Lorenzo Franceschi-Bicchierai

8.6K Followers
1.8K Following
1.3K Posts

Real-time cyber historian of the late capitalist era @TechCrunch, writing about the intersection of hackers, human rights, and spies.

Also writing a book about Hacking Team and the history of government spyware.

Posts about infosec, surveillance by day. 🍕, ⚽️, 🎸, 🎮 by night. 


☎️ Signal: +1 917 257 1382

💻 Keybase/Telegram: @ lorenzofb

✉️ [email protected]


Previously: VICE Motherboard, Mashable, WIRED's Danger Room.

Twitter: https://twitter.com/lorenzofb
Personal Site: https://lorenzofb.com
Pronouns: He/him
Searchable via: tootfinder
TechCrunch: https://techcrunch.com/author/lorenzo-franceschi-bicchierai/

NEW: Cybersecurity researchers are not happy about the guardrails on Anthropic’s new model Fable.

Researchers say that the new LLM basically blocks anything related to cybersecurity, including code reviews and prompts asking for help writing secure code.

“[Fable] rejects any request that could be tangentially cyber related. Even innocuous tasks like reading a blog post,” said one researcher.

https://techcrunch.com/2026/06/10/cybersecurity-researchers-arent-happy-about-the-guardrails-on-anthropics-fable/

Cybersecurity researchers aren't happy about the guardrails on Anthropic's Fable | TechCrunch

Cybersecurity researchers are complaining that Anthropic's new model Fable has guardrails that are too strict for any cybersecurity work.

TechCrunch

New, by me: ServiceNow appears to have notified some enterprise customers that there was outside access to their data, after a security bug left instances exposed to the web.

The company has hidden its notice behind a login wall, but it was shared by network defenders on Reddit.

https://techcrunch.com/2026/06/10/servicenow-tells-customers-a-bug-left-some-of-their-data-exposed-to-the-internet/

ServiceNow tells customers a bug left some of their data exposed to the internet | TechCrunch

ServiceNow is used by thousands of enterprises to automate their internal processes, but says several customers had data accessed because of a security bug.


NEW: WhatsApp said it caught and disrupted a new hacking campaign by NSO Group against its users.

The Meta-owned messaging giant said this phishing campaign violates a court decision that ordered NSO to stop targeting WhatsApp and its users. WhatsApp is seeking to hold NSO in contempt of court because of this violation.    

https://techcrunch.com/2026/06/08/whatsapp-says-it-caught-new-spyware-attacks-linked-to-nso-group-in-violation-of-court-order/

WhatsApp says it caught new spyware attacks linked to NSO Group in violation of court order | TechCrunch

The messaging giant announced that it disrupted a phishing campaign targeting its users with NSO’s spyware.


NEW: A former cybersecurity executive turned whistleblower accused IBM of getting breached three times and trying to cover up the hacks.

IBM was “routinely hacked by foreign state actors and others,” and data was frequently stolen and government agencies were “never notified,” he said in a lawsuit.

http://techcrunch.com/2026/06/05/former-cyber-executive-turned-whistleblower-accuses-ibm-of-covering-up-several-data-breaches/

Former cyber executive turned whistleblower accuses IBM of covering up several data breaches | TechCrunch

IBM and two of its subsidiary companies were allegedly breached during the mid-2010s — a lawsuit filed by a former cybersecurity executive accuses IBM of not disclosing and actively covering it up.


NEW: Google and the FBI say they have seen a ransomware gang send people pretending to be IT support to victims' offices, where they use USB drives to steal data.

The hackers mix this tactic with traditional email and voice phishing attacks to pilfer information and then threaten and extort victims.

“In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data,” the hackers wrote to one victim, according to Google. 

http://techcrunch.com/2026/06/05/google-and-fbi-warn-of-ransomware-group-that-sends-fake-it-workers-to-hack-victims-in-person/

Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person | TechCrunch

Cybercriminals, part of a gang known as Silent Ransom Group, have sent people pretending to be IT support employees to law firms' offices, where the criminals have stolen data using USB drives or remote access tools.


You know things are bad when Chinese spies are *also* spending their entire day on LinkedIn.

https://techcrunch.com/2026/06/04/chinese-spies-are-using-linkedin-to-lure-westerners-into-sharing-sensitive-information/

Chinese spies are using LinkedIn to lure Westerners into sharing sensitive information | TechCrunch

The advisory warns that Chinese spies are using public job search platforms to recruit people with access to non-public information.


Andy Boyd, the CEO of Red Lattice (the company that now owns spyware maker Paragon), went on the Risky Business podcast this week.

The host Patrick Gray asked Boyd about the contract that the company signed with ICE.

