Security News This Week: A Link to This Site Can (Technically) Land You in Russian Prison
When you run a major app, all it takes is one mistake to put countless people at risk. Such is the case with Diksha, a public education app run by India's Ministry of Education that exposed the personal information of around 1 million teachers and millions of students across the country. The data, which included things like full names, email addresses, and phone numbers, was publicly accessible for at least a year and likely longer, potentially exposing those impacted to phishing attacks and other scams.
Speaking of cybercrime, the LockBit ransomware gang has long operated under the radar, thanks to its professional operation and choice of targets. But over the past year, a series of missteps and drama have thrust it into the spotlight, potentially threatening its ability to continue operating with impunity.
Encrypting everything on your machine isn't just the domain of criminals, however. This week, we explained how to protect your files under digital lock and key on both macOS and Windows. Know what is just the domain of criminals? Money laundering, which a Chainalysis report published this week says is primarily facilitated by only five crypto exchanges, four of which helped scofflaws cash out $1.1 billion in 2022.
Billionaires like Elon Musk may have reason to celebrate. The flight-tracking platform ADS-B Exchange, which provided data for the @ElonJet account that tracked the Tesla and Twitter CEO's private plane, has sold out. The company is now owned by aviation intelligence firm Jetnet, which is owned by private equity. Fans of ADS-B, including the creator of @ElonJet, are now jumping ship on the assumption that the new owner will be more likely to bow to censorship requests from the likes of Musk and the Saudi royal family.
But that's not all. Each week we round up the stories we didn't cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.
As Russia's catastrophic invasion of Ukraine has unfolded over the past year, the Kremlin has also tightened its repression of domestic and Russian-language media to quash anti-war dissent. The latest victim of that crackdown is, by some measures, the top independent Russian news website: Meduza. On Thursday, the Russian government added Meduza to its list of "undesirable organizations," effectively outlawing any collaboration or promotion of the news outlet. The country's general prosecutor went so far as to write in a statement that Meduza "poses a threat to the foundations of the constitutional system and the security of the Russian Federation."
While Meduza has long been based in Latvia to shield it from Russia's media restrictions and retaliation, the new measure makes it a crime for anyone in Russia to work for the news outlet, speak to its journalists, post a link to its website, or even so much as "like" one of its social media posts. A first violation of those restrictions is a misdemeanor offense under Russian law, punishable by a fine, but repeated violations are a felony, with years in prison as a possible sentence.
While a prison term is perhaps unlikely for anyone not actively involved in the news organization's work--most violations of the law have so far resulted in a fine--Meduza has warned Russians and anyone traveling to Russia to be careful to delete social media posts in which they link to or promote its content. Regardless of how the law is enforced, its chilling effects will no doubt be significant, and the draconian ban on Meduza represents another small step in Russia's long, slow slide into totalitarianism.
The FBI announced this week that it had foiled the operations of one of the world's most prolific and disruptive ransomware groups, known as Hive, taking down its dark-web site and recovering decryption keys to unlock the systems of victims who were facing $130 million in total ransom demands. "We hacked the hackers," deputy US attorney general Lisa Monaco told reporters in a press conference. In previous years of its extortion-fueled cybercrime spree, Hive victimized more than 80 networks and collected over $100 million in ransom payments, according to the FBI. But working with numerous law enforcement agencies, including German and Dutch federal police, the FBI surreptitiously gained access to the group's systems, surveilling and ultimately disrupting them. Despite that win, no arrests were mentioned in the splashy announcement, signaling that--as is usual in ransomware cases--Hive's hackers are likely located in non-extradition countries beyond the reach of Western law enforcement.
The FBI officially pointed the finger at a usual suspect in the cryptocurrency world's ongoing plague of massive breaches and thefts: North Korea. In its investigation of a heist that stole $100 million in cryptocurrency last year, the Bureau accused two hacker groups long believed to be associated with the regime of Kim Jong Un, known as APT38 or Lazarus--the latter of which is sometimes used as a broader umbrella term for multiple North Korean hacker units. Those hackers targeted the Horizon "bridge" owned by US crypto firm Harmony, a system used to allow transfers from one cryptocurrency to another. Bridges have increasingly become lucrative targets for thieves, who have stolen hundreds of millions worth of digital currency from them in recent years. Aside from its name-and-shame announcement, the FBI also says some portion of the stolen currency was seized when the hackers attempted to launder it, and the agency pointed to crypto addresses where about $40 million of the stolen loot is still stored.
If Madison Square Garden didn't want a legal scandal from its experiment in using face recognition technology to spot people it sought to ban from its venue, perhaps it shouldn't have started by banning lawyers. Following revelations that MSG had used facial recognition to prevent attorneys from multiple firms involved in lawsuits against the venue from attending its events--and then enforced that ban with controversial facial recognition technology--New York attorney general Letitia James sent a letter to MSG's owners demanding more information about its surveillance practices. The letter, which suggests the ban on lawyers is meant to dissuade people from filing lawsuits against MSG, asked about the reliability of the facial recognition technology MSG is using and whether it had safeguards against bias. "Anyone with a ticket to an event should not be concerned that they may be wrongfully denied entry based on their appearance," James wrote in a statement, "and we're urging MSG Entertainment to reverse this policy."