Security

Ransomware Group Reports Victim It Breached To SEC Regulators (arstechnica.com) 32

One of the world's most active ransomware groups has taken an unusual -- if not unprecedented -- tactic to pressure one of its victims to pay up: reporting the victim to the US Securities and Exchange Commission. From a report: The pressure tactic came to light in a post published on Wednesday on the dark web site run by AlphV, a ransomware crime syndicate that's been in operation for two years. After first claiming to have breached the network of the publicly traded digital lending company MeridianLink, AlphV officials posted a screenshot of a complaint it said it filed with the SEC through the agency's website. Under a recently adopted rule that goes into effect next month, publicly traded companies must file an SEC disclosure within four days of learning of a security incident that had a "material" impact on their business.

"We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules," AlphV officials wrote in the complaint. "It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules." The violation category selected in the online report was "Material misstatement or omission in a company's filings or financial statements or a failure to file."

Apple

Apple Says RCS Messages Will Have Green Bubbles (9to5mac.com) 182

Apple announced on Thursday its plans to bring RCS support to the iPhone in 2024. But some things are not going to change, sadly. 9to5Mac reports: Since I published my story on the news this morning, there's one thing everyone wants to know: is the blue bubbles vs green bubbles debate coming to an end? I'm happy to say I now have an official answer: nope. RCS will use green bubbles just like SMS. [...] Apple has confirmed to me that blue bubbles will still be used to represent iMessages, while green bubbles will represent RCS messages. The company uses blue bubbles to denote what it believes is the best and most secure way for iPhone users to communicate, which is iMessage.

Privacy

Prison Phone Company Leaked 600,000 Users' Data and Didn't Notify Them (arstechnica.com) 45

An anonymous reader quotes a report from Ars Technica: Prison phone company Global Tel*Link leaked the personal information of nearly 650,000 users and failed to notify most of the users that their personal data was exposed, the Federal Trade Commission said today. The company agreed to a settlement that requires it to change its security practices and offer free credit monitoring and identity protection to affected users, but the settlement doesn't include a fine. "Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing," the FTC said.

A security researcher notified Global Tel*Link of the breach on August 13, 2020, according to the FTC's complaint (PDF). This happened just after "the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data," the FTC said. The data was copied to an Amazon Web Services test environment to test a new version of a search software product. For about two days, the data was in the test environment and "accessible via the Internet without password protection or other access controls," the FTC said. After hearing from the security researcher, Global Tel*Link reconfigured the test environment to cut off public access. But a few weeks later, the firm was notified by an identity monitoring vendor that the data was available on the dark web. Global Tel*Link didn't notify any users until May 2021, and even then, it only notified a subset of them, according to the FTC. [...]

The complaint said that Global Tel*Link violated the Federal Trade Commission Act's section on unfair or deceptive acts or practices and charged the firm with unfair data security practices, unfair failure to notify affected consumers of the incident, misrepresentations regarding data security, misrepresentations to individual users regarding the incident, misrepresentations to individual users regarding notice, and deceptive representations to prison facilities regarding the incident. To settle the charges, the company agreed to new security protocols, including "'change management' measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores," the FTC said. Global Tel*Link also has to notify the affected users who were not previously notified of the breach and provide them with credit monitoring and identity protection products. The product must include $1,000,000 worth of identity theft insurance to cover costs related to identity theft or fraud. The company must also notify consumers and prison facilities within 30 days of future data breaches and notify the FTC of the incidents, the agency said. Violations of the settlement could result in fines of $50,120 for each violation, the FTC said.

Businesses

Users Can't Speak To Viral AI Girlfriend CarynAI Because CEO Is in Jail (404media.co) 52

samleecole writes: People who paid to speak to an AI girlfriend modeled after real-life 23-year-old influencer Caryn Marjorie are distraught because the service they paid for, Forever Companions, no longer works. It appears that the service stopped working shortly after Forever Companion CEO and founder John Meyer was arrested for trying to set his own apartment on fire.

404 Media tested CarynAI today as well as other AI bots and confirmed the service is not working. According to what we saw in the Telegram channel where Forever Companion users start conversations with CarynAI, the service has not been working since October 23. "I terminated my relationship with Forever Voices due to unforeseen circumstances," Marjorie told 404 Media in an email. "I wish the best for John Meyer and his family as he recovers from his mental health crisis. We didn't see this coming but I vow to push CarynAI forward for my fans and supporters." On October 30, Marjorie also announced that she's making a similar AI companion, "CarynAI 2.0," with another company called Banter AI. On social media for the last few weeks, the official Forever Voices Twitter account has been posting bizarre videos and statements about the CIA, Donald Trump, and the FBI.

Programming

Developers Can't Seem To Stop Exposing Credentials in Publicly Accessible Code (arstechnica.com) 59

Despite more than a decade of reminding, prodding, and downright nagging, a surprising number of developers still can't bring themselves to keep their code free of credentials that provide the keys to their kingdoms to anyone who takes the time to look for them. From a report: The lapse stems from immature coding practices in which developers embed cryptographic keys, security tokens, passwords, and other forms of credentials directly into the source code they write. The credentials make it easy for the underlying program to access databases or cloud services necessary for it to work as intended. [...]

The number of studies published following the revelations underscored just how common the practice had been and remained in the years immediately following Uber's cautionary tale. Sadly, the negligence continues even now. Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language. Nearly 3,000 projects contained at least one unique secret. Many secrets were leaked more than once, bringing the total number of exposed secrets to almost 57,000.

Encryption

Signal Reveals Its Operation Costs, Estimates $50 Million a Year In 2024 (wired.com) 29

gaiageek writes: Of note, given the recent Slashdot article about Signal opening up to trying out usernames, is the $6 million annual cost of sending SMS messages for account verification, which certainly suggests that getting rid of phone number verification would be a significant cost-saving solution.

Signal pays $14 million a year in infrastructure costs, for instance, including the price of servers, bandwidth, and storage. It uses about 20 petabytes per year of bandwidth, or 20 million gigabytes, to enable voice and video calling alone, which comes to $1.7 million a year. The biggest chunk of those infrastructure costs, fully $6 million annually, goes to telecom firms to pay for the SMS text messages Signal uses to send registration codes to verify new Signal accounts' phone numbers.

Apple

Apple To Add RCS Support To iPhone Next Year (9to5mac.com) 160

9to5Mac: In a surprising move, Apple has announced today that it will adopt the RCS (Rich Communication Services) messaging standard. The feature will launch via a software update "later next year" and bring a wide range of iMessage-style features to messaging between iPhone and Android users. Apple's decision comes amid pressure from regulators and competitors like Google and Samsung. It also comes as RCS has continued to develop and become a more mature platform than it once was.

In a statement to 9to5Mac, an Apple spokesperson said that the company believes RCS will offer better interoperability for cross-platform messages. "Later next year, we will be adding support for RCS Universal Profile, the standard as currently published by the GSM Association. We believe RCS Universal Profile will offer a better interoperability experience when compared to SMS or MMS. This will work alongside iMessage, which will continue to be the best and most secure messaging experience for Apple users."

Security

Samsung Says Hackers Accessed Customer Data During Year-Long Breach (techcrunch.com) 7

Samsung has admitted that hackers accessed the personal data of U.K.-based customers during a year-long breach of its systems. From a report: In a statement to TechCrunch, Samsung spokesperson Chelsea Simpson, representing the company via a third-party agency, said Samsung was "recently alerted to a security incident" that "resulted in certain contact information of some Samsung U.K. e-store customers being unlawfully obtained." Samsung declined to answer further questions about the incident, such as how many customers were affected or how hackers accessed its internal systems.

In a letter sent to affected customers, Samsung admitted that attackers exploited a vulnerability in an unnamed third-party business application to access the personal information of customers who made purchases at Samsung U.K.'s store between July 1, 2019 and June 30, 2020. In the letter, which was shared on X (formerly Twitter), Samsung said it didn't discover the compromise until more than three years later, on November 13, 2023. Samsung told affected customers that hackers may have accessed their names, phone numbers, postal addresses, and email addresses.

Android

Children's Tablet Has Malware and Exposes Kids' Data, Researcher Finds (techcrunch.com) 37

An anonymous reader shares a report: In May this year, Alexis Hancock's daughter got a children's tablet for her birthday. Being a security researcher, Hancock was immediately worried. "I looked at it kind of sideways because I've never heard of Dragon Touch," Hancock told TechCrunch, referring to the tablet's maker. As it turned out, Hancock, who works at the Electronic Frontier Foundation, had good reasons to be concerned. Hancock said she found that the tablet had a slew of security and privacy issues that could have put her daughter's and other children's data at risk.

The Dragon Touch KidzPad Y88X contains traces of a well-known malware, runs a version of Android that was released five years ago, comes pre-loaded with other software that's considered malware and a "potentially unwanted program" because of "its history and extensive system level permissions to download whatever application it wants," and includes an outdated version of an app store designed specifically for kids, according to Hancock's report, which was released on Thursday and seen by TechCrunch ahead of its publication. Hancock said she reached out to Dragon Touch to report these issues, but the company never responded. Dragon Touch did not respond to TechCrunch's questions either.
After TechCrunch reached out to the company, Walmart removed the listing from its website, while Amazon said it's looking into the matter.

Technology

Proton Mail CEO Calls New Address Verification Feature 'Blockchain in a Very Pure Form' (fortune.com) 28

Proton Mail, the leading privacy-focused email service, is making its first foray into blockchain technology with Key Transparency, which will allow users to verify email addresses. From a report: In an interview with Fortune, CEO and founder Andy Yen made clear that although the new feature uses blockchain, the key technology behind crypto, Key Transparency isn't "some sketchy cryptocurrency" linked to an "exit scam." A student of cryptography, Yen added that the new feature is "blockchain in a very pure form," and it allows the platform to solve the thorny issue of ensuring that every email address actually belongs to the person who's claiming it.

Proton Mail uses end-to-end encryption, a secure form of communication that ensures only the intended recipient can read the information. Senders encrypt an email using their intended recipient's public key -- a long string of letters and numbers -- which the recipient can then decrypt with their own private key. The issue, Yen said, is ensuring that the public key actually belongs to the intended recipient. "Maybe it's the NSA that has created a fake public key linked to you, and I'm somehow tricked into encrypting data with that public key," he told Fortune. In the security space, the tactic is known as a "man-in-the-middle attack," like a postal worker opening your bank statement to get your social security number and then resealing the envelope.

Blockchains are an immutable ledger, meaning any data initially entered onto them can't be altered. Yen realized that putting users' public keys on a blockchain would create a record ensuring those keys actually belonged to them -- and would be cross-referenced whenever other users send emails. "In order for the verification to be trusted, it needs to be public, and it needs to be unchanging," Yen said.
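To make the verification idea concrete, here is an added illustration (not Proton's code or design) of an append-only, hash-chained public-key log and the sender-side check the article describes: before encrypting, the sender confirms that the key offered for an address matches the latest key in the public log, that the log is internally intact, and that the log it saw earlier is still a prefix of the log it sees now. Addresses, key strings and the log format are constructed placeholders.

```python
"""Added example: hash-chained public-key log with a sender-side key check.
Not Proton Mail's implementation; emails and keys are constructed placeholders."""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value for the first entry (constructed convention)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    index: int
    email: str
    public_key: str   # constructed placeholder such as "pk-alice-v1"
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Each entry commits to its own content and to the previous entry's hash.
        payload = json.dumps([self.index, self.email, self.public_key, self.prev_hash])
        return _sha256_hex(payload.encode())


class KeyLog:
    """Append-only log: editing or dropping an earlier entry changes every later hash,
    so a record cannot be quietly altered once it is public."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, email: str, public_key: str) -> str:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(len(self.entries), email, public_key, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry.entry_hash

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify_chain(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return False
            prev = e.entry_hash
        return True

    def latest_key(self, email: str):
        for e in reversed(self.entries):
            if e.email == email:
                return e.public_key
        return None


def key_is_trustworthy(log: KeyLog, seen_head: str, email: str, offered_key: str) -> bool:
    """Sender-side check before encrypting to `offered_key`.
    1. the log must be internally consistent;
    2. the head the sender recorded earlier must still be in the chain (append-only);
    3. the key the key server offers must equal the latest key the public log records."""
    if not log.verify_chain():
        return False
    if seen_head not in [e.entry_hash for e in log.entries]:
        return False  # history was rewritten or forked since the sender last looked
    return log.latest_key(email) == offered_key


def build_log() -> KeyLog:
    log = KeyLog()
    log.append("alice@example.com", "pk-alice-v1")
    log.append("bob@example.com", "pk-bob-v1")
    return log


def demo_legitimate() -> bool:
    log = build_log()
    seen = log.head()
    log.append("carol@example.com", "pk-carol-v1")  # log grows; earlier head still present
    return key_is_trustworthy(log, seen, "alice@example.com", "pk-alice-v1")


def demo_substituted_key() -> bool:
    # A key server hands the sender a key that the public log never recorded for Alice.
    log = build_log()
    return key_is_trustworthy(log, log.head(), "alice@example.com", "pk-attacker")


def demo_rewritten_history() -> tuple:
    # An attacker rewrites Alice's entry and recomputes every hash to hide the edit.
    # The chain is self-consistent again, but the head the sender saw before is gone.
    log = build_log()
    seen = log.head()
    log.entries[0].public_key = "pk-attacker"
    prev = GENESIS
    for e in log.entries:
        e.prev_hash = prev
        e.entry_hash = e.compute_hash()
        prev = e.entry_hash
    return log.verify_chain(), key_is_trustworthy(log, seen, "alice@example.com", "pk-attacker")
```

The third demo is the important one: a rewritten log can look valid on its own, which is why the check also compares against a head the sender (or an independent auditor) observed earlier.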

Microsoft

Microsoft and Nvidia Are Making It Easier To Run AI Models on Windows (theverge.com) 14

Microsoft and Nvidia want to help developers run and configure AI models on their Windows PCs. During the Microsoft Ignite event on Wednesday, Microsoft announced Windows AI Studio: a new hub where developers can access AI models and tweak them to suit their needs. From a report: Windows AI Studio allows developers to access development tools and models from the existing Azure AI Studio and other services like Hugging Face. It also offers an end-to-end "guided workspace setup" with model configuration UI and walkthroughs to fine-tune various small language models (SLMs), such as Microsoft's Phi, Meta's Llama 2, and Mistral.

Windows AI Studio lets developers test the performance of their models using Prompt Flow and Gradio templates as well. Microsoft says it's going to roll out Windows AI Studio as a Visual Studio Code extension in the "coming weeks." Nvidia, similarly, revealed updates to TensorRT-LLM, which the company initially launched for Windows as a way to run large language models (LLMs) more efficiently on H100 GPUs. However, this latest update brings TensorRT-LLM to PCs powered by GeForce RTX 30 and 40 Series GPUs with 8GB of RAM or more.

IT

Asus Apologizes For Misprinted Evangelion Motherboard (videocardz.com) 116

Asus recently launched a special edition Rog Maximus Z790 Hero EVA-02 motherboard, but the company misspelt "Evangelion" as "Evangenlion" on it -- adding an extra "n" on the I/O heatsink. From a report: Despite being just a single letter, ASUS acknowledges that this error on a $700 motherboard is significant enough to warrant replacement, likely at no additional cost to the users.

ASUS has officially stated that users who find the typo on their motherboards unacceptable can reach out to ASUS support for guidance on the replacement process. Notably, there is no indication of a dedicated service to handle these replacements on behalf of users. So users will be asked to disassemble their motherboards themselves.

Bug

Intel Fixes High-Severity CPU Bug That Causes 'Very Strange Behavior' (arstechnica.com) 22

An anonymous reader quotes a report from Ars Technica: Intel on Tuesday pushed microcode updates to fix a high-severity CPU bug that has the potential to be maliciously exploited against cloud-based hosts. The flaw, affecting virtually all modern Intel CPUs, causes them to "enter a glitch state where the normal rules don't apply," Tavis Ormandy, one of several security researchers inside Google who discovered the bug, reported. Once triggered, the glitch state results in unexpected and potentially serious behavior, most notably system crashes that occur even when untrusted code is executed within a guest account of a virtual machine, which, under most cloud security models, is assumed to be safe from such faults. Escalation of privileges is also a possibility.

The bug, tracked under the common name Reptar and the designation CVE-2023-23583, is related to how affected CPUs manage prefixes, which change the behavior of instructions sent by running software. Intel x64 decoding generally allows redundant prefixes -- meaning those that don't make sense in a given context -- to be ignored without consequence. During testing in August, Ormandy noticed that the REX prefix was generating "unexpected results" when running on Intel CPUs that support a newer feature known as fast short repeat move, which was introduced in the Ice Lake architecture to fix microcoding bottlenecks. The unexpected behavior occurred when adding the redundant rex.r prefixes to the FSRM-optimized rep mov operation. [...]

Intel's official bulletin lists two classes of affected products: those that were already fixed and those that are fixed using microcode updates released Tuesday. An exhaustive list of affected CPUs is available here. As usual, the microcode updates will be available from device or motherboard manufacturers. While individuals aren't likely to face any immediate threat from this vulnerability, they should check with the manufacturer for a fix. People with expertise in x86 instruction and decoding should read Ormandy's post in its entirety. For everyone else, the most important takeaway is this: "However, we simply don't know if we can control the corruption precisely enough to achieve privilege escalation." That means it's not possible for people outside of Intel to know the true extent of the vulnerability severity. That said, anytime code running inside a virtual machine can crash the hypervisor the VM runs on, cloud providers like Google, Microsoft, Amazon, and others are going to immediately take notice.

Security

A Lost Bitcoin Wallet Passcode Helped Uncover a Major Security Flaw 22

After a tech entrepreneur and investor lost his password for retrieving $100,000 in bitcoin and hired experts to break open the wallet where he kept it, they failed to help him. But in the process, they discovered a way to crack enough other software wallets to steal $1 billion or more. From a report: On Tuesday, the team is releasing information about how they did it. They hope it's enough data that the owners of millions of wallets will realize they are at risk and move their money, but not so much data that criminals can figure out how to pull off what would be one of the largest heists of all time.

Their start-up, Unciphered, has worked for months to alert more than a million people that their wallets are at risk. Millions more haven't been told, often because their wallets were created at cryptocurrency websites that have gone out of business. The story of those wallets' vulnerabilities underscores the enormous risk in experimental currencies, beyond their wild fluctuations in value and fast-changing regulations. Many wallets were created with code containing profound flaws, and the companies that used that code can disappear. Beyond that, it is a sobering reminder that underneath software infrastructure of all kinds, even ones explicitly dedicated to securing funds, are open-source programs that few or no people oversee. "Open-source ages like milk. It will eventually go bad," said Chris Wysopal, a co-founder of security company Veracode who advised Unciphered as it sorted through the problem.

IT

The $2,000 Phones That Let Anyone Make Robocalls (404media.co) 24

An anonymous reader writes: Videos collected by 404 Media over months give a peek into the world of spoofing numbers, automated call scripts, and a specific seller of the phones. From the report: "Alright lads," a man sitting in the passenger seat of a moving car says in a heavy British accent. In his left hand he holds a special phone he is showing off to his clients, while with the other he films his demonstration which was later uploaded to Telegram. "I'm only going to say it once, yeah. You swipe, and it's gone," he continues, demonstrating one app installed that can instantly destroy data stored on the device. The phone in question is one from "Russiancoms," an underground outfit that sells the devices for just under $2,000 each. For that price, customers get a laundry list of features: the ability to spoof phone numbers, play hold music, and have a computerized voice read pre-determined scripts. While Russiancoms does not acknowledge in its Telegram channel what the phones might really be for, those are features well suited to committing fraud.

The Russiancoms Telegram channel periodically deletes its videos and other messages, but 404 Media has been archiving many of them for months. They provide insight into a little known industry of fraud phones, ones that make it easy for anyone to enter the world of robocalling or other scams. While much of the underground phone industry has been focused on providing secure communications to criminals -- companies like Phantom Secure, Encrochat, and Sky for example -- Russiancoms and similar companies appear to cater to a different use case: enabling people to make calls that fraudulently appear to come from someone else. A common tool in the underground is also so-called Russian SIMs, which can spoof numbers in some cases. Russiancoms' phones, however, are more fully featured.

Security

FBI Struggled To Disrupt Dangerous Casino Hacking Gang, Cyber Responders Say 30

The U.S. Federal Bureau of Investigation (FBI) has struggled to stop a hyper-aggressive cybercrime gang that's been tormenting corporate America over the last two years, according to nine cybersecurity responders, digital crime experts and victims. Reuters: For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation. Industry executives have told Reuters they were baffled by an apparent lack of arrests despite many of the hackers being based in America. "I would love for somebody to explain it to me," said Michael Sentonas, president of CrowdStrike, one of the firms leading the response effort to the hacks.

"For such a small group, they are absolutely causing havoc," Sentonas told Reuters in an interview last month. Sentonas said the hackers were "known" but didn't provide specifics. He did say, "I think there is a failure here." Asked who was responsible for the failure, Sentonas said, "law enforcement." [...] Dubbed by some security professionals as "Scattered Spider," the hacking group has been active since 2021 but it grabbed headlines following a series of intrusions at several high profile American companies.

Google

Google Sues Men Who Weaponized DMCA Notices To Crush Competition (torrentfreak.com) 50

An anonymous reader writes: Two men who allegedly used 65 Google accounts to bombard Google with fraudulent DMCA takedown notices targeting up to 620,000 URLs, have been named in a Google lawsuit filed in California on Monday. Google says the men weaponized copyright law's notice-and-takedown system to sabotage competitors' trade, while damaging the search engine's business and those of its customers.

Crime

Person Linked To Scam Asks FBI for His Seized Cryptocurrency Back (404media.co) 46

A person linked to a scam that tricked an elderly victim into transferring more than $100,000 formally requested the FBI give back his seized cryptocurrency, claiming in a petition to the agency that he is a part-time crypto investor and not doing anything illegal, according to a recently filed court record. From a report: 404 Media also reached the person by email and they largely repeated the same story. The request is an unusual sight, and, to be frank, probably not going to work. In the court record, authorities allege that the frozen funds are linked to a scam of a victim in the U.S. The document says authorities seized just under 18,500 Tether, valued at around $18,500, in July with a federal search warrant.

"Hello Sir/Ma'am, My name is Vishal Gautam," the request starts. "The funds which you have on hold that is a very big amount of money for me and my family, I request you to please release it from your custody. Thank You & Regards." The message says that Gautam lives in India and as well as investing in cryptocurrency, he is a "full-time Health Insurance" worker. "In the month of July 2023 suddenly my crypto from Binance got disappeared, I don't know how it happened but then I got to know that the FBI has put hold on my assets," the message continues. "I am not into something illegal and never will be, I will not do any such thing that can harm your country or your people in any manner." U.S. authorities, meanwhile, allege that the seized cash is connected to a fraud scheme that targeted a senior citizen in Knoxville, Iowa. In February, this victim opened an email on her iPad that claimed it had been compromised, and that she needed to contact the sender for assistance, according to the court record.

Security

Healthcare Giant McLaren Reveals Data On 2.2 Million Patients Stolen During Ransomware Attack (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: Michigan-based McLaren Health Care has confirmed that the sensitive personal and health information of 2.2 million patients was compromised during a cyberattack earlier this year. A ransomware gang later took credit for the cyberattack. In a new data breach notice filed with Maine's attorney general, McLaren said hackers were in its systems for three weeks, from July 28 through August 23, before the healthcare company noticed a week later on August 31. McLaren said the hackers accessed patient names, their date of birth and Social Security number, and a wealth of medical information, including billing, claims and diagnosis information, prescription and medication details, and information relating to diagnostic results and treatments. Medicare and Medicaid patient information was also taken.

McLaren is a healthcare provider with 13 hospitals across Michigan and about 28,000 total employees. McLaren, whose website touts its cost efficiency measures, made over $6 billion in revenue in 2022. News of the incident broke in October when the Alphv ransomware gang (also known as BlackCat) claimed responsibility for the cyberattack, claiming it took millions of patients' personal information. Days after the cyberattack was disclosed, Michigan attorney general Dana Nessel warned state residents that the breach "could affect large numbers of patients." TechCrunch has seen several screenshots posted by the ransomware gang on its dark web leak site showing access to the company's password manager, internal financial statements, some employee information, and spreadsheets of patient-related personal and health information, including names, addresses, phone numbers, Social Security numbers, and diagnostic information. Alphv/BlackCat claimed in its post that the gang had been in contact with a McLaren representative, without providing evidence of the claim.

Security

New York Plans Cyber Rules for Hospitals (wsj.com) 24

New York regulators Monday plan to issue cybersecurity regulations for hospitals, after a series of attacks crippled operations at medical facilities. From a report: Under draft rules reviewed by The Wall Street Journal, New York will require general hospitals to develop and test incident response plans, assess their cybersecurity risks and install security technologies such as multifactor authentication. Hospitals must also develop secure software design practices for in-house applications, and processes for testing the security of software from vendors. Hacking "is a threat to every hospital, and my firm belief is if we protect the hospital, we're protecting the patients," said James McDonald, health commissioner for New York state.

Healthcare facilities are popular targets for cybercriminals, particularly ransomware operators hoping for quick ransom payments from administrators worried about risks to patients if technology goes down. Hospitals also hold large amounts of sensitive personal information on their staff and patients, including health and financial data. In August, the largest healthcare accreditation body in the U.S. issued cybersecurity guidelines calling for hospitals to prepare for cyberattacks that could take down critical systems for a month or longer -- measures that will require significant investment. Hospitals need to put in place tools and processes that anticipate technology critical for life and safety could be down, and find alternative ways to work without those systems, the nonprofit Joint Commission said.