To me the most interesting part is when Boyd said that Red Lattice/Paragon: "...only sell to countries that adhere to their rule of law ... for conducting legitimate missions that fall under the laws of whatever country that may be in."

Here is the whole exchange. (starts at ~18:00)

https://www.youtube.com/watch?v=AOQETNsmTEU&t=1191s

—PATRICK: 
Now we're actually on to something that is somewhat relevant to your day job, Andy, because we've got a story here from 404 Media where they are suing the US government, or they're suing ICE to get its spyware contract with Paragon.

I guess this is interesting for a couple reasons, right?

I understand that ICE is extremely unpopular in the United States, and in my opinion, quite reasonably so, given some of the stuff that they've been doing on the streets of the United States. They've earned some scrutiny, in my opinion.

But I think also we've got to remember that Homeland Security Investigations is a division of ICE. So the idea that Homeland Security Investigations might want this sort of software is entirely reasonable.*

So just reading from HSI's website, "It is the principal investigative component of DHS and is responsible for investigating, disrupting and dismantling transnational criminal organizations and terrorist networks that threaten or seek to exploit the customs and immigration laws of the United States."

So if I had to bet, it would be dollars to donuts that that is the sort of use that, you know, HSI is using it for that sort of thing, not just deploying spyware onto the devices of people who are suspected of entering the United States without prior approval.

Now, we have you here. So I figured I wanted to ask you about this report to see if you've got anything to say because we have had your company come out and make statements along the lines of, well, we don't actually have a relationship with ICE because that means, well, maybe a contract expired and then we've had now suspicions from other quarters of the media "Oh, well, perhaps they're accessing this technology through a third party."*

We've got you here. Do you have anything you can share with us on this?

—BOYD:
Yes, I guess I'm going to violate my rule of "I'm just a friend of Patrick." So for this one question.

Yes, as the CEO of Red Lattice, I'm not going to comment on specific customers, whether or not we have said specific customers.

But what I will say is that Red Lattice has a very specific policy on evaluating our customers before we sign any contract with them. This is something that is in the public domain. 

You Google the HSI writeup, our policies and how we go about evaluating potential customers. We only sell to liberal democracies, we only sell to countries that adhere to their rule of law. We sell to legitimate intelligence, military, and law enforcement authorities for conducting legitimate missions that fall under the laws of whatever country that may be in and that applies to the United States government as well.

—PATRICK:
Yeah and I mean we should say too that this is a two million dollar contract which in the context of this industry is tiny. I mean can you say — would you acknowledge that?

—BOYD:
I would acknowledge that any one of us, you, me, or James would be happy to have two million dollars at any time of day, but for a large company that may or may not be working with a government as big as the US government, that would be a fairly small contract, yes.

—PATRICK:
Yeah, yeah. And I mean, I think we would point out too that there was some controversy around Paragon, the use of Paragon technology in Italy. I think where that ended up is you gave them the old heave-ho, didn't you?

—BOYD:
Yeah, I'm not going to, again, that speaks to a very specific customer that is in the public domain. I think, Patrick, your inferences may be correct, but I'm not going to comment anymore on that one.

Risky Business Weekly (840): Microsoft walks back researcher threats

YouTube

Worth listening to this 404 Media podcast about this hacking campaign. Really explains well just how crazy this hacking campaign is, and how bad it is in the context of having AI do sensitive stuff.

https://www.youtube.com/watch?v=MsAtXST87pk

And this point by Dino Dai Zovi is also very important:

https://x.com/dinodaizovi/status/2061786225330061811

New: Wearable health-tech startup Ultrahuman said hackers gained unauthorized access to customers’ wellness data after stealing an employee’s credentials through malware.

https://techcrunch.com/2026/06/03/ultrahuman-says-hackers-accessed-customers-wellness-data-via-internal-tool/

Ultrahuman says hackers accessed customers' wellness data via internal tool | TechCrunch

The breach at wearable ring maker Ultrahuman stemmed from credentials stolen from a malware-infected employee laptop.


NEW: Instagram is notifying victims of the massive hacking campaign that relied on asking the Meta AI support chatbot to hand over control of accounts.

It appears that the hacks continued on Tuesday, even though an Instagram spokesperson said on Monday that “the issue has already been fixed.”

https://techcrunch.com/2026/06/03/instagram-is-alerting-users-who-were-targeted-by-hackers-during-ai-chatbot-attacks/

Instagram is alerting users who were targeted by hackers during AI chatbot attacks | TechCrunch

Hackers appeared to take over victims’ accounts even after Meta said it fixed its AI-powered support chatbot, which granted hackers access to victims’ accounts.
