Code used to encrypt sensitive radio communications around the world for years had major flaws that could be exploited by attackers, according to new research. Among the flaws: a secret backdoor.
A group of researchers from the Netherlands discovered multiple vulnerabilities in encryption algorithms used in the European radio standard TETRA, which is used in radio communications by police, critical infrastructure workers, mass transit and freight trains, and major government bodies. While the TETRA standard is public, the ciphers used to encrypt the communications were kept secret. One of the algorithms, known as TEA1, had a feature that reduces its 80-bit encryption down to just 32 bits—a backdoor, the researchers say, that made it vulnerable to eavesdropping and potentially other attacks.
The body that develops and maintains TETRA—the European Telecommunications Standards Institute—rejects the “backdoor” label, saying that the weakened encryption was implemented to abide by encryption export controls in place when it was released in the 1990s. Regardless of what you call it, ETSI has released a replacement for the TEA1 algorithm and fixed another major flaw that made communications vulnerable to interception.
In the world of AI-fueled chatbots, security researchers warn that third-party plug-ins for ChatGPT’s paid version could add a layer of risk to users’ data and potentially be abused by attackers. OpenAI, the creator of ChatGPT, says it maintains high security standards for the plug-ins listed on its website. But ultimately, the choice to use a plug-in largely depends on whether you trust the developer who made it.
Even if you trust someone online, however, there’s no guarantee that they are who you think they are. This week, we detailed the saga of a Twitter user who thought he was buying a Macbook from someone he knew but ended up sending $1,000 to a scammer who used a hacked Twitter account to pull off the swindle. Threat researchers got involved and ultimately traced the scammers’ real-life identities, then handed over what they found to police.
Finally, in Washington, DC, the National Security Agency has been quietly pushing members of the US Congress to abandon an amendment to the “must-pass” National Defense Authorization Act (NDAA) that would prevent military intelligence agencies like the NSA for buying commercially available data on US citizens. Even if the NSA’s lobbying is successful, it may be forced to keep up the fight as separate legislation is making its way through Congress that would ban the purchase of sensitive data far more broadly than the NDAA amendment.
But that’s not all. Each week, we round up security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Despite being released in 2009, the classic title Call of Duty: Modern Warfare 2 is still popular with a dedicated group of fans. Hundreds are still playing the game online. But on July 26, Activision, the game’s creator, announced it had taken the game on Steam offline while it was investigating “reports of an issue.” No further details were provided about the problem or why the game was pulled.
A report from TechCrunch sheds some possible light on the “issue.” Call of Duty players on the old game are being hit with malware that automatically spreads through multiplayer lobbies, according to the publication. Gamers appear to have posted about the malware, finding links to it on online code repositories, and claim it spreads through lobbies from one infected player to another. One anonymous source from the gaming industry said the malware appeared to be a worm.
According to TechCrunch it is unclear why the malware is spreading or what exactly the impact is on gamers. Valve, the owner of Steam, did not comment on the issue, according to the news website.
Public companies in the United States will soon have to report data breaches and hacking incidents four days after they deem an incident to have a “material” impact on their business. On Wednesday, the US Securities and Exchange Commission voted to introduce the regulations that require firms to disclose cyberattacks once they have determined it will disrupt its operations or finances. The disclosures must detail the “nature, scope, and timing” of the attack, as well as the potential impact it will have on the firm.
Former SEC rules required companies to disclose cyber incidents but did not impose any strict timeline on doing so. This can lead to firms waiting weeks or months to notify customers and lawmakers about data breaches and cyberattacks. A separate part of the new SEC rules also requires companies to detail their processes for “assessing, identifying, and managing material risks,” heaping extra public accountability on firms to make sure they’re taking security issues seriously. The rules will go into effect by no later than December.
Since Vladimir Putin started his full-scale invasion of Ukraine in February 2022, Russia’s internet censorship has become even more expansive. A new report this week from researchers at Citizen Lab, a research facility at the University of Toronto, shows how the country’s censors have clamped down on the social network VK, which is similar to Facebook. Russia’s government has been ordering VK to remove posts, videos, and accounts almost every day since the start of the war, the researchers found after reviewing court orders issued by the government.
There’s been a thirtyfold increase in censorship since the start of the war, Citizen Lab researchers found. In total, 94,942 videos, 1,569 community accounts, and 787 personal accounts are blocked in Russia, which has clamped down on independent media and blocked social media such as Facebook and YouTube as it looks to control the information people read and access within its borders.
At the end of May, Progress Software, the owner of the file transfer service MOVEit, released a patch for a vulnerability being exploited by the Russia-based ransomware gang Clop. The vulnerability allowed the cybercriminals to access MOVEit and steal data—with the attack impacting both direct users of the sharing service and some companies’ suppliers and vendors.
Analysis of state breach notification, SEC filings, Clop’s website, and public disclosures by cybersecurity firm Emisoft shows that, as of July 27, there are 518 reported victims. This includes more than 100 schools. And around 30 million individuals have had their data impacted, Emisoft says. Each day, the list of victims coming forward increases. Some of the most recent include Flutter, the owner of Poker Stars; Deloitte; Chuck E. Cheese; and US government service provider Maximus. More disclosures are expected.
More than a decade ago, Google faced a privacy backlash in Germany over its Google Street View cars taking pictures of people’s homes and illegally collecting data from people’s unsecured Wi-Fi networks. After 250,000 Germans told Google to blur pictures of their homes, and legal challenges, the company in 2011 stopped updating pictures of 20 major cities. That changed this week when Google announced that cars had been back in German cities since June and it is updating its images once again. “Times have changed,” Lena Heuermann, a Google spokesperson said, citing its own survey that 91 percent of respondents said they wanted Street View back in Germany. Hamburg’s data protection regulator said that Google publishing pictures it takes in public is legal and that people can request their homes be blurred.