WIRED reported this week on public records that show the United States Department of Homeland Security urging local law enforcement around the country to interpret common protest activities and surrounding logistics—including riding a bike, livestreaming a police encounter, or skateboarding—as “violent tactics.” The guidance could influence cops to use everyday behavior as a pretext for police action.
An AI hiring bot used on the McDonald’s “McHire” site exposed tens of millions of job applicants’ personal data because of a group of web-based security vulnerabilities—including use of the classically guessable password “123456” on an administrator account. The site’s chatbot, known as Olivia, was built by the artificial intelligence software firm Paradox.ai. Meanwhile, in the wake of last week’s devastating floods in Texas that killed at least 120 people, conspiracy theories about the extreme weather event have gained enough traction among anti-government extremists, GOP influencers, and others with large platforms to produce real-world consequences like death threats.
Finally, the metadata of the “full raw” surveillance footage captured near Jeffrey Epstein’s cell the night before the disgraced financier was found hanged shows it’s not “raw” footage at all. Instead, according to a WIRED analysis and digital video forensics experts, the full video is made up of two clips, and it was likely processed using powerful editing software.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Earlier this year, three retailers in the UK—Harrods, the Co-Op, and M&S—were disrupted by sprawling cyberattacks. Some shelves were left empty for weeks, and M&S executives expect the attacks will cost around £300 million ($407 million) in total. This week, law enforcement officials at the National Crime Agency (NCA), the country’s equivalent of the FBI, announced the arrest of four people as part of investigations into the three attacks.
A 20-year-old female, two males aged 19, and another aged 17 were all arrested at their homes in the West Midlands and London on Thursday morning. One of the 19-year-old males is from Latvia, while the others are from the UK, the NCA says. They are suspected of potential Computer Misuse Act offenses, blackmail, money laundering, and “participating in the activities of an organized crime group,” the NCA said in a statement. The law enforcement agency has not named the individuals arrested or released precise locations of where they are based; however, NCA’s deputy director Paul Foster said the arrests were a “significant step” in its investigations.
The attacks against the three British retailers have been broadly linked, including partially by the NCA, to the loose cybercriminal group Scattered Spider. The hacking group, which first emerged in 2022, is largely made up of young, English-speaking individuals, and has recently been seen targeting retailers, airlines, and the insurance industry across the UK and the US.
It didn’t take criminals long to start using generative AI to create ultra-realistic child sexual abuse images. Now huge volumes of illegal, AI-created content are being found online, with criminals moving to use the technology to create videos as well as still images. During the first six months of this year, analysts at the Internet Watch Foundation, a UK-based organization that removes child sexual abuse material (CSAM) from the web, identified 1,286 AI-generated videos that show abuse—more than 1,000 of the videos showed the most serious type of abuse.
“There is an incredible risk of AI-generated CSAM leading to an absolute explosion that overwhelms the clear web,” said Derek Ray-Hill, the interim chief executive of the Internet Watch Foundation. Separate figures from the US-based National Center for Missing & Exploited Children (NCMEC) say it has received 485,000 reports of AI CSAM in the first half of this year—up from 67,000 for the entirety of last year. Around 35 tech companies have reported finding AI-generated CSAM on their platforms, NCMEC said.
In a rare instance of Western law enforcement actually laying hands on an alleged Chinese state-sponsored hacker, Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3. The police were acting on a warrant issued by the US Department of Justice seeking Xu’s arrest on hacking charges. Authorities allege he’s a member of the espionage group known as Silk Typhoon or Hafnium, which has carried out widespread data theft from Western governments and private sector companies for years. US prosecutors are specifically accusing Xu of taking part in Silk Typhoon’s hacking that targeted researchers working to develop a Covid-19 vaccine in 2020 and 2021. He’s also alleged to have participated in a far less targeted hacking campaign in which the same group broke into tens of thousands of Microsoft exchange servers around the world, leaving behind backdoors for later reconnaissance. Xu’s lawyer denied the charges, saying it’s a case of mistaken identity, and Xu’s wife also has reportedly said that Xu is an IT technician at the company GTA Semi Conductor.
In more news of alleged hackers arrested in European airports—and a very unusual case of alleged cybercriminal moonlighting—French police this week detained Russian professional basketball player Daniil Kasatkin in the Charles de Gaulle airport in Paris, accusing him of being part of a ransomware group. Authorities haven’t yet named the ransomware crew they claim Kasatkin was a part of, but say that from 2020 to 2022 it hit close to 900 organizations, including two American government agencies. Kasatkin’s lawyer, Frédéric Bélot, denied the accusations, saying his client is “useless with computers and can’t even install an application.” Kasatkin, who played for the pro basketball team MBA Moscow, had traveled to France with his fiancée to propose to her.
Here’s your annual reminder, athletic oversharers of the world, to set your Strava account settings to private. This week, Sweden’s Dagens Nyheter newspaper revealed that seven bodyguards for Swedish government officials left their Strava accounts public, revealing their locations as they carried out 1,400 exercise activities—and in many cases, the locations of the people they were protecting, including the Swedish prime minister, Ulf Kristersson. The leaked locations of the prime minister included hotels where he stayed, private addresses, a family vacation, trips abroad, and his private home, which was intended to be secret. Repeat after me, Strava enthusiasts with security clearances: Go to Settings, tap Privacy Controls, then Activities. Future scandal averted.
