Security

Post-Quantum Encryption Contender is Taken Out by Single-Core PC and 1 Hour (arstechnica.com)

In the US government's ongoing campaign to protect data in the age of quantum computers, a new and powerful attack that used a single traditional computer to completely break a fourth-round candidate highlights the risks involved in standardizing the next generation of encryption algorithms. From a report: Last month, the US Department of Commerce's National Institute of Standards and Technology, or NIST, selected four post-quantum computing encryption algorithms to replace algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, which are unable to withstand attacks from a quantum computer. In the same move, NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms. The attack has no impact on the four PQC algorithms selected by NIST as approved standards, all of which rely on completely different mathematical techniques than SIKE.
Crime

US Crypto Firm Nomad Hit By $190 Million Theft (reuters.com)

U.S. crypto firm Nomad has been hit by a $190 million theft, blockchain researchers said on Tuesday, the latest such heist to hit the digital asset sector this year. From a report: Nomad said in a tweet that it was "aware of the incident" and was currently investigating, without giving further details or the value of the theft. Crypto analytics firm PeckShield told Reuters $190 million worth of users' cryptocurrencies were stolen, including ether and the stablecoin USDC. Other blockchain researchers put the figure at over $150 million.
IT

Indonesia Unblocks Steam and Yahoo, But Fortnite and FIFA Are Still Banned (theverge.com)

Indonesia has lifted its ban on Steam and Yahoo now that both companies complied with the country's restrictive laws that regulate online activity. From a report: The Indonesian Ministry of Communication and Information (Kominfo) announced the news in a translated update on Twitter, noting that Counter-Strike: Global Offensive and Dota 2 are back online as well. Last week, Indonesia blocked access to Steam, PayPal, Yahoo, Epic Games, and Origin after the companies failed to meet a deadline to register with the country's database. This requirement is bundled with a broader law, called MR5, that Indonesia first introduced in 2020. The law gives the Indonesian government the authority to order platforms to take down content considered illegal as well as request the data of specific users. In 2021, the digital rights group Electronic Frontier Foundation (EFF) called the policy "invasive of human rights." Although PayPal has yet to comply, Indonesia unblocked access to the service for five days starting July 31st to give users a chance to withdraw money and make payments. According to the Indonesian news outlet Antara News, PayPal reportedly plans on registering with the country's database soon.
Software

Thousands of Lives Depend on a Transplant Network in Need of 'Vast Restructuring' (washingtonpost.com)

The system for getting donated kidneys, livers and hearts to desperately ill patients relies on out-of-date technology that has crashed for hours at a time and has never been audited by federal officials for security weaknesses or other serious flaws, according to a confidential government review obtained by The Washington Post. From the report: The mechanics of the entire transplant system must be overhauled, the review concluded, citing aged software, periodic system failures, mistakes in programming and over-reliance on manual input of data. In its review, completed 18 months ago, the White House's U.S. Digital Service recommended that the government "break up the current monopoly" that the United Network for Organ Sharing, the nonprofit agency that operates the transplant system, has held for 36 years. It pushed for separating the contract for technology that powers the network from UNOS's policy responsibilities, such as deciding how to weigh considerations for transplant eligibility.

About 106,000 people are on the waiting list for organs, the vast majority of them seeking kidneys, according to UNOS. An average of 22 people die each day waiting for organs. In 2021, 41,354 organs were transplanted, a record. UNOS is overseen by the Health Resources and Services Administration (HRSA), but that agency has little authority to regulate transplant activity. Its attempts to reform the transplant system have been rejected by UNOS, the report found. Yet HRSA continues to pay UNOS about $6.5 million annually toward its annual operating costs of about $64 million, most of which comes from patient fees. "In order to properly and equitably support the critical needs of these patients, the ecosystem needs to be vastly restructured," a team of engineers from the Digital Service wrote in the Jan. 5, 2021, report for HRSA, which is part of the Department of Health and Human Services.

