A new jailbreak for John Deere tractors, demonstrated at the Defcon security conference in Las Vegas last Saturday, highlighted the strength of the right to repair movement as it continues to gain momentum in the United States . Meanwhile, researchers are developing expanded tools to detect spyware on Windows, Mac and Linux computers as malware continues to proliferate.
WIRED this week took an in-depth look at the Posey family who used the Freedom of Information Act to learn about the US Department of Defense and promote transparency — and make millions in the process. And researchers have discovered a potentially critical flaw in the Department of Veterans Affairs’ VistA electronic medical records system that has no easy fix.
If you need digital security and privacy projects this weekend for your own protection, we have tips on how to create a secure folder on your phone, how to set up and use the app in the safest way. Signal Encrypted Messaging and Android Privacy 13 setup tips to keep your data exactly where you want it and nowhere else.
And there’s more. Each week, we highlight news that we haven’t covered in depth ourselves. Click on the titles below to read the full stories. And stay safe there.
Janet Jackson’s classic “Rhythm Nation” may be from 1989, but it’s still blowing up the charts and some hard drives. This week, Microsoft shared details of a vulnerability in a widely used 5400 RPM laptop hard drive sold circa 2005. Just playing “Rhythm Nation” on or near a laptop vulnerable, the drive can fail and take his laptop down with it. Spinning disc hard drives have been increasingly phased out in favor of solid-state drives, but they still persist in a host of devices around the world. The defect, which has its own CVE Vulnerability Tracking Number, is due to “Rhythm Nation” inadvertently producing one of the natural resonant frequencies created by the movement of the hard drive. Who wouldn’t vibrate strong with such a classic jam? Microsoft claims that the manufacturer that made the discs developed a special filter for the audio processing system to detect and cancel the frequency as the song plays. Audio hacks that manipulate speakers, retrieve leaked vibration information, or exploit resonant frequency vulnerabilities are not often uncovered in research, but are an intriguing area.
When cloud services company Twilio announced last week that it had been hacked, one of its customers that suffered repercussions was secure messaging service Signal. Twilio powers Signal’s device verification service. When a Signal user registers a new device, Twilio is the provider that sends the SMS with a code that the user must put into Signal. Once they compromised Twilio, attackers could initiate a Signal device swap, read the code from the text message sent to the true owner of the account, and then take control of the Signal account. The secure messaging service said hackers targeted 1,900 of its users and explicitly sought three of them. Among this small subset was the Signal account of Motherboard security reporter Lorenzo Franceschi-Bicchierai. Signal is designed so attackers couldn’t have seen Franceschi-Bicchierai’s message history or contacts compromising his account, but they may have impersonated him and sent new messages from his account .
TechCrunch published a investigation in February in a group of spyware applications that all share backend infrastructure and expose target data due to a common vulnerability. The apps, which include TheTruthSpy, are invasive to begin with. But they also inadvertently expose the phone data of hundreds of thousands of Android users, TechCrunch reported, due to an infrastructure vulnerability. This week, however, TechCrunch released a tool that victims can use to check if their devices have been compromised by the spyware and regain control. “In June, a source provided TechCrunch with a cache of files extracted from TheTruthSpy’s internal network servers,” TechCrunch’s Zack Whittaker wrote. “This file cache included a list of all Android devices that were compromised by one of TheTruthSpy’s network spyware apps up to April 2022, when the data was presumably cleared. The leaked list does not contain enough information for TechCrunch to identify or notify owners of compromised devices. That’s why TechCrunch created this spyware scanner.
Domain Logistics, a distribution company that works with the Ontario Cannabis Store (OCS) in Canada, was hacked on August 5, limiting OCS’s ability to process orders and deliver cannabis products to stores and to Ontario customers. OCS said there was no evidence that customer data was compromised in the attack on Domain Logistics. OCS also says cybersecurity consultants are investigating the incident. Ontario customers can order online from OCS, which is supported by the government. The company also distributes to the approximately 1,330 licensed cannabis stores in the province. “Out of an abundance of caution to protect OCS and its customers, the decision has been made to close Domain Logistics’ operations until a full forensic investigation can be completed,” OCS said in a statement.