The U.S. government is urging senior government officials and politicians to ditch phone calls and text messages following intrusions at major American telecommunications companies blamed on Chinese hackers. From a report: In written guidance, opens new tab released on Wednesday, the Cybersecurity and Infrastructure Security Agency said "individuals who are in senior government or senior political positions" should "immediately review and apply" a series of best practices around the use of mobile devices.

The first recommendation: "Use only end-to-end encrypted communications." End-to-end encryption -- a data protection technique which aims to make data unreadable by anyone except its sender and its recipient -- is baked into various chat apps, including Meta's WhatsApp, Apple's iMessage, and the privacy-focused app Signal. Neither regular phone calls nor text messages are end-to-end encrypted, which means they can be monitored, either by the telephone companies, law enforcement, or - potentially - hackers who've broken into the phone companies' infrastructure.

Nebraska's attorney general has sued Change Healthcare over a massive data breach that exposed sensitive medical information of more than 100 million Americans following a February ransomware attack. The lawsuit alleges the UnitedHealth-owned company failed to implement basic security measures, including multi-factor authentication, allowing hackers to breach its systems using credentials from a customer support employee that were posted on Telegram.

The Russian-speaking ALPHV ransomware group accessed personal health records, financial data and treatment information across Change Healthcare's poorly segmented network, according to the complaint filed by Attorney General Mike Hilgers.

An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.

The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.

Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."

U.S. authorities are investigating Chinese router manufacturer TP-Link over national security risks and considering banning its devices, WSJ reported Wednesday, citing sources familiar with the matter. The Commerce, Defense and Justice departments have launched separate probes into the company, which controls approximately 65% of the U.S. home and small business router market.

Microsoft reported in October that Chinese hackers had compromised thousands of TP-Link routers to launch cyberattacks against Western targets, including government organizations and Defense Department suppliers. The company's routers are widely used across federal agencies, including the Defense Department and NASA. The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws, the report said.

The Department of Homeland Security (DHS) believes that China, Russia, Iran, and Israel are the "primary" countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts, according to information released by Senator Ron Wyden. 404 Media: The news provides more context around use of SS7, the exploited network and protocol, against phones in the country. In May, 404 Media reported that an official inside DHS's Cybersecurity Insurance and Security Agency (CISA) broke with his department's official narrative and publicly warned about multiple SS7 attacks on U.S. persons in recent years. Now, the newly disclosed information provides more specifics on where at least some SS7 attacks are originating from.

The information is included in a letter the Department of Defense (DoD) wrote in response to queries from the office of Senator Wyden. The letter says that in September 2017 DHS personnel gave a presentation on SS7 security threats at an event open to U.S. government officials. The letter says that Wyden staff attended the event and saw the presentation. One slide identified the "primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers," it continues.

An anonymous reader shares a report: A Chinese hacker indicted earlier this month and the PRC-based cybersecurity company he worked for are both sanctioned by the US government for compromising "tens of thousands of firewalls" -- some protecting US critical infrastructure, putting human lives at risk.

In a series of coordinated actions, the US Treasury Department's Office of Foreign Assets Control (OFAC), the Department of Justice (DoJ), and the FBI said the massive cyber espionage campaign, which compromised at least 36 firewalls protecting US critical infrastructure, posed significant risks to national security.

A federal court in Indiana earlier this month unsealed an indictment charging 30-year-old Guan Tianfeng (Guan) with conspiracy to commit computer and wire fraud by hacking into firewall devices worldwide, including one "used by an agency of the United States." Guan, employed by the Chinese cybersecurity firm Sichuan Silence -- a known contractor for Beijing intelligence -- was alleged to have discovered a zero-day vulnerability in firewall products manufactured by UK cybersecurity firm Sophos.

Meta has been fined around $263 million in the European Union for a Facebook security breach that affected millions of users which the company disclosed back in September 2018. From a report: The penalty, issued on Tuesday by Ireland's Data Protection Commission (DPC) -- enforcing the bloc's General Data Protection Regulation (GDPR) -- is far from being the largest GDPR fine Meta has been hit with since the regime came into force over five years ago but is notable for being a substantial sanction for a single security incident.

The breach it relates to dates back to July 2017 when Facebook, as the company was still known then, rolled out a video upload function that included a "View as" feature which let the user see their own Facebook page as it would be seen by another user. A bug in the design allowed users making use of the feature to invoke the video uploader in conjunction with Facebook's 'Happy Birthday Composer' facility to generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. They could then use the token to exploit the same combination of features on other accounts -- gaining unauthorized access to multiple users' profiles and data, per the DPC.

