Security

7-Eleven Stores In Denmark Closed Due To a Cyberattack (bleepingcomputer.com) 32

7-Eleven stores in Denmark shut down today after a cyberattack disrupted stores' payment and checkout systems throughout the country. Bleeping Computer reports: The attack occurred early this morning, August 8th, with the company posting on Facebook that they were likely "exposed to a hacker attack." The translated statement says that the company has closed all the stores in the country while investigating the security incident: "Unfortunately, we suspect that we have been exposed to a hacker attack today, Monday 8 August 2022. This means that we cannot use checkouts and/or receive payment. We are therefore keeping the stores closed until we know the extent. We naturally hope that we can open the stores again soon." - 7-Eleven DK. At this time, there are no further details about the attack, including whether ransomware was involved, which has become the most common cyberattack causing wide-scale outages.
Security

Twilio Hacked by Phishing Campaign Targeting Internet Companies (techcrunch.com) 10

Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. From a report: The San Francisco-based company, which allows users to build voice and SMS capabilities -- such as two-factor authentication (2FA) -- into applications, said in a blog post published Monday that it became aware that someone gained "unauthorized access" to information related to some Twilio customer accounts on August 4. Twilio has more than 150,000 customers, including Facebook and Uber. According to the company, the as-yet-unidentified threat actor convinced multiple Twilio employees into handing over their credentials, which allowed access to the company's internal systems. The attack used SMS phishing messages that purported to come from Twilio's IT department, suggesting that the employees' password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controls.
The Courts

Class Action Alleges Experian Didn't Stop Identity Thieves from Hijacking Accounts (krebsonsecurity.com) 16

"A class action lawsuit has been filed against big-three consumer credit bureau Experian," reports Krebs on Security, "over reports that the company did little to prevent identity thieves from hijacking consumer accounts.

The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim's personal information and a different email address. The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian's documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.
The lawsuit even cites a July blog post from Krebs on Security. The blog post's title? "Experian, You Have Some Explaining to Do."
After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change... After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account's previously chosen PIN and recovery questions. Once I'd changed the PIN and security questions, Experian's site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?
Experian did send an automated message to the account's original email address when a new one was added, Krebs wrote, but wondered what good that would actually do. "The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, 'this email address is no longer monitored'..."

"I could see no option in my account to enable multi-factor authentication for all logins..."

And Krebs added Friday that "Since that story ran I've heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account."
Twitter

Twitter Confirms Vulnerability Exposed Data of Anonymous Account Owners (twitter.com) 17

Friday the Twitter Privacy Center posted an announcement on their blog:

"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened...."

Engadget explains: [T]he company said a malicious actor took advantage of a zero-day flaw before Twitter became aware of and patched the issue in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company's bug bounty program. When Twitter first learned of the flaw, it said it had "no evidence" to suggest it had been exploited. However, an individual told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the exposure.
From the Twitter Privacy Center: This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.... After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Security

'Huge Flaw' Threatens US Emergency Alert System, DHS Researcher Warns (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: The US Department of Homeland Security is warning of vulnerabilities in the nation's emergency broadcast network that makes it possible for hackers to issue bogus warnings over radio and TV stations. "We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network)," the DHS's Federal Emergency Management Agency (FEMA) warned. "This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14."

Pyle told reporters at CNN and Bleeping Computer that the vulnerabilities reside in the Monroe Electronics R189 One-Net DASDEC EAS, an emergency alert system encoder and decoder. TV and radio stations use the equipment to transmit emergency alerts. The researcher told Bleeping Computer that "multiple vulnerabilities and issues (confirmed by other researchers) haven't been patched for several years and snowballed into a huge flaw."

"When asked what can be done after successful exploitation, Pyle said: 'I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response,'" Bleeping Computer added.

IT

Diving into Digital Ephemera: Identifying Defunct URLs in the Web Archives (loc.gov) 7

Olivia Meehan, who worked on the web archiving team at the US Library of Congress, evaluates how well online archives of the Papal Transition 2005 Collection from 2005 have survived: Based on the results I have so far and conversations I've had with other web archivists, the lifecycle of websites is unpredictable to the extent that accurately tracking the status of a site inherently requires nuance, time, and attention -- which is difficult to maintain at scale. This data is valuable, however, and is worth pursuing when possible. Using a sample selection of URLs from larger collections could make this more manageable than comprehensive reviews.

