This week, Twitter’s former head of security, Peiter “Mudge” Zatko, filed a whistleblower complaint against the company. The allegations, which Twitter disputes, claim that the social media company has multiple security flaws that it has not taken seriously. Zatko alleges that Twitter put an Indian government agent on its payroll and failed to patch the company’s servers and laptops. Among the claims, however, one stands out: the suggestion that Twitter engineers were able to access the company’s live software and had virtually untraceable access to its system.
In a privacy victory for America’s students, an Ohio judge has ruled that it is unconstitutional to scan students’ homes while they take remote tests. We also detailed the privacy flaw that threatens American democracy: The lack of federal privacy protections means that mass surveillance systems could be used against citizens in new ways.
Elsewhere, as Russia’s full-scale invasion of Ukraine reaches the six-month mark, military forces are increasingly turning to open source data to support their efforts. Indian police are using facial recognition with very low accuracy rates: The technology is being widely used in Delhi, but it could be throwing up a lot of false positives. And we dove deep (maybe too deep) into how four high school students hacked into 500 cameras in their schools, in six locations, and caught thousands of students and teachers. It was an elaborate graduation prank.
And there’s more. Each week, we highlight the news we didn’t cover in depth. Click on the headlines below to read the full stories. And stay safe out there.
Ever since Russian-backed trolls flooded Facebook and Twitter with disinformation surrounding the 2016 US election, social media companies have improved their ability to crack down on disinformation networks. Companies often take down propaganda accounts linked to authoritarian states, such as Iran, Russia and China. But Western disinformation efforts are rarely discovered and exposed. This week, the Stanford Internet Observatory and social media analytics firm Graphika detailed a five-year operation pushing pro-Western narratives. (The investigation follows the removal of a number of accounts by Twitter, Facebook and Instagram from their platforms for “coordinated inauthentic behavior.”)
Propaganda accounts used memes, fake news websites, online petitions and various hashtags in an attempt to push pro-Western views and were linked to overt and covert influence operations. The accounts, some of which appear to use AI-generated profile pictures, targeted internet users in Russia, China and Iran, among other countries. Investigators say the accounts “strongly criticized” Russia after its large-scale invasion of Ukraine in February and also “promoted messages against extremism.” Twitter said the activity it saw likely originated in the US and UK, while Meta said it was in the US.
Many of the techniques used by the online influence operation appear to mimic Russian-backed accounts used in the run-up to the 2016 election. However, Western influence operations are likely to be less successful. “The vast majority of posts and tweets we reviewed received no more than a handful of likes or retweets, and only 19 percent of the covert assets we identified had more than 1,000 followers,” the researchers say.
In recent years, Charming Kitten, a hacking group linked to Iran, has been known for its “aggressive and targeted phishing campaigns.” These phishing efforts aim to gather usernames and passwords for people’s online accounts. This week, Google’s Threat Analysis Group (TAG) detailed a new hacking tool used by Charming Kitten that is capable of downloading people’s entire email inboxes. Called Hyperscrape, the tool can steal people’s details from Gmail, Yahoo and Microsoft Outlook. “The attacker runs Hyperscrape on his own machine to download victims’ inboxes using pre-acquired credentials,” TAG says in a blog post. The tool can also open new emails, download their contents and mark them as unread, so as not to raise suspicions. So far, Google says it has seen the tool used against fewer than two dozen accounts belonging to people based in Iran.
Password management company LastPass says it’s been hacked. “Two weeks ago, we detected unusual activity within parts of the LastPass development environment,” the company wrote in a statement this week. LastPass says an “unauthorized party” was able to access its development environment through a compromised developer account. While the hacker (or hackers) were inside LastPass’s systems, they took some of its source code and “technical information proprietary to LastPass,” the company said in its statement. It has not detailed which elements of its source code were taken, making it difficult to assess the severity of the breach. However, the company says that customer passwords and data were not accessed; there is nothing LastPass users need to do in response to the hack. Despite this, the incident is likely to be a headache for LastPass’s technical teams. (It’s also not the first time LastPass has been targeted by hackers.)
The head of communications at crypto exchange Binance claims that scammers created a fake version of him and used it to trick people into attending business meetings on Zoom calls. In a blog post on the company’s website, Binance’s Patrick Hillmann said several people had messaged him about his time. “It turns out that a sophisticated hacking team used past news interviews and TV appearances over the years to create a ‘deepfake’ of me,” Hillmann wrote, adding that the alleged deepfake was “refined enough to dupe several highly intelligent members of the crypto community.” Neither Hillmann nor Binance has released any images showing the claimed deepfake. Since deepfakes first appeared in 2017, there have been relatively few incidents of fake video or audio impersonating people. (The vast majority of deepfakes have been used to create non-consensual pornographic images.) However, recent reports say that deepfake scams are on the rise, and in March of last year the FBI warned it expected an increase in malicious deepfakes in the next 12 to 18 months.