Tech
Iran abused mobile networks’ vulnerabilities to locate U.S. military in the Middle East, report says
The Iranian government abused well-known vulnerabilities in the global telecoms infrastructure to locate U.S. military personnel in the build-up to the Iran War, as well as in the early days of the conflict, according to The Financial Times.
The Iranian government exploited Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that has long been the backbone of how cellular networks connect to each other to route subscribers’ calls and texts around the world, the newspaper reported, citing research by the Mobile Surveillance Monitor, as well as anonymous government officials with knowledge of the spy campaign.
Intelligence agencies have long abused SS7 to track cellphones abroad, which is what happened in this campaign.
Using this technique, Iran was reportedly able to locate U.S. military forces stationed in military bases as well as hotels in Iraq, Bahrain, and other countries in the Middle East, which allowed the regime to strike them. These attacks resulted in several injuries.
Apart from SS7, Iran also abused advertising technology used to serve tailored ads to cellphone users, another well-known surveillance technique that relies on everyday technology.
>
Tech
UK cops say arrest of two young hackers disrupted the operations of an infamous hacking group
U.K police said on Thursday that the jailing of two teenage hackers has “severely” hampered the activities of the infamous cybercrime group known as Scattered Spider.
Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty earlier this year to hacking Transport of London (TfL), the government body overseeing the U.K. capital’s public transit system in 2024. The two were sentenced to five years and six months in prison on Thursday.
The jailing of Flowers and Jubair is a reminder that, sometimes, the most dangerous and effective hackers don’t work for sophisticated government agencies with millions of dollars of budget. More often, they are rather very young and smart hackers motivated by money and infamy among their peers.
Groups such as Scattered Spider, as well as ShinyHunters, another cybercriminal collective, often target and exploit employees and individuals rather than computer systems, a strategy that’s both effective and hard to counter.
While hacking groups’ members tend to come and go, the groups themselves can rebrand. But British authorities are convinced the jailing of Flowers and Jubair represents a significant blow to Scattered Spider, an amorphous group that’s been linked to dozens of high-profile attacks, such as those against casino giant MGM, airline WestJet, and cybersecurity firm Okta. These attacks in turn gave the hackers access to several of these companies customers.
“Scattered Spider has been the most significant cybercrime threat to the U.K. in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice,” said Paul Foster, the head of the U.K. National Crime Agency’s National Cyber Crime Unit.
The two hackers were behind the cyberattack against TfL in summer 2024, which took the system’s infrastructure offline, including the ticketing system, and the online real-time train arrival information system. The disruptions lasted for weeks.
Flowers and Jubair were arrested a year later. At the time, the FBI accused Jubair of being involved in attacks on more than 120 companies using social engineering tactics.
Authorities said the attack against TfL resulted in losses of around £29 million (around $47 million). The two hackers had such deep access to TfL systems that they “could have shut out and shut down TfL completely,” and held “the keys to the kingdom” to the company’s systems, according to the Guardian.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
>
Tech
Yes, you can now order DoorDash from the command line
Sudo make me a sandwich. The future has arrived! DoorDash just introduced a limited beta of DoorDash CLI, a command-line tool for developers that lets you order DoorDash directly from your AI agent. The tool can be used to search stores, find deals, and check out, the company says.
Called “dd-cli,” the new tool is open to U.S. and Canadian macOS developers via a waitlist, said DoorDash co-founder and CTO Andy Fang in a post on X. DoorDash was asked for comment about the new feature.
The announcement is getting a lot of attention because, on the face of it, it’s rather funny. Command-line tools are associated with programming, not ordering lunch. An AI agent running commands to order your salad or sandwich can initially feel somewhat absurd.
But the DoorDash CLI isn’t actually a joke; it’s an example of what agentic commerce can look like.
With this move, the company is exposing DoorDash’s ordering platform to AI agents, allowing developers to add functionality to their own software and services. That means instead of visiting DoorDash’s app, developers could build their own tools for ordering food, groceries, or finding local lunch deals, among other things, or use those capabilities as building blocks that are combined with other tools.
