Transcript
David Shipley (0:00)
Criminal organizations are using ubiquitous technical surveillance to find and kill police informants. Hawaiian Airlines, second major North American airline hit with a cyber attack this month. Bluetooth flaws could let hackers spy through your microphone. And the U.S. Supreme Court upholds Texas porn ID law. This is Cybersecurity Today and I'm your host David Shipley. Let's get started. A stunning report by the U.S. Department of Justice's Office of the Inspector General has revealed an existential threat to the work of the FBI and other government agencies: so-called ubiquitous technical surveillance, or UTS. UTS refers to the global proliferation of Internet-connected cameras and the thriving trade in vast amounts of communications, travel and location data. In the report released late last week, it was revealed that a cybercriminal working for the Sinaloa drug cartel obtained an FBI official's phone records and used Mexico's surveillance cameras to track and kill the agency's informants in 2018. The incident was revealed in an audit of the FBI's efforts to mitigate the risks of UTS. The report details how the cartel operative identified an FBI assistant legal attache to the U.S. embassy in Mexico City. It showed how they were able to use the attache's phone number to obtain calls made and received, as well as geolocation data. The report said the operative used Mexico City's camera system to follow the FBI official throughout the city and identify people the official had met with. The cartel then used that information to intimidate and kill potential sources or cooperating witnesses. The collection of granular location data from people's phones has proven to be a double-edged sword for law enforcement and intelligence agencies. While they have benefited from UTS in their investigations, criminal organizations can also use those same tools to find and kill informants, a crucial resource that many complex investigations depend on.
The audit report said technological advances since 2018 have made it easier for less sophisticated nations and criminal enterprises to identify and exploit vulnerabilities. It's faster and easier for them now more than ever. This is an example of cybersecurity gaps in critical infrastructure and the risk unchecked data brokers pose in getting people hurt or killed. And it makes us all less safe. And this news comes after the assassination of former Minnesota House of Representatives Speaker Melissa Hortman and her husband Mark, with the discovery of a list of data brokers and instructions on how to use them found in the accused murderer's car. The assassin had earlier tried to kill Democratic State Senator John Hoffman and his wife Yvette in their home. John Hoffman was shot nine times and his wife eight times. Both are recovering. The Hortmans were buried on Saturday. The killer had disguised himself as a police officer, and a list of dozens of other potential targets was found by police, along with the names of 11 different data brokers. The list included notations about what services were free to use and how much information they required in order to obtain detailed data about the individuals being searched for, according to an FBI affidavit. Data brokers collect a vast amount of detailed information on all of us, including names, home addresses, phone numbers, as well as our relatives' names and home addresses, and publish that information online or trade it to other brokers. They typically require paid access, but anyone buying the data can do so without much, if any, vetting. Lawmakers from various states have worked on legislation to force data brokers to delete data on politicians and law enforcement officers. But everyone should have those same rights for the exact same physical safety: court officials, journalists, medical professionals, victims of intimate partner violence, members of targeted communities. The list goes on and on.
Privacy is a fundamental human right, and increasingly it's crucial for physical safety. Hawaiian Airlines warned Thursday night that some of its IT systems were disrupted by a cyber attack, although flight operations were not. They did not disclose the exact nature of the attack, but the language they used was typical of what you can find in a ransomware incident. As of Sunday afternoon, no further details on the Hawaiian attack have been provided. The attack comes a week after Canadian airline WestJet disclosed it had also been the victim of a cyber attack. As with the Hawaiian Airlines incident, flight operations thankfully were not compromised. WestJet has since not disclosed any further details on its cyber attack, which also looks likely to be ransomware. Friday night, the FBI said that the notorious threat actor Scattered Spider was observed targeting major airlines. Scattered Spider refers to a loose collective of mostly English-speaking teenage males who work with the international ransomware gangs. The group was most recently behind over $600 million in disruptions to the food and retail sector in the UK, and it has turned its attention to the insurance industry, hitting Aflac earlier this month. Scattered Spider has been on a tear since 2025 with successful attacks on Dior, the North Face, Cartier, Victoria's Secret, Adidas, Coca-Cola and United Natural Foods. The group gained notoriety for attacks on MGM and Caesars Palace. The key to Scattered Spider's success is their use of social engineering. They're prolific users of phishing by email, phone call and text message. They've used SIM swapping hijacks to defeat multi-factor authentication. They've also used MFA fatigue, also known as MFA bombing, to get targets to approve access. The group has also been known to use Attacker-in-the-Middle, or AITM, phishing kits like Evilginx to steal live user sessions.
