THE CITY OF New York has agreed to pay more than $13 million total to 1,380 people as part of a settlement of a class action related to the New York Police Department’s treatment of demonstrators during protests in 2020 sparked by the murder of George Floyd. Lawyers representing the protesters secured the settlement with the help of a tool that allowed them to comb terabytes of video footage from police body cams, helicopter surveillance, and social media taken during the protests. This quickly produced clear evidence of widespread patterns in police behavior, allowing lawyers to showcase a broad survey rather than focusing on a handful of anecdotes. The tool, developed by SITU Research, a design agency that focuses on protecting civil liberties, is now being used in legal battles around the world.
New findings from researchers in Germany this week underscore longstanding concerns that the cybersecurity defenses of orbiting satellites are woefully inadequate. The researchers found numerous critical vulnerabilities in three different satellite models, pointing to broader problems with satellite security.
Meanwhile, a bill to prevent US law enforcement and intelligence from buying Americans’ data instead of getting a warrant to collect it is gaining traction in Congress as political rivals come together to oppose surveillance overreach.
And there’s more. Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Microsoft revealed that a Chinese hacking group it calls Storm-0558 was able to access the email systems of US government agencies, potentially compromising hundreds of thousands of emails. Since then, details of the incident have started to emerge—including reports claiming that the email accounts of the US ambassador to China and other senior officials were breached. According to Microsoft and the US State Department, the attackers accessed the email accounts using a private signing key they had acquired and were using to generate access tokens for the accounts.
A new investigation by the cloud security firm Wiz, though, claims that the compromised key could have also been used to create access tokens for other Microsoft services including SharePoint, Teams, OneDrive, and third-party apps created by customers.
“All of Microsoft, all of Microsoft Office 365, all of Azure relies on authentication tokens. This is the fabric of the cloud,” says Wiz chief technology officer Ami Luttwak.
A Microsoft spokesperson told WIRED in a statement that “many of the claims made in this blog are speculative and not evidence-based,” but did not specify which claims.
“The methodology employed by Wiz to identify the broader scope of where the compromised key would be accepted looks very technically solid,” says Jake Williams, a former NSA hacker who now teaches at the Institute for Applied Network Security in Boston. “The research highlights that the scope of the compromised key is far broader than originally reported.”