Roku data breach hits 567,000 users

After months of delays, the U.S. House of Representatives voted Friday to extend a controversial warrantless wiretapping program for two years. The program, known as Section 702, authorizes the U.S. government to collect the communications of foreign nationals abroad. But the collection also included large amounts of communications from U.S. citizens that were stored for years and could later be accessed without authorization by the FBI, which severely abused the program. An amendment that would have required investigators to obtain a search warrant for such access failed to pass.

A group of U.S. lawmakers on Sunday unveiled a proposal they hope will become the country’s first national privacy law. The U.S. Privacy Bill would limit the data companies can collect and give U.S. residents greater control over the personal information collected about them. However, passage of such legislation remains elusive: Congress has been trying to pass a national privacy law for years, but has so far failed.

Since there are no U.S. privacy laws, you’ll need to take matters into your own hands. DuckDuckGo, the privacy-focused company best known for its search engine, now offers a new product called Privacy Pro, which includes a VPN, a tool for removing data from people search sites, and a service to restore your identity if you become a victim of identity theft. There are also steps you can take to reclaim some of the data used to train generative AI systems. Not all systems offer the option to opt out of data collection, but we have listed the ones that do and explained how to exclude your data from AI models.

Data collection isn’t the only risk associated with advances in artificial intelligence. AI-generated scam calls are becoming increasingly sophisticated, with cloned voices sounding very similar to the real thing. But you can take some precautions to protect yourself from being scammed by those using artificial intelligence to impersonate loved ones.

Change Healthcare’s ongoing ransomware nightmare appears to be getting worse. The company was initially targeted in February by a ransomware gang called AlphV. But a rift appeared to open between AlphV and affiliated hackers after the hackers received a $22 million payment early last month, with the latter claiming that AlphV took the money and ran without paying other groups that helped them carry out the attack. Now, another ransomware group, RansomHub, claims to have terabytes of Change Healthcare’s data and is trying to blackmail the company. Service disruptions caused by ransomware attacks have impacted healthcare providers and their patients across the United States.

That’s not all. Each week, we round up privacy and security news that we don’t cover in depth ourselves. Click on the title to read the full story and stay safe.

Streaming video service Roku warned customers on Friday that 576,000 accounts had been compromised, a breach the company discovered while investigating a much smaller breach it dealt with in March. Roku said the hackers did not actually penetrate Roku’s own network through a security flaw, but instead conducted a “credential stuffing” attack, in which they tried passwords that had been leaked elsewhere to break into the accounts of users who had reused those passwords. The company noted that in fewer than 400 cases, hackers actually exploited their access to make purchases using hijacked accounts. But the company still reset user passwords and implemented two-factor authentication for all user accounts.

Apple this week sent a notification via email to users in 92 countries around the world, warning that they had been targeted by sophisticated “spyware for hire” and that their devices could be compromised. The notice stresses that the company has “a high degree of confidence” in the warning and urges potential hacking victims to take it seriously. In a status page update, it advised anyone who received the warning to contact nonprofit Access Now’s digital security helpline and enable lockdown mode for future protection. Apple has not publicly provided any information about who the hacking victims are, where they are located, or who the hackers behind the attack might be, although in its blog post it compared the malware to the sophisticated Pegasus spyware sold by Israeli hacking company NSO Group. It wrote in its public support post that since 2021 it has warned users in a total of 150 countries of similar attacks.

April remains the cruelest month for Microsoft, or its customers. Following the Cybersecurity Review Board’s report into previous attacks on Microsoft by Chinese government-backed hackers, the Cybersecurity and Infrastructure Security Agency (CISA) issued a report this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard or Cozy Bear, which is believed to work on behalf of Russia’s SVR foreign intelligence agency. “Midnight Blizzard successfully compromised Microsoft corporate email accounts and compromised communications between agencies and Microsoft, posing a serious and unacceptable risk to agencies,” CISA said in the emergency directive. As recently as March, Microsoft said it was still working to expel the hackers from its network.

As ransomware hackers look for new ways to coerce victims into giving in to ransom demands, one group has tried a novel approach by calling the front desk of its target company to verbally threaten its employees. Thanks to a human resources manager named Beth, the tactic ended up sounding as threatening as a clip from an episode of the show The Office.

TechCrunch describes a recording of a conversation that a ransomware group calling itself Dragonforce posted to its dark web site in an attempt to pressure victim companies into paying. (TechCrunch is not identifying the victim.) The call started out like any tedious attempt to find the right person after calling a company’s publicly listed phone number, as the hacker waited to speak to someone in “management.”

Eventually, Beth answered the phone, and a somewhat comical conversation ensued in which she asked the hacker to explain the situation. When he threatened to use the company’s stolen data for “fraudulent activities and criminal terrorism,” Beth responded “Oh, okay,” in a completely unimpressed tone. She then asked if the data would be posted to “Dragonforce.com”. Elsewhere, she pointed out to the increasingly frustrated hacker that recording their call is illegal in Ohio, to which he replied, “Ma’am, I’m a hacker. I don’t care about the law.” In the end, Beth refused to negotiate with the hacker, saying “Okay, good luck,” to which the hacker responded: “Thanks, take care.”
