Hackable Robot Lawn Mower Unlocks a New Nightmare

Posted by qimuai | Reads: 0 | Compiled first-hand


Source: https://www.wired.com/story/security-news-this-week-hackable-robot-lawnmower-unlocks-a-new-nightmare/

Summary:

This Week's Global Cybersecurity News Roundup

Education Platform Hit by Ransomware, Students Across the US Affected

During final exams, countless students across the US faced a nightmare: the learning platform Canvas they rely on suddenly went into "maintenance mode" after education technology company Instructure suffered a ransomware attack. A hacker group calling itself ShinyHunters claimed responsibility for the breach. Experts say the resulting chaos shows the extreme lengths cybercriminals will go to in order to extort their victims.

Chrome's Automatic AI Model Download Raises Privacy Concerns

Google Chrome users recently discovered that the Gemini Nano AI model has quietly been taking up 4 GB of storage on their desktops since 2024, sparking annoyance and privacy concerns. The good news is that users can disable the AI model, at the cost of losing some useful security features. Of course, users can also simply download another browser for free.

"Vibe Coded" Apps Leak Corporate and Personal Data at Scale

Researchers revealed this week that thousands of apps built via "vibe coding" were left exposed on the open internet, leaking sensitive corporate and personal data. This security failure is a reminder that being able to write code does not mean you should.

DHS Sued Over Subpoena for Canadian Citizen's Location Data

The US Department of Homeland Security subpoenaed Google in an attempt to obtain the location data and account activity of a Canadian man. The man had criticized US immigration enforcement tactics after two women were killed in Minneapolis earlier this year. The American Civil Liberties Union (ACLU) has filed a complaint against DHS on his behalf; the man has not set foot in the US in more than 10 years.

Cybercriminals Go "Anti-AI" Too: Scammers Join the Backlash Against AI-Generated Content

New research shows that scammers, low-level hackers, and other cybercriminals have joined the ranks of humans pushing back against AI-generated content. Meanwhile, Meta is upgrading its age-verification technology after research found that children can bypass online age checks with simple tricks, one "little hero" fooling the system simply by drawing on a fake mustache. We also covered Russia's effort to build a domestic competitor to Starlink's satellite internet service, and the privacy and security concerns it brings.

Robot Lawn Mower Becomes a Security Hazard

The last thing owners of the $5,000 Yarbo robot lawn mower (which also works as a leaf blower, snowblower, and edger) want is for the 90 kg bladed robot in their backyard to be easily compromised. Unfortunately, that was not the case. According to The Verge, a security researcher found multiple vulnerabilities in the robot that allow hackers to remotely control the device (including its camera) and obtain the owner's email address, Wi-Fi password, and home location.

After a Yarbo spokesperson claimed the robots' "diagnostic environment is not publicly accessible," the reporter and researcher demonstrated the severity of the flaws by nearly running the reporter over with a hijacked robot. The company has since said it is fixing some of the vulnerabilities the researcher found.

Meta Removes End-to-End Encryption From Instagram

Mark Zuckerberg's Meta has withdrawn support for end-to-end encrypted Instagram direct messages, abandoning its earlier plan to protect user privacy. As of May 8, Meta stopped offering encryption on Instagram, making it technically easier for the company to access users' private messages.

Meta announced in 2023 that it had rolled out default encryption for Messenger and was introducing an opt-in encryption option for Instagram, which it planned to make the default eventually. However, in March this year Meta concluded that too few users had opted in and decided to remove the option entirely. The U-turn has infuriated privacy and security experts, who worry it could undermine end-to-end encryption efforts worldwide.

Trump's New Counterterrorism Strategy Targets "Antifa" and "Radically Pro-Transgender" Ideology

The Trump administration has released a new counterterrorism strategy, which Trump describes in the foreword as a "return to common sense and Peace through Strength." The document lists the three main types of terror groups as cartels, Islamist terror groups, and "violent left-wing extremists," the last of which includes anarchists and anti-fascists whose ideologies are described as "anti-American" and "radically pro-transgender."

The document promises to "use all the tools constitutionally available" to map the groups at home, identify their members, untangle their ties to international organizations like Antifa, and use law enforcement tools to cripple them operationally before they can carry out violence. Notably, at a congressional hearing last year, the operations director of the FBI's National Security Branch was unable to answer basic questions about how many members "Antifa" has or where it is located.

