extend a controversial warrantless wiretap program for two years. Known as Section 702, the program authorizes the US government to collect the communications of foreigners overseas. But this collection also includes reams of communications from US citizens, which are stored for years and can later be warrantlessly accessed by the FBI, which has heavily abused the program. An amendment that would require investigators to obtain such a warrant failed to pass.
A group of US lawmakers on Sunday unveiled a proposal that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data that companies can collect and give US residents greater control over the personal information that is collected about them. Passage of such legislation remains far off, however: Congress has attempted to pass a national privacy law for years and has thus far failed to do so.
Absent a US privacy law, you’ll need to take matters into your own hands. DuckDuckGo, the privacy-focused company famous for its search engine, now offers a new product called Privacy Pro that includes a VPN, a tool for having your data removed from people-search websites, and a service for restoring your identity if you fall victim to identity theft. There are also steps you can take to wrench back some of the data used to train generative AI systems. Not all systems out there offer the option to opt out of data collection, but we have a rundown of the ones that do and how to keep your data out of AI models.
Data collection isn’t the only risk associated with AI advancements. AI-generated scam calls are becoming more sophisticated, with cloned voices sounding eerily like the real thing. But there are precautions you can take to protect yourself from getting swindled by someone using AI to sound like a loved one.
Change Healthcare’s ongoing ransomware nightmare appears to have gotten worse. The company was originally targeted by a ransomware gang known as AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to grow between AlphV and affiliate hackers, who say AlphV took the money and ran without paying other groups that helped them carry out the attack. Now, another ransomware group, RansomHub, claims it has terabytes of Change Healthcare’s data and is attempting to extort the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the US.
That’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.
The streaming video service Roku warned customers Friday that 576,000 accounts had been compromised, a breach it discovered in the midst of its investigation of a far smaller-scale intrusion that it dealt with in March. Roku said that rather than actually penetrating Roku’s own network through a security vulnerability, the hackers had carried out a “credential-stuffing” attack in which they tried passwords for users that had leaked elsewhere, thus breaking into accounts where users had reused those passwords. The company noted that in less than 400 cases, hackers had actually exploited their access to make purchases with the hijacked accounts. But the company nonetheless reset users’ passwords and is implementing two-factor authentication on all user accounts.
Apple Notifies Users of Mercenary Spyware Infections
Apple sent notices via email to users in 92 countries around the world this week, warning them that they had been targeted by sophisticated “mercenary spyware” and that their devices may be compromised. The notice stressed that the company had “high confidence” in this warning and urged potential hacking victims to take it seriously. In a status page update, it suggested that anyone who receives the warning contact the Digital Security Helpline of the nonprofit Access Now and enable Lockdown Mode for future protection. Apple didn’t offer any information publicly about who the hacking victims are, where they’re located, or who the hackers behind the attacks might be, though in its blog post, it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking firm NSO Group. It wrote in its public support post that it’s warned users in a total of 150 countries about similar attacks since 2021.
CISA Warns Federal Agencies to Look Out for Russian Hackers Stealing Emails
April continues to be the cruelest month for Microsoft—or perhaps Microsoft’s customers. On the heels of a Cybersecurity Review Board report on Microsoft’s previous breach by Chinese state-sponsored hackers, the Cybersecurity and Infrastructure Security Agency (CISA) published a report this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard, or Cozy Bear, believed to work on behalf of Russia’s SVR foreign intelligence agency. “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said in the emergency directive. As recently as March, Microsoft said that it was still working to expel the hackers from its network.
When a Ransomware Hacker Calls a Victim Company’s Front Desk
As ransomware hackers seek new ways to bully their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company it had targeted to verbally threaten its staff. Thanks to one HR manager named Beth, that tactic ended up sounding about as threatening as a clip from an episode of The Office.
TechCrunch describes a recording of the conversation, which a ransomware group calling itself Dragonforce posted to its dark-web site in a misguided attempt to pressure the victim company to pay. (TechCrunch didn’t identify the victim.) The call starts like any tedious attempt to find the right person after calling a company’s publicly listed phone number, as the hacker waits to speak to someone in “management.”
Eventually, Beth picks up and a somewhat farcical conversation ensues as she asks that the hacker explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and for terrorism by criminals,” Beth responds “Oh, ok,” in an altogether unimpressed tone. She then asks if the data will be posted to “Dragonforce.com.” At another point, she notes to the increasingly frustrated hacker that recording their call is illegal in Ohio, and he responds, “Ma’am, I am a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with the hacker with a “Well, good luck,” to which the hacker responds, “Thank you, take care.”