Clearview AI’s Massive Client List Got Hacked
By WIRED Staff | Sat, 29 Feb 2020 14:00:00 +0000
Clever malware, student surveillance, and more of the week's top security news.
It was the RSA security conference in San Francisco this week, and the security industry descended on Moscone Center for days of handing out free stickers, demoing products, and presenting research. And the week was punctuated by fewer handshakes and more elbow bumps thanks to Covid-19. WIRED looked at research that North Korea is recycling Mac malware, and how it's indicative of booming malware reuse. Google researchers presented progress using deep learning to catch more malicious document attachments in Gmail.
Longtime vulnerability disclosure advocates Katie Moussouris and Chris Wysopal looked back on progress—as well as frustrating limitations—of disclosure today. And one hacker shared a story of sending his mother to break into a South Dakota prison. For research!
Outside of RSA, Nintendo has been cracking down on game leaks in recent months. A new tool called Dangerzone quarantines new PDFs you receive, combs them for anything sketchy, scrubs them, and spits out a safe version. And we looked at strategies for sharing online accounts like streaming accounts safely.
Plus, there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Soon after the Daily Beast reported that controversial facial recognition company Clearview AI's client list had been compromised in a breach, Buzzfeed shared details of who exactly was on that list. Among the thousands of listed organizations were law enforcement agencies, as you might expect, but also commercial entities like Best Buy and Macy's. Some of these groups only took a 30-day trial, rather than having an ongoing relationship. But Clearview's apparent pervasiveness troubles privacy advocates, who find both the company's opacity and its apparent willingness to share its technology far beyond the confines of law enforcement acutely troubling.
Cerberus malware has been around since last summer, but it's already picking up new tricks. Researchers at security firm ThreatFabric have observed that recent Cerberus samples appear capable of stealing two-factor authentication codes from Google Authenticator. The upgrade hasn't hit the version of Cerberus currently in use, but if it works it'll make it even easier for hackers to crack your bank account. If you're truly skittish, you've got plenty of 2FA options beyond Authenticator, a venerable but rarely updated app.
The NSA’s vast phone metadata collection, authorized under Section 215 of the Patriot Act, has been one of the most controversial practices in the intelligence agency’s history since it was exposed in 2013 by the leaks of Edward Snowden. But only now, a year after the program was officially ended, has the public learned not only the sweeping scope of that surveillance but also how expensive it was. A declassified study by the intelligence community’s Privacy and Civil Liberties Oversight Board shared with Congress this week revealed that the metadata program cost $100 million, and only on two occasions produced information that the FBI didn’t already possess. On one of those occasions, the investigation was dropped after the FBI looked into the lead. In the other case, the NSA’s findings led to an actual foreign intelligence investigation. For that one case, the report doesn't reveal the nature of the investigation or what may have resulted. Hopefully whatever happened, it was worth $100 million of taxpayer funds—and an enormous controversy that has tarnished the NSA’s reputation for years.
CNET took a close look this week at Inpixon, a company that provides technology that allows schools to keep track of students' locations to within a meter. The company touts its safety benefit, but the technology raises obvious surveillance concerns, especially given that the affected group is by definition minors. Its scanners pick up Wi-Fi, Bluetooth, and cellular signals from student smartphones, smartwatches, tablets, and more. And while it technically anonymizes the data, it's easy enough to pair that data with ubiquitous in-school camera systems to tie an individual to the activity.
The Justice Department this week announced the arrest of John Cameron Denton, an alleged former leader of the white supremacist group Atomwaffen Division, in connection with a series of swatting events between November 2018 and April 2019. (Swatting is the practice of calling 911 to report a serious crime at an address where none is occurring to get a heavily armed SWAT team to show up; it has gotten people killed, though not in the instances Denton is alleged to have participated in.) If convicted, Denton faces up to five years in prison.