Leaked Documents Expose Russia's Elite Hacker Training School

Russia's military intelligence agency, the GRU, has launched some of the most brazen and destructive cyberattacks in history. While some of its operatives have been publicly named and placed under international sanctions, a joint media investigation revealed this week a special unit inside Bauman Moscow State Technical University known as "Department 4," which allegedly provides training and a pipeline of talent for the GRU, including units involved in hacking and disinformation operations.

Documents obtained by the investigative consortium, which includes Le Monde, the Guardian, and Der Spiegel, show that GRU intelligence officers (including people linked to the well-known hacking group Fancy Bear) teach at Department 4. Students must learn a range of hacking techniques and conduct penetration tests. Some graduates have joined Fancy Bear and the notorious Sandworm group, which attacked Ukraine's power grid and the PyeongChang Winter Olympics and created the NotPetya malware that caused billions of dollars in damage worldwide.

Polish Intelligence Agency: Hackers Breached Water Systems in Five Towns

For more than a decade Ukraine has been the number one testing ground for Russia's cyberwarfare techniques, and Poland has become the second biggest target. Poland's domestic intelligence agency, the ABW, warned this week that hackers breached the networks of water utilities in five Polish towns last year. In some cases, the attackers penetrated deep enough to reach industrial control systems that could affect the physical operation of those facilities, which the ABW called "a direct risk" to the continuity of the towns' water supply.

Although the report did not attribute the breaches to any country's state-backed hackers, it noted more generally that Poland faces escalating hacking attacks, "with particular emphasis on the special services of the Russian Federation." The report also said Russia is carrying out a large-scale reconnaissance campaign in preparation for cyber-sabotage operations against the Polish military and critical infrastructure.

Full translation:

Cramming for finals is stressful enough without the learning platform you use for your schoolwork suddenly going down. Unfortunately for countless students across the US, that is exactly what they faced on Thursday: after education technology company Instructure suffered a ransomware attack, its platform Canvas went into "maintenance mode." Hackers calling themselves ShinyHunters claimed responsibility for the breach, and experts say the chaos they caused shows how far these hackers will go to extort their victims.

Did you know that Google Chrome automatically downloads the Gemini Nano AI model? If not, you are not alone. Users of the hugely popular browser discovered this week that Gemini Nano has been taking up 4 GB of storage on their computers since 2024, sparking annoyance and privacy concerns. Fortunately, you can disable the AI model, though you will lose some useful security features. Of course, you can also simply download another browser for free.

Researchers revealed this week that thousands of apps built via "vibe coding" were left exposed on the open internet, leaking sensitive corporate and personal data. These security failings are a reminder: just because you can vibe code something doesn't mean you should.

Earlier this year, after the killings of Renee Good and Alex Pretti in Minneapolis, a Canadian man criticized US immigration enforcement tactics. The US Department of Homeland Security then subpoenaed Google in an attempt to obtain his location data and account activity. The American Civil Liberties Union this week filed a complaint against DHS on behalf of the man, who has not entered the US in more than a decade.

New research shows that scammers, low-level hackers, and other cybercriminals have joined the ranks of humans yearning to be free of AI slop. Meanwhile, Meta is upgrading its age-verification technology after a study found that kids can fool online age checks with simple techniques, including one little hero who drew on a fake mustache to get around online age verification. Finally, we took a detailed look at Russia's effort to build a homegrown version of the Starlink satellite internet service, and all the privacy and security issues that come with it.

And there's more. Each week we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Robot Lawn Mower Is a Security Nightmare
Most people hope that the 200-pound bladed robot in their backyard can't be easily hacked. But for owners of Yarbo, the $5,000 lawn mower robot (which also doubles as a leaf blower, snowblower, and edger), that was not the case. According to The Verge, a security researcher found multiple vulnerabilities in the robot that could let hackers remotely take over the device (including its camera feed) and steal owners' email addresses, Wi-Fi passwords, and home addresses. After a Yarbo spokesperson claimed the robots' "diagnostic environment is not publicly accessible," the reporter and researcher demonstrated the flaws and their potential consequences by nearly running the reporter over with a hijacked robot. The company has since said it is developing a fix for at least one of the vulnerabilities the researcher found.

