The Almighty Buck

US Fines T-Mobile $60 Million, Its Largest Penalty Ever, Over Unauthorized Data Access (reuters.com) 12

The U.S. Committee on Foreign Investment (CFIUS) fined T-Mobile $60 million, its largest penalty ever, for failing to prevent and report unauthorized access to sensitive data tied to violations of a mitigation agreement from its 2020 merger with Sprint. "The size of the fine, and CFIUS's unprecedented decision to make it public, show the committee is taking a more muscular approach to enforcement as it seeks to deter future violations," reports Reuters. From the report: T-Mobile said in a statement that it experienced technical issues during its post-merger integration with Sprint that affected "information shared from a small number of law enforcement information requests." It stressed that the data never left the law enforcement community, was reported "in a timely manner" and was "quickly addressed." The failure of T-Mobile to report the incidents promptly delayed CFIUS' efforts to investigate and mitigate any potential harm to U.S. national security, they added, without providing further details. "The $60 million penalty announcement highlights the committee's commitment to ramping up CFIUS enforcement by holding companies accountable when they fail to comply with their obligations," one of the U.S. officials said, adding that transparency around enforcement actions incentivizes other companies to comply with their obligations.
Security

Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All 7

Security researcher Bill Demirkapi unveiled a massive trove of leaked developer secrets and website vulnerabilities at the Defcon conference in Las Vegas. Using unconventional data sources, Demirkapi identified over 15,000 exposed secrets, including credentials for Nebraska's Supreme Court IT systems and Stanford University's Slack channels.

The researcher also discovered 66,000 websites with dangling subdomain issues, making them vulnerable to attacks. Among the affected sites was a New York Times development domain. Demirkapi's tack involved scanning VirusTotal's database and passive DNS replication data to identify vulnerabilities at scale. He developed an automated method to revoke exposed secrets, working with companies like OpenAI to implement self-service deactivation of compromised API keys.
Microsoft

Microsoft Temporarily Pumps the Brakes on Its Intrusive Windows 11 Ads (windowscentral.com) 32

Microsoft says it will temporarily cease its contentious Windows 11 upgrade campaign following user backlash. The tech giant had been bombarding Windows 10 users with full-screen popups urging them to switch operating systems. Starting with April's security update, these intrusive notifications will be discontinued. Microsoft says it will unveil a revised upgrade strategy in the coming months, as Windows 10 support nears its October 2025 end date.
Transportation

Intel and Karma Partner To Develop Software-Defined Car Architecture (arstechnica.com) 53

An anonymous reader quotes a report from Ars Technica: Intel is partnering with Karma Automotive to develop an all-new computing platform for vehicles. The new software-defined vehicle architecture should first appear in a high-end electric coupe from Karma in 2026. But the partners have bigger plans for this architecture, with talk of open standards and working with other automakers also looking to make the leap into the software-defined future. [...] In addition to advantages in processing power and weight savings, software-defined vehicles are easier to update over-the-air, a must-have feature since Tesla changed that paradigm. Karma and Intel say their architecture should also have other efficiency benefits. They give the example of security monitoring that remains active even when the vehicle is turned off; they move this to a low-powered device using "data center application orchestration concepts."

Intel is also contributing its power management SoC to get the most out of inverters, DC-DC converters, chargers, and as you might expect, the domain controllers use Intel silicon as well, apparently with some flavor of AI enabled. [...] Karma's first car to use the software-defined vehicle architecture will be the Kayeva, a $300,000 two-door with 1,000 hp (745 kW) on tap, which is scheduled to arrive in two years. But Intel and Karma want to offer the architecture to others in the industry. "For Tier 1s and OEMs not quite ready to take the leap from the old way of doing things to the new, Karma Automotive will play as an ally, helping them make that transition," said [Karma President Marques McCammon].
"Together, we're harnessing the combined might of Intel's technological prowess and Karma's ultra-luxury vehicle expertise to co-develop a revolutionary software-defined vehicle architecture," said McCammon. "This isn't just about realizing Karma's full potential; it's about creating a blueprint for the entire industry. We're not just building exceptional vehicles, we're paving the way for a new era of automotive innovation and offering a roadmap for those ready to make the leap."
Security

Researchers Hack Electronic Shifters With a Few Hundred Dollars of Hardware 125

An anonymous reader quotes a report from Wired: Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks.Performance-enhancing drugs.Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs. Now, for those who fail to download a software patch for their gear shifters -- yes, bike components now get software updates -- there may be hacker saboteurs to contend with, too. At the Usenix Workshop on Offensive Technologies earlier this week, researchers from UC San Diego and Northeastern University revealed a technique that would allow anyone with a few hundred dollars of hardware to hack Shimano wireless gear-shifting systems (Warning: source may be paywalled; alternative source) of the kind used by many of the top cycling teams in the world, including in recent events like the Olympics and the Tour de France. Their relatively simple radio attack would allow cheaters or vandals to spoof signals from as far as 30 feet away that trigger a target bike to unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear.

