From Drone Leaks to AI Nudity: This Week in Cybersecurity & Privacy
This week, a trove of San Francisco Police Department drone footage was exposed online, highlighting the escalating stakes of urban surveillance. Simultaneously, the city intensified its fight against AI 'nudifying' apps, while revelations about **Meta**'s **NameTag** system sparked further privacy concerns. We also dive into critical breaches, a significant shift in Russian cyber warfare, and the ongoing debate around AI regulation.
### San Francisco Confronts Dual Surveillance and AI Threats
Hours of **San Francisco Police Department** drone video footage were found exposed on the open web, underscoring a new era of granular and consequential urban surveillance. The incident highlights the growing risks associated with widespread camera deployments and the potential for sensitive data exposure.
In a related development, the **San Francisco City Attorneyβs Office** issued cease-and-desist letters to **Apple** and **Google**. The demand calls for the tech giants to remove 13 AI nudifying βface-swapβ apps from their app stores, citing their almost exclusive use to target women and girls.
### Meta's NameTag: Clarifying the Face Recognition Debate
Following initial reports in June about **Meta**'s **NameTag** face-recognition system, company executives have offered conflicting statements regarding its existence. We've taken a closer look to present the claims versus the facts surrounding this very real system, which continues to raise significant privacy questions.
### Anthropic Pushes for Faster AI Regulation
As AI tools rapidly advance and their adoption expands, tech giant **Anthropic** is actively advocating for faster AI regulation at the state level in the US. Cesar Fernandez, Anthropic's head of US state and local government relations, emphasized the need for policy responses to match the rapid advancements in AI system capabilities, building on last year's transparency-focused safety bills in California and New York.
### Period Tracker Privacy Under Scrutiny
A **Mozilla Foundation** audit, conducted in partnership with **Harvard's Berkman Klein Center**, revealed alarming privacy practices among popular period tracking apps. The astrology-themed app **Stardust** scored a dismal 2 out of 10, found to be sharing sensitive reproductive health dataβincluding birth control type, pregnancy status, moods, and specific symptomsβwith an unnamed data firm and **Facebook** advertising identifiers. This data transfer occurred immediately upon app opening and symptom logging, without opt-out options.
In stark contrast, **Euki**, a nonprofit-run tracker, achieved a perfect 10. This app requires no account, keeps health data on the user's phone, and offers features like PIN protection, automatic data deletion, and a decoy screen. Its only minor vulnerability lies in an in-app browser that loads standard web trackers, though it resets identifiers between visits.
### Russia's FSB Sanctioned for Polish Grid Cyberattack
In a significant shift, **Russiaβs FSB** (Federal Security Service) has been sanctioned by the EU and UK, with an advisory from the **US Cybersecurity and Infrastructure Security Agency (CISA)**, the **FBI**, and the **NSA**, for a cyberattack against the Polish electric grid. This is a rare instance of the FSB, typically known for sophisticated cyberespionage, engaging in a disruptive attack that nearly caused outages in Poland's electric and water utilities. The attack was initially attributed to **Sandworm** (also known as Unit 74455 of the **GRU**), a more common suspect for infrastructure hacking. However, the **Polish computer emergency response team** disputed this, tying it to the FSBβa conclusion now broadly supported by Western governments. This incident suggests the FSB may be adopting the more aggressive tactics previously associated with the GRU.
### Alleged Russian State Hacker Had Ties to Kaspersky
Long-standing allegations of **Kaspersky**'s ties to the Russian government have been difficult to substantiate, despite the US government banning its products. Now, Reuters reports that **Denis Obrezko**, a Russian national facing hacking charges in Boston and an alleged member of the hacking group **Void Blizzard** (or **Laundry Bear**), worked at **Kaspersky** for two years. This stint occurred before he joined **Yutek-NN**, where he allegedly participated in a campaign that stole data and communications from multiple NATO governments and at least 11 US companies. Prior to **Kaspersky**, Obrezko also allegedly worked for the **FSB**, effectively sandwiching his time at the cybersecurity firm with intelligence service work. Obrezko has pleaded not guilty, and Kaspersky stated that the charged offenses are unrelated to his role or responsibilities during his employment.
### DHS Breach Initially Dismissed as False Positive
In an alarming incident for network security professionals, officials at the **Department of Homeland Security (DHS)** twice dismissed signs of a hacker breach in its **Homeland Security Information Network (HSIN)** platform as false positives. The **HSIN**, used for sharing unclassified yet highly sensitive data among state, local, federal, and international agencies, was indeed breached two months ago. Analysts at the **Federal Emergency Management Agency (FEMA)** first detected hacker activity in mid-Mayβincluding altering files, hijacking a web server, and deleting logsβbut these findings were initially dismissed. The hackers returned weeks later, were again detected, and again dismissed. The misjudgment may stem from the increasing challenge of detecting βliving off the landβ hacking techniques, which leverage legitimate network features rather than easily identifiable malware. Senator Mark Warner, vice chair of the Senate Intelligence Committee, emphasized that the exposure of even unclassified data from the HSIN poses national security risks.
### AI Music Generator Suno Exposed for Data Scraping and User Data
AI music startup **Suno** has been revealed to have scraped millions of songs, lyrics, and podcasts from **YouTube Music**, **Deezer**, **Genius**, and various stock-audio libraries to train its models. This information came to light after a hacker breached the company, exposing internal data. The intrusion also compromised account information for hundreds of thousands of customers, including emails, phone numbers, and **Stripe** payment records. Dataset notes from 2023 and 2024 reportedly show over 113,879 hours of **YouTube Music** audio scraped.