Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser. TechCrunch: The chatbot, which TechCrunch has seen, allowed employees to ask the company questions about how to handle patient health insurance claims and disputes for members in line with the company's standard operating procedures (SOPs).

While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealthcare, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors' medical decisions and deny patient claims.

Mossab Hussein, chief security officer and co-founder of cybersecurity firm spiderSilk, alerted TechCrunch to the publicly exposed internal Optum chatbot, dubbed "SOP Chatbot." Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.

HDMI Forum will announce new specifications with increased bandwidth capabilities at CES 2025, ahead of anticipated graphics card launches from AMD and NVIDIA. The announcement, scheduled for January 6, is expected to introduce HDMI 2.2 standard alongside a new cable supporting higher resolutions and refresh rates.

Current HDMI 2.1 specification maxes out at 48 Gbps bandwidth, allowing 10K resolution at 120 Hz with compression. The upgrade aims to compete with DisplayPort 2.1, which offers up to 80 Gbps bandwidth and is already supported by recent AMD and Intel GPUs.

Yahoo laid off around 25% of its cybersecurity team -- known as The Paranoids -- over the last year, TechCrunch has learned. From the report: Overall, the company has laid off or lost through attrition 40 to 50 people from a total of 200 employees in the cybersecurity team since the start of 2024, according to multiple current and former Yahoo employees who spoke to TechCrunch on condition of anonymity. (Yahoo is TechCrunch's parent company.)

The Paranoids are not the only team affected by the layoffs. Valeri Liborski, who was appointed Yahoo's chief technology officer in September, sent an email this week to employees announcing changes across the broader technology unit, including enterprise productivity and core services. The email to staff, which was obtained by TechCrunch, said: "This was a very difficult decision and one I have not taken lightly."

The Paranoids' so-called red team, or offensive security team -- which conducts cyberattack simulations to identify weaknesses in the company's network before external hackers can -- was eliminated entirely this week, and there have been at least three rounds of layoffs impacting the cybersecurity team this year, according to the sources.

An anonymous reader shares a report: Copilot has gone native for Windows Insiders and commandeered a popular keyboard shortcut in the process. The move from a Progressive Web App (PWA) to a native binary -- although most of it appears to still be a website, just not running as a PWA -- will be welcomed. Microsoft noted that once the app update has been installed, Copilot will appear in the system tray.

However, the assistant's quick view feature has been given the Alt+Space keyboard shortcut. This is already used by many other applications, including Microsoft's own PowerToys. PowerToys Run, for example, uses Alt+Space to open a launcher into which users can type in the name of the service they are seeking. Alt+Space is also used to show the context menu of the active window. Therefore, Microsoft's decision to hand the shortcut over to Copilot is unlikely to please keyboard warriors who are used to their shortcuts working in a particular way.

The Windows vendor acknowledged that the shortcut was already in use by many apps, saying: "For any apps installed on your PC that might utilize this keyboard shortcut, Windows will register whichever app is launched first on your PC and running in the background as the app that is invoked when using Alt+Space."

Amazon has postponed implementing Microsoft's cloud-based Office suite for its workforce by one year, citing security concerns following a Russian cyber attack on Microsoft's systems. The delay affects a $1 billion, five-year contract signed last year to provide Microsoft 365 to Amazon's 1.5 million employees, making the e-commerce giant one of the largest customers of Microsoft's cloud productivity suite.

The decision came after Microsoft revealed that Midnight Blizzard, a Russia-linked hacking group, had breached several employee email accounts, including those of senior executives and cybersecurity staff. Amazon subsequently conducted its own security review and requested enhanced protection measures from Microsoft.

Startup Embodied is closing down, and its product, an $800 robot for kids ages 5 to 10, will soon be bricked. From a report: Embodied blamed its closure on a failed "critical funding round." On its website, it explained: "We had secured a lead investor who was prepared to close the round. However, at the last minute, they withdrew, leaving us with no viable options to continue operations. Despite our best efforts to secure alternative funding, we were unable to find a replacement in time to sustain operations."

The company didn't provide further details about the pulled funding. Embodied's previous backers have included Intel Capital, Toyota AI Ventures, Amazon Alexa Fund, Sony Innovation Fund, and Vulcan Capital, but we don't know who the lead investor mentioned above is. When it first announced Moxie in April 2020, Embodied described the robot as a "safe and engaging animate companion for children designed to help promote social, emotional, and cognitive development."

An anonymous reader shares a report: Russia has reportedly cut some regions of the country off from the rest of the world's internet for a day, effectively siloing them, according to reports from European and Russian news outlets reshared by the US nonprofit Institute for the Study of War (ISW) and Western news outlets.