The trick would, the researchers say, easily be enough to hamper a rival on a climb or, if timed to certain intense moments of a race, even cause dangerous instability. "The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time," says Earlence Fernandes, an assistant professor at UCSD's Computer Science and Engineering department. "Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that." [...] The researchers' technique exploits the increasingly electronic nature of modern high-end bicycles, which now have digital components like power meters, wireless control of fork suspensions, and wireless shifters. "Modern bicycles are cyber-physical systems," the researchers note in their Usenix paper. Almost all professional cyclists now use electronic shifters, which respond to digital signals from shifter controls on the bike's handlebars to move a bicycle's chain from gear to gear, generally more reliably than mechanical shifting systems. In recent years, those wired electronic shifters have transitioned again to wireless versions that pair via a radio connection, such as the popular Di2 wireless shifters sold by the Japanese cycling component firm Shimano, which the researchers focused on.
Shimano says it has developed a firmware update to patch the exploit but it won't be available widely until late August. The update is intended to improve wireless transmission across Shimano Di2 component platforms, though specific details about the fix and how it prevents the identified attacks have not been disclosed for security reasons.
Microsoft

German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products After Tech Outage (wsj.com) 50

An anonymous reader shares a report: Since last month's blue-screen deluge, CrowdStrike has published analyses of what went wrong and said it hired third-party security companies to review its product. Now, Germany's powerful cybersecurity agency is seizing the moment and hoping to rattle tech and cyber companies into altering their products to head off another mega-meltdown. In particular, the Bonn-based Federal Office for Information Security is taking aim at the access Microsoft gives security providers to its Windows kernel, a core part of its operating system. As well, the German agency is looking for fundamental changes in the way CrowdStrike and other cyber firms design their tools, in hopes of curbing that access.

"The most important thing is to prevent [that] this can happen again," said Thomas Caspers, director general for technology strategy at the BSI, as the agency is known. Leveraging the dread that filled Silicon Valley following the July outage, the BSI is planning to organize a conference this year gathering major tech firms, where it hopes they will commit to restricting access to the kernel, a change Caspers says is crucial to stopping similar failures. "We expect each company to be very specific about what they will do based on what we agreed on," he said.

Android

Google Sold Android Phones With Hidden Insecure Feature, Companies Find (washingtonpost.com) 30

Google's master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor. From a report: The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post. The discovery and Google's lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.

"Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir Chief Information Security Officer Dane Stuckey said. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application. On Wednesday night, Google told The Post that it would issue an update to remove the application. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update," said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.

Businesses

Cisco Slashes Thousands of Workers As It Announces Yearly Profit of $10.3 Billion (sfgate.com) 51

An anonymous reader quotes a report from SFGATE: Cisco Systems is laying off 7% of its workforce, the company announced in a filing with the Securities and Exchange Commission on Wednesday. It's the San Jose tech giant's second time slashing thousands of jobs this year. The networking and telecommunications company is vast, reporting to have 84,900 employees in July 2023 before it chopped at least 4,000 in February. That means the new 7% cut will likely affect at least 5,500 workers. Cisco spokesperson Robyn Blum said in an email to SFGATE that the layoff is meant to allow the company to invest in "key growth opportunities and drive more efficiency in our business." [...]

More hints about the layoff's potential reasoning showed up in a Wednesday blog post from CEO Chuck Robbins. The executive wrote that Cisco plans to consolidate its networking, security and collaboration teams into one organization and said the company is still integrating Splunk; Cisco closed its $28 billion acquisition of San Francisco-based data security and management company in March. Cisco also announced its earnings for its last fiscal year on Wednesday. Total revenue was slightly down year over year, to $53.8 billion, but the company still reported a $10.3 billion profit during the same period.