Bug

Microsoft Outlook Is Crashing When Reading Uber Receipt Emails (bleepingcomputer.com)

Microsoft says the Outlook email client will crash when opening and reading emails with tables such as Uber receipt emails. BleepingComputer reports: "When opening, replying, or forwarding some emails that include complex tables, Outlook stops responding," the company explains in a support document. To make matters worse, emails with the same table contents will also cause the Microsoft Word app to stop responding. While the known issue affects Microsoft 365 customers in the Current Channel Version 2206 Build 15330.20196 and higher, it can also trigger freezes in current Beta and Current Channel Preview builds. The Microsoft Word team has already developed a fix that will be released to Beta channel customers soon, after undergoing verification. Microsoft added that customers using Outlook versions in the Current Channel would receive the fix as part of this month's Patch Tuesday, on August 9, 2022. For those unable to wait for the fix, Microsoft has provided a workaround that requires users to revert to an older build.
Security

Hackers Stole Passwords for Accessing 140,000 Payment Terminals (techcrunch.com)

Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch. From a report: Wiseasy is a brand you might not have heard of, but it's a popular Android-based payment terminal maker used in restaurants, hotels, retail outlets and schools across the Asia-Pacific region. Through its Wisecloud cloud service, Wiseasy can remotely manage, configure and update customer terminals over the internet. But Wiseasy employee passwords used for accessing Wiseasy's cloud dashboards -- including an "admin" account -- were found on a dark web marketplace actively used by cybercriminals, according to the startup. Youssef Mohamed, chief technology officer at pen-testing and dark web monitoring startup Buguard, told TechCrunch that the passwords were stolen by malware on the employees' computers. Mohamed said two cloud dashboards were exposed, but neither was protected with basic security features, like two-factor authentication, and allowed hackers to access nearly 140,000 Wiseasy payment terminals around the world.
Security

Anonymous Hacktivists Breach Russian Databases, Leak 'Massive' Amounts of Data (cnbc.com)

"The Anonymous declaration of cyberwar was a top news story despite no evidence," writes cybersecurity specialist Jeremiah Fowler (an American who worked in Kyiv for the last 10 years — until fleeing in February to Poland). To investigate, Fowler performed a random sampling of 100 exposed Russian databases — and discovered that 92 of them had indeed been compromised. "Anti-Russian hackers used a similar script to the infamous 'MeowBot' that changed the name of folders and deleted the contents of the files." (For example, renaming the folders to "putin_stop_this_war".)

And that was just the beginning, reports CNBC: Anonymous has claimed to have hacked over 2,500 Russian and Belarusian sites, said Fowler. In some instances, stolen data was leaked online, he said, in amounts so large it will take years to review. "The biggest development would be the overall massive number of records taken, encrypted or dumped online," said Fowler. Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, agreed that amount of leaked data is "massive."

"We currently don't even know what to do with all this information, because it's something that we haven't expected to have in such a short period of time," he said....

The more immediate outcome of the hacks, Fowler and Gihon agreed, is that Russia's cybersecurity defenses have been revealed as being far weaker than previously thought.

Fowler's report argues that Anonymous has "rewritten the rules of how a crowdsourced modern cyberwar is conducted" — with the group also offering penetration testing to Ukraine, "finding vulnerabilities before Russia could exploit them." But in addition, Fowler writes, Anonymous's efforts have also "transformed into a larger operation that spread far beyond the Russian government, companies, or organizations, and included an information campaign aimed at Russian citizens."

Some examples: Hacking Printers — Russian censorship has blocked many inside the country from knowing the true scale of the war and Russian losses. Anonymous hacked printers across Russia and printed uncensored facts or anti-propaganda and pro-Ukrainian messages. The group claims to have printed over 100,000 documents. This also includes barcode printers at grocery stores where prices were changed and product names were changed to anti-war or pro-Ukrainian slogans....

RoboDial, SMS, and Email Spam — Almost everyone on earth has received some form of spam in the form of a phone call, text, or email message. These usually try to sell a service or scam victims out of money. Now this same technology has been used to bypass Russian censorship and inform citizens of news and messages they are forbidden to learn on state-sponsored propaganda channels. The Anonymous-affiliated Squad303 claimed to have sent over 100 million messages to Russian devices.

Crime

Australian Teenager Sold Remote-Access Spyware To 14,500 People, Earned $300,000 (theguardian.com)

"Jacob Wayne John Keen, now 24, was 15 years old and living in his mother's rental when he allegedly created a sophisticated spyware tool known as a remote access trojan that allowed users to remotely take control of their victims' computers," reports the Guardian.

Once installed it could be used to steal victims' personal information, spy on them via webcams and microphones and track what they typed into emails or documents. Keen allegedly sold the tool for $35 on a hacking forum, making between $300,000 and $400,000 by selling it to more than 14,500 people in 128 countries....

Keen was slapped with six charges earlier in July, and is due to appear at Brisbane's magistrates court next month. His mother, 42, has also been charged with allegedly dealing in the proceeds of crime.

A global investigation involving more than a dozen law enforcement agencies across Europe led to 85 search warrants being executed around the world, with 434 devices seized and 13 people arrested for using the malware for "alleged criminality".