Russia's communications authority, Roskomnadzor, blocked residents in Dagestan, Chechnya, and Ingushetia, which have majority-Muslim populations, ISW says. The three regions are in southwest Russia near its borders with Georgia and Azerbaijan. People in those areas couldn't access Google, YouTube, Telegram, WhatsApp, or other foreign websites or apps -- even if they used VPNs, according to a local Russian news site.

Russian digital rights NGO Roskomsvoboda told TechRadar that most VPNs didn't work during the shutdown, but some apparently did. It's unclear which ones or how many actually worked, though. Russia has been increasingly blocking VPNs more broadly, and Apple has helped the country's censorship efforts by taking down VPN apps on its Russian App Store. At least 197 VPNs are currently blocked in Russia, according to Russian news agency Interfax.

Security researchers have uncovered a new surveillance tool that they say has been used by Chinese law enforcement to collect sensitive information from Android devices in China. From a report: The tool, named "EagleMsgSpy," was discovered by researchers at U.S. cybersecurity firm Lookout. The company said at the Black Hat Europe conference on Wednesday that it had acquired several variants of the spyware, which it says has been operational since "at least 2017."

Kristina Balaam, a senior intelligence researcher at Lookout, told TechCrunch the spyware has been used by "many" public security bureaus in mainland China to collect "extensive" information from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks, and messages from third-party apps including Telegram and WhatsApp. EagleMsgSpy is also capable of initiating screen recordings on smartphones, and can capture audio recordings of the device while in use, according to research Lookout shared with TechCrunch.

A manual obtained by Lookout describes the app as a "comprehensive mobile phone judicial monitoring product" that can obtain "real-time mobile phone information of suspects through network control without the suspect's knowledge, monitor all mobile phone activities of criminals and summarize them."

An anonymous reader shares a report: Software vulnerability submissions generated by AI models have ushered in a "new era of slop security reports for open source" -- and the devs maintaining these projects wish bug hunters would rely less on results produced by machine learning assistants. Seth Larson, security developer-in-residence at the Python Software Foundation, raised the issue in a blog post last week, urging those reporting bugs not to use AI systems for bug hunting.

"Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects," he wrote, pointing to similar findings from the Curl project in January. "These reports appear at first glance to be potentially legitimate and thus require time to refute." Larson argued that low-quality reports should be treated as if they're malicious.

As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he's still confronted by "AI slop" -- and wasting his time arguing with a bug submitter who may be partially or entirely automated.

chiguy writes: In October, a jury in a federal class-action lawsuit returned a verdict that found Cognizant intentionally discriminated against more than 2,000 non-Indian employees between 2013 and 2022. The verdict, which echoed a previously undisclosed finding from a 2020 US Equal Employment Opportunity Commission investigation, centered on discrimination claims based on race and national origin. Cognizant, based in Teaneck, New Jersey, was found to have preferred workers from India, most of whom joined the firm's US workforce of about 32,000 using skilled-worker visas called H-1Bs.

The case is part of a wave of recent discrimination claims against IT outsourcing companies that underscore growing concerns that these firms have exploited a broken employment-visa system to secure a cheaper, more malleable workforce. In the process, US workers say they've been disadvantaged. The industry, which provides computer services to other companies, makes extensive use of H-1Bs; over the past decade and a half, no employer has obtained more of them than Cognizant, federal records show.

Google's app store claims that their text-messaging app Google Messages means "conversations are end-to-end encrypted".

"That is some serious bullshit," argues tech blogger John Gruber: It's shamefully misleading regarding Google Messages's support for end-to-end encryption... Google Messages does support end-to-end encryption, but only over RCS and only if all participants in the chat are using a recent version of Google Messages. But the second screenshot in the Play Store listing flatly declares "Conversations are end-to-end encrypted", full stop...

I realize that "Some conversations are end-to-end encrypted" will naturally spur curiosity regarding which conversations are encrypted and which aren't, but that's the truth. And users of the app should be aware of that. "RCS conversations with other Google Messages users are encrypted" would work.

Then, in the "report card" section of the listing, it states the following:

Data is encrypted in transit
Your data is transferred over a secure connection

Which, again, is only true sometimes. It's downright fraudulent to describe Google Messages's transit security this way.... [D]epending who you communicate with — iPhone users, Android users with old devices, Android users who use other text messaging apps — it's quite likely most of your messages won't be secure... E2EE is never available for SMS, and never available if a participant in the chat is using any RCS client (on Android or Apple Messages) other than Google Messages. That's an essential distinction that should be made clear, not obfuscated.
Gruber's earlier blog post had pointed out that the RCS standard "has no encryption; E2EE RCS chats in Google Messages use Google's proprietary extension and are exclusive to the Google Messages app, so RCS chats between Google Messages and other apps, most conspicuously Apple Messages, are not encrypted."

And in his newer post, Gruber adds, "While I'm at it, it's also embarrassing that Google Voice has no support for RCS at all. It's Google's own app and service, and Google has been the world's most vocal proponent of RCS messaging."

China-linked spies may still be lurking in U.S. telecommunications networks — but the breach could be much, much wider. In fact, a "couple dozen" countries were hit by the attack, the Wall Street Journal reported this week, citing a top U.S. national security adviser. "Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign..." Speaking during a press briefing Wednesday, Anne Neuberger, President Biden's deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached... The Journal previously identified Verizon, AT&T, T-Mobile and Lumen Technologies among the victims... [M]etadata grabs appeared to be "regional" in focus, and were likely a means to identify phone lines of valuable senior government officials, which the hackers then targeted to steal encrypted text messages and listen in on some phone calls, the official said... President-elect Donald Trump, Vice President-elect JD Vance, senior congressional staffers and an array of U.S. security officials were among scores of individuals to have their calls and texts directly targeted, an intelligence-collection coup that likely ensnared their private communications with thousands of Americans, the Journal has reported.

The senior administration official said the global tally of countries victimized was currently believed to be in the "low, couple dozen" but didn't give a precise figure. The global campaign of hacking activity dates back at least a year or two, the official said.
"Neuberger, on the press briefing, said that it wasn't believed that classified communications were accessed in the breaches."

The Solana JavaScript SDK "was temporarily compromised yesterday in a supply chain attack," reports BleepingComputer, "with the library backdoored with malicious code to steal cryptocurrency private keys and drain wallets." Solana offers an SDK called "@solana/web3.js" used by decentralized applications (dApps) to connect and interact with the Solana blockchain. Supply chain security firm Socket reports that Solana's Web3.js library was hijacked to push out two malicious versions to steal private and secret cryptography keys to secure wallets and sign transactions... Solana confirmed the breach, stating that one of their publish-access accounts was compromised, allowing the attackers to publish two malicious versions of the library... Solana is warning developers who suspect they were compromised to immediately upgrade to the latest v1.95.8 release and to rotate any keys, including multisigs, program authorities, and server keypairs...

Once the threat actors gain access to these keys, they can load them into their own wallets and remotely drain all stored cryptocurrency and NFTs... Socket says the attack has been traced to the FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx Solana address, which currently contains 674.86 Solana and varying amounts of the Irish Pepe , Star Atlas, Jupiter, USD Coin, Santa Hat, Pepe on Fire, Bonk, catwifhat, and Genopets Ki tokens. Solscan shows that the estimated value of the stolen cryptocurrency is $184,000 at the time of this writing.

For anyone whose wallets were compromised in this supply chain attack, you should immediately transfer any remaining funds to a new wallet and discontinue the use of the old one as the private keys are now compromised.
Ars Technica adds that "In social media posts, one person claimed to have lost $20,000 in the hack."

The compromised library "receives more than ~350,000 weekly downloads on npm," Socket posted. (Although Solana's statement says the compromised versions "were caught within hours and have since been unpublished."

A ransomware attack on the multinational Stoli Group in August helped push two of the vodka-maker's U.S. subsidiaries into bankruptcy, according to the company's CEO. From a report: In a Texas bankruptcy court filing on November 29, CEO Chris Caldwell attributed a range of external factors to the financial woes of Stoli Group USA and Kentucky Owl (KO) -- which are facing $84 million in debt. But one of the most prominent was a ransomware attack this year that damaged the parent company's IT system.

"In August 2024, the Stoli Group's IT infrastructure suffered severe disruption in the wake of a data breach and ransomware attack," Caldwell said in the filing. "The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group's enterprise resource planning (ERP) system being disabled and most of the Stoli Group's internal processes (including accounting functions) being forced into a manual entry mode." Caldwell said the systems will be restored âoeno earlier than in the first quarter of 2025.â

An anonymous reader shared this report from NBC News: Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers...

In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China's intercepting their communications. "Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible," Greene said. The FBI official said, "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant" multi-factor authentication for email, social media and collaboration tool accounts...

The FBI and other federal law enforcement agencies have a complicated relationship with encryption technology, historically advocating against full end-to-end encryption that does not allow law enforcement access to digital material even with warrants. But the FBI has also supported forms of encryption that do allow some law enforcement access in certain circumstances.
Officials said the breach seems to include some live calls of specfic targets and also call records (showing numbers called and when). "The hackers focused on records around the Washington, D.C., area, and the FBI does not plan to alert people whose phone metadata was accessed."

