Democratic Lawmakers to Google: Stop Collecting Location Data That Imperils Abortion Seekers

Hacker releases heartbreaking images of Chinese camps, Ransomware attack delays flights at Indian airline, DuckDuckGo creates carve-out for Microsoft ad data, Zoom fixes four flaws and much more

May 25

Google sign — Photo by Pawel Czerwinski on Unsplash

More than 40 Democratic members of Congress, led by Senator Ron Wyden (D-OR), sent a letter to Sundar Pichai, the CEO of Google parent Alphabet Inc., asking him to stop what they see as Google’s unnecessary collection and retention of people’s location data. They argue that anti-choice actors could use the information to identify women seeking abortions.

The lawmakers expressed concern that if abortion were to become illegal in the U.S., the company’s “current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care.” But to date, tech companies have tried mainly to stay out of the impending repeal of reproductive healthcare rights that will be ushered in when the Supreme Court overturns its landmark Roe v. Wade decision. (Barbara Ortutay / Associated Press)

Evan Greer @evan_greer

BREAKING: More than 40 lawmakers just sent a letter to Google demanding that they stop unnecessarily collecting troves of location data that can and will be used to target people seeking abortions if Roe v Wade is overturned

Democrats: Google must protect privacy of abortion patientsMore than 40 Democratic members of Congress are asking Google to stop what they see as the unnecessary collection and retention of people’s location data, arguing the information could be used to identify women seeking abortions.apnews.com

Thousands of photographs from the heart of China’s highly secretive system of mass incarceration in Xinjiang, as well as a shoot-to-kill policy for those who try to escape, are among a massive cache of data called the Xinjiang Police Files hacked from police computer servers in the region. An anonymous source claims to “have hacked, downloaded and decrypted the files from a number of police computer servers in the Xinjiang region.”

The cache reveals, in unprecedented detail, China’s use of “re-education” camps and formal prisons as two separate but related systems of mass detention for Uyghurs - and seriously calls into question its well-honed public narrative about both. (John Sudworth / BBC News)

Sean Lyngaas @snlyngaas

US Ambassador to UN weighs in on the hacked Xinjiang police files

Ambassador Linda Thomas-Greenfield @USAmbUN

Horrified by the Xinjiang Police Files, which spotlight China's mass incarceration of Uyghurs and other ethnic and religious minorities. @mbachelet and @UNHumanRights must take a hard look at these faces and press Chinese officials for full, unfettered access – and answers. https://t.co/ZkpbfA7ZvJ

An attempted ransomware attack on India’s Spice Airlines delayed flights at the Delhi, Jaipur, and Kanpur airports.

Spicejet acknowledged the attempted attack but said the situation had been rectified and flights are operating normally now. (India Today)

SpiceJet @flyspicejet

#ImportantUpdate: Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation and flights are operating normally now.

Security researcher Zach Edwards found hidden limits on privacy-oriented browser DuckDuckGo’s (DDG) tracking protection that creates a carve-out for specific advertising data requests by its search syndication partner, Microsoft.

Edwards tested browser data flows on a Facebook-owned site, Workplace.com, and found that while DDG informed users it had blocked Google and Facebook trackers, it did not prevent Microsoft from receiving data flows linked to their browsing on the non-Microsoft website. The limitation on DDG’s browser’s tracker blocking amounts to an exemption from protection against certain advertising data transfers to Microsoft subsidiaries, including Bing and LinkedIn, to undermine DDG browser users’ privacy. (Natasha Lomas / TechCrunch)

ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 @thezedwards

I tested the DuckDuckGo so-called private browser for both iOS and Android, yet *neither version* blocked data transfers to Microsoft's Linkedin + Bing ads while viewing Facebook's workplace[.]com homepage. Look at DDG bragging about stopping Facebook on Workplace, no MSFT..:

The Duck Duck Go brags about stopping data transfers on Workplace.com

Eva @evacide

So...this is bad.

Shivan Kaul Sahib @shivan_kaul

This is shocking. DuckDuckGo has a search deal with Microsoft which prevents them from blocking MS trackers. And they can't talk about it! This is why privacy products that are beholden to giant corporations can never deliver true privacy; the business model just doesn't work. https://t.co/bzxw8vaxsy

The team at Sonatype vetted claims that the PyPI module ctx that gets downloaded over 20,000 times a week has been compromised in a software supply chain attack with malicious versions stealing the developer's environment variables.

