Microsoft’s new AI calling tool could be a ‘privacy nightmare’

Sex, drugs and… Eventbrite? A WIRED investigation published this week uncovered a network of spammers and fraudsters pushing the illegal sale of controlled substances like Xanax and oxycodone, escort services, social media accounts and personal information on the event management platform. Making matters worse, Eventbrite’s recommendation algorithm promotes opioid posts alongside addiction recovery events. The good news is that the company appears to have removed most of the more than 7,400 illegal posts uncovered by WIRED.

If you’re driving a Tesla Model 3, make sure you’ve activated your PIN-to-drive feature or your car could easily be stolen in seconds. While the company has added new ultra-wideband radio technology to its keyless system that can prevent “relay attacks,” researchers from Beijing-based security firm GoGoByte found that Model 3s (as well as other unnamed vehicle makes and models) are still vulnerable. Relay attacks use cheap radios to transmit the signal from someone’s key fob or phone app, which can then be used to unlock and start a stricken vehicle. Tesla says the adoption of ultra-wideband radio wasn’t intended to stop relay attacks (although it technically could), but it’s possible the automaker could add that protection in the future.

Police arresting people for running illegal online marketplaces is almost as old a tale as the dark web itself. But this week’s removal offered a new twist. The FBI recently arrested Lin Rui-siang, 23, accused of running Incognito Market, which authorities say facilitated $100 million worth of drug sales on the dark web. US prosecutors allege Lin then blackmailed Incognito users by threatening to expose them unless they paid up. Curiously, Lin’s professional experience includes teaching police how to catch cybercriminals by tracking cryptocurrency on blockchains. If the US Department of Justice is correct about his alleged involvement with Incognito Market, it would make him one of the most unusual cybercriminals we’ve ever encountered.

Leaks don’t just affect people on the wrong side of the law, of course. An unsecured database recently exposed biometric data of police officers in India, including face scans, fingerprints, and more. The incident highlights the dangers of collecting sensitive biometric data in the first place.

Finally, this week the saga of WikiLeaks founder Julian Assange kicked off again with a British court ruling that he can appeal his extradition to the US, where he faces 18 charges under the Espionage Act for WikiLeaks’ publication of classified US military information. The judges said Assange could challenge assurances from US prosecutors about how his trial would be conducted on First Amendment grounds as well. The appeals process will inevitably delay any final decision on his potential extradition by months.

But that’s not all. Every week, we round up security and privacy news that we haven’t covered in depth. Click on the headlines to read the full stories. And stay safe out there.

Following the trend of tech companies in the AI race throwing privacy and caution to the wind, Microsoft revealed plans this week to release a tool on its upcoming Copilot+ PCs called Recall that takes screenshots of its customers’ PCs every few seconds. Microsoft says the tool aims to give people the ability to “find the content you’ve been watching on your device.” The company also claims it has a range of protections in place and says images are only stored locally on an encrypted drive, but the response has been flat-out negative, with some observers calling it a potential “privacy nightmare.” The company notes that an attacker would need a password and physical access to the device to see any of the screenshots, which should rule out the possibility of someone with legal issues adopting the system. Ironically, the description of Recall is eerily reminiscent of computer monitoring software used by the FBI in the past. Microsoft even admits that the system takes no steps to redact passwords or financial information.

Federal authorities are reportedly working quietly to establish links between anti-war demonstrators on American campuses and any foreign groups or individuals abroad, according to journalist Ken Klippenstein, formerly of the Intercept, who says the National Counterterrorism Center is at the center of efforts. The evidence of foreign ties will give additional ammunition to politicians, university officials and police, who have widely argued that “foreign agitators” are to blame for the demonstrations, a charge routinely leveled at protesters in the United States that is often meant to imply that the protesters themselves are frauds. Incidentally, authorities can also overcome constitutional obstacles to surveillance by identifying a foreign target to spy on; someone unprotected by the country’s Fourth Amendment. Republicans in Congress — Reps. Mark Green and August Pfluger — meanwhile asked the FBI and the Department of Homeland Security to provide congressional committees with records of government surveillance of protesters, including any attempts to infiltrate them by “online undercover agents or confidential human sources.”

The FBI has arrested a 42-year-old Wisconsin man for using Stable Diffusion, the artificial intelligence text-to-image generation software, to produce child sexual abuse material. The man was reportedly caught with “thousands of realistic images” of children, some depicting them naked or partially clothed with men. Court records show the evidence included more than 13,000 images from the AI generator, as well as the prompts it used to create the images. “Using AI to create sexually explicit images of children is illegal, and the Department of Justice will not hesitate to hold accountable those who own, produce or distribute AI-generated child sexual abuse material,” Nicole Argentieri, head of the Criminal department of the Ministry of Justice, said in a statement. The arrest is part of Project Safe Childhood, a collaboration between the government and corporations that reportedly targets online offenders.

Security researchers this week revealed to TechCrunch that they had discovered consumer spyware — commonly known as “stalkerware” — on the computers of “at least three” Wyndham hotels in the United States, potentially exposing travelers’ personal data. The stalkerware, called pcTattletale, can be installed on Android and Windows devices, allowing anyone in control of the nefarious app to access data on the target machine and monitor user activity. pcTattletale’s existence was discovered thanks to a security flaw in the spyware that showed screenshots of infected machines on the open Internet, according to researchers. Although the researchers found pcTattletale on Wyndham’s computers, the hotel company says each of its locations is a franchise, suggesting that the spyware infection may be limited to just a few locations.
