hatemail tech newsletter 2023-09-11
Private sector offensive actors be offending; Google prepares new browser history tracking system; and more in the week's ethical tech news


BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. [CitizenLab] [Apple]
Keeping Pegasus on The Wing: The Legitimization of Cyber Espionage
“We show that these legitimation axes are designed to simultaneously ensure the company's survivability and to sustain surveillance realism – the perception of surveillance as the only viable option. This article contributes to the emerging literature on cyber surveillance firms and to the burgeoning research on the legitimation of surveillance by shedding light on the discursive infrastructures behind contemporary cyber espionage.” [Taylor & Francis]
When AI systems are used, they are usually used for surveillance
The President of the messaging app Signal, Meredith Whittaker, warns about the application of Artificial Intelligence. It’s important not to give big corporations linked to governments a free pass. [Schweizer Monat]
Mobile App Stores Begin Enforcing China's New Oversight Move On Apps
Mobile app stores in China run by Tencent Holdings, Xiaomi, and others have started to bar app publishers from launching new apps if they do not make all the disclosures required by authorities, documents seen by Reuters showed. [Reuters]
Thanks for reading hatemail! Subscribe for a weekly roundup of ethical tech, hacking, and counter abuse content.

Google Chrome pushes browser history-based ad targeting
The risks will vary, based on where you are. [The Register]
If You’ve Got a New Car, It’s a Data Privacy Nightmare
Bad news: your car is a spy. Every major car brand failed a recent privacy and security test from Mozilla. You’re probably driving around in a "privacy nightmare" that may collect information as sensitive as your race, health status, and sexual activity. [Gizmodo]
Google Search, WhatsApp, and TikTok on list of 22 services targeted by EU’s tough new DMA
They now have six months to comply with the rules. [The Verge]
The Absence of Data Privacy Law is a National Security Threat
Informational technology companies’ involvement in aiding and abetting foreign intelligence activities in alleged human rights violations must continue to face scrutiny. [National Interest]
Gov monitors Global Entry travelers daily, even if they aren't traveling
"Trusted traveler"? Don't kid yourself. If you traveled this year, the Feds are spying on you. [Newsweek]

NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. The exploit chain, which Citizen Lab has dubbed “BLASTPASS,” was capable of compromising iPhones running the latest version of iOS (16.6). [CitizenLab] [Meysam on Twitter]
Members of Trickbot and Conti hacking groups indicted and sanctioned by the US
Authorities have sanctioned 11 alleged members of the cybercriminal groups, while the US Justice Department unsealed three federal indictments against nine people accused of being members. [Indictment on DocumentCloud] [Sanctions announcement from Treasury Department]
AI-Based Honeypot Dubbed “sheLM” by Researchers
A new AI-based honeypot – a network with a component designed to lure and study cyber-attack techniques – has caught the attention of researchers at Czech Technical University and UNCuyo. [Cyber Security News]
Results of Major Technical Investigations for Storm-0558
After disclosing an intrusion last month from a Chinese-nexus threat actor, Microsoft has published their technical investigation and findings for transparency. [Microsoft Blog] [Microsoft Blog]
Microsoft Says China is Using AI to Influence U.S. Voters
On Thursday, Microsoft researchers reported that a network of fake, Chinese-controlled social media accounts appears to be seeking to influence U.S. voters with artificial intelligence. The Chinese embassy in Washington denied the accusation. [Reuters]
Malicious Chinese Code in Korean Gear is Just the Tip of the Iceberg
South Korea suspects China’s been tinkering with government computer hardware. [Bloomberg] [Bloomberg]
In-vehicle wireless devices are endangering emergency first responders
Gateways are supposed to make cops safer. Many leak their locations in real time. [ArsTechnica]
Breaking Down the Door to Emergency Services through Cellular IoT Gateways
If configured incorrectly, cellular IoT gateways can give attackers access to critical infrastructure, threatening human life in ways only Hollywood has conceived. [F5]

New Musk biography offers fresh details about the billionaire's Ukraine dilemma
Elon Musk secretly ordered his engineers to turn off his company’s Starlink satellite communications network near the Crimean coast last year to disrupt a Ukrainian sneak attack on the Russian naval fleet, according to an excerpt adapted from Walter Isaacson’s new biography of the eccentric billionaire titled “Elon Musk.” [CNN]
In Ukraine, a U.S. Arms Dealer Is Making a Fortune and Testing Limits
Billions are pouring into a clubby, secretive arms market. With Pentagon cash and unusually close Ukrainian military ties, Marc Morales has few peers. [NYTimes]
After Prigozhin’s Death, a High-Stakes Scramble for His Empire
A shadowy fight is playing out on three continents for control of Yevgeny Prigozhin’s sprawling interests as head of the Wagner mercenary group. The biggest prize: his lucrative operations in Africa. [NYTimes]
Dozens of ‘Cop City’ Activists Are Indicted on Racketeering Charges
Opponents of a police training facility in Atlanta say they are engaged in legitimate acts of protest. Prosecutors accuse them of taking part in a sprawling criminal enterprise. [NYTimes]

Metamorphosis of a fake account
The weird and wacky journey from cryptocurrency-shilling spambot to propaganda-pushing persona. [Norteno Conspirador]
The Current Campaign of Fake AI Bots Trying to Install Malware
Fake ads are flooding Facebook & Co. offering downloads of the latest AI tools. Instead of smart helpers, you'll only get malware. [We Live Security]