Among the tool's 14,500 users were a "statistically high" proportion of domestic violence perpetrators (and at least one child sex offender), according to the Australian federal police, who believe there were ultimately "tens of thousands" of victims globally.

Slashdot reader Bruce66423 suggests an appropriate punishment would be sentencing Keen to work for spy agencies.
Security

Proxy Service 911[.]re Closes After Disclosing Breach and Data Damage (krebsonsecurity.com)

Long-time Slashdot reader tsu doh nimh writes: 911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations, KrebsOnSecurity reports.
From the article: "On July 28th, a large number of users reported that they could not log in the system," the statement continues. "We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable."

Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911's longtime competitors — malware-based proxy services VIP72 and LuxSock — closed their doors in the past year...

911 wasn't the only major proxy provider disclosing a breach this week tied to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates its customers' IP addresses every five to ten minutes. That investigation showed Microleaves — like 911 — had a long history of using pay-per-install schemes to spread its proxy software.

Debian

The Story Behind Google's In-house Desktop Linux (computerworld.com)

"For more than a decade, Google has been baking and eating its own homemade Linux desktop distribution," writes Computerworld.

Long-time Slashdot reader waspleg shared their report: The first version was Goobuntu. (As you'd guess from the name, it was based on Ubuntu.) In 2018, Google moved its in-house Linux desktop from Goobuntu to a new Linux distro, the Debian-based gLinux. Why? Because, as Google explained, Ubuntu's Long Term Support (LTS) two-year release cycle "meant that we had to upgrade every machine in our fleet of over 100,000 devices before the end-of-life date of the OS."

That was a pain. Add in the time-consuming need to fully customize engineers' PCs, and Google decided that it cost too much. Besides, the "effort to upgrade our Goobuntu fleet usually took the better part of a year. With a two-year support window, there was only one year left until we had to go through the same process all over again for the next LTS. This entire process was a huge stress factor for our team, as we got hundreds of bugs with requests for help for corner cases."

So, when Google had enough of that, it moved to Debian Linux (though not just vanilla Debian). The company created a rolling Debian distribution: GLinux Rolling Debian Testing (Rodete). The idea is that users and developers are best served by giving them the latest updates and patches as they're created and deemed ready for production.

Google's using what appears to be an automated build system (along with virtualized test suites, and eventually "incremental canarying"), the article points out. The end result?

"The entire gLinux development team consists of a single on-duty release engineer position that rotates among team members."
Cloud

Amazon is Shutting Down Its Cloud Storage Service Amazon Drive (geekwire.com)

Amazon sent emails out Friday morning to Amazon Drive users to notify them that the company is shutting down its cloud storage service on Dec. 31, 2023. From a report: "We are taking the opportunity to more fully focus our efforts on Amazon Photos to provide customers a dedicated solution for photos and video storage," Amazon says in an FAQ. Amazon says photos and videos in Amazon Drive accounts have been automatically saved to Amazon Photos. "If you rely on Amazon Drive for your file storage, you will need to go to the Amazon Drive website and download your files by December 31, 2023," Amazon noted.
Security

0-Days Sold By Austrian Firm Used To Hack Windows Users, Microsoft Says (arstechnica.com)

Longtime Slashdot reader HnT shares a report from Ars Technica: Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren't necessarily the countries in which the DSIRF customers who paid for the attack resided.

"MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks," Microsoft researchers wrote. "These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF."
Referring to DSIRF using the name KNOTWEED, Microsoft researchers wrote: In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim's Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we've seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache for an arbitrary process. This cached context is used the next time the process is spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.
Microsoft recommends a number of security considerations to help mitigate this attack, including patching CVE-2022-22047, updating Microsoft Defender Antivirus to update 1.371.503.0 or later, and enabling multifactor authentication (MFA).
The Courts

Justice Department Investigating Data Breach of Federal Court System (politico.com)

The Justice Department is investigating a data breach of the U.S. federal courts system dating to early 2020, a top official testified on Capitol Hill Thursday. Politico reports: House Judiciary Committee Chair Jerrold Nadler (D-N.Y.) told fellow lawmakers that there had been a "system security failure" of the U.S. Courts' document management system. He said the committee learned in March about the "startling breadth and scope" of the breach. It was the first public disclosure of the hack. Nadler said the data breach of the courts was separate from the SolarWinds hack revealed in late 2020, which involved Russian government-backed hackers infiltrating the networks of over a dozen U.S. federal agencies for much of 2020, including the federal court systems. He spoke at a committee hearing on oversight of the Justice Department's National Security Division.

