
The end of warrantless searches?
A federal court finds the FBI’s warrantless section 702 searches unconstitutional. The DOJ charges five in a fake IT worker scheme. The Texas Attorney General expands his investigation into automakers’ data sharing. CISA highlights vulnerabilities in the aircraft collision avoidance system. Estonia will host Europe's new space cybersecurity testing ground. Hackers use hardware breakpoints to evade EDR detection. Subaru’s Starlink connected vehicle service exposed sensitive customer and vehicle data. Asian nations claim progress against criminal cyber-scam camps. Our guest today is Dr. Chris Pierson, Founder and CEO of BlackCloak, with his outlook on 2025. Sticking AI crawlers in the tar pit.
Today is Friday January 24th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A federal court finds the FBI’s warrantless section 702 searches unconstitutional.
A federal court has ruled the FBI’s warrantless searches of communications under Section 702 of the Foreign Intelligence Surveillance Act (FISA) unconstitutional, citing violations of the Fourth Amendment. Judge LaShann DeArcy Hall stated that Americans’ communications, even if incidentally collected during foreign surveillance, require a warrant to be searched unless there are urgent national security concerns. She criticized the FBI’s practice of querying such data without judicial oversight, noting that in some cases, the agency searched for months without seeking a warrant.
The ruling stops short of banning all warrantless searches but emphasizes the need for tighter controls. Digital rights groups like the EFF and ACLU have hailed the decision, urging Congress to reform Section 702 before it expires in April 2026. They advocate for a mandatory warrant requirement and increased transparency to prevent abuses. The ACLU called Section 702 “one of the most abused provisions of FISA,” citing widespread privacy violations.
The DOJ charges five in a fake IT worker scheme.
The U.S. Department of Justice charged five individuals for participating in a scheme involving North Korean IT workers funneling funds to the Pyongyang regime. North Korean nationals Jin Sung-Il and Pak Jin-Song, along with facilitators Erick Ntekereze Prince, Emanuel Ashtor (both U.S. citizens), and Mexican national Pedro Ernesto Alonso De Los Reyes, allegedly generated over $866,000 by obtaining work from 64 U.S. companies between 2018 and 2024.
Using forged documents and remote access setups, they concealed the North Koreans’ identities, bypassing sanctions and deceiving employers. Funds were laundered through various accounts, including a Chinese bank. Ashtor, Ntekereze, and Alonso have been arrested, with an FBI search revealing a “laptop farm” aiding the scheme.
The indictment highlights North Korea’s widespread use of IT workers abroad to generate revenue through fake identities, prompting renewed scrutiny and recent sanctions by the U.S. government.
The Texas Attorney General expands his investigation into automakers’ data sharing.
The Texas Attorney General is investigating Ford, Hyundai, Toyota, and Fiat Chrysler over their collection and sale of consumer data, expanding scrutiny on automakers’ data practices. This follows a lawsuit against General Motors in August for allegedly misleading consumers about data collection and sharing it with third parties.
Texas AG Ken Paxton’s office has demanded detailed records from the automakers, including how they collect, share, and sell data, the number of customers affected, and consent procedures. Toyota’s inquiry also targets its data-sharing practices with Connected Analytic Services, linked to its insurance programs.
Paxton’s broader efforts include a January lawsuit against Allstate for collecting and selling location data from millions of Americans, implicating several automakers. Privacy experts say the entire auto industry is under scrutiny for practices related to geolocation and driving data, signaling ongoing investigations into potential violations.
CISA highlights vulnerabilities in the aircraft collision avoidance system.
The Cybersecurity and Infrastructure Security Agency (CISA) disclosed two vulnerabilities in the Traffic Alert and Collision Avoidance System II (TCAS II), used to prevent aircraft collisions. The first flaw (CVE-2024-9310, CVSS 6.0) allows attackers to spoof aircraft locations using software-defined radios, while the second (CVE-2024-11166, CVSS 7.1) enables manipulation of system configurations, potentially disabling collision resolution advisories. While exploitation is deemed unlikely outside labs, CISA recommends upgrading to ACAS X or compliant transponders to mitigate risks.
Estonia will host Europe's new space cybersecurity testing ground.
Estonia is set to host Europe's new space cybersecurity testing ground. For details, we turn to Maria Varmazis, host of N2K’s T-Minus daily space podcast.
Be sure to check out T-Minus wherever you get your favorite podcasts.
Hackers use hardware breakpoints to evade EDR detection.
Modern Endpoint Detection and Response (EDR) solutions depend on Event Tracing for Windows (ETW) to log system activities like memory allocation, thread manipulation, and hardware breakpoints. These logs help detect malicious activities in real time. However, according to research from Praetorian, attackers are increasingly exploiting ETW’s reliance on event triggers to evade detection.
A common evasion method involves hardware breakpoints, which use CPU debug registers (Dr0–Dr7) to monitor memory addresses or instructions. Unlike software breakpoints, hardware breakpoints operate at the CPU level and are harder to detect. Attackers exploit functions like NtContinue to modify debug registers without generating ETW logs. This technique avoids detection by EDR systems, enabling covert manipulations like altering AmsiScanBuffer or NtTraceEvent functions.
To counter this, security teams can monitor debug registers, enhance API tracking, and leverage machine learning for behavioral anomaly detection. These advanced defenses address critical gaps in current EDR architectures.
Subaru’s Starlink connected vehicle service exposed sensitive customer and vehicle data.
Security researcher Sam Curry discovered a vulnerability in Subaru’s Starlink connected vehicle service that exposed sensitive customer and vehicle data across the US, Canada, and Japan. Along with researcher Shubham Shah, Curry found that Subaru’s admin portal, meant only for employees, allowed attackers to reset passwords for employee accounts without needing confirmation tokens. By bypassing two-factor authentication, they gained admin access.
This access exposed vehicle and customer data, including location history, VIN numbers, names, ZIP codes, and billing information. Alarmingly, the admin panel allowed attackers to add themselves as authorized users of vehicles, enabling them to remotely start, stop, lock, unlock, and effectively take control of vehicles without notifying the owners.
Curry reported the flaw to Subaru on November 20, 2024, and the issue was fixed within 24 hours.
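The flaw described above, a password reset that needs no confirmation token, shown beside a reset that demands a single-use, expiring token bound to the account. This is an added illustration, not Subaru's code; every name, store and function in it is hypothetical.

```python
# Added illustration (not Subaru's code): a reset flow that changes any known
# account's password on request, beside a hardened flow requiring a single-use,
# expiring confirmation token bound to the account. Names and stores are hypothetical.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600

def _hash_pw(password):
    # Placeholder for the demo; a real system uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {"alice": _hash_pw("old-password")}   # constructed: username -> hash
PENDING = {}                                  # sha256(token) -> (user, expiry)

def verify_password(username, password):
    return hmac.compare_digest(USERS.get(username, ""), _hash_pw(password))

def vulnerable_reset(username, new_password):
    """Weak: knowing a username is enough to take over the account."""
    if username not in USERS:
        return False
    USERS[username] = _hash_pw(new_password)
    return True

def request_reset(username, now=None):
    """Issue a random token; store only its digest so a leaked table can't be replayed."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL_SECONDS)
    return token

def hardened_reset(username, token, new_password, now=None):
    """Require a valid, unexpired, single-use token bound to this user."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:  # unknown token, or already consumed (single use)
        return False
    owner, expiry = entry
    if now > expiry or not hmac.compare_digest(owner, username):
        return False
    USERS[username] = _hash_pw(new_password)
    return True
```

The `now` parameter exists only so expiry can be exercised deterministically; a deployed service would use the clock and tie the token to a verified e-mail or second factor as well.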
Asian nations claim progress against criminal cyber-scam camps.
The Lancang-Mekong law enforcement cooperation (LMLEC), formed by Cambodia, Laos, Myanmar, Thailand, Vietnam, and China, has made progress in combating criminal cyber-scam camps in the region. These camps lure workers with fake job offers, then trap them in debt, confiscate passports, and force them into scams under threats of violence. Victims often work under brutal conditions, with some dying during escape attempts.
The camps, often located in poorly policed border areas, target global victims through tech support scams or fraudulent investment schemes. China, with 100,000 of its citizens reportedly enslaved, has been a driving force behind LMLEC’s efforts. In 2024, LMLEC reported 70,000 arrests, freeing 160 people, and disrupting weapons smuggling linked to the camps.
While the group pledges deeper cooperation and intelligence sharing, critics note these promises have been made before, yet many camps remain operational.
Coming up after the break, our friend and BlackCloak’s CEO Dr. Chris Pierson joins me to share trends he sees coming our way in 2025. And, an open source “tar pit” to indefinitely trap AI training web crawlers. We’ll be right back.
Welcome back.
Sticking AI crawlers in the tar pit.
And finally, a coder with a flair for mischief and a knack for naming has unleashed Nepenthes, an open-source “tar pit” designed to trap AI training web crawlers in an infinite loop of randomly generated, self-referential web pages. Named after carnivorous pitcher plants, Nepenthes doesn’t just catch flies—it strands crawlers in an endless maze, wasting their time and computing power like a bad episode of Westworld.
“Imagine a minotaur in a labyrinth that keeps rebuilding itself,” creator Aaron B explained. Web crawlers, which naïvely follow links, get stuck in Nepenthes’ loop, downloading link after link that leads back to… more links. It’s hilariously Sisyphean.
Aaron describes Nepenthes as part defense mechanism, part performance art, fueled by frustration over AI companies scraping the internet for profit. Deployed “defensively” or “offensively,” it’s already been hit millions of times—who knew the secret to fighting AI overlords was less Terminator, more carnivorous plant?
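A minimal sketch of the mechanism the story describes, added here and not taken from Nepenthes: each page is generated deterministically from its own URL and links only to paths no crawler has seen before, and a naive crawler simulation shows the link frontier growing faster than it drains. The vocabulary, page layout and function names are assumptions.

```python
# Added illustration of the tar-pit idea (not Nepenthes' own code): each path
# deterministically yields a page whose links all lead to never-before-served
# paths, so a link-following crawler's frontier grows without bound. The
# vocabulary and page shape are constructed for the demo.
import hashlib
import random

WORDS = ["pitcher", "plant", "labyrinth", "minotaur", "crawler", "loop",
         "index", "archive", "page", "node"]


def render_page(path, links_per_page=5, sentences=3):
    """Return (html, child_paths); the same path always yields the same page."""
    seed = int.from_bytes(hashlib.sha256(path.encode()).digest()[:8], "big")
    rng = random.Random(seed)  # seeded per path: no state to store server-side
    # Children extend their parent's path, so no page ever links back upward.
    children = [f"{path.rstrip('/')}/{rng.choice(WORDS)}-{rng.randrange(10**6)}"
                for _ in range(links_per_page)]
    body = " ".join(" ".join(rng.choice(WORDS) for _ in range(8)).capitalize() + "."
                    for _ in range(sentences))
    links = "".join(f'<a href="{c}">{c}</a>' for c in children)
    return f"<html><body><p>{body}</p>{links}</body></html>", children


def simulate_crawler(start="/", budget=100):
    """Naive breadth-first crawler; returns (pages_fetched, links_still_queued)."""
    seen, queue, fetched = set(), [start], 0
    while queue and fetched < budget:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        fetched += 1
        _, children = render_page(path)
        queue.extend(c for c in children if c not in seen)
    return fetched, len(queue)
```

Because every fetch removes one queued link and adds five fresh ones, the crawler's backlog grows by about four per page; a real deployment would also serve the pages slowly, which is where the time-wasting comes from.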
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.