Of the content originally captured in the Papal Transition 2005 Collection, 41% is now offline. Without the archived pages, the information, perspectives, and experiences expressed on those websites would potentially be lost forever. They include blogs, personal websites, individually-maintained web portals, and annotated bibliographies. They frequently represent small voices and unique perspectives that may be overlooked or under-represented by large online publications with the resources to maintain legacy pages and articles.

The internet is impermanent in a way that is difficult to quantify. The constant creation of new information obscures what is routinely deleted, overwritten, and lost. While the scope of this project is small within the context of the wider internet, and even within the context of the Library's Web Archive collections as a whole, I hope that it effectively demonstrates the value of web archives in preserving snapshots of the online world as it moves and changes at a record pace.

Security

Solana Hack Blamed on Slope Mobile Wallet Exploit (decrypt.co) 11

Thousands of Solana users collectively lost about $4.5 million worth of SOL and other tokens from Tuesday night into early Wednesday, and now there's a likely explanation for why: it's being blamed on a private key exploit tied to mobile software wallet Slope. From a report: On Wednesday afternoon, the official Solana Status Twitter account shared preliminary findings through collaboration between developers and security auditors, and said that "it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications."

"This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure," the thread continues. "While the details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service." "There is no evidence the Solana protocol or its cryptography was compromised," the account added. Some Phantom wallets were also drained of their SOL and tokens in the attack, however it appears that those wallets' holders had previously interacted with a Slope wallet. "Phantom has reason to believe that the reported exploits are due to complications related to importing accounts to and from Slope," the Phantom team tweeted today.

Twitter

Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (bleepingcomputer.com) 6

An anonymous reader quotes a report from BleepingComputer: Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users' Twitter accounts that are associated with the app. The discovery belongs to cybersecurity firm CloudSEK, which scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API. When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.

As having access to these authentication keys could allow anyone to perform actions as associated Twitter users, it is never recommended to store keys directly in a mobile app where threat actors can find them. CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their authentication keys in the Twitter API but forget to remove them when the mobile is released. [...] One of the most prominent scenarios of abuse of this access, according to CloudSEK, would be for a threat actor to use these exposed tokens to create a Twitter army of verified (trustworthy) accounts with large numbers of followers to promote fake news, malware campaigns, cryptocurrency scams, etc.
"CloudSEK shared a list of impacted applications [...] with apps between 50,000 and 5,000,000 downloads," reports BleepingComputer. They are not disclosing the list because they are still vulnerable to exploitation and Twitter account takeover.
AI

WhatsApp Boss Says No To AI Filters Policing Encrypted Chat (theregister.com) 38

An anonymous reader quotes a report from The Register: The head of WhatsApp will not compromise the security of its messenger service to bend to the UK government's efforts to scan private conversations. Will Cathcart, who has been at parent company Meta for more than 12 years and head of WhatsApp since 2019, told the BBC that the popular communications service wouldn't downgrade or bypass its end-to-end encryption (E2EE) just for British snoops, saying it would be "foolish" to do so and that WhatsApp needs to offer a consistent set of standards around the globe. "If we had to lower security for the world, to accommodate the requirement in one country, that ... would be very foolish for us to accept, making our product less desirable to 98 percent of our users because of the requirements from 2 percent," Cathcart told the broadcaster. "What's being proposed is that we -- either directly or indirectly through software -- read everyone's messages. I don't think people want that."

Strong E2EE ensures that only the intended sender and receiver of a message can read it, and not even the provider of the communications channel nor anyone eavesdropping on the encrypted chatter. The UK government is proposing that app builders add an automated AI-powered scanner in the pipeline -- ideally in the client app -- to detect and report illegal content, in this case child sex abuse material (CSAM).

