Earlier this week, T-Mobile confirmed a data breach that affects at least 48 million people, a number that could rise further as the company continues its investigation. The dataset contains particularly sensitive information such as social security numbers, driver’s license details, and reportedly even the unique IMEI numbers associated with each smartphone. Not only that, but the vast majority of victims of the breach so far are not even T-Mobile customers; rather, they are former customers or potential customers who at some point requested credit from the carrier. A class action lawsuit has already been filed, although the arbitration clause in T-Mobile’s customer agreements may be an obstacle on the way to restitution.
We also examined a disturbing vulnerability in ThroughTek Kalay, a software development kit for a platform that powers tens of millions of Internet of Things video devices. That means baby monitors, security cameras, and so on. Researchers have shown how attackers could use the flaws to watch real-time video streams or shut them down with denial of service attacks. ThroughTek released an update in 2018 that provided ways to mitigate the attack, but gave no clear instructions on how or why customers should implement them.
Likewise, Google made some changes to Workspace, the cloud-based productivity software suite formerly known as G Suite, after a Google Docs worm in 2017 showed how vulnerable the platform was to crooks. But a security researcher has shown that it is still very possible for a dedicated hacker to abuse the system.
Dozens of civil rights groups have taken up arms against Apple’s controversial system, which would use some iPhones to help find child pornography. China has long been a propaganda powerhouse and recently turned its attention to the BBC, attacking various streams of information that go against the country’s interests. And we put together a quick guide on how to send disappearing messages in the most popular chat apps.
And there’s more! Each week, we collect all the security news that WIRED hasn’t covered in depth. Click on the headlines to read the full stories, and stay safe.
It’s been a big month for cryptocurrency theft! Last week it was Poly Network, which saw a hacker flee with more than $610 million in various digital coins before returning most of them. Now, apparently, it’s Liquid’s turn. The Japanese cryptocurrency exchange said this week that its “hot” wallets (those connected to the Internet, as opposed to “cold” wallets, which are not) were compromised in a hack that resulted in around $97 million worth of bitcoin, ethereum, and other coins being stolen. Liquid said it moved some assets into cold wallets in response, but the damage had been done.
Elliot Carter operates a site called WashingtonTunnels.com, which really lives up to its name. The “DC Underground Atlas” offers a detailed overview of the underground passages of the American capital. As you can imagine, this usually attracts a steady stream of enthusiasts rather than big spikes in traffic. That is, until a few days before rioters stormed the United States Capitol. Around this time, Carter told the DC-area NBC affiliate, he saw an increase in visitors from across the country, many from “anonymous bulletin boards, sites and forums named after militias or firearms, or using Donald Trump’s name.” Suspicious! Carter reported the activity to the FBI, and a few days later it happened.
The bad news is that hackers compromised the US Census Bureau in January 2020, in a preventable and possibly slightly embarrassing way. The good news, or at least the less bad news, is that these hackers didn’t get anywhere near the actual census results. But they gained access to the servers thanks to a vulnerability that software company Citrix disclosed a few weeks earlier, the day after a proof of concept for an exploit of the flaw was posted on GitHub. According to a timeline provided by the Office of Inspector General, the Census Bureau’s firewall prevented attackers from communicating with their command and control server after a few days, but it took the agency weeks to fully mitigate the intrusions.
Apple takes a notoriously tough line against leaks, deploying a team of investigators to limit the disclosure of company secrets and minimize the fallout. The company also apparently recruited at least one member of the community that trades in illicit Apple documents and hardware, according to a new report from Motherboard. The informant says he contacted Apple, rather than the other way around, but their relationship ultimately deteriorated. It’s worth reading to get a glimpse of both Apple’s anti-leak team and the people they’re trying to track down.