Encryption

NIST Finalizes Trio of Post-Quantum Encryption Standards (theregister.com) 20

"NIST has formally accepted three algorithms for post-quantum cryptography," writes ancient Slashdot reader jd. "Two more backup algorithms are being worked on. The idea is to have backup algorithms using very different maths, just in case a flaw in the original approach is discovered later." The Register reports: The National Institute of Standards and Technology (NIST) today released the long-awaited post-quantum encryption standards, designed to protect electronic information long into the future -- when quantum computers are expected to break existing cryptographic algorithms. One -- ML-KEM (PDF) (based on CRYSTALS-Kyber) -- is intended for general encryption, which protects data as it moves across public networks. The other two -- ML-DSA (PDF) (originally known as CRYSTALS-Dilithium) and SLH-DSA (PDF) (initially submitted as Sphincs+) -- secure digital signatures, which are used to authenticate online identity. A fourth algorithm -- FN-DSA (PDF) (originally called FALCON) -- is slated for finalization later this year and is also designed for digital signatures.

NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future. One of the sets includes three algorithms designed for general encryption -- but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today's finalized standards. NIST plans to select one or two of these algorithms by the end of 2024. Despite the new ones on the horizon, NIST mathematician Dustin Moody encouraged system administrators to start transitioning to the new standards ASAP, because full integration takes some time. "There is no need to wait for future standards," Moody advised in a statement. "Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event."
From the NIST: This notice announces the Secretary of Commerce's approval of three Federal Information Processing Standards (FIPS):
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
- FIPS 204, Module-Lattice-Based Digital Signature Standard
- FIPS 205, Stateless Hash-Based Digital Signature Standard

These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions in the NIST Post-Quantum Cryptography Standardization Project.

Apple

Apple To Open Payment Chip To Third Parties and Charge Fees (financialpost.com) 37

Apple will begin letting third parties use the iPhone's payment chip to handle transactions, a move that allows banks and other services to compete with the Apple Pay platform. From a report: The move, announced Wednesday, follows years of pressure from regulators, including those in the European Union. Apple said it will allow developers to use the component starting in iOS 18.1, an upcoming software update for the iPhone. The payment chip relies on a technology called NFC, or near-field communication, to share information when the phone is near another device.

The change will allow outside providers to use the NFC chip for in-store payments, transit system fares, work badges, home and hotel keys, and reward cards. Support for government identification cards will come later, the company said. Users will also be able to set a third-party payment app as their default system, replacing Apple Pay. Apple had been reluctant to open up the chip to developers, citing security concerns. The change also threatens the revenue it generates from Apple Pay transactions. The company takes a cut of all payments made via the iPhone.

Encryption

Microsoft is Enabling BitLocker Device Encryption By Default on Windows 11 (theverge.com) 104

Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. From a report: If you clean install the 24H2 version that's rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.

Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID. In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices -- including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.

United States

Companies Prepare To Fight Quantum Hackers (wsj.com) 23

National-security authorities have warned for years that today's encryption will become vulnerable to hackers when quantum computers are widely available. Companies can now start to integrate new cryptographic algorithms into their products to protect them from future hacks. From a report: Some companies have already taken steps to replace current forms of encryption with post-quantum algorithms. The National Institute of Standards and Technology, an agency of the Commerce Department, published three new algorithms for post-quantum encryption Tuesday.

The three algorithms that NIST selected use different types of encryption to protect digital signatures that authenticates information, and cryptographic key exchange, which keeps data confidential. IBM researchers were part of teams that submitted algorithms that NIST selected. International Business Machines is working with companies in telecommunications, online payments and other industries on how to implement the new standards.

"Our digital economy is toast unless people go in and change the cryptography," said Scott Crowder, vice president of IBM's quantum adoption group. The new standards from NIST will be influential because they will replace encryption algorithms in use all over the world, said Joost Renes, principal cryptographer at NXP Semiconductors, a key provider of chips to the auto industry. NXP customers in different industries have been asking about the new encryption algorithms and want to make sure their suppliers are prepared to migrate to post-quantum cryptography, Renes said. He said NXP will start using the algorithms as soon as possible but declined to comment on when that will be. "You should really look at this as a kind of ongoing transition project which is going to take quite some time," he said.

Security

Six Ransomware Gangs Behind Over 50% of 2024 Attacks (theregister.com) 5

An anonymous reader shares a report: Despite a law enforcement takedown six months ago, LockBit 3.0 remains the most prolific encryption and extortion gang, at least so far, this year, according to Palo Alto Networks' Unit 42. Of the 53 ransomware groups whose underworld websites, where the crooks name their victims and leak stolen data, that the incident response team monitored, just six accounted for more than half of the total infections observed.

For its analysis, Unit 42 reviewed announcements posted on these crews' dedicated leak sites during the first six months of 2024 and counted 1,762 posts, which represents a 4.3 percent year-over-year increase from 2023. