On Zoom conference calls across the US this week, brows furrowed as the news broke that the video conference company had a flaw in the local web server its Mac app quietly installs, one that could let any website a user visited drop them into a call with their webcam switched on. Worse, Zoom seemed at first unwilling to fix the problem. Thankfully, hours after the initial reports, Zoom backtracked and issued a new fix to solve the underlying vulnerability. You can go back to Zooming your brilliant brainstorms in peace, everyone.
According to a new report this week, a Magecart hacking group has been breaking into misconfigured Amazon Web Services S3 buckets, ones left writable to anyone, and planting card-skimming JavaScript in the files it found there. Because those scripts are served by more than 17,000 domains, the skimmer can harvest goodies like credit card numbers typed into checkout pages on some of the affected ecommerce sites.
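The root cause in that campaign is a bucket that lets the world write to it. A quick way to audit for that condition, as an added example that is not part of the article or the underlying report: the functions below take the ACL, bucket policy, and Public Access Block settings in the same shapes the AWS API returns them (as from `aws s3api get-bucket-acl`, `get-bucket-policy`, and `get-public-access-block`) and flag any grant that gives the AllUsers or AuthenticatedUsers group write access. The bucket name, owner ID, and both sample documents are constructed for illustration; the checker itself is plain Python and runs offline.

```python
"""Flag S3 bucket ACLs and policies that let anyone write objects.

Added example, not code from the article or the report it summarizes.
Input documents mirror what the S3 API returns; the samples are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
# ACL permissions that allow creating or replacing objects (or rewriting the ACL itself).
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that allow putting objects; wildcards are treated as writes.
WRITE_ACTIONS = {"s3:PutObject", "s3:*", "s3:Put*", "*"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def acl_public_write_grants(acl: dict) -> list:
    """Return (group URI, permission) pairs granting a public group write access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        if grant.get("Permission") in WRITE_PERMS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_write_statements(policy: dict) -> list:
    """Return Sids of Allow statements that grant object writes to everyone.

    Statements with a Condition are still flagged: a condition may narrow the
    grant (for example by source IP), but that needs a human review, not a pass.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if set(_as_list(stmt.get("Action", []))) & WRITE_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_write_findings(acl: dict, policy: dict = None, public_access_block: dict = None) -> list:
    """Combine ACL and policy findings, honoring S3 Block Public Access settings.

    IgnorePublicAcls makes S3 disregard public ACL grants; RestrictPublicBuckets
    limits a public bucket policy to principals inside the account.
    """
    pab = public_access_block or {}
    findings = []
    if not pab.get("IgnorePublicAcls", False):
        findings += [f"acl: {perm} to {uri.rsplit('/', 1)[-1]}"
                     for uri, perm in acl_public_write_grants(acl)]
    if policy and not pab.get("RestrictPublicBuckets", False):
        findings += [f"policy: {sid}" for sid in policy_public_write_statements(policy)]
    return findings


# Constructed sample documents (hypothetical bucket "example-assets").
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "FULL_CONTROL"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "PublicPut", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"},
    ],
}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(json.dumps(public_write_findings(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
    print(json.dumps(public_write_findings(SAMPLE_ACL, SAMPLE_POLICY, HARDENED_PAB), indent=2))
```

Run as-is, the first call reports both the world-writable ACL grant and the `PublicPut` statement; the second, with all four Block Public Access settings on, reports nothing, which is the state you want every bucket that serves JavaScript to be in. A public-read grant alone (the `PublicRead` statement) is not flagged, since it is the write path that lets a skimmer be planted.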
In other Amazon news, are you ready for Amazon Prime Day on Monday? Phishing scammers sure are. In fact, in the last few weeks scammers have pushed a whole phishing toolkit targeting Amazon customers. Beware.
Also this week, we explained how to keep your kids’ data safe online, and took a closer look at the scourge of credential dumping. We also reported that the window to rein in the risks of facial recognition is closing, so something needs to be done fast. Oh, and we brought you the story of teens taking to TikTok to make fun of the surveillance app ruining their summers.
But that’s not all. Every Saturday we round up the security and privacy stories we didn’t break or report on in depth, which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Few Silicon Valley companies are more secretive than surveillance software provider Palantir, co-founded by Peter Thiel. Exactly what the company does, how it makes so much money, and what it’s working on next is often shrouded in mystery. What is known is that Palantir’s surveillance software has become a backbone of US law enforcement, particularly Immigration and Customs Enforcement, which since 2014 has reportedly had contracts worth $41 million to $51 million a year with Palantir for access to the company’s tracking database and management software. Now, through a Freedom of Information Act request, VICE has gotten its hands on one of Palantir’s secret user manuals for law enforcement. The manual shows that with just the name of a person, law enforcement can use Palantir’s software to map that target’s family relationships and get their Social Security number, address, phone number, height, weight, and eye color. Add a license plate number, and Palantir’s system can often allow law enforcement to track where people have been during any period of time. Though much of this kind of information is available to law enforcement via separate means, VICE reports that Palantir’s system “aggregates and synthesizes” it in such a way as to give “law enforcement nearly omniscient knowledge over any suspect they decide to surveil.” As ICE prepares massive raids of immigrant families this weekend, the revealed Palantir system sheds light on how the government tracks down and finds people to arrest and deport.
No one has ever actively wanted a hair straightening iron that connects to the Internet of Things, but that didn’t stop UK-based company Glamoriser from making one. If you happened to buy the Blue Smart hair straightener from Glamoriser—perhaps not even realizing it had Bluetooth capability, because why would it?—then TechCrunch is sorry to report that anyone within Bluetooth range could totally seize your device, because it accepted commands without any pairing or authentication, and, well, change the temperature of the hot iron remotely, if they wanted to. Would they want to? Probably not. But then again, why would you ever want to control the temperature of the straightener from your phone, rather than from the device itself? Who knows! It’s a mystery!
Apple announced this week that it was disabling the push-to-talk Apple Watch Walkie Talkie app, after the company learned it let people eavesdrop on other people’s phones without permission. The tip came in through Apple’s bug-reporting portal, and Apple says it has no evidence that anyone actually took advantage of the vulnerability. Apple apologized for the bug and promised to “quickly fix the issue,” according to a statement reported by TechCrunch.
The Washington Post reports that Washington, DC’s local government paid $1.7 million to secure Donald Trump’s 4th of July military parade and fireworks display. That amount, DC Mayor Muriel E. Bowser said, has left the district’s special security fund empty. That account is intended to pay for security at events and rallies and for measures to protect against terrorism. In 2017, Trump’s inauguration reportedly cost the district $7.3 million in security expenses, which were also drawn from that same fund and never reimbursed. The mayor is requesting that the White House refill the district’s security coffers, arguing that it’s unprecedented and unfair for the district to pay for federal security with local tax money meant to protect residents of the District of Columbia.