DoorDash, too, has experimented with offering its service via iMessage and now has its own AI chatbot, “Ask DoorDash,” — offering two examples of how agentic commerce can work. It also exposes its service to AI chatbots, like OpenAI’s ChatGPT and Claude.
The company’s sign-up form for access to the new CLI tool includes a field asking developers what they would build, if allowed into the beta.
The launch has a bit of humor to it, as it recalls that old XKCD comic about programmers automating ridiculous tasks — like making a sandwich. In the comic, a programmer says “make me a sandwich,” and the other person responds, “What? Make it yourself,” so the programmer says “sudo make me a sandwich,” and the other person says “OK.” (It’s programming humor, okay?)
The attached video in the X post leans into the over-engineering angle, as it reads Slack, recalls memories, parses JSON, inspects menu structures, runs Python scripts, recovers from errors, and calculates totals, just to do something as simple as ordering three salads. As the task runs, the interface reads “Flibbertigibbeting,” making the whole thing even funnier.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
>
Tech
Period tracker Stardust shares users’ health data with analytics firm, says Mozilla research
“Your data is private. Period,” says period tracker Stardust on its website. As new research by Mozilla discovered, some users might find that claim to be a stretch.
According to Mozilla’s latest findings examining the privacy practices of period-tracking apps, Stardust was found to be sharing users’ sensitive health information with third-party analytics company RudderStack. This data included the user’s birthdate, birth control type, reproductive goals, and specific symptoms that the user was experiencing, and it tied that record to a unique identifier in place of the person’s name. (The FTC has long warned that this does not make the data anonymous or prevent it from being linked back to a person.)
Mozilla’s research underscores the security and privacy risks with using period tracking and other health apps that share data with third parties. Oftentimes this happens as background activity within the app, and isn’t visible to the user. It’s not uncommon for apps to share data with other services for storage, analytics, and payments, but sharing users’ information with third parties inherently carries risks, such as potential security lapses, data breaches, or having the data sought by law enforcement.
TechCrunch previously wrote about Stardust in 2022 after the app surged in downloads following the overturning of the constitutional right to seek an abortion in the United States. Stardust claimed it was end-to-end encrypted — meaning that not even the company could access its users’ data — but TechCrunch found by analyzing the app’s network traffic that the company’s claim was false.
Mozilla security researcher Shoshana Wodinsky used a similar technique of analyzing the network traffic of several period trackers, including Stardust, to understand how the apps collected and shared data (if at all) with third parties. Wodinsky found that Stardust was the only app out of the six tested that shared the user’s sensitive health data with another company.
As quoted by BBC News, a Stardust spokesperson said that RudderStack is “contractually prohibited from selling or using it for its own purposes.” As U.S.-based companies, both Stardust and RudderStack can still receive demands for users’ information from law enforcement for users’ health information that’s stored on their servers.
Stardust founder Rachel Moranis did not respond to TechCrunch’s request for comment on Thursday, or questions about whether the company has received demands for its users’ data. A spokesperson acknowledged receipt of an email but did not provide comment.
Of the six apps tested by Wodinsky, Mozilla recommended Euki as “squeaky clean,” as the app was not seen to be sharing any data with third parties with its core features, and the user’s health data did not leave their device.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
>
-
Fashion9 years ago
These ’90s fashion trends are making a comeback in 2017
-
Fashion9 years ago
According to Dior Couture, this taboo fashion accessory is back
-
Fashion9 years ago
Model Jocelyn Chew’s Instagram is the best vacation you’ve ever had
-
Fashion9 years ago
Your comprehensive guide to this fall’s biggest trends
-
Fashion9 years ago
A photo diary of the nightlife scene from LA To Ibiza
-
Fashion9 years ago
9 Celebrities who have spoken out about being photoshopped
-
Fashion9 years ago
Emily Ratajkowski channels back-to-school style
-
Tech3 months agoOpenAI CEO apologizes to Tumbler Ridge community