The threat actor replaced the older, safe versions of ctx with code that exfiltrates the developer's environment variables to collect secrets like Amazon AWS keys and credentials. In addition, versions of a phpass fork published to the PHP/Composer package repository Packagist had been altered to steal secrets similarly. (Ax Sharma / Bleeping Computer)

Zoom has fixed as many security vulnerabilities that could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code.

Discovered by Ivan Fratric of Google Project Zero, the flaws are tracked from CVE-2022-22784 through CVE-2022-22787 and range from 5.9 to 8.1 in severity. (Ravie Lakshmanan / The Hacker News)

BlackBerry researchers published new insights into the Chaos ransomware builder, revealing a twisted family tree that links it to both the Onyx and Yashma ransomware variants.

The researchers say that someone claiming to be the creator of the Chaos ransomware builder’s kit joined a discussion between a recent victim and the threat group behind Onyx ransomware and revealed that Onyx was constructed from the author’s own Chaos v4.0 Ransomware Builder. The author went on to promote the most current version of the Chaos ransomware line, now renamed Yashma. (Steve Zurier / SC Magazine)

Related: The Hacker News, BlackBerry

Actor and producer Seth Green was robbed of several NFTs this month after succumbing to a phishing scam that inadvertently threw a monkey wrench into the plan for his new animated series developed from characters in Green’s expansive NFT collection.

On May 8, an anonymous scammer swiped four of Green’s NFTs in a phishing scheme. A Bored Ape, two Mutant Apes, and a Doodle were transferred out of Green’s wallet after he unknowingly interacted with a phishing site. One of the mutant apes was sold for $42,000, and the Bored Ape was sold for more than $200,000, potentially giving the new buyers more substantial intellectual property rights over the images. (Sarah Emerson / Buzzfeed News)

Related: Kotaku, Cointelegraph, AV Club

More Butter 🧈 @morebuttertv

Seth Green’s Bored Ape NFT, which was set to star in its own animated show, was stolen through a phishing scam. Green no longer owns the commercial rights to the NFT and thus the show cannot move forward. 🔗: buzzfeednews.com/article/sarahe…

The Cybersecurity and Infrastructure Security Agency (CISA) added 41 vulnerabilities to its catalog of known exploited flaws over the past two days, including flaws for the Android kernel and Cisco IOS XR.

The added vulnerabilities come from a wide range of years, with the oldest disclosed in 2016 and the most recent being a Cisco IOS XR vulnerability fixed last Friday. (Bill
Toulas / Bleeping Computer)

Related: Security Affairs, CISA

A scammer was able to trick a prolific NFT collector into signing a transaction on a fake trading website, which then allowed the scammer to maliciously transfer 29 pricey Moonbirds NFTs worth around 750 ETH or $1.5 million in a single transaction.

The targeted trader was a big-time Moonbirds fan, holding 29 of the NFTs in their affected wallet. (Molly White / Web 3 is going just great)

Related: Cointelegraph

Identity-driven threat detection and monitoring service Semperis raised over $200 million in a Series C funding round.

KKR led the round with participation from Ten Eleven Ventures, Paladin Capital Group, Atrium Health Strategic Fund, Tech Pioneers Fund, and existing investors, including Insight Partners. (Krystal Hu / Reuters)

Managed intelligence company Nisos raised $15 million in a Series B venture funding round.

Paladin Capital Group, Columbia Capital, and Skylab Capital led the round. (FinSMEs)

Related: Business Wire, Dark Reading

Open-source supply chain security provider Tidelift announced it had raised $27 million in a Series C venture funding round.

Dorilton Ventures led the round with Kaiser Permanente and Atlassian Ventures joining existing investors General Catalyst and Foundry Group. (Tim Keary / Venture Beat)

Related: Business Wire, Silicon Angle, SD Times, Pitchbook

ShardSecure, the inventor of Microshard™ technology that mitigates data security and privacy risks in the cloud, closed an oversubscribed Series A venture investment round.

Grotech Ventures led the round with significant participation from Gula Tech Adventures and KPMG LLP and existing investors Tom Noonan, EPIC Ventures, and Industrifonden. (PR Newswire)

Metacurity