A cyberattack on Rhode Island's RIBridges system has exposed personal data of individuals involved in programs like Medicaid, SNAP, and others, with hackers demanding a ransom. The breach may include sensitive details like Social Security numbers and banking information. The Associated Press reports: Anyone who has been involved in Medicaid, the Supplemental Nutrition Assistance Program known as SNAP, Temporary Assistance for Needy Families, Childcare Assistance Program, Rhode Island Works, Long-term Services and Supports, the At HOME Cost Share Program and health insurance purchased through HealthSource RI may be impacted, McKee said Saturday.

The system known as RIBridges was taken offline on Friday, after the state was informed by its vendor, Deloitte, that there was a major security threat to the system. The vendor confirmed that "there is a high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges," the state said. The state has contracted with Experian to run a toll-free hotline for Rhode Islanders to call to get information about the breach and how they can protect their data.

An anonymous reader quotes a report from TechCrunch: The European Union is forging ahead with plans for a constellation of internet satellites to rival Elon Musk-owned Starlink, after signing a $11.1 billion deal to launch nearly 300 satellites into low- and medium-Earth orbits by 2030. The bloc wants the space tech to boost its digital sovereignty by providing secure comms to governments.

First announced in 2022, Iris^2 (Infrastructure for Resilience, Interconnectivity and Security by Satellite) is a public-private partnership whose initial cost estimate (6 billion euros) leapt 76% through a fraught negotiation process. In the end, the program will be 61% funded from the public purse; an industry consortium called SpaceRise, selected in October, is making up the difference. This grouping includes French satellite giant Eutelsat, which merged with European rival OneWeb back in 2022.

An anonymous reader shared this report from Computerworld: Microsoft has announced Phi-4 — a new AI model with 14 billion parameters — designed for complex reasoning tasks, including mathematics. Phi-4 excels in areas such as STEM question-answering and advanced problem-solving, surpassing similar models in performance. Phi-4, part of the Phi small language models (SLMs), is currently available on Azure AI Foundry under the Microsoft Research License Agreement and will launch on Hugging Face [this] week, the company said in a blog post.

The company emphasized that Phi-4's design focuses on improving accuracy through enhanced training and data curation.... "Phi-4 outperforms comparable and even larger models on tasks like mathematical reasoning, thanks to a training process that combines synthetic datasets, curated organic data, and innovative post-training techniques," Microsoft said in its announcement. The model leverages a new training approach that integrates multi-agent prompting workflows and data-driven innovations to enhance its reasoning efficiency. The accompanying report highlights that Phi-4 balances size and performance, challenging the industry norm of prioritizing larger models... Phi-4 achieved a score of 80.4 on the MATH benchmark and has surpassed other systems in problem-solving and reasoning evaluations, according to the technical report accompanying the release. This makes it particularly appealing for domain-specific applications requiring precision, like scientific computation or advanced STEM problem-solving.

Microsoft emphasized its commitment to ethical AI development, integrating advanced safety measures into Phi-4. The model benefits from Azure AI Content Safety features such as prompt shields, protected material detection, and real-time application monitoring. These features, Microsoft explained, help users address risks like adversarial prompts and data security threats during AI deployment. The company also reiterated that Azure AI Foundry, the platform hosting Phi-4, offers tools to measure and mitigate AI risks. Developers using the platform can evaluate and improve their models through built-in metrics and custom safety evaluations, Microsoft added... With Phi-4, Microsoft continues to evolve its AI offerings while promoting responsible use through robust safeguards. Industry watchers will observe how this approach shapes adoption in critical fields where reasoning and security are paramount.

Saturday night two men were arrested near Boston "following a hazardous drone operation near Logan Airport's airspace," according to a police statement. They credit an officer "leveraging advanced UAS monitoring technology" who "identified the drone's location, altitude, flight history, and the operators' position." Recognizing the serious risks posed by the drone's proximity to Logan's airspace, additional resources were mobilized. The Boston Police Department coordinated with Homeland Security, the Massachusetts State Police, the Joint Terrorism Task Force, the Federal Communications Commission (FCC), and Logan Airport Air Traffic Control to address the situation.
"Both suspects face charges of trespassing, with additional fines or charges potentially forthcoming."