The upside is that at least messages are encrypted as usual when transmitted: the software on your phone, say, studies the material, and continues on as normal if the data is deemed CSAM-free. One downside is that any false positives mean people's private communications get flagged up and potentially analyzed by law enforcement or a government agent. Another downside is that the definition of what is filtered may gradually change over time, and before you know it: everyone's conversations are being automatically screened for things politicians have decided are verboten. And another downside is that client-side AI models that don't produce a lot of false positives are likely to be easily defeated, and are mainly good for catching well-known, unaltered CSAM examples.

Security

New Gmail Attack Bypasses Passwords and 2FA To Read All Email (forbes.com) 37

An anonymous reader quotes a report from Forbes: According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware's internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system.
The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or are not available from the Chrome Web Store.
China

Attacks on Taiwan Websites Likely Work of Chinese 'Hacktivists' (reuters.com) 24

Digital attacks against Taiwanese government websites ahead of U.S. House of Representatives Speaker Nancy Pelosi's arrival in Taipei on Tuesday were likely launched by Chinese activist hackers rather than the Chinese government, a cybersecurity research organisation said. From a report: The website of Taiwan's presidential office was targeted by a distributed denial of service (DDoS) attack on Tuesday and was at one point malfunctioning, the office said in a statement. Access to the website was restored within about 20 minutes of the attack, the statement said. Taiwanese government agencies were monitoring the situation in the face of "information warfare," a spokesperson later added. A government portal website and Taiwan's foreign ministry website were also temporarily taken offline on Tuesday. In a statement, the foreign ministry said both websites had been hit with up to 8.5 million traffic requests a minute from a "large number of IPs from China, Russia and other places."
Crime

Forsage Crypto Executives Charged With Running $300 Million Ponzi Scheme (cbsnews.com) 12

Eleven people who ran and promoted cryptocurrency firm Forsage are facing charges of operating a pyramid and Ponzi scheme that raised more than $300 million from millions of investors in the U.S. and elsewhere, according to the Securities and Exchange Commission. From a report: The Forsage executives posted videos that promised huge returns for investors, with one calling it "a powerful long-term source of passive income" and telling viewers, "Forsage means fast and furious." But securities regulators allege the service's founders weren't providing an investment strategy, but rather running a pyramid scheme, where investors made money by recruiting others. Also, earlier investors were paid through the money invested by newer customers, the hallmark of a classic Ponzi structure.

The charges underscore the financial risks of a sector that has drawn a fair share of fraudsters and scammers, aside from the massive price plunges that cryptocurrencies have experienced this year. In the case of Forsage, the service was created in 2020 and targeted retail investors who wanted to enter into crypto transactions via so-called "smart contracts" that operated on the ethereum, tron and binance blockchains. In addition to the four founders, the SEC also charged three U.S.-based promoters hired by Forsage to tout the service as well as several members of the Crypto Crusaders, a promotional group for the service, the SEC said.

Security

Post-Quantum Encryption Contender is Taken Out by Single-Core PC and 1 Hour (arstechnica.com) 45

In the US government's ongoing campaign to protect data in the age of quantum computers, a new and powerful attack that used a single traditional computer to completely break a fourth-round candidate highlights the risks involved in standardizing the next generation of encryption algorithms. From a report: Last month, the US Department of Commerce's National Institute of Standards and Technology, or NIST, selected four post-quantum computing encryption algorithms to replace algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, which are unable to withstand attacks from a quantum computer. In the same move, NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms. The attack has no impact on the four PQC algorithms selected by NIST as approved standards, all of which rely on completely different mathematical techniques than SIKE.
Crime

US Crypto Firm Nomad Hit By $190 Million Theft (reuters.com) 30

U.S. crypto firm Nomad has been hit by a $190 million theft, blockchain researchers said on Tuesday, the latest such heist to hit the digital asset sector this year. From a report: Nomad said in a tweet that it was "aware of the incident" and was currently investigating, without giving further details or the value of the theft. Crypto analytics firm PeckShield told Reuters $190 million worth of users' cryptocurrencies were stolen, including ether and the stablecoin USDC. Other blockchain researchers put the figure at over $150 million.
IT