All of these tactics have laid bare the mislabeling of MFA tools as being, quote unquote, phishing resistant. MFA tools are important. They help defeat brute force attacks up to 99% of the time. But a determined attacker, as shown, will find ways to defeat them if your people and processes aren't resilient as well. Scattered Spider has even gone so far as to social engineer domain registrars, to take control of an organization's DNS records, to hijack mail routing or MX records, to capture inbound emails, and to take over a business app environment like Google Workspace or Office 365. Their latest successes use targeted attacks on help desk processes. They gather information from public sources like LinkedIn, then use social engineering pressure tactics to convince help desk teams to reset privileged user access or grant new access. And there is no easy technical solution to threats like Scattered Spider. It takes a combination of technology controls, security culture and process change. If you want to make your organization resilient to Scattered Spider and other threat actors now copying their highly successful tactics, you need to change your help desk processes. You need to ensure that your help desk personnel are incentivized to challenge access requests efficiently, and stop measuring your help desk on access requests like it's a typical service request that should be solved as quickly as possible at the lowest level possible. And additionally, if anyone in your organization, regardless of title, gives your help desk any trouble or disrespect over a more rigorous process, those individuals need to be called out. That's how you create a more secure culture. That's how you build resiliency to Scattered Spider. We can now add another set of Bluetooth vulnerabilities to the long list of ways devices can be hacked and turned into convenient Internet of Things wiretaps.
More than two dozen audio devices from 10 vendors use the same Bluetooth chipset that can be hacked for eavesdropping. Researchers confirmed that 29 devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, JLab, EarisMax, MoerLabs and Teufel are affected. The list of impacted products includes speakers, earbuds, headphones, and wireless microphones. A chain of critical vulnerabilities can be leveraged to take over a targeted product. On some phones, an attacker within connection range may even be able to extract call history and contacts. These vulnerabilities were disclosed at the TROOPERS security conference by researchers at the cybersecurity company ERNW. They impact the Airoha system on a chip, which is used in true wireless stereo, or TWS, systems. The good news is that these vulnerabilities weren't remotely accessible over the Internet. They rely on close proximity within standard Bluetooth range, which is typically about 10 meters or 33 feet, though newer versions of Bluetooth can reach up to 240 meters or 800 feet. Factors such as walls and competing radio traffic have huge impacts on Bluetooth range. The vulnerabilities tied to this are CVE-2025-20700, which is a 6.7 on the severity score, or medium, missing authentication for GATT services; CVE-2025-20701, another 6.7 medium, missing authentication for Bluetooth BR/EDR; and CVE-2025-20702, a 7.5 or high severity score, critical capabilities of a custom protocol. While the vulnerabilities, as they were, were not remotely executable, the researchers did disclose that vulnerable device firmware could potentially have been rewritten to enable remote code execution that would have laid the groundwork for a wormable exploit capable of propagating across multiple devices. It's not a stretch to see how criminals could use a vulnerability like this to create a chain of infected devices across law enforcement, informants and others.
Or, as another example, how these kinds of vulnerabilities could be used to target politicians' devices to harvest conversations or to track them. Improving the security of the digital devices everyone depends on is vital to improve protection from all sorts of crimes, digital or very serious physical crime. Finally, a U.S. Supreme Court decision has upheld the legality of Texas's porn ID law. On Friday, in a 6-3 decision that could reshape online privacy and free speech in the United States, the Supreme Court upheld Texas's age verification law, which was one of the first of more than a dozen such laws since passed by other states. The law requires websites publishing pornographic content to check that all visitors are over 18. It has $10,000 fines per day for websites that are more than one third sexual material that don't have age verification in place, with additional penalties of up to $250,000. The law also forces such sites to display warnings about the health risks of pornography. The U.S. isn't the only country to try and pass such age verification laws. The UK did so years ago, only to delay and eventually abandon them in 2019. Since then, a wave of technology companies has emerged to sell age verification software. These methods can include, but aren't limited to, checking someone's identity against a government ID, providing banking details, or using face checking systems that can predict someone's age. The idea is to have third party companies, not necessarily the pornographic websites, do the checking. Privacy and civil liberties experts have noted that any collection of someone's access or use of pornographic material can have devastating consequences. Examples include the breach of adultery website Ashley Madison, which was linked to at least one suicide, and the risks for these services are real.
One major ID verification service used by TikTok, Uber, hospitality and banking services, called AU10tix or Authentic, suffered a data breach last year after it exposed administrative credentials online for more than a year. In Canada, Senate Bill S-209 also seeks to put similar age verification tools on pornographic websites. Now, last week the preliminary results of an age checking trial in Australia, which had passed recent laws to ban children under 16 from accessing social media, found such systems may not be effective as well. Virtual private networks, or VPNs, can be used to easily circumvent age-based verification requirements that are based on geography. In addition to the severe personal risk faced by individuals if identity verification services are breached, the presence of such controls may drive people to illegal websites that may attempt to infect their devices or could be used as part of criminal money laundering efforts. As always, stay skeptical and stay patched. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host David Shipley, sitting in for Jim Love. Thanks for listening.
