A WIRED investigation this week found that the SweepWizard app, which some US law enforcement agencies use to coordinate raids, was publicly leaking confidential data on hundreds of police operations until WIRED exposed the flaw. The disclosed data included personally identifiable information about hundreds of officers and thousands of suspects, including geographic coordinates of suspects’ homes and the time and location of the raids, demographic and contact information, and some suspects’ social security numbers.
Meanwhile, in the Indian state of Telangana, police are embracing grassroots education initiatives to help people avoid digital fraud and other online exploits. And industrial controls giant Siemens this week disclosed a major vulnerability in one of its most popular lines of programmable logic controllers. The company has no plans to fix the vulnerability as it can only be exploited through physical access alone. However, researchers say it creates a vulnerability for industrial control and critical infrastructure environments containing any of the 120 models of vulnerable S7-1500 PLCs.
And there’s more. Each week we highlight the security news that we haven’t covered extensively ourselves. Click on the headlines below to read the full stories.
Britain’s Royal Mail service announced on Wednesday that it was hit by a ransomware attack and was unable to process parcels and letters for international shipping as a result. The company asked customers not to send international mail until the attack is resolved. Royal Mail officials blamed the prolific cybercriminal ransomware group LockBit, believed to be based in Russia, for the attack. Royal Mail has not commented extensively on the situation, instead calling it a “cyber incident” and warning that there would be “serious disruption” as a result of the attack.
In November, associates of President Joe Biden found classified footage from his time as vice president in an office he used prior to the start of his 2020 presidential campaign and at his home in Wilmington, Deleware. Now, after trawling through the President’s papers and offices, they have found more classified documents elsewhere. NBC News, which first reported the new details on Wednesday, wrote: “The classification level, number and exact location of the additional documents were not immediately clear. It was also not immediately clear when the additional documents were discovered and whether the search for other classified materials Biden may have from the Obama administration is complete.”
Microsoft said in March 2019 that it would shut down Windows 7 and that customers should migrate to newer versions of the operating system. As of January 2020, the company continued to provide security updates only to enterprise customers who paid for extended support. Microsoft said these too would be phased out by the end of 2022. The company confirmed on Tuesday that Windows 7 security updates are over and all users should update if they haven’t already. Computers that continue to run Windows 7 will not receive updates and are vulnerable to hacking. The operating system was first introduced in 2009 and was ubiquitous in its heyday. As with many versions of Windows, it will likely have a long tail. TechCrunch reports that from market share data, some analysts estimate that 10 percent of Windows PCs around the world are still running Windows 10. Seemingly due to lower adoption rates, Microsoft ended support for Windows 8 in January 2016 and also ended support for Windows 8.1 on Tuesday. And the company won’t offer extended support for Windows 8.1.
Cyber criminals intent on identity theft have exploited a very basic vulnerability on the website of credit reporting agency Experian. Experian designed its systems so that people who want a copy of their credit report must correctly answer a series of multiple-choice questions about their financial history to verify their identity. However, by the end of 2022, Experian’s website allowed anyone to bypass the requirement by simply entering an individual’s name, date of birth, social security number, and address. This information is often easily accessible to cybercriminals due to past data breaches and a compound repository of many breaches combined.
A September 2022 investigation by the New York Times included candid comments by Russian soldiers about their criticism of Russia’s invasion of Ukraine and the ongoing war in the country. But the story appears to have inadvertently disclosed phone numbers and other identifying metadata about some of the sources, and the information lingered in the publicly available source code for the story until Motherboard notified the release in January. Although unintentional, the flaw has real potential implications for the physical security of the sources, which could face consequences from the Russian government or other entities.