"The scope of the telecom compromise is so significant, Greene said, that it was 'impossible" for the agencies "to predict a time frame on when we'll have full eviction.'"

China-linked spies are still lurking inside U.S. telecommunications networks roughly six months after American officials started investigating the intrusions, senior officials told reporters Tuesday. From a report: This is the first time U.S. officials have confirmed reports that Salt Typhoon hackers still have access to critical infrastructure -- and they're proving difficult to kick out. Officials added that they don't yet know the full scope of the intrusions, despite starting the investigation in late spring.

The Cybersecurity and Infrastructure Security Agency and FBI released guidance Tuesday for the communications sector to harden their networks against Chinese state-sponsored hackers. The guide includes basic steps like maintaining logs of activity on the network, keeping an inventory of all devices in the telecom's environment and changing any default equipment passwords. The hack has given Salt Typhoon unprecedented access to records from U.S. telecommunications networks about who Americans are communicating with, a senior FBI official told reporters during a briefing.

The cyber risks facing the United Kingdom are being "widely underestimated," the country's new cyber chief will warn on Tuesday as he launches the National Cyber Security Centre's (NCSC) annual review. From a report: In his first major speech since joining the NCSC -- part of the signals and cyber intelligence agency GCHQ -- Richard Horne will drive a shift in tone in how the cybersecurity agency communicates these risks. Despite some evidence showing cyberattacks growing year-on-year for half a decade, the NCSC has not previously confirmed the trend nor expressed alarm about it.

"What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us," Horne will say, according to an advance preview of his speech on Tuesday. Citing the intelligence that NCSC has access to as an agency within GCHQ, Horne will warn that "hostile activity in UK cyberspace has increased in frequency, sophistication and intensity," adding that despite growing activity from Russian and Chinese threat actors, the agency believes British society as a whole is failing to appreciate the severity of the risk. The annual review reveals that the agency's incident management team handled a record number of cyber incidents over the past 12 months -- 430 compared to 371 last year -- 89 of which were considered nationally significant incidents.

An anonymous reader shares a report: ChatGPT users have spotted an unusual glitch that prevents the AI chatbot from saying the name 'David Mayer.' OpenAI's hugely popular AI tool responds to requests to write the name with an error message, stating: "I'm unable to produce a response." The chat thread is then ended, with people forced to open a new chat window in order to keep interacting with ChatGPT.

"Spacecraft, satellites, and space-based systems all face cybersecurity threats that are becoming increasingly sophisticated and dangerous," reports CNBC.

"With interconnected technologies controlling everything from navigation to anti-ballistic missiles, a security breach could have catastrophic consequences." Critical space infrastructure is susceptible to threats across three key segments: in space, on the ground segment and within the communication links between the two. A break in one can be a cascading failure for all, said Wayne Lonstein, co-founder and CEO at VFT Solutions, and co-author of Cyber-Human Systems, Space Technologies, and Threats. "In many ways, the threats to critical infrastructure on Earth can cause vulnerabilities in space," Lonstein said. "Internet, power, spoofing and so many other vectors that can cause havoc in space," he added. The integration of artificial intelligence into space projects has heightened the risk of sophisticated cyber attacks orchestrated by state actors and individual hackers. AI integration into space exploration allows more decision-making with less human oversight.

For example, NASA is using AI to target scientific specimens for planetary rovers. However, reduced human oversight could make these missions more prone to unexplained and potentially calamitous cyberattacks, said Sylvester Kaczmarek, chief technology officer at OrbiSky Systems, which specializes in the integration of AI, robotics, cybersecurity, and edge computing in aerospace applications. Data poisoning, where attackers feed corrupted data to AI models, is one example of what could go wrong, Kaczmarek said. Another threat, he said, is model inversion, where adversaries reverse-engineer AI models to extract sensitive information, potentially compromising mission integrity. If compromised, AI systems could be used to interfere with or take control of strategically important national space missions...

The U.S. government is tightening up the integrity and security of AI systems in space. The 2023 Cyberspace Solarium Commission report stressed the importance of designating outer space as a critical infrastructure sector, urging enhanced cybersecurity protocols for satellite operators... The rivalry between the U.S. and China includes the new battleground of space. As both nations ramp up their space ambitions and militarized capabilities beyond Earth's atmosphere, the threat of cyberattacks targeting critical orbital assets has become an increasingly pressing concern... Space-based systems increasingly support critical infrastructure back on Earth, and any cyberattacks on these systems could undermine national security and economic interests.

"A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites," reports Search Engine Journal.

The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..." The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin, was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Ant-Spam plugin that the malicious request is coming from the website itself and because that plugin doesn't have a check for that the attackers gain unauthorized access... Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
Thanks to Slashdot reader bleedingobvious for sharing the news.