Assistant Attorney General for National Security Matthew Olsen testified to the committee that NSD is "working very closely with the judicial conference and judges around the country to address this issue," and committed to updating the committee on the investigation as it progressed. A committee aide said that Nadler's questions came after the committee received a briefing on the attack, noting that "the sweeping impact it may have had on the operation of the Department of Justice is staggering." The aide was granted anonymity in order to discuss a private briefing.

Committee member Rep. Sheila Jackson Lee (D-Texas) pressed Olsen for more details on how many cases had been impacted by the breach. "I would expect your preparation and for us to be able to get that information as quickly as possible in a setting that would be appropriate, but this is a dangerous set of circumstances that has now been publicly announced, and we need to know how many... were dismissed," Jackson Lee said. Nadler questioned Olsen on whether the breach had in any way affected cases pursued by the NSD, and Olsen testified he could not "think of anything in particular."

The Almighty Buck

Axie Infinity CEO Moved Crypto Tokens Before the Company Revealed Hack (bloomberg.com)

Sky Mavis, the company that makes the online game, says the executive was shoring up funds to protect the business and help users after Ronin attack. From a report: This spring, Sky Mavis, the startup that makes the video game Axie Infinity, announced it had suffered a devastating hack. While most video games are primarily recreational, Axie Infinity's popularity relied largely on its players' ability to trade and earn crypto tokens that had financial value, and players had stashes that represented significant savings. The hack forced the Vietnam-based game developer to shut down its system for pulling tokens out of the game, essentially freezing the assets of its users before they could react to the news.

Most of them, anyway. In the hours before the announcement and freeze, a digital wallet belonging to its chief executive officer and co-founder, Trung Nguyen, made a large transaction that included about $3 million worth of Axie Infinity's main token, AXS. The tokens moved from Axie's blockchain -- a digital ledger for recording transactions -- to the crypto exchange Binance. Although the transfer was visible to anyone with an internet connection, there's nothing about the wallet that directly connects it to the person controlling it, as is true of most crypto transactions. But after being presented with analysis of public data that seemed to link the wallet to Nguyen, Sky Mavis confirmed that he controlled it. The unusual activity took place during a moment of acute stress for Sky Mavis. For months, the first version of its game had been showing signs of steep decline, and many players were losing faith.

The company was rushing to get the new version of Axie Infinity out when hackers on March 23 drained its system of cryptocurrencies that were worth over $600 million at the time. It was one of the biggest cyberattacks in the history of crypto. Anyone who knew what was going on would have had a strong incentive to sell tokens in the system before they were temporarily locked up, and moving them to the Binance exchange would have been a necessary first step toward cashing them out. But Sky Mavis says that this wasn't the reason Nguyen made the transfer. In emails, Kalie Moore, a company spokeswoman, said that Nguyen had been working to shore up the company's finances during the crisis, and had to do so in a way that wasn't obvious to the broader crypto market, for the good of the overall Axie Infinity economy. By moving AXS to the exchange, said Moore, the company could provide liquidity to its users as it restored access to funds via Binance.

Security

Discovery of New UEFI Rootkit Exposes an Ugly Truth: The Attacks Are Invisible To Us (arstechnica.com)

joshuark writes: Dan Goodin of Ars Technica reports that security researchers have found that rootkits for the Unified Extensible Firmware Interface (UEFI) are not rare, and are difficult to detect. Kaspersky researchers profiled CosmicStrand, the security firm's name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. They state: "The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 -- long before UEFI attacks started being publicly described." The researchers warned that "the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."
Security

Average Data Breach Costs Hit a Record $4.4 Million, Report Says

The average cost of a data breach rose to an all-time high of $4.4 million this year, according to the IBM Security report released Wednesday. That marked a 2.6% increase from a year ago and a 13% jump since 2020. CNET reports: More than half of the organizations surveyed acknowledged they had passed on those costs to their customers in the form of higher prices for their products and services, IBM said. The annual report is based on an analysis of data breaches experienced by 550 organizations around the world between March 2021 and March 2022. The research, which was sponsored and analyzed by IBM, was conducted by the Ponemon Institute.

