Democratic Lawmakers to Google: Stop Collecting Location Data That Imperils Abortion Seekers
Hacker releases heartbreaking images of Chinese camps, Ransomware attack delays flights at Indian airline, DuckDuckGo creates carve-out for Microsoft ad data, Zoom fixes four flaws and much more
More than 40 Democratic members of Congress, led by Senator Ron Wyden (D-OR), sent a letter to Sundar Pichai, the CEO of Google parent Alphabet Inc., asking him to stop what they see as Google’s unnecessary collection and retention of people’s location data. They argue that anti-choice actors could use the information to identify women seeking abortions.
The lawmakers expressed concern that if abortion were to become illegal in the U.S., the company’s “current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care.” But to date, tech companies have tried mainly to stay out of the impending repeal of reproductive healthcare rights that will be ushered in when the Supreme Court overturns its landmark Roe v. Wade decision. (Barbara Ortutay / Associated Press)
Thousands of photographs from the heart of China’s highly secretive system of mass incarceration in Xinjiang, as well as a shoot-to-kill policy for those who try to escape, are among a massive cache of data called the Xinjiang Police Files hacked from police computer servers in the region. An anonymous source claims to “have hacked, downloaded and decrypted the files from a number of police computer servers in the Xinjiang region.”
The cache reveals, in unprecedented detail, China’s use of “re-education” camps and formal prisons as two separate but related systems of mass detention for Uyghurs - and seriously calls into question its well-honed public narrative about both. (John Sudworth / BBC News)
Related: DataBreaches.net, The New Arab, EL PAÍS, Candid.Technology, Motherboard, Bloomberg, Digital Journal, The Guardian, Daily Mail, New Statesman Contents, Ars Technica, Hong Kong Free Press HKFP, Washington Examiner
Ambassador Linda Thomas-Greenfield (@USAmbUN): Horrified by the Xinjiang Police Files, which spotlight China's mass incarceration of Uyghurs and other ethnic and religious minorities. @mbachelet and @UNHumanRights must take a hard look at these faces and press Chinese officials for full, unfettered access – and answers. https://t.co/ZkpbfA7ZvJ
An attempted ransomware attack on India’s SpiceJet delayed flights at the Delhi, Jaipur, and Kanpur airports.
SpiceJet acknowledged the attempted attack but said the situation had been rectified and flights are now operating normally. (India Today)
Security researcher Zach Edwards found hidden limits on privacy-oriented browser DuckDuckGo’s (DDG) tracking protection that create a carve-out for specific advertising data requests by its search syndication partner, Microsoft.
Edwards tested browser data flows on a Facebook-owned site, Workplace.com, and found that while DDG informed users it had blocked Google and Facebook trackers, it did not prevent Microsoft from receiving data flows linked to their browsing on the non-Microsoft website. The limitation on the DDG browser’s tracker blocking amounts to an exemption from protection against certain advertising data transfers to Microsoft subsidiaries, including Bing and LinkedIn, which undermines DDG browser users’ privacy. (Natasha Lomas / TechCrunch)
Shivan Kaul Sahib (@shivan_kaul): This is shocking. DuckDuckGo has a search deal with Microsoft which prevents them from blocking MS trackers. And they can't talk about it! This is why privacy products that are beholden to giant corporations can never deliver true privacy; the business model just doesn't work. https://t.co/bzxw8vaxsy
The team at Sonatype vetted claims that the PyPI module ctx, which is downloaded over 20,000 times a week, had been compromised in a software supply chain attack, with malicious versions stealing the developer's environment variables.
The threat actor replaced the older, safe versions of ctx with code that exfiltrates the developer's environment variables to collect secrets like Amazon AWS keys and credentials. In addition, versions of a phpass fork published to the PHP/Composer package repository Packagist had been altered to steal secrets similarly. (Ax Sharma / Bleeping Computer)
Zoom has fixed four security vulnerabilities that could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code.
Discovered by Ivan Fratric of Google Project Zero, the flaws are tracked as CVE-2022-22784 through CVE-2022-22787 and carry severity scores ranging from 5.9 to 8.1. (Ravie Lakshmanan / The Hacker News)
BlackBerry researchers published new insights into the Chaos ransomware builder, revealing a twisted family tree that links it to both the Onyx and Yashma ransomware variants.
The researchers say that someone claiming to be the creator of the Chaos ransomware builder’s kit joined a discussion between a recent victim and the threat group behind Onyx ransomware and revealed that Onyx was constructed from the author’s own Chaos v4.0 Ransomware Builder. The author went on to promote the most current version of the Chaos ransomware line, now renamed Yashma. (Steve Zurier / SC Magazine)
Actor and producer Seth Green was robbed of several NFTs this month after succumbing to a phishing scam that inadvertently threw a monkey wrench into the plan for his new animated series developed from characters in Green’s expansive NFT collection.
On May 8, an anonymous scammer swiped four of Green’s NFTs in a phishing scheme. A Bored Ape, two Mutant Apes, and a Doodle were transferred out of Green’s wallet after he unknowingly interacted with a phishing site. One of the mutant apes was sold for $42,000, and the Bored Ape was sold for more than $200,000, potentially giving the new buyers more substantial intellectual property rights over the images. (Sarah Emerson / Buzzfeed News)
The Cybersecurity and Infrastructure Security Agency (CISA) added 41 vulnerabilities to its catalog of known exploited flaws over the past two days, including flaws in the Android kernel and Cisco IOS XR.
The added vulnerabilities come from a wide range of years, with the oldest disclosed in 2016 and the most recent being a Cisco IOS XR vulnerability fixed last Friday. (Bill Toulas / Bleeping Computer)
A scammer was able to trick a prolific NFT collector into signing a transaction on a fake trading website, which then allowed the scammer to maliciously transfer 29 pricey Moonbirds NFTs worth around 750 ETH or $1.5 million in a single transaction.
The targeted trader was a big-time Moonbirds fan, holding 29 of the NFTs in their affected wallet. (Molly White / Web 3 is going just great)
Identity-driven threat detection and monitoring service Semperis raised over $200 million in a Series C funding round.
KKR led the round with participation from Ten Eleven Ventures, Paladin Capital Group, Atrium Health Strategic Fund, Tech Pioneers Fund, and existing investors, including Insight Partners. (Krystal Hu / Reuters)
Related: Globes, Calcalist, SC Magazine, Business Wire Technology News, Security Week, Becker's Hospital Review, FinSMEs, SiliconANGLE, CRN, GovInfoSecurity, VC News Daily, Grit Daily News, VC Deals – PE Hub
Managed intelligence company Nisos raised $15 million in a Series B venture funding round.
Paladin Capital Group, Columbia Capital, and Skylab Capital led the round. (FinSMEs)
Open-source supply chain security provider Tidelift announced it had raised $27 million in a Series C venture funding round.
Dorilton Ventures led the round with Kaiser Permanente and Atlassian Ventures joining existing investors General Catalyst and Foundry Group. (Tim Keary / Venture Beat)
ShardSecure, the inventor of Microshard™ technology that mitigates data security and privacy risks in the cloud, closed an oversubscribed Series A venture investment round.
Grotech Ventures led the round with significant participation from Gula Tech Adventures and KPMG LLP and existing investors Tom Noonan, EPIC Ventures, and Industrifonden. (PR Newswire)