Indonesia Unblocks Steam and Yahoo, But Fortnite and FIFA Are Still Banned (theverge.com) 4

Indonesia has lifted its ban on Steam and Yahoo now that both companies complied with the country's restrictive laws that regulate online activity. From a report: The Indonesian Ministry of Communication and Information (Kominfo) announced the news in a translated update on Twitter, noting that Counter-Strike: Global Offensive and Dota 2 are back online as well. Last week, Indonesia blocked access to Steam, PayPal, Yahoo, Epic Games, and Origin after the companies failed to meet a deadline to register with the country's database. This requirement is bundled with a broader law, called MR5, that Indonesia first introduced in 2020. The law gives the Indonesian government the authority to order platforms to take down content considered illegal as well as request the data of specific users. In 2021, the digital rights group Electronic Frontier Foundation (EFF) called the policy "invasive of human rights." Although PayPal has yet to comply, Indonesia unblocked access to the service for five days starting July 31st to give users a chance to withdraw money and make payments. According to the Indonesian news outlet Antara News, PayPal reportedly plans on registering with the country's database soon.
Software

Thousands of Lives Depend on a Transplant Network in Need of 'Vast Restructuring' (washingtonpost.com) 30

The system for getting donated kidneys, livers and hearts to desperately ill patients relies on out-of-date technology that has crashed for hours at a time and has never been audited by federal officials for security weaknesses or other serious flaws, according to a confidential government review obtained by The Washington Post. From the report: The mechanics of the entire transplant system must be overhauled, the review concluded, citing aged software, periodic system failures, mistakes in programming and over-reliance on manual input of data. In its review, completed 18 months ago, the White House's U.S. Digital Service recommended that the government "break up the current monopoly" that the United Network for Organ Sharing, the nonprofit agency that operates the transplant system, has held for 36 years. It pushed for separating the contract for technology that powers the network from UNOS's policy responsibilities, such as deciding how to weigh considerations for transplant eligibility.

About 106,000 people are on the waiting list for organs, the vast majority of them seeking kidneys, according to UNOS. An average of 22 people die each day waiting for organs. In 2021, 41,354 organs were transplanted, a record. UNOS is overseen by the Health Resources and Services Administration (HRSA), but that agency has little authority to regulate transplant activity. Its attempts to reform the transplant system have been rejected by UNOS, the report found. Yet HRSA continues to pay UNOS about $6.5 million annually toward its annual operating costs of about $64 million, most of which comes from patient fees. "In order to properly and equitably support the critical needs of these patients, the ecosystem needs to be vastly restructured," a team of engineers from the Digital Service wrote in the Jan. 5, 2021, report for HRSA, which is part of the Department of Health and Human Services.

Bug

Microsoft Outlook Is Crashing When Reading Uber Receipt Emails (bleepingcomputer.com) 45

Microsoft says the Outlook email client will crash when opening and reading emails with tables such as Uber receipt emails. BleepingComputer reports: "When opening, replying, or forwarding some emails that include complex tables, Outlook stops responding," the company explains in a support document. To make matters worse, emails with the same table contents will also cause the Microsoft Word app to stop responding. While the known issue affects Microsoft 365 customers in the Current Channel Version 2206 Build 15330.20196 and higher, it can also trigger freezes in current Beta and Current Channel Preview builds. The Microsoft Word team has already developed a fix that will be released to Beta channel customers soon, after undergoing verification. Microsoft added that customers using Outlook versions in the Current Channel would receive the fix as part of this month's Patch Tuesday, on August 9, 2022. For those unable to wait for the fix, Microsoft has provided a workaround that requires users to revert to an older build.
Security

Hackers Stole Passwords for Accessing 140,000 Payment Terminals (techcrunch.com) 8

Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch. From a report: Wiseasy is a brand you might not have heard of, but it's a popular Android-based payment terminal maker used in restaurants, hotels, retail outlets and schools across the Asia-Pacific region. Through its Wisecloud cloud service, Wiseasy can remotely manage, configure and update customer terminals over the internet. But Wiseasy employee passwords used for accessing Wiseasy's cloud dashboards -- including an "admin" account -- were found on a dark web marketplace actively used by cybercriminals, according to the startup. Youssef Mohamed, chief technology officer at pen-testing and dark web monitoring startup Buguard, told TechCrunch that the passwords were stolen by malware on the employee's computers. Mohamed said two cloud dashboards were exposed, but neither were protected with basic security features, like two-factor authentication, and allowed hackers to access nearly 140,000 Wiseasy payment terminals around the world.
Security

Anonymous Hacktivists Breach Russian Databases, Leak 'Massive' Amounts of Data (cnbc.com) 80

"The Anonymous declaration of cyberwar was a top news story despite no evidence," writes cybersecurity specialist Jeremiah Fowler (an American who worked in Kyiv for the last 10 years — until fleeing in February to Poland). To investigate, Fowler performed a random sampling of 100 exposed Russian databases — and discovered that 92 of them had indeed been compromised. "Anti-Russian hackers used a similar script to the infamous 'MeowBot' that changed the name of folders and deleted the contents of the files." (For example, renaming the folders to "putin_stop_this_war".)

And that was just the beginning, reports CNBC: Anonymous has claimed to have hacked over 2,500 Russian and Belarusian sites, said Fowler. In some instances, stolen data was leaked online, he said, in amounts so large it will take years to review. "The biggest development would be the overall massive number of records taken, encrypted or dumped online," said Fowler. Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, agreed that amount of leaked data is "massive."

"We currently don't even know what to do with all this information, because it's something that we haven't expected to have in such a short period of time," he said....

The more immediate outcome of the hacks, Fowler and Gihon agreed, is that Russia's cybersecurity defenses have been revealed as being far weaker than previously thought.

Fowler's report argues that Anonymous has "rewritten the rules of how a crowdsourced modern cyberwar is conducted" — with the group also offering penetration testing to Ukraine, "finding vulnerabilities before Russia could exploit them." But in addition, Fowler writes, Anonymous's efforts have also "transformed into a larger operation that spread far beyond the Russian government, companies, or organizations, and included an information campaign aimed at Russian citizens."

Some examples: Hacking Printers — Russian censorship has blocked many inside the country from knowing the true scale of the war and Russian losses. Anonymous hacked printers across Russia and printed uncensored facts or anti-propaganda and pro-Ukrainian messages. The group claims to have printed over 100,000 documents. This also includes barcode printers at grocery stores where prices were changed and product names were changed to anti-war or pro-Ukrainian slogans....

RoboDial, SMS, and Email Spam — Almost everyone on earth has received some form of spam in the form of a phone call, text, or email message. These usually try to sell a service or scam victims out of money. Now this same technology has been used to bypass Russian censorship and inform citizens of news and messages they are forbidden to learn on state sponsored propaganda channels. Anonymous affiliated Squad303 claimed to have sent over 100 million messages to Russian devices.

Crime

Australian Teenager Sold Remote-Access Spyware To 14,500 People, Earned $300,000 (theguardian.com) 22

"Jacob Wayne John Keen, now 24, was 15 years old and living in his mother's rental when he allegedly created a sophisticated spyware tool known as a remote access trojan that allowed users to remotely take control of their victims' computers," reports the Guardian.

Once installed it could be used to steal victims' personal information, spy on them via webcams and microphones and track what they typed into emails or documents. Keen allegedly sold the tool for $35 on a hacking forum, making between $300,000 and $400,000 by selling it to more than 14,500 people in 128 countries....

Keen was slapped with six charges earlier in July, and is due to appear at Brisbane's magistrates court next month. His mother, 42, has also been charged with allegedly dealing in the proceeds of crime.

A global investigation involving more than a dozen law enforcement agencies across Europe led to 85 search warrants being executed around the world, with 434 devices seized and 13 people arrested for using the malware for "alleged criminality".

Among the tool's 14,500 users were a "statistically high" proportion of domestic violence perpetrators (and at least one child sex offender), according to the Australian federal police, who believe there were ultimately "tens of thousands" of victims globally.

Slashdot reader Bruce66423 suggests an appropriate punishment would be sentencing Keen to work for spy agencies.