The cost estimates are based on both immediate and longer-term expenses. While some costs like the payment of ransoms and those related to investigating and containing the breach tend to be accounted for right away, others such as regulatory fines and lost sales can show up years later. On average, those polled said they accrued just under half of the costs related to a given breach more than a year after it occurred.
Encryption

Codebreakers Find 'Sexts,' Arctic Dispatches In 200-Year-Old Encrypted Newspaper Ads (vice.com)

Between 1850 and 1855, someone published a series of unusual ads in the British newspaper The Times. They were made up of a series of seemingly random letters, apparently gobbledygook. An anonymous reader adds: Almost 200 years later, a group of codebreakers has finally been able to decrypt some of them and read what they said, discovering that they were actually encrypted messages from a rescue expedition in the Arctic Ocean.
Facebook

A Newly Discovered Malware Hijacks Facebook Business Accounts (techcrunch.com)

An ongoing cybercriminal operation is targeting digital marketing and human resources professionals in an effort to hijack Facebook Business accounts using a newly discovered data-stealing malware. TechCrunch reports: Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail and found evidence to suggest that a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2021. The firm added that the operation's motives appear to be purely financially driven. The threat actor first scouts targets via LinkedIn, where it selects employees likely to have high-level access to Facebook Business accounts, particularly those with the highest level of access. The threat actor then uses social engineering to convince the target to download a file hosted on a legitimate cloud host, like Dropbox or iCloud. While the file features keywords related to brands, products, and project planning in an attempt to appear legitimate, it contains data-stealing malware that WithSecure says is the first malware that they have seen specifically designed to hijack Facebook Business accounts.

Once installed on a victim's system, the Ducktail malware steals browser cookies and hijacks authenticated Facebook sessions to steal information from the victim's Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has sufficient access to, simply by adding their email address to the compromised account, which prompts Facebook to send a link, via email, to the same email address. The recipient -- in this case, the threat actor -- then interacts with the emailed link to gain access to that Facebook Business account. The threat actors then leverage their new privileges to replace the account's financial details in order to direct payments to their own accounts, or to run Facebook Ad campaigns using money from the victimized firms.

China

China Targeted Fed To Build Informant Network and Access Data, Probe Finds (wsj.com)

China tried to build a network of informants inside the Federal Reserve system, at one point threatening to imprison a Fed economist during a trip to Shanghai unless he agreed to provide nonpublic economic data, a congressional investigation found. From a report: The investigation by Republican staff members of the Senate's Committee on Homeland Security and Governmental Affairs found that over a decade Fed employees were offered contracts with Chinese talent recruitment programs, which often include cash payments, and asked to provide information on the U.S. economy, interest rate changes and policies, according to a report of the findings released on Tuesday. In the case of the economist, the report said, Chinese officials in 2019 detained and tried to coerce him to share data and information on U.S. government policies, including on tariffs while the U.S. and China were in the midst of a trade war. The report doesn't say whether any sensitive information was compromised. Access to such information could provide valuable insights given the Fed's extensive analysis of U.S. economic activity, its oversight of the U.S. financial system, and the setting of interest-rate policy.

The Republican-led investigation said the Fed failed to mount an adequate response. The report's findings show "a sustained effort by China, over more than a decade, to gain influence over the Federal Reserve and a failure by the Federal Reserve to combat this threat effectively." Fed Chairman Jerome Powell strongly disputed the report's findings and called its characterizations of some employees unfair. "Because we understand that some actors aim to exploit any vulnerabilities, our processes, controls, and technology are robust and updated regularly. We respectfully reject any suggestions to the contrary," he wrote in a letter to Sen. Rob Portman of Ohio, the committee's top Republican.

Security

Source Code For Rust-Based Info-Stealer Released On Hacker Forums (bleepingcomputer.com)

The source code for an information-stealing malware coded in Rust has been released for free on hacking forums, with security analysts already reporting that the malware is actively used in attacks. BleepingComputer reports: The malware, which the author claims to have developed in just six hours, is quite stealthy, with VirusTotal returning a detection rate of around 22%. As the info-stealer is written in Rust, a cross-platform language, it allows threat actors to target multiple operating systems. However, in its current form, the new info-stealer only targets Windows operating systems.

Analysts at cybersecurity firm Cyble, who sampled the new info-stealer and named it "Luca Stealer," report that the malware comes with standard capabilities for this type of malware. When executed, the malware attempts to steal data from thirty Chromium-based web browsers, where it will steal stored credit cards, login credentials, and cookies. The stealer also targets a range of "cold" cryptocurrency and "hot" wallet browser addons, Steam accounts, Discord tokens, Ubisoft Play, and more. Where Luca Stealer stands out against other info-stealers is the focus on password manager browser addons, stealing the locally stored data for 17 applications of this kind. In addition to targeting applications, Luca also captures screenshots and saves them as a .png file, and performs a "whoami" to profile the host system and send the details to its operators.
