AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 5/1/2024

New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. The flaw, assigned the CVE identifier CVE-2024-27322, “involves the use of promise objects and lazy evaluation in R,” AI application security company HiddenLayer said in a report shared with The Hacker News. RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.
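For anyone who has to triage a suspicious .rds before an analyst runs readRDS on it, the practical question is whether the file carries a promise at all. The script below is an added example, not HiddenLayer's proof of concept and not part of R: it walks the serialized stream structurally, following the XDR "X\n" layout of R's serialize.c for format versions 2 and 3, counts the object types present and records the unevaluated expression held by every PROMSXP, without handing anything to R. The two sample streams are hand-assembled bytes rather than files written by R, and which types count as "code-bearing" (CODE_BEARING) is this example's own policy, not something the report states.

```python
"""Structural triage of an R .rds / serialize() stream without evaluating it. Added example (not
HiddenLayer's PoC, not R's code); follows the XDR "X\n" layout of R's serialize.c, versions 2 and 3."""
import bz2, gzip, lzma, struct
from collections import Counter

# SEXPTYPE codes (Rinternals.h) plus the serialize.c pseudo-types >= 238
SEXP_NAMES = {int(k): v for k, v in (p.split(":") for p in """0:NILSXP 1:SYMSXP 2:LISTSXP 3:CLOSXP
4:ENVSXP 5:PROMSXP 6:LANGSXP 7:SPECIALSXP 8:BUILTINSXP 9:CHARSXP 10:LGLSXP 13:INTSXP 14:REALSXP 15:CPLXSXP
16:STRSXP 17:DOTSXP 19:VECSXP 20:EXPRSXP 21:BCODESXP 22:EXTPTRSXP 23:WEAKREFSXP 24:RAWSXP 25:S4SXP
238:ALTREP_SXP 241:BASEENV_SXP 242:EMPTYENV_SXP 247:PERSISTSXP 248:PACKAGESXP 249:NAMESPACESXP
250:BASENAMESPACE_SXP 251:MISSINGARG_SXP 252:UNBOUNDVALUE_SXP 253:GLOBALENV_SXP 254:NILVALUE_SXP 255:REFSXP""".split())}
CODE_BEARING = {"PROMSXP", "CLOSXP", "LANGSXP", "BCODESXP", "EXTPTRSXP"}  # a policy choice for data-only files


class _Reader:
    def __init__(self, data, pos=0):
        self.buf, self.pos, self.counts, self.promises = data, pos, Counter(), []
    def raw(self, n):
        self.pos += n
        if self.pos > len(self.buf):
            raise ValueError("truncated stream")
        return self.buf[self.pos - n:self.pos]
    def u32(self):  # XDR ints are big-endian 32-bit
        return struct.unpack(">i", self.raw(4))[0]
    def length(self):  # -1 introduces a two-word long-vector length
        n = self.u32()
        return n if n != -1 else (self.u32() << 32) + (self.u32() & 0xFFFFFFFF)
    def item(self):  # consume one object; returns a short description for names, strings and calls
        flags = self.u32()
        t, has_attr, has_tag = flags & 0xFF, bool(flags & 1 << 9), bool(flags & 1 << 10)
        self.counts[SEXP_NAMES.get(t, f"type{t}")] += 1
        if t == 255 and flags >> 8 == 0:  # REFSXP whose back-reference index is in the next int
            self.u32()
        if t in (241, 242, 250, 251, 252, 253, 254, 255):  # singletons and references: no more payload
            return None
        if t in (247, 248, 249):  # persistent / package / namespace: a vector of CHARSXPs
            if self.u32() != 0:
                raise ValueError("bad string-vector marker")
            return [self.item() for _ in range(self.u32())]
        if t == 1:  # SYMSXP: the name follows as a CHARSXP
            return self.item()
        if t in (4, 238):  # ENVSXP: locked flag, enclos, frame, hashtab, attrib; ALTREP_SXP: info, state, attrib
            if t == 4:
                self.u32()
            return [self.item() for _ in range(4 if t == 4 else 3)]
        if t in (2, 3, 5, 6, 17):  # LISTSXP CLOSXP PROMSXP LANGSXP DOTSXP: [attrib] [tag] CAR CDR
            for present in (has_attr, has_tag):  # a PROMSXP keeps its environment in the tag
                if present:
                    self.item()
            car, cdr = self.item(), self.item()
            if t == 5:  # PROMSXP: CAR is the cached value, CDR the expression forced on first use
                self.promises.append(cdr)
            return f"{car}(...)" if t == 6 else None
        desc = None
        if t in (7, 8, 9):  # CHARSXP (byte length, -1 = NA_STRING) or a primitive's name
            n = self.u32()
            desc = self.raw(n).decode("utf-8", "replace") if n >= 0 else None
        elif t in (10, 13, 14, 15, 24):  # atomic vectors: fixed-size elements
            self.raw({10: 4, 13: 4, 14: 8, 15: 16, 24: 1}[t] * self.length())
        elif t in (16, 19, 20):  # STRSXP / VECSXP / EXPRSXP: one item per element
            for _ in range(self.length()):
                self.item()
        elif t == 22:  # EXTPTRSXP: protected value and tag (the raw pointer is never serialized)
            self.item(); self.item()
        elif t == 21:
            raise ValueError("BCODESXP present; byte code is not walked here, inspect by hand")
        elif t not in (23, 25):  # WEAKREFSXP / S4SXP carry attributes only
            raise ValueError(f"unknown SEXPTYPE {t}")
        if has_attr:
            self.item()
        return desc


def scan_rds(blob):  # decompress if needed, check the header, walk the tree; nothing is evaluated
    for magic, mod in ((b"\x1f\x8b", gzip), (b"BZh", bz2), (b"\xfd7zXZ\x00", lzma)):
        if blob.startswith(magic):
            blob = mod.decompress(blob)
    if blob[:2] != b"X\n":
        raise ValueError("not an XDR serialize stream (ascii and native-binary variants not handled)")
    r = _Reader(blob, 2)
    version, writer, _min_reader = r.u32(), r.u32(), r.u32()
    if version not in (2, 3):
        raise ValueError(f"unsupported serialization version {version}")
    encoding = r.raw(r.u32()).decode("ascii", "replace") if version == 3 else None
    r.item()
    return {"version": version, "writer_r_version": f"{writer >> 16}.{writer >> 8 & 0xFF}.{writer & 0xFF}",
            "encoding": encoding, "types": dict(r.counts), "promise_exprs": r.promises,
            "code_bearing": sorted(CODE_BEARING & set(r.counts)), "trailing_bytes": len(blob) - r.pos}


# Hand-assembled sample streams (not written by R): a plain 1:3, and a named list whose second element
# is a promise for message("hi") with R_GlobalEnv as its environment and no cached value yet.
def _i(v): return struct.pack(">i", v)
def _chr(s): return _i(9 | 64 << 12) + _i(len(s)) + s.encode()  # CHARSXP with the ASCII level bit set
_HEADER = b"X\n" + _i(3) + _i(0x040400) + _i(0x030500) + _i(5) + b"UTF-8"  # version 3, writer 4.4.0, min 3.5.0
SAMPLE_CLEAN = _HEADER + _i(13) + _i(3) + _i(1) + _i(2) + _i(3)
SAMPLE_PROMISE = (_HEADER + _i(19 | 1 << 9) + _i(2) + _i(13) + _i(3) + _i(1) + _i(2) + _i(3)  # list(has attrs): 1:3,
    + _i(5 | 1 << 10) + _i(253) + _i(252)  # PROMSXP with tag R_GlobalEnv, value R_UnboundValue, expression:
    + _i(6) + _i(1) + _chr("message") + _i(2) + _i(16) + _i(1) + _chr("hi") + _i(254)  # LANGSXP message("hi")
    + _i(2 | 1 << 10) + _i(1) + _chr("names") + _i(16) + _i(2) + _chr("x") + _chr("p") + _i(254))  # names attr
SAMPLE_PROMISE_GZ = gzip.compress(SAMPLE_PROMISE)
```

Run it as `scan_rds(open(path, "rb").read())`; the result lists every SEXP type seen, the expression inside each promise (here `message(...)`), and any trailing bytes the walk did not account for. A file that is supposed to hold plain data (vectors, data frames) has no business containing PROMSXP or CLOSXP; fitted models and other objects that legitimately carry calls or functions will show LANGSXP and CLOSXP, so tune CODE_BEARING to what the file is expected to be. The walker raises on byte-compiled code (BCODESXP) and recurses once per pairlist cell, so very long argument lists can hit Python's recursion limit; treat either as a reason to look at the file by hand rather than load it.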

FCC fines carriers $200 million for illegally sharing user location

The Federal Communications Commission (FCC) has fined the largest U.S. wireless carriers almost $200 million for sharing their customers’ real-time location data without their consent. FCC’s forfeiture orders finalize Notices of Apparent Liability (NAL) issued against AT&T, Sprint, T-Mobile, and Verizon in February 2020. The fines imposed on Monday include $12 million for Sprint and $80 million for T-Mobile (the two carriers have merged since the investigation began), more than $57 million for AT&T, and an almost $47 million fine for Verizon.

U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats. “These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems,” the Department of Homeland Security (DHS) said Monday. In addition, the agency said it’s working to facilitate safe, responsible, and trustworthy use of the technology in a manner that does not infringe on individuals’ privacy, civil rights, and civil liberties.

Apple’s ‘incredibly private’ Safari is not so private in Europe

Apple’s grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking. Developers Talal Haj Bakry and Tommy Mysk looked into the way Apple implemented the installation process for third-party software marketplaces on iOS with Safari, and concluded Cupertino’s approach is particularly shoddy. “Our testing shows that Apple delivered this feature with catastrophic security and privacy flaws,” wrote Bakry and Mysk in an advisory published over the weekend.

Finnish Hacker Gets Prison for Accessing Thousands of Psychotherapy Records and Demanding Ransoms

A Finnish court on Tuesday sentenced a 26-year-old man to six years and three months in prison for hacking thousands of patient records at a private psychotherapy center and seeking ransom from some patients over the sensitive data. The case has caused outrage in the Nordic nation, with a record number of people, about 24,000, filing criminal complaints with police. In February 2023, French police arrested well-known Finnish hacker Aleksanteri Kivimäki, who was living under a false identity near Paris. He was deported to Finland. His trial ended last month. The Länsi-Uusimaa District Court said Kivimäki was guilty of, among other things, aggravated data breach, nearly 21,000 aggravated blackmail attempts and more than 9,200 aggravated disseminations of information infringing private life. The court called the crimes “ruthless” and “very damaging” considering the state of the people involved.