Meta Strips Encryption From Instagram DMs
Mark Zuckerberg's Meta has scrapped end-to-end encrypted messaging on Instagram, abandoning its plan to protect user privacy by offering messages the company could not snoop on. The company stopped offering encryption on Instagram on May 8, making it technically easier to access DMs. After spending years building encryption systems to secure its chat apps, Meta announced in 2023 that it had rolled out default encryption for Messenger, and said it was introducing an opt-in encryption option for Instagram that it planned to make the default eventually. That day never came: in March this year Meta decided that not enough users had opted in and that it would remove the option to encrypt Instagram chats. The reversal has infuriated privacy and security experts, who fear the move could undermine end-to-end encryption efforts around the world.

Trump's New Counterterrorism Strategy Targets "Antifa" and "Radically Pro-Transgender" Ideology
The Trump administration has released a new counterterrorism strategy, which President Donald Trump describes in the document's foreword as a "return to common sense and Peace through Strength." The document names the three main types of terror groups as cartels, Islamist terror groups, and "violent left-wing extremists," which the memo says includes anarchists and anti-fascists whose ideologies are "anti-American" and "radically pro-transgender." The memo promises: "We will use all the tools constitutionally available to us to map them at home, identify their membership, map their ties to international organizations like Antifa, and use law enforcement tools to cripple them operationally before they can maim or kill the innocent." Notably, at a congressional hearing last year, the operations director of the FBI's National Security Branch was unable to answer specific questions about how many members "Antifa" has or where it is based.

Leaked Documents Unmask Elite Russian Hacking School
Russia's GRU military intelligence agency has launched some of the most brazen and destructive cyberattacks in history. Although some of its operatives have been publicly named and hit with international sanctions, a consortium of media outlets revealed this week a special unit inside Bauman Moscow State Technical University known as "Department 4," which allegedly provides training and is suspected of funneling personnel into GRU units, including those involved in hacking and disinformation operations. Documents obtained by the consortium, which includes Le Monde, the Guardian, and Der Spiegel, show that GRU intelligence officers, including some linked to the Fancy Bear hacking group, teach at Department 4. According to the reporting, students must learn a range of hacking skills and conduct penetration tests, and some graduates have joined Fancy Bear and the notorious Sandworm group, which attacked Ukraine's power grid and the PyeongChang Winter Olympics and spread the NotPetya malware that caused billions of dollars in damage around the world.

Polish Intelligence Agency Says Hackers Breached Its Water Utilities
For more than a decade Ukraine has been the number one testing ground for Russia's cyberwarfare techniques, and Poland has become its second favorite target. Notably, Poland's domestic intelligence agency, the ABW, warned this week that hackers broke into the networks of water utilities in five Polish towns last year. In some cases the attackers penetrated deep enough to reach industrial control systems that could have affected the physical operation of those facilities, which the ABW called "a direct risk" to the continuity of the towns' water supply. The report did not attribute the breaches to any country's state-backed hackers, but noted more generally that Poland faces escalating hacking operations, "with particular emphasis on the special services of the Russian Federation." The report also said Russia is carrying out a broader reconnaissance campaign in preparation for cyber-sabotage operations targeting the Polish military and critical infrastructure.

English source:

Cramming for finals is bad enough without the platform you use to do your schoolwork suddenly shutting down. Unfortunately for countless students across the US, that’s exactly what they faced on Thursday after Canvas went into “maintenance mode” following a ransomware attack on education tech firm Instructure. Hackers using the name ShinyHunters claimed responsibility for the breach, and experts say the chaos they caused shows how far these actors will go to extort their victims.
Did you know that Google Chrome includes an automatic download of the Gemini Nano AI model? If not, you wouldn’t be alone. People who use Google’s wildly popular browser realized this week that Gemini Nano has been taking up 4 GB of space on their desktops since 2024, sparking annoyance and concerns over privacy. Fortunately, you can disable the AI model—but not without losing some helpful security features. Obviously, you can also just download a different browser for free.
Researchers this week revealed that thousands of vibe coded apps were left exposed on the open internet, revealing sensitive corporate and personal data. The security failings are a reminder: Just because you can vibe code something doesn’t necessarily mean you should.
The Department of Homeland Security subpoenaed Google in an attempt to obtain the location data and account activity of a Canadian man who criticized US immigration enforcement tactics following the killings of Renee Good and Alex Pretti in Minneapolis early this year. The American Civil Liberties Union this week filed a complaint against DHS on behalf of the man, who has not visited the US in more than 10 years.
Scammers, low-level hackers, and other cybercriminals have joined the ranks of humanity yearning to be free of AI slop, according to new research. Meta, meanwhile, is sprucing up its age-verification tech after a study found that kids are tricking online age checks using simple techniques—including one child hero who circumvented online age verification by drawing on a fake mustache. Finally, we detailed Russia’s effort to create a local competitor to Starlink satellite internet service—with all the privacy and security concerns that entails.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Robot Lawn Mower Is a Security Nightmare
Most people hope that the 200-pound robot with blades in their backyard cannot be easily hacked. Unfortunately for the owners of Yarbo, a $5,000 lawn mower robot that can also work as a leaf blower, snowblower, and edger, that was not the case. The Verge reports that a security researcher found numerous vulnerabilities in the lawn bots that could allow hackers to remotely take over the machines (including their camera feeds), as well as extract owners’ email addresses, Wi-Fi passwords, and home locations.
After a Yarbo spokesperson told The Verge that the robots' “diagnostic environment is not publicly accessible,” the reporter and researcher demonstrated the security flaws and their potential consequences by nearly running over the reporter with a hijacked robot. The company has since reported that they are developing a fix to at least one of the flaws the researcher identified.
Meta Strips Encryption From Instagram DMs
Mark Zuckerberg’s Meta has pulled support for end-to-end encrypted messages on Instagram, backtracking on its plans to protect people’s privacy by providing messaging the company could not snoop on. The company stopped offering encryption on Instagram on May 8, making it easier than before for the firm to technically access DMs.
After spending years building out the encryption systems needed to secure its chat apps, Meta said in 2023 that it had rolled out default encryption for Messenger. It also said it was introducing an opt-in version for Instagram, which it had planned would eventually become the default setting. However, that day never arrived, with Meta deciding in March this year that not enough people had opted in and that it would remove the option to encrypt Instagram chats. The U-turn has infuriated privacy and security experts who fear the rollback could damage end-to-end encryption efforts around the world.
Trump’s New Counterterrorism Strategy Targets “Antifa,” “Radically Pro-Transgender” Ideology
The Trump administration unveiled a new counterterrorism strategy, which President Donald Trump describes as a “return to common sense and Peace through Strength” in a foreword included in the document. The three biggest types of terror groups, according to the document, are cartels, Islamist terror groups, and “violent left wing extremists,” which the memo says includes anarchists and anti-fascists and have ideologies that are “anti-American” and “radically pro-transgender.”
The memo promises, "We will use all the tools constitutionally available to us to map them at home, identify their membership, map their ties to international organizations like Antifa, and use law enforcement tools to cripple them operationally before they can maim or kill the innocent."
Notably, during a congressional hearing last year, the operations director of the FBI's National Security Branch was unable to answer questions about how many people were in “Antifa,” where it was located, or other specifics.
Elite Russian Hacking School Unmasked by Leaked Documents
Russia’s GRU military intelligence agency has launched some of the most brazen and destructive cyberattacks in history. While some of its operatives have been publicly named and hit with international sanctions, a consortium of journalists revealed this week how a special unit inside Bauman Moscow State Technical University, named Department 4, allegedly provides training and a suspected pipeline into GRU units, including those involved in hacking and disinformation.
Documents obtained by the consortium—which includes Le Monde, the Guardian, Der Spiegel, and other outlets—allegedly show how GRU intelligence officers, including those linked to the hacking group known as Fancy Bear, teach at Department 4. Students learn a range of hacking skills and must conduct penetration tests, according to the reporting. Some have graduated and joined both Fancy Bear and the notorious Sandworm group, which has been linked to attacks on Ukraine’s power grid, the Winter Olympics, and the NotPetya malware that caused billions of dollars in damage around the world.
Hackers Breached Poland’s Water Utilities, Its Intelligence Agency Says
While Ukraine has, for more than a decade, served as Russia’s number one testing ground for cyberwar techniques, Poland has come to represent its second favorite target. So it’s notable that this week Poland’s domestic intelligence agency, the ABW, warned that hackers infiltrated the networks of water utilities in five Polish towns last year. In some cases, the attackers penetrated deeply enough to access industrial control systems that could have affected the physical operations of those facilities—“a direct risk” to the continuity of the towns’ water supply, according to the ABW.
The report didn’t attribute the breaches to any country’s state-sponsored hackers, but noted more generally that Poland had faced escalating hacking operations “with particular emphasis on the special services of the Russian Federation.” The report also described Russia as carrying out a broader campaign of reconnaissance in preparation for cyber-sabotage operations that appeared to target the Polish military and the country’s critical infrastructure.
