Privacy

UnitedHealth Says Change Healthcare Hack Affects Over 100 Million (techcrunch.com)

UnitedHealth Group said a ransomware attack in February resulted in more than 100 million individuals having their private health information stolen. The U.S. Department of Health and Human Services first reported the figure on Thursday. TechCrunch reports: The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, and one of the biggest data breaches in living history. The ramifications for the millions of Americans whose private medical information was irretrievably stolen are likely to be life lasting. UHG began notifying affected individuals in late July, which continued through October. The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver's license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information -- as well as financial and banking information found in claims and payment data taken by the criminals.

The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders, causing immediate outages across the U.S. healthcare sector that relied on Change for handling patient insurance and billing. UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack. The ransomware gang's leaders later vanished after absconding with a $22 million ransom paid by the health insurance giant, stiffing the group's contractors who carried out the hacking of Change Healthcare out of their new financial windfall. The contractors took the data they stole from Change Healthcare and formed a new group, which extorted a second ransom from UHG, while publishing a portion of the stolen files online in the process to prove their threat.

There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been shown to hoard stolen data, even after the victim pays and the criminals claim to have deleted the data. In paying the ransom, Change obtained a copy of the stolen dataset, allowing the company to identify and notify the affected individuals whose information was found in the data. Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The gang bounced back following a takedown operation in 2023 to seize the gang's dark web leak site. Months after the Change Healthcare breach, the U.S. State Department upped its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.

News

Georgian Authorities Raid Homes of Disinformation Researchers Ahead of Elections (therecord.media)

Ahead of Georgia's parliamentary elections, Georgian authorities raided the homes of disinformation researchers Eto Buziashvili and Sopo Gelava, seizing personal devices. The Record: Eto Buziashvili and Sopo Gelava, both employees of the Atlantic Council think tank, had their homes searched and their own and their family members' personal devices seized by investigators working for the country's Ministry of Finance, according to friends of the pair who spoke to Recorded Future News. Both women are said to be safe, although there are concerns about the security of their devices and online accounts. The searches come a day after Buziashvili published an article detailing how the Kremlin was influencing Georgian politics by supporting the incumbent government and interfering in the upcoming elections.

Local media reported that the offices of outsourcing company Concentrix and other Georgian citizens were also subject to searches. The Ministry of Finance claimed on Facebook it launched searches of "specific facilities" related to "call centers" alleged to be engaged in illegal activity. The investigations come ahead of an election that is being seen as a bellwether of the country's future direction, either pursuing closer ties to Russia under the current prime minister Irakli Kobakhidze or moving towards the West through opposition figures.

Graham Brookie, the Atlantic Council's vice president for technology programs and strategy, said the organization "is deeply concerned about this development and its impact on our staff's work shortly before Georgian elections. [Gelava and Buziashvili] are engaged in independent, non-partisan work aimed at defending and strengthening democracy from those who would undermine it in online spaces, including research related to foreign influence efforts, the targeting of marginalized communities, and other online harms."

"We trust that Georgian authorities will provide more clarity on their actions, ensure the safety and security of our staff, return their property, and allow them to continue their contributions to Georgian democracy."

AI

White House Orders Pentagon and Intel Agencies To Increase Use of AI (msn.com)

The White House is directing the Pentagon and intelligence agencies to increase their adoption of AI, expanding the Biden administration's efforts to curb technological competition from China and other adversaries. From a report: The edict is part of a landmark national security memorandum published Thursday. It aims to make government agencies step up experiments and deployments of AI. The memo also bans agencies from using the technology in ways that "do not align with democratic values," according to a White House news release.

"This is our nation's first ever strategy for harnessing the power and managing the risks of AI to advance our national security," national security adviser Jake Sullivan said in a speech Thursday. Sullivan called the speed of change in AI "breathtaking" and said it had the potential to affect fields ranging from nuclear physics to rocketry and stealth technology. The White House believes that providing clear rules for using AI will make it easier for government agencies to use the technology, according to a briefing with senior administration officials who spoke on the condition of anonymity to discuss details of the report before its publication.

Businesses

Cable Companies Ask 5th Circuit To Block FTC's Click-to-Cancel Rule (arstechnica.com)

Cable companies, advertising firms, and newspapers are asking courts to block a federal "click-to-cancel" rule that would force businesses to make it easier for consumers to cancel services. From a report: Lawsuits were filed yesterday, about a week after the Federal Trade Commission approved a rule that "requires sellers to provide consumers with simple cancellation mechanisms to immediately halt all recurring charges."

Cable lobby group NCTA-The Internet & Television Association and the Interactive Advertising Bureau trade group sued the FTC in the conservative US Court of Appeals for the 5th Circuit. The lawsuit claims the 5th Circuit is a proper venue because a third plaintiff, the Electronic Security Association, has its principal offices in Dallas. That group represents security companies such as ADT.

Social Networks

LinkedIn Fined More Than $300 Million in Ireland Over Personal Data Processing (msn.com)

Ireland's data-protection watchdog fined LinkedIn 310 million euros ($334.3 million), saying the Microsoft-owned career platform's personal-data processing breached strict European Union data-privacy and security legislation. From a report: The Irish Data Protection Commission in 2018 launched a probe into LinkedIn's processing of users' personal data for behavioral analysis and targeted advertising after its French equivalent flagged a complaint it received from a non-profit organization. Irish officials raised concerns on the lawfulness, fairness and transparency of the practice, saying Thursday that LinkedIn was in breach of the EU's General Data Protection Regulation.

"The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects' fundamental right to data protection," said Graham Doyle, deputy commissioner at the Irish Data Protection Commission. In their decision, Irish officials said LinkedIn wasn't sufficiently informing users when seeking their consent to process third-party data for behavioral analysis and targeted advertising and ordered the platform to bring its processing into compliance.

China

Foreign Disinformation Is Hitting the US Election From All Directions (apnews.com)

An anonymous reader quotes a report from Wired: As November 5 draws closer, the Microsoft Threat Analysis Center (MTAC) warned on Wednesday that malicious foreign influence operations launched by Russia, China, and Iran against the US presidential election are continuing to evolve and should not be ignored even though they have come to feel inevitable. In the group's fifth report, researchers emphasize the range of ongoing activities as well as the inevitability that attackers will work to stoke doubts about the integrity of the election in its aftermath.

In spite of escalating conflict in the Middle East, Microsoft says that Iran has been able to keep up its operations targeting the US election, particularly targeting the Trump campaign and attempting to foment anti-Israel sentiment. Russian actors, meanwhile, have been focused on targeting the Harris campaign with character attacks and AI-generated content, including deepfakes. And China has shifted its focus in recent weeks, researchers say, to target down-ballot Republican candidates as well as sitting members of Congress who promote policies adversarial to China or in conflict with its interests.

Crucially, MTAC says it is all but certain that these actors will attempt to stoke division and mistrust in vote security on Election Day and in its immediate aftermath. "As MTAC observed during the 2020 presidential cycle, foreign adversaries will amplify claims of election rigging, voter fraud, or other election integrity issues to sow chaos among the US electorate and undermine international confidence in US political stability," the researchers wrote in their report. As the 2024 campaign season enters its final phase, the researchers say that they expect to see AI-generated media continuing to show up in new campaigns, particularly because content can spread so rapidly in the charged period immediately around Election Day. The report also notes that Microsoft has detected Iranian actors probing election-related websites and media outlets, "suggesting preparations for more direct influence operations as Election Day nears."

"History has shown that the ability of foreign actors to rapidly distribute deceptive content can significantly impact public perception and electoral outcomes," wrote MTAC general manager Clint Watts. "With a particular focus on the 48 hours before and after Election Day, voters, government institutions, candidates and parties must remain vigilant to deceptive and suspicious activity online."

Social Networks

Norway To Increase Minimum Age Limit On Social Media To 15 To Protect Children (theguardian.com)

Norway plans to enforce a strict minimum social media age of 15 to protect children from harmful content and the influence of algorithms. The Guardian reports: The Scandinavian country already has a minimum age limit of 13 in place. Despite this, more than half of nine-year-olds, 58% of 10-year-olds and 72% of 11-year-olds are on social media, according to research by the Norwegian media authority. The government has pledged to introduce more safeguards to prevent children from getting around the age restrictions -- including amending the Personal Data Act so that social media users must be 15 years old to agree that the platform can handle their personal data, and developing an age verification barrier for social media.

"It sends quite a strong signal," the prime minister told the newspaper VG on Wednesday. "Children must be protected from harmful content on social media. These are big tech giants pitted against small children's brains. We know that this is an uphill battle, because there are strong forces here, but it is also where politics is needed." While he said he understood that social media could offer lonely children a community, self-expression must not be in the power of algorithms. "On the contrary, it can cause you to become single-minded and pacified, because everything happens so fast on this screen," he added.

"It is also about giving parents the security to say no," said Kjersti Toppe, the minister for children and families. "We know that many people really want to say no, but don't feel they can."

Security

White Hat Hackers Earn $500,000 On First Day of Pwn2Own Ireland 2024 (securityweek.com)

An anonymous reader quotes a report from SecurityWeek.com: White hat hackers taking part in the Pwn2Own Ireland 2024 contest organized by Trend Micro's Zero Day Initiative (ZDI) have earned half a million dollars on the first day of the event, for exploits targeting NAS devices, cameras, printers and smart speakers. The highest single reward, $100,000, was earned by Sina Kheirkhah of Summoning Team, who chained a total of nine vulnerabilities for an attack that went from a QNAP QHora-322 router to a TrueNAS Mini X storage device. Another exploit chain involving the QNAP QHora-322 and TrueNAS Mini X products was demonstrated by Viettel Cyber Security, but this team earned only $50,000.

A significant reward was also earned by Jack Dates of RET2 Systems, who received $60,000 for hacking a Sonos Era 300 smart speaker. QNAP TS-464 and Synology DiskStation DS1823XS+ NAS device exploits earned $40,000 each for two different teams. Participants also successfully demonstrated exploits against the Lorex 2K WiFi, Ubiquiti AI Bullet, and Synology TC500 cameras, and HP Color LaserJet Pro MFP 3301fdw and Canon imageCLASS MF656Cdw printers. These attempts earned the hackers between $11,000 and $30,000. According to ZDI, a total of $516,250 was paid out on the first day of Pwn2Own Ireland for over 50 unique vulnerabilities.

Security

Russia Says 'Unprecedented' Cyberattack Hits Foreign Ministry Amid BRICS Summit (reuters.com)

The Russian Foreign Ministry said it had been targeted by a large-scale distributed denial-of-service (DDoS) attack. "A massive cyberattack from abroad began this morning on the infrastructure of the official website, the Russian Foreign Ministry's portal," said spokeswoman Maria Zakharova. She noted that the ministry regularly encounters similar attacks, but today's attack was "unprecedented in scale." Reuters notes that the attack coincided with the major BRICS summit taking place in the country.

Developing...

Security

Over 6,000 WordPress Sites Hacked To Install Plugins Pushing Infostealers (bleepingcomputer.com)

WordPress sites are being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports: Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
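Two of the artifacts described above are cheap to hunt for on your own sites: a plugin whose display name is a near miss of a well-known one, and a plugin upload that lands seconds after a login with no dashboard browsing in between, which is what a credential-replay script looks like in the access log. The following is an added example, not code from GoDaddy, Sucuri or WordPress. The log lines, the plugin names and the activate-request slug are constructed; the two paths it keys on (`/wp-login.php` and `/wp-admin/update.php?action=upload-plugin`) are the stock WordPress login and plugin-upload endpoints.

```python
"""Hunt for look-alike plugin names and scripted plugin installs in an access log.

Added example, not GoDaddy/Sucuri/WordPress code. Sample data below is constructed.
"""
import re
from datetime import datetime
from difflib import get_close_matches

# Combined-format access log (constructed). First IP logs in and uploads a plugin
# two seconds later with no dashboard views; second IP behaves like a human admin.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2024:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [14/Oct/2024:03:12:03 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4301
203.0.113.7 - - [14/Oct/2024:03:12:04 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=universal-popup/universal-popup.php HTTP/1.1" 302 0
198.51.100.20 - - [14/Oct/2024:09:41:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [14/Oct/2024:09:41:25 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 51230
198.51.100.20 - - [14/Oct/2024:09:43:02 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 38811
198.51.100.20 - - [14/Oct/2024:09:45:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text: str) -> dict:
    """Parse combined-format request lines and group them per client IP, time-ordered."""
    by_ip: dict = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        by_ip.setdefault(rec["ip"], []).append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def is_login_success(r: dict) -> bool:
    # A successful login POST is answered with a 302 to the dashboard; a failed
    # one re-renders the form with 200.
    return r["method"] == "POST" and r["path"].startswith("/wp-login.php") and r["status"] == 302


def is_plugin_upload(r: dict) -> bool:
    return (r["method"] == "POST" and r["path"].startswith("/wp-admin/update.php")
            and "action=upload-plugin" in r["path"])


def is_admin_browse(r: dict) -> bool:
    return r["method"] == "GET" and r["path"].startswith("/wp-admin/")


def find_scripted_installs(text: str, window_seconds: int = 60) -> list:
    """Flag a login followed, from the same IP and within window_seconds, by a
    plugin upload with no dashboard page views in between."""
    hits = []
    for ip, recs in parse_log(text).items():
        for i, r in enumerate(recs):
            if not is_login_success(r):
                continue
            browsed = 0
            for nxt in recs[i + 1:]:
                delta = (nxt["ts"] - r["ts"]).total_seconds()
                if delta > window_seconds:
                    break
                if is_admin_browse(nxt):
                    browsed += 1
                elif is_plugin_upload(nxt) and browsed == 0:
                    hits.append({"ip": ip, "login": r["ts"].isoformat(),
                                 "upload": nxt["ts"].isoformat(), "seconds": delta})
                    break
    return hits


# Legitimate plugin display names to compare against (constructed, not a full list).
KNOWN_PLUGINS = ["Wordfence Security", "LiteSpeed Cache", "Yoast SEO"]


def flag_lookalike_names(installed: list, known: list = KNOWN_PLUGINS) -> list:
    """Return (installed_name, legitimate_name) pairs where the installed name is a
    near miss of a known one. An exact match is not a look-alike and needs a
    different check (slug, author, update server)."""
    flagged = []
    for name in installed:
        if name in known:
            continue
        close = get_close_matches(name, known, n=1, cutoff=0.85)
        if close:
            flagged.append((name, close[0]))
    return flagged


if __name__ == "__main__":
    for hit in find_scripted_installs(SAMPLE_LOG):
        print("scripted install:", hit)
    print("look-alike plugins:", flag_lookalike_names(
        ["Wordfense Security", "LiteSpeed Cache", "Universal Popup Plugin"]))
```

The login-to-upload window is a tuning knob: an admin who already has the ZIP ready can be quick too, so treat a hit as something to pair with the plugin's on-disk contents rather than as proof on its own. The name check deliberately ignores exact matches, since a fake "LiteSpeed Cache" will only show up through its slug, author or the scripts it injects.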

Intel

'Crises at Boeing and Intel Are a National Emergency' (msn.com)

Intel and Boeing, once exemplars of American manufacturing prowess, now face existential crises. Their market values have plummeted, jeopardizing not just shareholder wealth but national security. The U.S. is losing its edge in manufacturing high-tech products, crucial in its geopolitical contest with China, a story on WSJ argues.

Unlike past manufacturing declines, Intel and Boeing's woes stem from internal missteps, prioritizing financial performance over engineering excellence. Their potential demise threatens America's semiconductor and commercial aircraft industries, with far-reaching consequences for the nation's technological ecosystem. While government intervention is controversial, national security concerns may necessitate support. WSJ adds: So, much as national leaders would like to ignore these companies' woes, they can't. National security dictates the U.S. maintain some know-how in making aircraft and semiconductors.

Certainly other countries feel that way: European governments heavily subsidized Airbus. China is pursuing dominance in key technologies regardless of the cost. Its so-called Big Fund has sunk roughly $100 billion into semiconductors while aid to Comac had reached $72 billion in 2020, according to the Center for Strategic and International Studies.

"Until Comac succeeds in gaining significant global market share, it will continue to run big losses and be bailed out by the Chinese government," said Atkinson, whose organization gets support from Boeing.

Both political parties have bought into the idea that manufacturing is special and thus deserving of public support. That raises the question: which manufacturing, and what kind of support?

The goal of manufacturing strategy shouldn't be just producing jobs but great, world-beating products. [...]

Linux

Linus Torvalds Growing Frustrated By Buggy Hardware, Theoretical CPU Attacks (phoronix.com)

jd writes: Linus Torvalds is not a happy camper and is condemning hardware vendors for poor security and the plethora of actual and theoretical attacks, especially as some of the new features being added impact the workarounds. These workarounds are now getting very expensive, CPU-wise.

TFA quotes Linus Torvalds:

"Honestly, I'm pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.

"So I think this time we push back on the hardware people and tell them it's *THEIR* damn problem, and if they can't even be bothered to say yay-or-nay, we just sit tight.

Because dammit, let's put the onus on where the blame lies, and not just take any random shit from bad hardware and say 'oh, but it *might* be a problem.'"

Programming

An Alternative to Rewriting Memory-Unsafe Code in Rust: the 'Safe C++ Extensions' Proposal (theregister.com)

"After two years of being beaten with the memory-safety stick, the C++ community has published a proposal to help developers write less vulnerable code," reports the Register.

"The Safe C++ Extensions proposal aims to address the vulnerable programming language's Achilles' heel, the challenge of ensuring that code is free of memory safety bugs..." Acknowledging the now deafening chorus of calls to adopt memory safe programming languages, developers Sean Baxter, creator of the Circle compiler, and Christian Mazakas, from the C++ Alliance, argue that while Rust is the only popular systems level programming language without garbage collection that provides rigorous memory safety, migrating C++ code to Rust poses problems. "Rust lacks function overloading, templates, inheritance and exceptions," they explain in the proposal. "C++ lacks traits, relocation and borrow checking. These discrepancies are responsible for an impedance mismatch when interfacing the two languages. Most code generators for inter-language bindings aren't able to represent features of one language in terms of the features of another."

Though DARPA is trying to develop better automated C++ to Rust conversion tools, Baxter and Mazakas argue telling veteran C++ developers to learn Rust isn't an answer... The Safe C++ project adds new technology for ensuring memory safety, Baxter explained, and isn't just a reiteration of best practices. "Safe C++ prevents users from writing unsound code," he said. "This includes compile-time intelligence like borrow checking to prevent use-after-free bugs and initialization analysis for type safety." Baxter said that rewriting a project in a different programming language is costly, so the aim here is to make memory safety more accessible by providing the same soundness guarantees as Rust at a lower cost. "With Safe C++, existing code continues to work as always," he explained. "Stakeholders have more control for incrementally opting in to safety."

The next step, Baxter said, involves greater participation from industry to help realize the Safe C++ project. "The foundations are in: We have fantastic borrow checking and initialization analysis which underpin the soundness guarantees," he said. "The next step is to comprehensively visit all of C++'s features and specify memory-safe versions of them. It's a big effort, but given the importance of reducing C++ security vulnerabilities, it's an effort worth making."

Security

Microsoft's Honeypots Lure Phishers at Scale - to Spy on Them and Waste Their Time (bleepingcomputer.com)

A principal security software engineer at Microsoft described how they use their Azure cloud platform "to hunt phishers at scale," in a talk at the information security conference BSides Exeter.

Calling himself Microsoft's "Head of Deception," Ross Bevington described how they'd created a "hybrid high interaction honeypot" on the now retired code.microsoft.com "to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure," according to a report by BleepingComputer: With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity... Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing...

In his BSides Exeter presentation, the researcher says that the active approach consists of visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants. Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap. Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms.

Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors' tactics, techniques, and procedures. Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on... The deception technology currently costs an attacker 30 days before they realize they breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.
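What makes seeded credentials useful as intelligence rather than just bait is the bookkeeping around them: if each decoy account is typed into exactly one phishing site, then every later sign-in with that account attributes the client IP and tooling to that site's operator, and a sign-in with an account that was never seeded means the intruder is moving around inside the tenant. The following is an added example, not Microsoft's code; the one-account-per-site seeding is an assumed design choice, and the decoy accounts, defanged site URLs and sign-in events are constructed.

```python
"""Attribute decoy-credential sign-ins back to the phishing site each one was seeded into.

Added example, not Microsoft's code. Assumes each decoy account was submitted to exactly
one phishing site. Accounts, site URLs (defanged) and sign-in events are constructed.
"""
import json
from collections import defaultdict

# Decoy account -> the phishing site its password was typed into (constructed).
SEEDED = {
    "j.alvarez@contoso-finance.example": "hxxps://login-microsft-secure.example/",
    "m.chen@contoso-finance.example": "hxxps://sharepoint-docs-view.example/",
}

# Honeypot-tenant sign-in log, one JSON object per line (constructed). ops.admin is an
# account that exists in the tenant but was never seeded anywhere.
SIGNIN_LOG = """\
{"ts": "2024-10-20T02:14:09Z", "user": "j.alvarez@contoso-finance.example", "ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "result": "success"}
{"ts": "2024-10-20T02:14:51Z", "user": "j.alvarez@contoso-finance.example", "ip": "203.0.113.77", "ua": "python-requests/2.31.0", "result": "success"}
{"ts": "2024-10-20T02:15:02Z", "user": "m.chen@contoso-finance.example", "ip": "203.0.113.77", "ua": "python-requests/2.31.0", "result": "failure"}
{"ts": "2024-10-21T11:02:33Z", "user": "m.chen@contoso-finance.example", "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0", "result": "success"}
{"ts": "2024-10-21T11:09:47Z", "user": "ops.admin@contoso-finance.example", "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0", "result": "success"}
"""


def looks_scripted(ua: str) -> bool:
    """Crude tooling check: browsers announce themselves as Mozilla/5.0, HTTP libraries do not."""
    return not ua.startswith("Mozilla/")


def attribute_logins(seeded: dict, log_text: str) -> dict:
    """Group successful decoy sign-ins by the phishing site the account was seeded into,
    list sign-ins with accounts that were never seeded (and which site's IP they came
    from, i.e. where the intruder pivoted from), and count failed attempts per IP."""
    sites = defaultdict(lambda: {"logins": 0, "ips": set(), "user_agents": set(), "first_seen": None})
    unseeded, failed = [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["result"] != "success":
            failed[ev["ip"]] += 1  # guessing at other decoy accounts is itself a signal
            continue
        site = seeded.get(ev["user"])
        if site is None:
            unseeded.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"]})
            continue
        rec = sites[site]
        rec["logins"] += 1
        rec["ips"].add(ev["ip"])
        rec["user_agents"].add(ev["ua"])
        if rec["first_seen"] is None or ev["ts"] < rec["first_seen"]:
            rec["first_seen"] = ev["ts"]  # ISO-8601 UTC strings sort chronologically
    for u in unseeded:
        u["pivoted_from"] = sorted(s for s, rec in sites.items() if u["ip"] in rec["ips"])
    report = {}
    for site, rec in sites.items():
        report[site] = {
            "logins": rec["logins"],
            "ips": sorted(rec["ips"]),
            "user_agents": sorted(rec["user_agents"]),
            "first_seen": rec["first_seen"],
            "scripted": any(looks_scripted(ua) for ua in rec["user_agents"]),
        }
    return {"sites": report, "unseeded_logins": unseeded, "failed_by_ip": dict(failed)}


if __name__ == "__main__":
    print(json.dumps(attribute_logins(SEEDED, SIGNIN_LOG), indent=2))
```

The per-site record is what lets a defender say "this IP range belongs to whoever runs that kit," and the `pivoted_from` field on an unseeded sign-in turns a single decoy password into a view of what the intruder does once inside. The user-agent heuristic is deliberately crude; real tenants have richer signals (token type, client app ID) that fit in the same place.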

AI

Can We Turn Off AI Tools From Google, Microsoft, Apple, and Meta? Sometimes... (seattletimes.com)

"Who asked for any of this in the first place?" wonders a New York Times consumer-tech writer. "Judging from the feedback I get from readers, lots of people outside the tech industry remain uninterested in AI — and are increasingly frustrated with how difficult it has become to ignore." The companies rely on user activity to train and improve their AI systems, so they are testing this tech inside products we use every day. Typing a question such as "Is Jay-Z left-handed?" in Google will produce an AI-generated summary of the answer on top of the search results. And whenever you use the search tool inside Instagram, you may now be interacting with Meta's chatbot, Meta AI. In addition, when Apple's suite of AI tools, Apple Intelligence, arrives on iPhones and other Apple products through software updates this month, the tech will appear inside the buttons we use to edit text and photos.

The proliferation of AI in consumer technology has significant implications for our data privacy, because companies are interested in stitching together and analyzing our digital activities, including details inside our photos, messages and web searches, to improve AI systems. For users, the tools can simply be an annoyance when they don't work well. "There's a genuine distrust in this stuff, but other than that, it's a design problem," said Thorin Klosowski, a privacy and security analyst at the Electronic Frontier Foundation, a digital rights nonprofit, and a former editor at Wirecutter, the reviews site owned by The New York Times. "It's just ugly and in the way."

It helps to know how to opt out. After I contacted Microsoft, Meta, Apple and Google, they offered steps to turn off their AI tools or data collection, where possible. I'll walk you through the steps.

The article suggests logged-in Google users can toggle settings at myactivity.google.com. (Some browsers also have extensions that force Google's search results to stop inserting an AI summary at the top.) And you can also tell Edge to remove Copilot from its sidebar at edge://settings.

But "There is no way for users to turn off Meta AI, Meta said. Only in regions with stronger data protection laws, including the EU and Britain, can people deny Meta access to their personal information to build and train Meta's AI." On Instagram, for instance, people living in those places can click on "settings," then "about" and "privacy policy," which will lead to opt-out instructions. Everyone else, including users in the United States, can visit the Help Center on Facebook to ask Meta only to delete data used by third parties to develop its AI.

By comparison, when Apple releases new AI services this month, users will have to opt in, according to the article. "If you change your mind and no longer want to use Apple Intelligence, you can go back into the settings and toggle the Apple Intelligence switch off, which makes the tools go away."

Security

How WatchTowr Explored the Complexity of a Vulnerability in a Secure Firewall Appliance (watchtowr.com)

Cybersecurity startup Watchtowr "was founded by hacker-turned-entrepreneur Benjamin Harris," according to a recent press release touting their Fortune 500 customers and $29 million in investments from venture capital firms. ("If there's a way to compromise your organization, watchTowr will find it," Harris says in the announcement.)

This week they shared their own research on a Fortinet FortiGate SSLVPN appliance vulnerability (discovered in February by Gwendal Guégniaud of the Fortinet Product Security team — presumably in a static analysis for format string vulnerabilities). "It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild... It's a Format String vulnerability [that] quickly leads to Remote Code Execution via one of many well-studied mechanisms, which we won't reproduce here..."

"Tl;dr SSLVPN appliances are still sUpEr sEcurE," their post begins — but the details are interesting. When trying to test an exploit, Watchtowr discovered instead that FortiGate always closed the connection early, thanks to an exploit mitigation in glibc "intended to hinder clean exploitation of exactly this vulnerability class." Watchtowr hoped to "use this to very easily check if a device is patched — we can simply send a %n, and if the connection aborts, the device is vulnerable. If the connection does not abort, then we know the device has been patched... " But then they discovered "Fortinet added some kind of certificate validation logic in the 7.4 series, meaning that we can't even connect to it (let alone send our payload) without being explicitly permitted by a device administrator." We also checked the 7.0 branch, and here we found things even more interesting, as an unpatched instance would allow us to connect with a self-signed certificate, while a patched machine requires a certificate signed by a configured CA. We did some reversing and determined that the certificate must be explicitly configured by the administrator of the device, which limits exploitation of these machines to the managing FortiManager instance (which already has superuser permissions on the device) or the other component of a high-availability pair. It is not sufficient to present a certificate signed by a public CA, for example...

Fortinet's advice here is simply to update, which is always sound advice, but doesn't really communicate the nuance of this vulnerability... Assuming an organisation is unable to apply the supplied workaround, the urgency of upgrade is largely dictated by the willingness of the target to accept a self-signed certificate. Targets that will do so are open to attack by any host that can access them, while those devices that require a certificate signed by a trusted root are rendered unexploitable in all but the narrowest of cases (because the TLS/SSL ecosystem is just so solid, as we recently demonstrated)...

While it's always a good idea to update to the latest version, the life of a sysadmin is filled with cost-to-benefit analysis, juggling the needs of users with their best interests.... [I]t is somewhat troubling when third parties need to reverse patches to uncover such details.

Thanks to Slashdot reader Mirnotoriety for sharing the article.

Security

Internet Archive Users Start Receiving Email From 'Some Random Guy' Criticizing Unpatched Hole (bleepingcomputer.com)

A post shared Saturday on social media acknowledges those admins and developers at the Internet Archive working "literally round the clock... They have taken no days off this past week. They are taking none this weekend... they are working with all of their energy and considerable talent."

It describes people "working so incredibly hard... putting their all in," with a top priority of "getting the site back secure and safe".

But there are new and continuing problems, reports The Verge's weekend editor: Early this morning, I received an email from "The Internet Archive Team," replying to a message I'd sent on October 9th. Except its author doesn't seem to have been the digital archivists' support team — it was apparently written by the hackers who breached the site earlier this month and who evidently maintain some level of access to its systems.

I'm not alone. Users on the Internet Archive subreddit are reporting getting the replies, as well. Here is the message I received:

It's dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.

As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.

Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine — your data is now in the hands of some random guy. If not me, it'd be someone else.

The site BleepingComputer believes it knows the larger context, starting with the fact that it has also "received numerous messages from people who received replies to their old Internet Archive removal requests... The email headers in these emails also pass all DKIM, DMARC, and SPF authentication checks, proving they were sent by an authorized Zendesk server."

BleepingComputer also writes that they'd "repeatedly tried to warn the Internet Archive that their source code was stolen through a GitLab authentication token that was exposed online for almost two years."

And that "the threat actor behind the actual data breach, who contacted BleepingComputer through an intermediary to claim credit for the attack," has been frustrated by misreporting. (Specifically, they insist there were two separate attacks last week — a DDoS attack and a separate data breach for a 6.4-gigabyte database which includes email addresses for the site's 33 million users.) The threat actor told BleepingComputer that the initial breach of Internet Archive started with them finding an exposed GitLab configuration file on one of the organization's development servers, services-hls.dev.archive.org. BleepingComputer was able to confirm that this token has been exposed since at least December 2022, with it rotating multiple times since then. The threat actor says this GitLab configuration file contained an authentication token allowing them to download the Internet Archive source code. The hacker says that this source code contained additional credentials and authentication tokens, including the credentials to Internet Archive's database management system. This allowed the threat actor to download the organization's user database, further source code, and modify the site.

The threat actor claimed to have stolen 7TB of data from the Internet Archive but would not share any samples as proof. However, now we know that the stolen data also included the API access tokens for Internet Archive's Zendesk support system. BleepingComputer attempted to contact the Internet Archive numerous times, as recently as on Friday, offering to share what we knew about how the breach occurred and why it was done, but we never received a response.

"The Internet Archive was not breached for political or monetary reasons," they conclude, "but simply because the threat actor could...

"While no one has publicly claimed this breach, BleepingComputer was told it was done while the threat actor was in a group chat with others, with many receiving some of the stolen data. This database is now likely being traded amongst other people in the data breach community, and we will likely see it leaked for free in the future on hacking forums like Breached."
AMD

Spectre Flaws Still Haunt Intel, AMD as Researchers Found Fresh Attack Method (theregister.com) 33

"Six years after the Spectre transient execution processor design flaws were disclosed, efforts to patch the problem continue to fall short," writes the Register: Johannes Wikner and Kaveh Razavi of Swiss University ETH Zurich on Friday published details about a cross-process Spectre attack that derandomizes Address Space Layout Randomization and leaks the hash of the root password from the Set User ID (suid) process on recent Intel processors. The researchers claim they successfully conducted such an attack.... [Read their upcoming paper here.] The indirect branch predictor barrier (IBPB) was intended as a defense against Spectre v2 (CVE-2017-5715) attacks on x86 Intel and AMD chips. IBPB is designed to prevent forwarding of previously learned indirect branch target predictions for speculative execution. Evidently, the barrier wasn't implemented properly.

"We found a microcode bug in the recent Intel microarchitectures — like Golden Cove and Raptor Cove, found in the 12th, 13th and 14th generations of Intel Core processors, and the 5th and 6th generations of Xeon processors — which retains branch predictions such that they may still be used after IBPB should have invalidated them," explained Wikner. "Such post-barrier speculation allows an attacker to bypass security boundaries imposed by process contexts and virtual machines." Wikner and Razavi also managed to leak arbitrary kernel memory from an unprivileged process on AMD silicon built with its Zen 2 architecture.

Videos of the Intel and AMD attacks have been posted, with all the cinematic dynamism one might expect from command line interaction.

Intel chips — including Intel Core 12th, 13th, and 14th generation and Xeon 5th and 6th — may be vulnerable. On AMD Zen 1(+) and Zen 2 hardware, the issue potentially affects Linux users. The relevant details were disclosed in June 2024, but Intel and AMD found the problem independently. Intel fixed the issue in a microcode patch (INTEL-SA-00982) released in March, 2024. Nonetheless, some Intel hardware may not have received that microcode update. In their technical summary, Wikner and Razavi observe: "This microcode update was, however, not available in Ubuntu repositories at the time of writing this paper." It appears Ubuntu has subsequently dealt with the issue.

AMD issued its own advisory in November 2022, in security bulletin AMD-SB-1040. The firm notes that hypervisor and/or operating system vendors have work to do on their own mitigations. "Because AMD's issue was previously known and tracked under AMD-SB-1040, AMD considers the issue a software bug," the researchers explain. "We are currently working with the Linux kernel maintainers to merge our proposed software patch."

BleepingComputer adds that the ETH Zurich team "is working with Linux kernel maintainers to develop a patch for AMD processors, which will be available here when ready."
Security

Internet Archive Services Resume as They Promise Stronger, More Secure Return (msn.com) 16

"The Wayback Machine, Archive-It, scanning, and national library crawls have resumed," announced the Internet Archive Thursday, "as well as email, blog, helpdesk, and social media communications. Our team is working around the clock across time zones to bring other services back online."

Founder Brewster Kahle told The Washington Post it's the first time in its almost 30-year history that it's been down more than a few hours. But their article says the Archive is "fighting back." Kahle and his team see the mission of the Internet Archive as a noble one — to build a "library of everything" and ensure records are kept in an online environment where websites change and disappear by the day. "We're all dreamers," said Chris Freeland, the Internet Archive's director of library services. "We believe in the mission of the Internet Archive, and we believe in the promise of the internet." But the site has, at times, courted controversy. The Internet Archive faces lawsuits from book publishers and music labels brought in 2020 and 2023 for digitizing copyrighted books and music, which the organization has argued should be permissible for noncommercial, archival purposes. Kahle said the hundreds of millions of dollars in penalties from the lawsuits could sink the Internet Archive.

Those lawsuits are ongoing. Now, the Internet Archive has also had to turn its attention to fending off cyberattacks. In May, the Internet Archive was hit with a distributed denial-of-service (DDoS) attack, a fairly common type of internet warfare that involves flooding a target site with fake traffic. The archive experienced intermittent outages as a result. Kahle said it was the first time the site had been targeted in its history... [After another attack October 9th], Kahle and his team have spent the week since racing to identify and fix the vulnerabilities that left the Internet Archive open to attack. The organization has "industry standard" security systems, Kahle said, but he added that, until this year, the group had largely stayed out of the crosshairs of cybercriminals. Kahle said he'd opted not to prioritize additional investments in cybersecurity out of the Internet Archive's limited budget of around $20 million to $30 million a year...

[N]o one has reliably claimed the defacement and data breach that forced the Internet Archive to sequester itself, said [cybersecurity researcher] Scott Helme. He added that the hackers' decision to alert the Internet Archive of their intrusion and send the stolen data to Have I Been Pwned, the monitoring service, could imply they didn't have further intentions with it.... Helme said the episode demonstrates the vulnerability of nonprofit services like the Internet Archive — and of the larger ecosystem of information online that depends on them. "Perhaps they'll find some more funding now that all of these headlines have happened," Helme said. "And people suddenly realize how bad it would be if they were gone."

"Our priority is ensuring the Internet Archive comes online stronger and more secure," the archive said in Thursday's statement. And it noted recent instances of other libraries also being attacked online: "As a library community, we are seeing other cyber attacks — for instance the British Library, Seattle Public Library, Toronto Public Library, and now Calgary Public Library. We hope these attacks are not indicative of a trend."

For the latest updates, please check this blog and our official social media accounts: X/Twitter, Bluesky and Mastodon.

Thank you for your patience and ongoing support.

Space

SpaceX Secures New Contracts Worth $733.5 Million For National Security Space Missions (spacenews.com) 39

An anonymous reader quotes a report from Space News: SpaceX has been awarded contracts for eight launches under the National Security Space Launch (NSSL) Phase 3 Lane 1 program, the U.S. Space Force's Space Systems Command announced Oct. 18. The contracts worth $733.5 million span seven missions for the Space Development Agency (SDA) and one for the National Reconnaissance Office (NRO) projected to launch in 2026. These are part of the NSSL Phase 3 procurement of launch services for U.S. defense and intelligence agencies.

The NSSL Phase 3 Lane 1 program is structured as an Indefinite Delivery, Indefinite Quantity (IDIQ) contract, a flexible procurement method often used in government contracting. The total value of the Lane 1 contract is estimated at $5.6 billion over five years, with Blue Origin, SpaceX, and United Launch Alliance (ULA) selected as the primary vendors to compete for individual task orders. The Space Development Agency is utilizing SpaceX's Falcon 9 rocket to launch small satellites into a low-Earth orbit (LEO) constellation, a network of satellites designed to enhance military communications and intelligence capabilities. SpaceX has already completed two successful launches for the Tranche 0 portion of SDA's constellation.

"The Phase 3 Lane 1 construct allows us to execute launch services more quickly for risk-tolerant payloads, putting more capabilities in orbit faster to support national security," said Brig. Gen. Kristin Panzenhagen, program executive officer for Assured Access to Space at the Space Force. Blue Origin's New Glenn rocket has yet to perform its first launch and will need to complete at least two successful flights to qualify for NSSL certification, while ULA's Vulcan Centaur, which has completed two flights, is still awaiting final certification for the program.