Meanwhile on Friday night "Officials at Stewart International Airport, located roughly 60 miles north of New York City, said they shut down their runways for an hour," reports ABC News, after America's Federal Aviation Administration "alerted them that a drone was spotted in the area around 9:30 p.m." Though officials say flight operations weren't impacted during the closure, the article notes that New York's governor is now calling for federal assistance, including more federal law enforcement officers, saying "This has gone too far." [Governor Hochul] called on Congress to pass the Counter-UAS Authority Security, Safety, and Reauthorization Act, which would strengthen the FAA's oversight of drones and give more authority to state and local law enforcement agencies to investigate the activity.
The article explores the larger problem of Americans reporting drone sightings: Officials from a wide range of federal agencies spoke with reporters Saturday on a phone call and emphasized that the federal investigation into drone sightings in New Jersey is ongoing. One FBI official said that out of the nearly 5,000 tips they have received, less than 100 have generated credible leads for further investigation. A Department of Homeland Security official said that they are "confident that many of the reported drone sightings are, in fact, manned aircraft being misidentified as drones." The FBI official also talked about how investigators overlaid the locations of the reported drone sightings and found that "the density of reported sightings matches the approach pattern" of the New York area's busy airports including Newark-Liberty, JFK, and LaGuardia.

But, an FAA official says that there have "without a doubt" been drones flying over New Jersey, pointing to the fact that there are nearly a million drones registered in the U.S. "With nearly a million registered [unmanned aircraft systems] in the United States, there's no doubt many of them are owned and operated here within the state," the FAA official said... A Joint Chiefs of Staff official said that there have been visual sightings of drones reported by "highly trained security personnel" near Picatinny Arsenal and Naval Weapons Station Earle in New Jersey. The official said that they do not believe the sightings "were aligned with a foreign actor, or that they had malicious intent."

"We don't know what activity is. We don't know if it is criminal, but I will tell you that it is irresponsible," the official said. "Here on the military side, we are just as frustrated with the irresponsible nature of this activity."
Later ABC News reported that the FAA had imposed temporary drone flight restrictions in New Jersey over the Picatinny Arsenal military base. And they added that America's Homeland Security Secretary Alejandro Mayorkas "said the federal government is taking action to address the aerial drones that have prompted concern among New Jersey residents. "I want to assure the American public that we in the federal government have deployed additional resources, personnel, technology to assist the New Jersey State Police in addressing the drone sightings...." There have been numerous reports of drone activity along the East Coast since November. Mayorkas cited the 2023 change of a Federal Aviation Administration rule that allows drones to fly at night as to why there might be an uptick in sightings. "I want to assure the American public that we are on it," he said, before calling on Congress to expand local and state authority to help address the issue.

"It is critical, as we all have said for a number of years, that we need from Congress additional authorities to address the drone situation," Mayorkas said. "Our authorities currently are limited and they are set to expire. We need them extended and expanded... We want state and local authorities to also have the ability to counter growing activity under federal supervision," he added, echoing sentiments from local officials...

Addressing national security concerns the sightings have prompted, Mayorkas said the U.S. knows of no foreign involvement and that it remains "vigilant" in investigating the drone sightings. [ABC News anchor George] Stephanopoulos pressed Mayorkas about past security threats drones have caused, including the arrest of a Chinese national last week who allegedly flew a drone over an Air Force base in California. "When a drone is flown over restricted airspace, we act very, very swiftly," the homeland security secretary said. "In fact, when an individual in California flew a drone over restricted airspace, that individual was identified, apprehended and is being charged by federal authorities."

The non-profit, free certificate authority Let's Encrypt shared some news from their executive director as they approach their 10th anniversary in 2025: Internally things have changed dramatically from what they looked like ten years ago, but outwardly our service hasn't changed much since launch. That's because the vision we had for how best to do our job remains as powerful today as it ever was: free 90-day TLS certificates via an automated API. Pretty much as many as you need. More than 500,000,000 websites benefit from this offering today, and the vast majority of the web is encrypted.

Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before — short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

Because we've done so much to encourage automation over the past decade, most of our subscribers aren't going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It's not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day. That sounds sort of nuts to me today, but issuing 5,000,000 certificates per day would have sounded crazy to me ten years ago... It was hard to build Let's Encrypt. It was difficult to scale it to serve half a billion websites...

Charitable contributions from people like you and organizations around the world make this stuff possible. Since 2015, tens of thousands of people have donated. They've made a case for corporate sponsorship, given through their Donor-Advised Funds, or set up recurring donations, sometimes to give $3 a month. That's all added up to millions of dollars that we've used to change the Internet for nearly everyone using it.
Thanks to long-time Slashdot reader rastos1 for sharing the news.

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecomm breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.
Thanks to Slashdot reader mspohr for sharing the article.

An anonymous reader quotes a report from Ars Technica: A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."

