ReportWire

Tag: Cybersecurity

  • AT&T says hackers stole call and text data from nearly all customers

    A security breach in 2022 compromised the data of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators using AT&T’s wireless network, as well as landline customers who interacted with those cellular numbers.

    A company investigation determined that compromised data includes files containing AT&T records of calls and texts between May 1, 2022, and Oct. 31, 2022.

    AT&T has more than 100 million customers in the U.S. and almost 2.5 million business accounts.

    The company said Friday that it has launched an investigation and engaged with cybersecurity experts to understand the nature and scope of the criminal activity.

    “The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” AT&T said Friday.

    The compromised data also doesn’t include some information typically seen in usage details, such as the time stamp of calls or texts, the company said. The data doesn’t include customer names, but AT&T said that there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.

    AT&T said that it currently doesn’t believe that the data is publicly available.

    The compromised data also includes records from Jan. 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included.

    The company said it continues to cooperate with law enforcement on the incident and that it understands that at least one person has been apprehended so far.

    Shares of AT&T Inc., based in Dallas, fell more than 2% before the markets opened on Friday.

    Michelle Chapman | The Associated Press

  • Save $60 on This Travel VPN Router Now | Entrepreneur

    Disclosure: Our goal is to feature products and services that we think you’ll find interesting and useful. If you purchase them, Entrepreneur may get a small share of the revenue from the sale from our commerce partners.

    TL;DR: Keep your personal and business data secure while traveling with the Deeper Connect Air Portable VPN Travel Router, now $60 off when you use promo code CONNECT.

    Every entrepreneur has a host of important data that they don’t want falling into the wrong hands. When you connect to public Wi-Fi, you put that data at least a little at risk. So, when you’re traveling and connecting to Wi-Fi at the airport, on the plane, and at the hotel, it’s important to give yourself the protection you need. With the Deeper Connect Air Portable VPN Travel Router, you’ll be covered, and you can get it on sale during our version of Prime Day.

    This plug-and-play security solution is fully loaded with a Decentralized VPN (DPN), ad blocker, and cybersecurity features to keep your device and data safe without any subscription fees. When you plug it in, you’ll connect to a decentralized, military-grade encrypted network that lets you access your work files and bypass geographic restrictions no matter where you are in the world.

    The travel router can connect to more than 80,000 nodes worldwide, allowing you to reach speeds of up to 300Mbps when connected to a powerful enough network. The intelligent software switches nodes automatically according to your internet usage to optimize speeds and always blocks ads—even YouTube ones. It’s also set up to support more than 80 Web3 features.

    Whether you’re a remote worker getting online at a coffee shop or traveling abroad and need safe internet access, this travel router has you covered.

    Enjoy a better, safer internet experience while traveling or working remotely.

    For a limited time only, you can get the Deeper Connect Air Portable VPN Travel Router for $159 (reg. $219) when you use the promo code CONNECT.

    StackSocial prices subject to change.

    Entrepreneur Store

  • Hackers Leaking Taylor Swift Tickets? Don’t Get Your Hopes Up

    Proton, the company behind Proton Mail, launched an end-to-end encrypted alternative to Google Docs, seeking to compete with the cloud giant on privacy. We broke down how Apple is taking a similar approach with its implementation of AI, using a system it calls Private Cloud Compute in its new Apple Intelligence features.

    In other news, we dug into how the US bans on TikTok and Kaspersky software, despite their national security justifications, pose a threat to internet freedom. We went inside a crash course for US diplomats on cybersecurity, privacy, surveillance, and other digital threats. And we published an in-depth investigation into the origins of the world’s most popular 3D-printed gun, which revealed that its creator was a self-described “incel” with fantasies of right-wing terror.

    But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

    The giant hack against Ticketmaster may have taken another twist. In June, criminal hackers claimed they had stolen 560 million people’s information from the ticketing company owned by Live Nation. The company has since confirmed a breach, saying its information was taken from its Snowflake account. (More than 165 Snowflake customers were impacted by attacks on the cloud storage company that exploited a lack of multi-factor authentication and stolen login details).

    Now in a post on cybercrime marketplace BreachForums, a hacker going by the name of Sp1d3rHunters is threatening to publish more data from Ticketmaster. The account claims to be sharing 170,000 ticket barcodes for upcoming Taylor Swift gigs in the US during October and November. The hacker demanded Ticketmaster “pay us $2million USD” or it will leak “680 million” users’ information and publish millions more event barcodes, including for concerts by artists such as Pink and Sting, and sporting events such as NFL games and F1 races.

    The claims appear to be dubious, however, as Ticketmaster’s barcodes aren’t static, according to the company. “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” a Ticketmaster spokesperson tells WIRED in a statement. The spokesperson adds that the company has not paid any ransom or engaged with the hackers’ demands.

    Hacker groups are known to lie, exaggerate, and overinflate their claims as they try to get victims to pay. The 680 million customers that Sp1d3rHunters claimed to have data on is higher than the original figure provided when the Ticketmaster breach was first claimed, and neither number has been confirmed. Even if victims do decide to pay, hackers can still keep the data and try to extort companies for a second time.

    Despite the breach at Ticketmaster originally being publicized in June, the company has only recently begun emailing customers alerting them to the incident, which happened between April 2 and May 18 this year. The company says the database accessed may include emails, phone numbers, encrypted credit card information, and other personal information.

    In recent years, there’s been a sharp uptick in cybercriminals deploying infostealers. This malware can grab all of the login and financial details that someone enters on their machine, which hackers then sell to others who want to exploit the information.

    Cybersecurity researchers at Recorded Future have now published proof-of-concept findings showing these stolen login details can be used to potentially track down people visiting dark-web child sexual abuse material (CSAM) sites. Within infostealer logs, the researchers say they were able to find thousands of login details for known CSAM websites, which they could then cross-reference with other details and identify the potential real-world names connected to the abusive website logins. The researchers reported details of individuals to law enforcement.

    Matt Burgess, Andy Greenberg

  • OpenAI hit by two big security issues this week

    OpenAI seems to make headlines every day and this time it’s for a double dose of security concerns. The first issue centers on the Mac app for ChatGPT, while the second hints at broader concerns about how the company is handling its cybersecurity.

    Earlier this week, engineer and Swift developer Pedro José Pereira Vieito the Mac ChatGPT app and found that it was storing user conversations locally in plain text rather than encrypting them. The app is only available from OpenAI’s website, and since it’s not available on the App Store, it doesn’t have to follow Apple’s sandboxing requirements. Vieito’s work was then covered by and after the exploit attracted attention, OpenAI released an update that added encryption to locally stored chats.

    For the non-developers out there, sandboxing is a security practice that keeps potential vulnerabilities and failures from spreading from one application to others on a machine. And for non-security experts, storing local files in plain text means potentially sensitive data can be easily viewed by other apps or malware.

    The second issue occurred in 2023 with consequences that have had a ripple effect continuing today. Last spring, a hacker was able to obtain information about OpenAI after illicitly accessing the company’s internal messaging systems. reported that OpenAI technical program manager Leopold Aschenbrenner raised security concerns with the company’s board of directors, arguing that the hack implied internal vulnerabilities that foreign adversaries could take advantage of.

    Aschenbrenner now says he was fired for disclosing information about OpenAI and for surfacing concerns about the company’s security. A representative from OpenAI told The Times that “while we share his commitment to building safe A.G.I., we disagree with many of the claims he has since made about our work” and added that his exit was not the result of whistleblowing.

    App vulnerabilities are something that every tech company has experienced. Breaches by hackers are also depressingly common, as are contentious relationships between whistleblowers and their former employers. However, between how broadly ChatGPT has been adopted into services and how chaotic the company’s , and have been, these recent issues are beginning to paint a more worrying picture about whether OpenAI can manage its data.

    Anna Washenko

  • The Tech Crash Course That Trains US Diplomats to Spot Threats

    By the time the Senate unanimously confirmed Nate Fick to be America’s cyber ambassador in September 2022, tech diplomacy headaches were impossible to ignore, and Fick quickly tasked his team with creating a modern training program and embedding it in the FSI’s regular curriculum.

    “He understood that we needed to do more and better in terms of preparing our people in the field,” Hop says.

    The training program fit neatly into secretary of state Antony Blinken’s vision of an American diplomatic corps fully versed in modern challenges and nimble enough to confront them. “Elevating our tech diplomacy” is one of Blinken’s “core priorities,” Fick says.

    As they developed a curriculum, Fick and his aides had several big goals for the new training program.

    The first priority was to make sure diplomats understood what was at stake as the US and its rivals compete for global preeminence on tech issues. “Authoritarian states and other actors have used cyber and digital tools to threaten national security, international peace and security, economic prosperity, [and] the exercise of human rights,” says Kathryn Fitrell, a senior cyber policy adviser at State who helps run the course.

    Equally critical was preparing diplomats to promote the US tech agenda from their embassies and provide detailed reports back to Washington on how their host governments were approaching these issues.

    “It’s important to us that tech expertise [in] the department not sit at headquarters alone,” Fick says, “but instead that we have people everywhere—at all our posts around the world, where the real work gets done—who are equipped with the tools that they need to make decisions with a fair degree of autonomy.”

    Foreign Service officers are America’s eyes and ears on the ground in foreign countries, studying the landscape and alerting their bosses back home to risks and opportunities. They are also the US government’s most direct and regular interlocutors with representatives of other nations, forming personal bonds with local officials that can sometimes make the difference between unity and discord.

    When these diplomats need to discuss the US tech agenda, they can’t just read monotonously off a piece of paper. They need to actually understand the positions they’re presenting and be prepared to answer questions about them.

    “You can’t be calling back to someone in Washington every time there’s a cyber question,” says Sherman.

    But some issues will still require help from experts at headquarters, so Fick and his team also wanted to use the course to deepen their ties with diplomats and give them friendly points of contact at the cyber bureau. “We want to be able to support officers in the field as they confront these issues,” says Melanie Kaplan, a member of Fick’s team who took the class and now helps run it.

    Inside the Classroom

    After months of research, planning, and scheduling, Fick’s team launched the Cyberspace and Digital Policy Tradecraft course at the Foreign Service Institute with a test run in November 2022. Since then, FSI has taught the class six more times—once in London for European diplomats, once in Morocco for diplomats in the Middle East and Africa, and four times in Arlington—and trained 180 diplomats.

    The program begins with four hours of “pre-work” to prepare students for the lessons ahead. Students must document that they’ve completed the pre-work—which includes experimenting with generative AI—before taking the class. “That has really put us light-years ahead in ensuring that no one is lost on day one,” Hop says.

    Eric Geller

  • Cryptographers Are Discovering New Rules for Quantum Encryption

    The original version of this story appeared in Quanta Magazine.

    Say you want to send a private message, cast a secret vote, or sign a document securely. If you do any of these tasks on a computer, you’re relying on encryption to keep your data safe. That encryption needs to withstand attacks from code breakers with their own computers, so modern encryption methods rely on assumptions about what mathematical problems are hard for computers to solve.

    But as cryptographers laid the mathematical foundations for this approach to information security in the 1980s, a few researchers discovered that computational hardness wasn’t the only way to safeguard secrets. Quantum theory, originally developed to understand the physics of atoms, turned out to have deep connections to information and cryptography. Researchers found ways to base the security of a few specific cryptographic tasks directly on the laws of physics. But these tasks were strange outliers—for all others, there seemed to be no alternative to the classical computational approach.

    By the end of the millennium, quantum cryptography researchers thought that was the end of the story. But in just the past few years, the field has undergone another seismic shift.

    “There’s been this rearrangement of what we believe is possible with quantum cryptography,” said Henry Yuen, a quantum information theorist at Columbia University.

    In a string of recent papers, researchers have shown that most cryptographic tasks could still be accomplished securely even in hypothetical worlds where practically all computation is easy. All that matters is the difficulty of a special computational problem about quantum theory itself.

    “The assumptions you need can be way, way, way weaker,” said Fermi Ma, a quantum cryptographer at the Simons Institute for the Theory of Computing in Berkeley, California. “This is giving us new insights into computational hardness itself.”

    This Message Will Self-Destruct

    The story begins in the late 1960s, when a physics graduate student named Stephen Wiesner started thinking about the destructive nature of measurement in quantum theory. Measure any system governed by the rules of quantum physics, and you’ll alter the quantum state that mathematically describes its configuration. This quantum measurement disturbance was a hindrance for most physicists. Wiesner, who took an unorthodox information-centric view of quantum theory, wondered whether it could be made useful. Perhaps it could serve as a form of built-in tamper protection for sensitive data.

    But Wiesner’s ideas were too far ahead of their time, and he left academia after graduate school. Fortunately, he’d discussed his ideas with his friend and fellow physicist Charles Bennett, who unsuccessfully tried to interest others in the subject for a decade. Finally, in 1979, Bennett met the computer scientist Gilles Brassard while swimming off the coast of Puerto Rico during a conference. Together, they wrote a groundbreaking paper describing a new approach to an important cryptographic task. Their protocol was based on quantum measurement disturbance, and needed no assumptions about the difficulty of any computational problems.

    Ben Brubaker

  • The US Wants to Integrate the Commercial Space Industry With Its Military to Prevent Cyber Attacks

    THIS ARTICLE IS republished from The Conversation under a Creative Commons license.

    The US military recently launched a groundbreaking initiative to strengthen ties with the commercial space industry. The aim is to integrate commercial equipment into military space operations, including satellites and other hardware. This would enhance cybersecurity for military satellites.

    As space becomes more important to the world’s critical infrastructure, the risk increases that hostile nation-states will deploy cyberattacks on important satellites and other space infrastructure. Targets would include not just spy satellites or military communications satellites, but commercial spacecraft too.

    The US Department of Defense believes its new partnership, called Commercial Augmentation Space Reserve (CASR), would enhance US national security and the country’s competitive advantage in space. It would go some way beyond the relationship between government and private contractor that already exists.

    In some cases, the commercial sector has advanced rapidly beyond government capabilities. This situation exists in numerous countries with a space capability and may apply in certain areas in the US too.

    The governments of some nation-states are therefore confronted with a choice. They could utilize bespoke systems for protecting their satellites, even though these may be outdated, or they could use other commercial—and potentially more advanced—“off-the-shelf” components. However, the commercial hardware may be less well understood in terms of its vulnerabilities to cyberattacks.

    Nevertheless, the US military believes that CASR will give it advanced strategic capabilities, and that potential risks can be minimized by actively avoiding overreliance on any single commercial entity.

    The supply chain aims to transition the US military from a restricted pool of commercial suppliers to a broader spectrum of partners. However, there are risks with a bigger pool of commercial suppliers too. Some might be unable to meet the demands of military contracts, could run into financial instability, or encounter other pressures that hinder their ability to supply critical components.

    New Priorities

    In 2022 there was a cyberattack on the KA-Sat consumer satellite broadband service. It targeted the satellites delivering the broadband and disrupted the service.

    There are many ways to attack another state’s satellites, such as anti-satellite (ASAT) weapons, which are often designed to physically destroy or disable the spacecraft. However, compared to ASATs, cyberattacks can be carried out in ways that are cheaper, quicker, and more difficult to trace.

    Part of the critical need to prioritize cybersecurity as a result of this strategy is that the US is an attractive market for global players in space. This strategic shift by the US Department of Defense is therefore likely to encourage more global companies to participate.

    Resilience to cyberattacks in the space industry has not always been a top priority. It is likely to take time for this to enter the thinking of major players in the space sector.

    This historical lack of emphasis on cybersecurity in space highlights an obvious need. There are also inconsistencies and gaps regarding the basic cyber requirements for government and industry, which vary depending on the stance of each nation-state.

    Sharon Lemac-Vincere

  • US Bans Kaspersky Software

    The Russian cybersecurity software firm Kaspersky’s days of operating in the United States are now officially numbered.

    The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.

    “When you think about national security, you may think about guns and tanks and missiles,” Commerce secretary Gina Raimondo told reporters during a briefing Thursday. “But the truth is, increasingly, it’s about technology, and it’s about dual-use technology, and it’s about data.”

    The US conducted an “extremely thorough” investigation of Kaspersky and explored “every option” to mitigate its risks, Raimondo said, but officials settled on a full ban “given the Russian government’s continued offensive cyber capabilities and capacity to influence Kaspersky’s operations.”

    The Kaspersky ban represents the latest rift in relations between the US and Russia as the latter country remains locked in a brutal war with Ukraine and takes other steps to threaten Western democracies, including testing a nuclear-powered anti-satellite weapon and forming a strategic alliance with North Korea. But the ban could also immediately complicate business operations for American companies using Kaspersky software, which will lose up-to-date antivirus definitions critical for blocking malware in only three months.

    The Biden administration knows roughly how many customers Kaspersky has in the US, but government lawyers have determined that this information is proprietary business data and cannot be published, according to a Commerce Department official, who briefed reporters on the condition of anonymity to discuss a sensitive matter. The official did say the “significant number” of US customers includes state and local governments and organizations that supply critical infrastructure such as telecommunications, power, and health care.

    Raimondo had a message for Kaspersky’s US customers on Thursday: “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

    Commerce will work with the departments of Homeland Security and Justice to “get this message out” and “ensure a smooth transition,” including through a website explaining the ban, Raimondo said. “We certainly don’t want to disrupt the business or families of any Americans.”

    DHS’s Cybersecurity and Infrastructure Security Agency will contact critical infrastructure organizations that use Kaspersky to brief them on the alleged national security risks and “help them identify alternatives,” the Commerce Department official said.

    Kaspersky has consistently denied being a national security risk or an agent of the Kremlin. In a statement to WIRED, the company accused the government of having “made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.”

    Eric Geller

  • Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake

    It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

    EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

    The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

    “Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor’s laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

    The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

    This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

    Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to [make the] default MFA,” he says.

    Kim Zetter

  • Bangladeshi police agents accused of selling citizens’ personal information on Telegram | TechCrunch

    Two senior officials working for anti-terror police in Bangladesh allegedly collected and sold classified and personal information of citizens to criminals on Telegram, TechCrunch has learned. 

    The data allegedly sold included national identity details of citizens, cell phone call records and other “classified secret information,” according to a letter signed by a senior Bangladeshi intelligence official, seen by TechCrunch.

    The letter, dated April 28, was written by Brigadier General Mohammad Baker, who serves as a director of Bangladesh’s National Telecommunications Monitoring Center, or NTMC, the country’s electronic eavesdropping agency. Baker confirmed the legitimacy of the letter and its contents in an interview with TechCrunch. 

    “Departmental investigation is ongoing for both the cases,” Baker said in an online chat, adding that the Bangladeshi Ministry of Home Affairs ordered the affected police organizations to take “necessary action against those officers.” 

    The letter, which was originally written in Bengali and addressed to the senior secretary of the Ministry of Home Affairs Public Security Division, alleges the two police agents accessed and passed “extremely sensitive information” of private citizens on Telegram in exchange for money.

    According to the letter, the police agents were caught after investigators analyzed logs of the NTMC’s systems and how often the two accessed it.

    The letter reveals the identity of the officials. One of the accused is a police superintendent serving with the Anti-Terrorism Unit (ATU). The other is an assistant police superintendent deputy at the Rapid Action Battalion, also known as RAB 6, a controversial paramilitary unit that the U.S. government sanctioned in 2021 over allegations that the unit is linked to hundreds of disappearances and extrajudicial killings. TechCrunch is not naming the two people who were accused as it’s unclear if they have been charged under the country’s legal system.

    The NTMC is a government intelligence agency established under Bangladesh’s Ministry of Home Affairs. The agency’s core task is to monitor all telecommunications traffic and intercept phone and web communications to detect and prevent threats to national security. 

    Organizations like Human Rights Watch and Freedom House have criticized the NTMC for lacking safeguards against abuses, both against free speech as well as privacy. Over the years, NTMC procured sophisticated technology from companies in Israel, which Bangladesh does not officially recognize, as well as other Western countries, to conduct mass surveillance largely on opposition party members, journalists, civil society members and activists.  

    As part of its mission, the NTMC runs the National Intelligence Platform, or NIP, an internal government web portal that holds classified citizen information, like national identification details, cell phone registration and cell data records, criminal profiles and other information. 

    Various law enforcement and intelligence agencies have user accounts on the NIP portal provided by the NTMC. 

    NTMC’s own investigation concluded that the agents used the NIP platform more frequently than others, and accessed and collected information that was not relevant to them.

    “Considering the context, such irrelevant access and unlawful handover of extremely sensitive classified data should be investigated to identify everyone involved in this and we also request for appropriate action against all those identified/involved,” the letter read.  

    Baker told TechCrunch that there were a “number of Telegram channels,” adding that one of them was called BD CYBER GANG.

    TechCrunch could not identify the specific channel on Telegram. 


    Baker told TechCrunch that it appears that the two agents sent the information to the administrator of at least one Telegram group, who then attempted to sell it. 

    Baker said that the two agents have been notified of the investigation. 

    Because of the investigation, all NIP users from ATU and RAB 6 have had their access suspended “until the involved officials are identified, and proper action is taken,” according to the letter.

    Baker confirmed the suspended access, saying that if agents “need any information for investigation purposes they can collect through Police and RAB HQ.”

    Spokespeople for Bangladesh’s Ministry of Home Affairs and ATU did not respond to multiple requests for comment. A person identifying only as an “operations officer” at RAB 6 told TechCrunch that the agency had no comment. 

    Last year, a security researcher found that the NTMC was leaking people’s personal information on an unsecured server. The leaked data included real-world names, phone numbers, email addresses, locations and exam results, according to Wired. Another Bangladeshi government agency, the Office of the Registrar General, Birth & Death Registration, also leaked citizens’ sensitive data last year, as TechCrunch reported at the time.

    In both cases, the leaks were found by Viktor Markopoulos, a researcher who works at Bitcrack Cyber Security. 

    While those were significant cases of data exposure, this incident allegedly involving the ATU and RAB 6 agents is potentially more damaging, given that the agents allegedly sold information online in an attempt to profit from their privileged access to classified personal information.  

    Although the incident is under investigation, a well-placed source within the government told TechCrunch that there are still officials who are offering to sell citizens’ data.

    Lorenzo Franceschi-Bicchierai

    Source link

  • Microsoft’s Recall Feature Is Even More Hackable Than You Thought

    Microsoft’s Recall Feature Is Even More Hackable Than You Thought

    Microsoft’s CEO Satya Nadella has hailed the company’s new Recall feature, which stores a history of your computer desktop and makes it available to AI for analysis, as “photographic memory” for your PC. Within the cybersecurity community, meanwhile, the notion of a tool that silently takes a screenshot of your desktop every five seconds has been hailed as a hacker’s dream come true and the worst product idea in recent memory.

    Now, security researchers have pointed out that even the one remaining security safeguard meant to protect that feature from exploitation can be trivially defeated.

    Since Recall was first announced last month, the cybersecurity world has pointed out that if a hacker can install malicious software to gain a foothold on a target machine with the feature enabled, they can quickly gain access to the user’s entire history stored by the function. The only barrier, it seemed, to that high-resolution view of a victim’s entire life at the keyboard was that accessing Recall’s data required administrator privileges on a user’s machine. That meant malware without that higher-level privilege would trigger a permission pop-up, allowing users to prevent access, and that malware would also likely be blocked by default from accessing the data on most corporate machines.

    Then on Wednesday, James Forshaw, a researcher with Google’s Project Zero vulnerability research team, published an update to a blog post pointing out that he had found methods for accessing Recall data without administrator privileges—essentially stripping away even that last fig leaf of protection. “No admin required ;-)” the post concluded.

    “Damn,” Forshaw added on Mastodon. “I really thought the Recall database security would at least be, you know, secure.”

    Forshaw’s blog post described two different techniques to bypass the administrator privilege requirement, both of which exploit ways of defeating a basic security function in Windows known as access control lists that determine which elements on a computer require which privileges to read and alter. One of Forshaw’s methods exploits an exception to those control lists, temporarily impersonating a program on Windows machines called AIXHost.exe that can access even restricted databases. Another is even simpler: Forshaw points out that because the Recall data stored on a machine is considered to belong to the user, a hacker with the same privileges as the user could simply rewrite the access control lists on a target machine to grant themselves access to the full database.

    That second, simpler bypass technique “is just mindblowing, to be honest,” says Alex Hagenah, a cybersecurity strategist and ethical hacker. Hagenah recently built a proof-of-concept hacker tool called TotalRecall designed to show that someone who gained access to a victim’s machine with Recall could immediately siphon out all the user’s history recorded by the feature. Hagenah’s tool, however, still required that hackers find another way to gain administrator privileges through a so-called “privilege escalation” technique before his tool would work.

    With Forshaw’s technique, “you don’t need any privilege escalation, no pop-up, nothing,” says Hagenah. “This would make sense to implement in the tool for a bad guy.”

    Andy Greenberg

    Source link

  • US National Security Experts Warn AI Giants Aren’t Doing Enough to Protect Their Secrets

    US National Security Experts Warn AI Giants Aren’t Doing Enough to Protect Their Secrets

    Google, in public comments to the NTIA ahead of its report, said it expects “to see increased attempts to disrupt, degrade, deceive, and steal” models. But it added that its secrets are guarded by a “security, safety, and reliability organization consisting of engineers and researchers with world-class expertise” and that it was working on “a framework” that would involve an expert committee to help govern access to models and their weights.

    Like Google, OpenAI said in comments to the NTIA that there was a need for both open and closed models, depending on the circumstances. OpenAI, which develops models such as GPT-4 and the services and apps that build on them, like ChatGPT, last week formed its own security committee on its board and this week published details on its blog about the security of the technology it uses to train models. The blog post expressed hope that the transparency would inspire other labs to adopt protective measures. It didn’t specify from whom the secrets needed protecting.

    Speaking alongside Rice at Stanford, RAND CEO Jason Matheny echoed her concerns about security gaps. By using export controls to limit China’s access to powerful computer chips, the US has hampered Chinese developers’ ability to develop their own models, Matheny said. He claimed that has increased their need to steal AI software outright.

    By Matheny’s estimate, spending a few million dollars on a cyberattack that steals AI model weights, which might cost an American company hundreds of billions of dollars to create, is well worth it for China. “It’s really hard, and it’s really important, and we’re not investing enough nationally to get that right,” Matheny said.

    China’s embassy in Washington, DC, did not immediately respond to WIRED’s request for comment on theft accusations, but in the past has described such claims as baseless smears by Western officials.

    Google has said that it tipped off law enforcement about the incident that became the US case alleging theft of AI chip secrets for China. While the company has described maintaining strict safeguards to prevent the theft of its proprietary data, court papers show it took considerable time for Google to catch the defendant, Linwei Ding, a Chinese national who has pleaded not guilty to the federal charges.

    The engineer, who also goes by Leon, was hired in 2019 to work on software for Google’s supercomputing data centers, according to prosecutors. Over about a year starting in 2022, he allegedly copied more than 500 files with confidential information over to his personal Google account. The scheme worked in part, court papers say, by the employee pasting information into Apple’s Notes app on his company laptop, converting the files to PDFs, and uploading them elsewhere, all the while evading Google’s technology meant to catch that sort of exfiltration.

    While engaged in the alleged stealing, the US claims the employee was in touch with the CEO of an AI startup in China and had moved to start his own Chinese AI company. If convicted, he faces up to 10 years in prison.

    Paresh Dave

    Source link

  • Hundreds of Snowflake customer passwords found online are linked to info-stealing malware | TechCrunch

    Hundreds of Snowflake customer passwords found online are linked to info-stealing malware | TechCrunch

    Cloud data analysis company Snowflake is at the center of a recent spate of alleged data thefts, as its corporate customers scramble to understand if their stores of cloud data have been compromised. 

    The Boston-based data giant helps some of the largest global corporations — including banks, healthcare providers and tech companies — store and analyze their vast amounts of data, such as customer data, in the cloud.

    Last week, Australian authorities sounded the alarm saying they had become aware of “successful compromises of several companies utilising Snowflake environments,” without naming the companies. Hackers had claimed on a known cybercrime forum that they had stolen hundreds of millions of customer records from Santander Bank and Ticketmaster, two of Snowflake’s biggest customers. Santander confirmed a breach of a database “hosted by a third-party provider,” but would not name the provider in question. On Friday, Live Nation confirmed that its Ticketmaster subsidiary was hacked and that the stolen database was hosted on Snowflake.

    Snowflake acknowledged in a brief statement that it was aware of “potentially unauthorized access” to a “limited number” of customer accounts, without specifying which ones, but that it has found no evidence there was a direct breach of its systems. Rather, Snowflake called it a “targeted campaign directed at users with single-factor authentication” and said the hackers used credentials “previously purchased or obtained through infostealing malware,” which is designed to scrape a user’s saved passwords from their computer.

    Despite the sensitive data that Snowflake holds for its customers, Snowflake lets each customer manage the security of their environments, and does not automatically enroll or require its customers to use multi-factor authentication, or MFA, according to Snowflake’s customer documentation. Not enforcing the use of MFA appears to be how cybercriminals allegedly obtained huge amounts of data from some of Snowflake’s customers, some of which set up their environments without the additional security measure. 

    Snowflake conceded that one of its own “demo” accounts was compromised because it wasn’t protected beyond a username and password, but claimed the account “did not contain sensitive data.” It’s unclear if this stolen demo account has any role in the recent breaches. 

    TechCrunch has this week seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known. 

    The credentials were stolen by infostealing malware that infected the computers of employees who have access to their employer’s Snowflake environment.

    Some of the credentials seen by TechCrunch appear to belong to employees at companies known to be Snowflake customers, including Ticketmaster and Santander, among others. The employees with Snowflake access include database engineers and data analysts, some of whom reference their experience using Snowflake on their LinkedIn pages.

    For its part, Snowflake has told customers to immediately switch on MFA for their accounts. Until then, Snowflake accounts that aren’t enforcing the use of MFA to log in are putting their stored data at risk of compromise from simple attacks like password theft and reuse. 

    How we checked the data

    A source with knowledge of cybercriminal operations pointed TechCrunch to a website where would-be attackers can search through lists of credentials that have been stolen from various sources, such as infostealing malware on someone’s computer or collated from previous data breaches. (TechCrunch is not linking to the site where stolen credentials are available so as not to aid bad actors.)

    In all, TechCrunch has seen more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for the corresponding Snowflake environments. 

    The exposed credentials appear to pertain to Snowflake environments belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others. We have also seen exposed usernames and passwords allegedly belonging to a former Snowflake employee. 

    TechCrunch is not naming the former employee because there’s no evidence they did anything wrong. (It’s ultimately both the responsibility of Snowflake and its customers to implement and enforce security policies that prevent intrusions that result from the theft of employee credentials.) 

    We did not test the stolen usernames and passwords as doing so would break the law. As such, it’s unknown if the credentials are currently in active use or if they directly led to account compromises or data thefts. Instead, we worked to verify the authenticity of the exposed credentials in other ways. This includes checking the individual login pages of the Snowflake environments that were exposed by the infostealing malware, which were still active and online at the time of writing.

    The credentials we’ve seen include the employee’s email address (or username), their password, and the unique web address for logging in to their company’s Snowflake environment. When we checked the web addresses of the Snowflake environments — often made up of random letters and numbers — we found the listed Snowflake customer login pages are publicly accessible, even if not searchable online.

    TechCrunch confirmed that the Snowflake environments correspond to the companies whose employees’ logins were compromised. We were able to do this because each login page we checked had two separate options to sign in.

    One way to log in relies on Okta, a single sign-on provider that allows Snowflake users to sign in with their own company’s corporate credentials using MFA. In our checks, we found that these Snowflake login pages redirected to Live Nation (for Ticketmaster) and Santander sign-in pages. We also found a set of credentials belonging to a Snowflake employee, whose Okta login page still redirects to an internal Snowflake login page that no longer exists.

    Snowflake’s other login option allows the user to use only their Snowflake username and password, depending on whether the corporate customer enforces MFA on the account, as detailed by Snowflake’s own support documentation. It’s these credentials that appear to have been stolen by the infostealing malware from the employees’ computers.

    It’s not clear exactly when the employees’ credentials were stolen or for how long they have been online. 

    There is some evidence to suggest that several employees with access to their company’s Snowflake environments had their computers previously compromised by infostealing malware. According to a check on breach notification service Have I Been Pwned, several of the corporate email addresses used as usernames for accessing Snowflake environments were found in a recent data dump containing millions of stolen passwords scraped from various Telegram channels used for sharing stolen passwords.

    Snowflake spokesperson Danica Stanczak declined to answer specific questions from TechCrunch, including whether any of its customers’ data was found in the Snowflake employee’s demo account. In a statement, Snowflake said it is “suspending certain user accounts where there are strong indicators of malicious activity.”

    Snowflake added: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.” The spokesperson said Snowflake was “considering all options for MFA enablement, but we have not finalized any plans at this time.”

    When reached by email, Live Nation spokesperson Kaitlyn Henrich did not comment by press time.

    Santander did not respond to a request for comment.

    Missing MFA resulted in huge breaches

    Snowflake’s response so far leaves a lot of questions unanswered, and lays bare a raft of companies that are not reaping the benefits that MFA security provides. 

    What is clear is that Snowflake bears at least some responsibility for not requiring its users to switch on the security feature, and is now bearing the brunt of that — along with its customers.

    The data breach at Ticketmaster allegedly involves upwards of 560 million customer records, according to the cybercriminals advertising the data online. (Live Nation would not comment on how many customers are affected by the breach.) If proven, Ticketmaster would be the largest U.S. data breach of the year so far, and one of the biggest in recent history.

    Snowflake is the latest company in a string of high-profile security incidents and sizable data breaches caused by the lack of MFA. 

    Last year, cybercriminals scraped around 6.9 million customer records from 23andMe accounts that weren’t protected with MFA, prompting the genetic testing company — and its competitors — to require users to enable MFA by default to prevent a repeat attack.

    And earlier this year, the UnitedHealth-owned health tech giant Change Healthcare admitted hackers broke into its systems and stole huge amounts of sensitive health data from a system not protected with MFA. The healthcare giant hasn’t yet said how many individuals had their information compromised but said it is likely to affect a “substantial proportion of people in America.”


    Zack Whittaker

    Source link

  • TikTok Hack Targets ‘High-Profile’ Users via DMs

    TikTok Hack Targets ‘High-Profile’ Users via DMs

    TikTok says it’s currently taking steps to mitigate a cyberattack that’s targeting a number of high-profile users through direct messages, in an attempt to hijack their accounts.

    “We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed,” says Jason Grosse, a spokesperson for TikTok’s privacy and security team.

    Grosse says TikTok is still investigating the attack and could not comment at this time about its scale or sophistication, describing the threat as merely a “potential exploit.”

    TikTok’s acknowledgment followed a report on Tuesday claiming CNN’s account had been temporarily breached last week. Citing an anonymous source at the news organization, Semafor reports that the breach did “not appear to be the result of someone gaining access from CNN’s end.” CNN did not immediately respond to WIRED’s request to comment.

    Concerns over hacking attempts targeting news organizations in the US are particularly high given the impending presidential election this fall.

    Forbes reported earlier in the day that the account of hotel heiress Paris Hilton was similarly affected, citing sources within the company. A source at TikTok tells WIRED that Hilton’s account was targeted but had not been compromised.

    Security and privacy concerns around TikTok expand beyond cyberattacks by malicious actors. The company itself is fighting to remain available in the United States after US president Joe Biden signed a law in April that forces its parent company, China-based ByteDance, to sell TikTok or face a ban. TikTok and several users have sued the US government, claiming the law is unconstitutional on First Amendment grounds.

    This is a developing story. Check back for updates.

    Dell Cameron

    Source link

  • Live Nation reveals ‘a criminal threat actor’ offered to sell Ticketmaster data on the dark web, while reports say hackers seek $500,000 for customer info

    Live Nation reveals ‘a criminal threat actor’ offered to sell Ticketmaster data on the dark web, while reports say hackers seek $500,000 for customer info

    Live Nation is investigating a data breach at its Ticketmaster subsidiary, which dominates ticketing for live events in the United States.

    Live Nation, based in Beverly Hills, California, said in a regulatory filing Friday that on May 27 “a criminal threat actor” offered to sell Ticketmaster data on the dark web.

    Other media reports say a hacking group named ShinyHunters claimed responsibility for the breach in an online forum and was seeking $500,000 for the data, which reportedly includes names, addresses, phone numbers and some credit card details of millions of Ticketmaster customers.

    Live Nation and Ticketmaster did not immediately respond to requests for comment.

    In a filing with the U.S. Securities and Exchange Commission, Live Nation said it was “working to mitigate risk to our users” and was cooperating with law enforcement officials. It said the breach was unlikely to have “a material impact on our overall business operations.”

    On May 23, the U.S. Justice Department sued Live Nation and Ticketmaster, accusing them of running an illegal monopoly over live events in America. The department asked a court to break up the system that it said limits competition and drives up prices for fans.


    The Associated Press

    Source link

  • The Ticketmaster Data Breach May Be Just the Beginning

    The Ticketmaster Data Breach May Be Just the Beginning

    One of the biggest hacks of the year may have started to unfold. Late on Friday, embattled events business Live Nation, which owns Ticketmaster, confirmed it suffered a data breach after criminal hackers claimed to be selling half a billion customer records online. Banking firm Santander also confirmed it had suffered a data breach impacting millions of customers and staff after its data was advertised by the same group of hackers.

    While the specific circumstances of the breaches—including exactly what information was stolen and how it was accessed—remain unclear, the incidents may be linked to attacks against company accounts with cloud hosting provider Snowflake. The US-based cloud firm has thousands of customers, including Adobe, Canva, and Mastercard, which can store and analyze vast amounts of data in its systems.

    Security experts say that as more details become clear about hackers’ attempts to access and take data from Snowflake’s systems, it is possible that other companies will reveal they had data stolen. At present, though, the developing situation is messy and complicated.

    “Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers’ accounts,” Brad Jones, Snowflake’s chief information security officer, wrote in a blog post acknowledging the cybersecurity incident on Friday. Snowflake has found a “limited number” of customer accounts that have been targeted by hackers who obtained their login credentials to the company’s systems, Jones wrote. Snowflake also found one former staff member’s “demo” account that had been accessed.

    However, Snowflake doesn’t “believe” it was the source of any leaked customer credentials, the post says. “We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product,” Jones writes in the blog post.

    While the number of Snowflake accounts accessed and what data may have been taken have not been released, government officials are warning about the impact of the attack. Australia’s Cyber Security Center issued a “high” alert on Saturday saying it is “aware of successful compromises of several companies utilizing Snowflake environments” and companies using Snowflake should reset their account credentials, turn on multi-factor authentication, and review user activity.

    “It looks like Snowflake has had some rather egregiously bad security compromise,” security researcher Troy Hunt, who runs data breach notification website Have I Been Pwned, tells WIRED. “It being a provider to many other different parties, it has sort of bubbled up to different data breaches in different locations.”

    Details of the data breaches started to emerge on May 27. A newly registered account on cybercrime forum Exploit posted an advertisement where they claimed to be selling 1.3 TB of Ticketmaster data, including more than 560 million people’s information. The hacker claimed to have names, addresses, email addresses, phone numbers, some credit card details, ticket sales, order details, and more. They asked for $500,000 for the database.

    One day later, the established hacking group ShinyHunters—which first emerged in 2020 with a data-stealing rampage, before selling 70 million AT&T records in 2021—posted the exact same Ticketmaster ad on rival marketplace BreachForums. At the time, Ticketmaster and its parent company Live Nation had not confirmed any data theft and it was unclear if either post selling the data was legitimate.

    Matt Burgess

    Source link
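The two articles above come down to the same two defensive tasks: find the accounts that can still sign in with nothing but a password, and review recent sign-ins for password-only sessions of the kind an infostealer-sourced credential would produce. The following is an added example of how a Snowflake account administrator could do both with the account’s own audit views; it is not code from Snowflake, TechCrunch or WIRED. It assumes the ACCOUNTADMIN (or equivalent) role, and that the account’s SNOWFLAKE.ACCOUNT_USAGE share is readable; the user name in the final statement is a placeholder.

```sql
-- Added example (not from the articles or from Snowflake): auditing for
-- password-only access in a Snowflake account. Run with ACCOUNTADMIN.
-- ACCOUNT_USAGE views lag live state by up to a couple of hours.

-- 1. Active users who hold a password but have no Duo MFA enrolled.
--    EXT_AUTHN_DUO is true only once the user has enrolled a second factor.
SELECT name,
       login_name,
       email,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that presented a password and
--    no second factor. Review the source IP and client type per user; a
--    browser or driver login from an unfamiliar network is the signal.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Same 30-day window, counted per user: a user who only ever logs in
--    with a password from many distinct addresses is the first to chase.
SELECT user_name,
       COUNT(*)                 AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MIN(event_timestamp)     AS first_seen,
       MAX(event_timestamp)     AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name
ORDER  BY distinct_source_ips DESC, password_only_logins DESC;

-- 4. Containment for an account flagged above, matching the "suspending
--    certain user accounts" step in Snowflake's statement. The user name
--    is a placeholder; re-enable only after the password is rotated and
--    MFA is enrolled.
ALTER USER placeholder_user SET DISABLED = TRUE;
```

Query 1 answers the enforcement gap the TechCrunch piece describes: Snowflake records whether a user enrolled a second factor, but at the time of these articles it did not block password-only logins on the customer’s behalf, so the list has to be produced and acted on by the customer. Queries 2 and 3 are the “review user activity” step from the Australian alert; the distinct-source-IP count is the cheapest way to separate an employee’s normal laptop use from a credential being replayed from elsewhere. Users who authenticate through Okta show a SAML2 first factor and do not appear in queries 2 and 3, which is why the article’s distinction between the two login options matters.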

  • Hacked, leaked, exposed: Why you should never use stalkerware apps | TechCrunch

    Hacked, leaked, exposed: Why you should never use stalkerware apps | TechCrunch

    Last week, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced pcTattletale’s official website with the goal of embarrassing the company. 

    “This took a total of 15 minutes from reading the techcrunch article,” the hackers wrote in the defacement, referring to a recent TechCrunch article where we reported that pcTattletale was used to monitor several front desk check-in computers at Wyndham hotels across the United States.

    As a result of this hack, leak and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company.

    Consumer spyware apps like pcTattletale are commonly referred to as stalkerware because jealous spouses and partners use them to surreptitiously monitor and surveil their loved ones. These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. And there have been multiple court cases, journalistic investigations, and surveys of domestic abuse shelters that show that online stalking and monitoring can lead to cases of real-world harm and violence. 

    And that’s why hackers have repeatedly targeted some of these companies.

    According to TechCrunch’s tally, with this latest hack, pcTattletale has become the 20th stalkerware company since 2017 that is known to have been hacked or leaked customer and victims’ data online. That’s not a typo: Twenty stalkerware companies have either been hacked or had a significant data exposure in recent years. And three stalkerware companies were hacked multiple times. 

    Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a “soft target.” “The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” Galperin told TechCrunch.

    Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care for protecting their own customers — and consequently the personal data of tens of thousands of unwitting victims — using these apps is doubly irresponsible. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and, on top of that, putting everyone’s data in danger. 

    A history of stalkerware hacks

    The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those two hacks revealed that the companies had a total number of 130,000 customers all over the world.

    At the time, the hackers who — proudly — claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.

    “I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,” one of the hackers involved then told Motherboard. 

    Referring to FlexiSpy, the hacker added: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there.”

    Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.

    The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back — and then it got hacked again a year later. A couple of weeks after the second breach, Retina-X announced that it was shutting down.

    Just days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called who and when. 

    Weeks later, there was the first case of accidental data exposure, rather than a hack. SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant anyone could see and download text messages, photos, audio recordings, contacts, location, scrambled passwords and login information, Facebook messages and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see. 

    Other stalkerware companies that over the years have irresponsibly left customer and victims’ data online are FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records; Xnore, which let any of its customers see the personal data of other customers’ targets, including chat messages, GPS coordinates, emails, photos and more; Mobiispy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone; KidsGuard, whose misconfigured server leaked victims’ content; pcTattletale, which prior to its hack also exposed screenshots of victims’ devices, uploaded in real time to a website that anyone could access; and Xnspy, whose developers left credentials and private keys in the apps’ code, allowing anyone to access victims’ data.

    As for other stalkerware companies that actually got hacked, there was Copy9, which saw a hacker steal the data of all its surveillance targets, including text messages and WhatsApp messages, call recordings, photos, contacts and browsing history; LetMeSpy, which shut down after hackers breached and wiped its servers; the Brazil-based WebDetetive, which also got its servers wiped, and then was hacked again; OwnSpy, which provides much of the backend software for WebDetetive and was also hacked; Spyhide, which had a vulnerability in its code that let a hacker access its back-end databases and years of data stolen from around 60,000 victims; and Oospy, a rebrand of Spyhide, which shut down for a second time.

    Finally there is TheTruthSpy, a network of stalkerware apps, which holds the dubious record of having been hacked or having leaked data on at least three separate occasions.

    Hacked, but unrepentant

    Of these 20 stalkerware companies, eight have shut down, according to TechCrunch’s tally. 

    In a first and so far unique case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman, from operating in the surveillance industry following an earlier security lapse that exposed victims’ data. Another stalkerware operation linked to Zuckerman, called SpyTrac, subsequently shut down following a TechCrunch investigation. 

    PhoneSpector and Highster, another two companies that are not known to have been hacked, also shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance. 

    But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded. 

    “I do think that these hacks do things. They do accomplish things, they do put a dent in it,” Galperin said. “But if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case.”

    “What happens most often, when you actually manage to kill a stalkerware company, is that the stalkerware company comes up like mushrooms after the rain,” Galperin added. 

    There is some good news. In a report last year, security firm Malwarebytes said that stalkerware use is declining, based on its own telemetry from customers infected with this type of software. Galperin also reports seeing an increase in negative reviews of these apps, with customers or prospective customers complaining that they don’t work as intended.

    But Galperin said it’s possible that security firms aren’t as good at detecting stalkerware as they used to be, or that stalkers have moved from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.

    “Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech enabled abuse,” Galperin said.

    Say no to stalkerware

    Using spyware to monitor your loved ones is not only unethical, it’s also illegal in most jurisdictions, as it’s considered unlawful surveillance. 

    That is already a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and time again that they cannot keep data secure — neither data belonging to the customers nor their victims or targets.

    Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn’t mean using stalkerware to snoop on your kids’ phone isn’t creepy and unethical. 

    Even if it’s lawful, Galperin thinks parents should not spy on their children without telling them, and without their consent. 

    If parents do inform their children and get their go-ahead, parents should stay away from insecure and untrustworthy stalkerware apps, and use parental tracking tools built into Apple phones and tablets and Android devices that are safer and operate overtly. 


    If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

    Lorenzo Franceschi-Bicchierai

    Source link

  • Zero-day flaw in Check Point VPNs is ‘extremely easy’ to exploit | TechCrunch

    Cybersecurity company Check Point says attackers are exploiting a zero-day vulnerability in its enterprise VPN products to break into the corporate networks of its customers. 

    The technology maker hasn’t said yet who is responsible for the cyberattacks or how many of its customers are affected by intrusions linked to the vulnerability, which security researchers say is “extremely easy” to exploit.

    In a blog post this week, Check Point said the vulnerability in its Quantum network security devices allows a remote attacker to obtain sensitive credentials from an affected device, which can in turn grant the attacker access to the victim’s wider network. Check Point said attackers began exploiting the bug around April 30. A zero-day bug is one that attackers exploit before the vendor has had a chance to fix it.

    The company urged customers to install patches to remediate the flaw.

    Check Point has over 100,000 customers, according to its website. A spokesperson for Check Point did not return a request for comment asking how many of its customers are affected by the exploitation.

    Check Point is the latest security company in recent months to disclose a security vulnerability in its security products, the very technologies that are designed to protect companies from cyberattacks and digital intrusions.

    These network security devices sit at the edge of a company’s network and act as digital gatekeepers, deciding which users are allowed in. But they have a tendency to contain security flaws of their own, some of which let attackers easily skirt those defenses and compromise the customer’s network.

    Several other enterprise and security vendors, including Ivanti, ConnectWise, and Palo Alto Networks, have in recent months rushed to fix flaws in their enterprise-grade security products that malicious attackers have exploited to compromise customer networks to steal data. All of the bugs in question are high severity in nature, in large part due to how easy they were to exploit.

    In the case of Check Point’s vulnerability, security research firm watchTowr Labs said in its analysis of the vulnerability that the bug was “extremely easy” to exploit once it had been located.

    The bug, which watchTowr Labs described as a path-traversal vulnerability, means it’s possible for an attacker to remotely trick an affected Check Point device into returning files that should have been protected and off-limits, such as the passwords for accessing the root-level operating system of the device.
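The class of bug watchTowr describes, a request path that walks out of the directory a handler is supposed to serve from, looks like this in miniature. This is an added example written for this page, not Check Point’s code and not a reproduction of the Quantum bug, whose details the article does not give. The file tree it builds is constructed, and the fake `etc/shadow` is only a stand-in for a credential file that should be off-limits.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

def make_fixture():
    """Constructed directory tree for the demo. <root>/www is the document root a
    web handler is meant to serve from; <root>/etc/shadow stands in for a file
    that must never be reachable through it."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    (root / "www").mkdir()
    (root / "www" / "index.html").write_text("<h1>hello</h1>\n")
    (root / "etc").mkdir()
    (root / "etc" / "shadow").write_text("root:$6$constructed-fake-hash:19000:0:99999:7:::\n")
    return root

def serve_vulnerable(docroot, requested):
    """Naive handler: URL-decode the request and join it onto the document root.
    '..' segments walk out of docroot, and an absolute request makes
    os.path.join discard docroot altogether."""
    path = os.path.join(str(docroot), unquote(requested))
    with open(path) as fh:
        return fh.read()

def serve_hardened(docroot, requested):
    """Canonicalise first, then check containment, then open. Because the check
    runs on the resolved path, encoded dots, '..' segments and symlinks planted
    inside the document root all reduce to the same test."""
    docroot = Path(docroot).resolve()
    target = (docroot / unquote(requested).lstrip("/")).resolve()
    if target != docroot and docroot not in target.parents:
        raise PermissionError(f"path escapes document root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()

def outcome(handler, docroot, requested):
    """Run a handler and report what the requester gets back."""
    try:
        return "served:" + handler(docroot, requested)
    except (PermissionError, FileNotFoundError) as exc:
        return "refused:" + type(exc).__name__

if __name__ == "__main__":
    root = make_fixture()
    www = root / "www"
    probes = [
        "index.html",                 # legitimate request
        "../etc/shadow",              # plain traversal
        "%2e%2e/etc/shadow",          # percent-encoded dots, decoded by the handler
        str(root / "etc" / "shadow"), # absolute path; os.path.join drops docroot
    ]
    for req in probes:
        print(f"{req!r}\n  vulnerable -> {outcome(serve_vulnerable, www, req)[:24]!r}"
              f"\n  hardened   -> {outcome(serve_hardened, www, req)[:24]!r}")
```

Three of the four probes reach the fake shadow file through the naive handler: a plain `../`, the percent-encoded `%2e%2e` that the decoder turns back into dots, and an absolute path, which `os.path.join` silently treats as replacing the document root. The hardened version resolves the path before deciding anything, and it refuses the absolute probe with a not-found rather than a traversal error because, stripped of its leading slash, that name simply does not exist under the document root.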

    “This is much more powerful than the vendor advisory seems to imply,” said watchTowr Labs researcher Aliz Hammond.

    U.S. cybersecurity agency CISA said it added the Check Point vulnerability to its public catalog of known-exploited vulnerabilities. In brief remarks, the government cyber agency said that the vulnerability in question is often used by malicious cyber actors, and that these kinds of flaws pose “significant risks to the federal enterprise.”

    Zack Whittaker


  • DOJ charges Chinese national with operating ‘world’s largest botnet’ that stole $5.9 billion in Covid relief funds

    Photo: The seal of the US Department of Justice in Washington, DC, on March 21, 2024. Mandel Ngan | AFP | Getty Images

    A global malware network responsible for the theft of $5.9 billion in Covid relief funds and tied to other crimes like child exploitation and bomb threats has been shut down, Department of Justice officials announced Wednesday.

    The DOJ arrested 35-year-old YunHe Wang, a Chinese national who was charged with creating and operating the “botnet,” a network of malware-infected devices that criminals can remotely direct to launch cyberattacks.

    Federal Bureau of Investigation Director Christopher Wray said it is “likely the world’s largest botnet ever.”

    From 2014 to 2022, Wang launched and operated the botnet, called “911 S5,” from roughly 150 servers worldwide, including some in the U.S., according to the indictment. 911 S5 compromised devices behind more than 19 million IP addresses in nearly 200 countries, about 614,000 of which were in the U.S., according to the DOJ.

    The FBI released a how-to guide for users to identify if their devices had been targets of a 911 S5 attack and if so, how to remove the malware.

    Wang allegedly sold access to the compromised IP addresses to cybercriminals and amassed at least $99 million, which he used to buy luxury cars, watches and property around the world.

    911 S5 was also used for fraud, stalking, harassment, illegal exportation of goods and other crimes, the DOJ said. In particular, the botnet targeted Covid relief programs and filed an estimated 560,000 false unemployment insurance claims, stealing $5.9 billion.

    “The conduct alleged here reads like it’s ripped from a screenplay,” said Assistant Secretary for Export Enforcement Matthew S. Axelrod of the U.S. Department of Commerce’s Bureau of Industry and Security.

    “What they don’t show in the movies though is the painstaking work it takes by domestic and international law enforcement, working closely with industry partners, to take down such a brazen scheme and make an arrest like this happen,” Axelrod added in his statement.

    The DOJ partnered with the FBI and other law enforcement agencies internationally to dismantle the botnet and arrest Wang.

    The arrest comes a day after Treasury Department sanctioned Wang and two others for their alleged involvement with 911 S5. Treasury also imposed sanctions on three companies that Wang owned or controlled: Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

    Wang faces a maximum 65-year prison sentence on four criminal counts: conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering.

    The charges come as U.S. law enforcement agencies try to update protocols to keep up with more sophisticated cybersecurity threats.

    In recent years, the U.S. has expressed particular concern for China-backed hackers looking to subvert American infrastructure.

    In January, the FBI announced that it had disrupted a botnet of hijacked routers used by the Chinese “Volt Typhoon” hacking group, which had been targeting U.S. water plants, electric grids and more.

    “Today, and literally every day, they’re actively attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data,” Wray said at a January hearing.


  • How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet

    “We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have … continued to take guesses/shots in the dark,” Grand says in an email to WIRED. “It would have taken significantly longer to precompute all the possible passwords.”

    Grand and Bruno created a video to explain the technical details more thoroughly.

    RoboForm, made by US-based Siber Systems, was one of the first password managers on the market, and currently has more than 6 million users worldwide, according to a company report. In 2015, Siber seemed to fix the RoboForm password manager. On a cursory look, Grand and Bruno couldn’t find any sign that the pseudo-random number generator in the 2015 version used the computer’s time, which makes them think the company removed that dependency to fix the flaw, though Grand says they would need to examine it more thoroughly to be certain.
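The weakness described above, a password generator whose only entropy is the system clock, can be shown with a toy generator. This is an added example written for this page, not RoboForm’s code; the character set, the password length and the 2013 timestamp are constructed assumptions, and SHA-256 stands in for whatever the attacker actually holds (a hash, a wallet they can test candidates against, or a known password).

```python
import hashlib
import math
import random
import secrets
import string
from datetime import datetime, timezone

# Constructed character set and length for the toy generator. RoboForm's real
# algorithm, charset and parameters are not given on the page and are not used here.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"
LENGTH = 20

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def weak_generate(timestamp, length=LENGTH, charset=CHARSET):
    """The flaw in miniature: the generator's only entropy is the clock, in whole
    seconds. Same timestamp and settings => byte-for-byte the same password."""
    rng = random.Random(int(timestamp))         # Mersenne Twister, seeded from the clock
    return "".join(rng.choice(charset) for _ in range(length))

def strong_generate(length=LENGTH, charset=CHARSET):
    """The fix: every character drawn from the OS CSPRNG; there is no seed to recover."""
    return "".join(secrets.choice(charset) for _ in range(length))

def recover_from_window(target_hash, start_ts, end_ts, length=LENGTH, charset=CHARSET):
    """Attacker's side. Knowing roughly when the password was created and the
    generator's settings, replay every candidate second until one matches.
    Returns (timestamp, password), or None if the window or settings were wrong."""
    for ts in range(int(start_ts), int(end_ts) + 1):
        candidate = weak_generate(ts, length, charset)
        if sha256_hex(candidate) == target_hash:
            return ts, candidate
    return None

def effective_bits(window_seconds, length=LENGTH, charset=CHARSET):
    """(nominal keyspace in bits, bits the attacker actually has to search)."""
    return length * math.log2(len(charset)), math.log2(window_seconds)

if __name__ == "__main__":
    # Constructed scenario: the victim generated the password on 2013-04-14, 12:30 UTC.
    made_at = int(datetime(2013, 4, 14, 12, 30, tzinfo=timezone.utc).timestamp())
    password = weak_generate(made_at)
    stored = sha256_hex(password)

    # The attacker only knows the day, so the search space is 86,400 seeds.
    day_start = int(datetime(2013, 4, 14, tzinfo=timezone.utc).timestamp())
    print("recovered:", recover_from_window(stored, day_start, day_start + 86_399))
    print("nominal vs actual search space: %.1f bits vs %.1f bits" % effective_bits(86_400))
    print("CSPRNG password (not reproducible):", strong_generate())
```

Run it and the attacker recovers the password from a one-day window in a few seconds of CPU time: a 20-character password over this charset nominally has about 122 bits of keyspace, but a generator seeded from the clock leaves only log2(86,400), roughly 16.4 bits, to search. That is also why Grand’s remark about parameters and time range matters: if either is wrong, the replay finds nothing and the window has to be widened. `strong_generate` shows the fix, drawing every character from the operating system’s CSPRNG through the `secrets` module, so there is no seed to recover.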

    Siber Systems confirmed to WIRED that it did fix the issue with version 7.9.14 of RoboForm, released June 10, 2015, but a spokesperson wouldn’t answer questions about how it did so. In a changelog on the company’s website, it mentions only that Siber programmers made changes to “increase randomness of generated passwords,” but it doesn’t say how they did this. Siber spokesman Simon Davis says that “RoboForm 7 was discontinued in 2017.”

    Grand says that, without knowing how Siber fixed the issue, attackers may still be able to regenerate passwords generated by versions of RoboForm released before the fix in 2015. He’s also not sure if current versions contain the problem.

    “I’m still not sure I would trust it without knowing how they actually improved the password generation in more recent versions,” he says. “I’m not sure if RoboForm knew how bad this particular weakness was.”

    Customers may also still be using passwords that were generated with early versions of the program before the fix. It doesn’t appear that Siber ever notified customers, when it released the fixed version 7.9.14 in 2015, that they should generate new passwords for critical accounts or data. The company didn’t respond to a question about this.

    If Siber didn’t inform customers, anyone who, like Michael, used RoboForm to generate passwords prior to 2015 and is still using those passwords may have passwords that hackers can regenerate.

    “We know that most people don’t change passwords unless they’re prompted to do so,” Grand says. “Out of 935 passwords in my password manager (not RoboForm), 220 of them are from 2015 and earlier, and most of them are [for] sites I still use.”

    Depending on what the company did to fix the issue in 2015, newer passwords may also be vulnerable.

    Last November, Grand and Bruno took a percentage of the bitcoin from Michael’s wallet as payment for their work, then gave him the password to access the rest. Bitcoin was worth $38,000 per coin at the time. Michael waited until it rose to $62,000 per coin and sold some of it. He now holds 30 BTC, currently worth $3 million, and is waiting for the value to rise to $100,000 per coin.

    Michael says he was lucky that he lost the password years ago because, otherwise, he would have sold off the bitcoin when it was worth $40,000 a coin and missed out on a greater fortune.

    “That I lost the password was financially a good thing.”

    Kim Zetter