Google's NotebookLM and its podcast-like Audio Overviews are being updated with a new feature that allows listeners to interact with the AI "hosts." Google describes how this feature works in a blog post. The Verge reports: In addition to the interactive Audio Overviews, Google is introducing a new interface for NotebookLM that organizes things into three areas: a "sources" panel for your information, a "chat" panel to talk with an AI chatbot about the sources, and a "studio" panel that lets you make things like Audio Overviews and Study Guides. I think it looks nice.

Google is announcing a NotebookLM subscription, too: NotebookLM Plus. The subscription will give you "five times more Audio Overviews, notebooks, and sources per notebook," let you "customize the style and tone of your notebook responses," let you make shared team notebooks, and will offer "additional privacy and security," Google says. The subscription is available today for businesses, schools and universities, and organizations and enterprise customers. It will be added to Google One AI Premium in "early 2025." Google is also launching "Agentspace," a platform for custom AI agents for enterprises.

Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser. TechCrunch: The chatbot, which TechCrunch has seen, allowed employees to ask the company questions about how to handle patient health insurance claims and disputes for members in line with the company's standard operating procedures (SOPs).

While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealthcare, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors' medical decisions and deny patient claims.

Mossab Hussein, chief security officer and co-founder of cybersecurity firm spiderSilk, alerted TechCrunch to the publicly exposed internal Optum chatbot, dubbed "SOP Chatbot." Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.

The U.S. and China signed a modified science and technology agreement on Friday, narrowing its scope and adding security safeguards to address growing technological rivalry between the world's two largest economies.

The updated pact, which extends cooperation for five years, focuses solely on basic research and excludes critical technologies like AI and quantum computing. The State Department said the agreement strengthens intellectual property protections and introduces new provisions for transparency and data sharing. The revision comes amid escalating tech tensions, with Washington restricting advanced chip exports to China and limiting U.S. investments in sensitive technologies that could enhance Chinese military capabilities.

An anonymous reader quotes a report from Tom's Hardware, written by Avram Piltch: Microsoft's Recall feature recently made its way back to Windows Insiders after having been pulled from test builds back in June, due to security and privacy concerns. The new version of Recall encrypts the screens it captures and, by default, it has a "Filter sensitive information," setting enabled, which is supposed to prevent it from recording any app or website that is showing credit card numbers, social security numbers, or other important financial / personal info. In my tests, however, this filter only worked in some situations (on two e-commerce sites), leaving a gaping hole in the protection it promises.

When I entered a credit card number and a random username / password into a Windows Notepad window, Recall captured it, despite the fact that I had text such as "Capital One Visa" right next to the numbers. Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that. (Note that all info in these screenshots is made up). I also created my own HTML page with a web form that said, explicitly, "enter your credit card number below." The form had fields for Credit card type, number, CVC and expiration date. I thought this might trigger Recall to block it, but the software captured an image of my form filled out, complete with the credit card data. Recall did refuse to capture the credit card fields on the payment pages of Pimoroni and Adafruit. "So, when it came to real-world commerce sites that I visited, Recall got it right," adds Piltch. "However, what my experiment proves is that it's pretty much impossible for Microsoft's AI filter to identify every situation where sensitive information is on screen and avoid capturing it."

Yahoo laid off around 25% of its cybersecurity team -- known as The Paranoids -- over the last year, TechCrunch has learned. From the report: Overall, the company has laid off or lost through attrition 40 to 50 people from a total of 200 employees in the cybersecurity team since the start of 2024, according to multiple current and former Yahoo employees who spoke to TechCrunch on condition of anonymity. (Yahoo is TechCrunch's parent company.)

The Paranoids are not the only team affected by the layoffs. Valeri Liborski, who was appointed Yahoo's chief technology officer in September, sent an email this week to employees announcing changes across the broader technology unit, including enterprise productivity and core services. The email to staff, which was obtained by TechCrunch, said: "This was a very difficult decision and one I have not taken lightly."

The Paranoids' so-called red team, or offensive security team -- which conducts cyberattack simulations to identify weaknesses in the company's network before external hackers can -- was eliminated entirely this week, and there have been at least three rounds of layoffs impacting the cybersecurity team this year, according to the sources.

Amazon has postponed implementing Microsoft's cloud-based Office suite for its workforce by one year, citing security concerns following a Russian cyber attack on Microsoft's systems. The delay affects a $1 billion, five-year contract signed last year to provide Microsoft 365 to Amazon's 1.5 million employees, making the e-commerce giant one of the largest customers of Microsoft's cloud productivity suite.

The decision came after Microsoft revealed that Midnight Blizzard, a Russia-linked hacking group, had breached several employee email accounts, including those of senior executives and cybersecurity staff. Amazon subsequently conducted its own security review and requested enhanced protection measures from Microsoft.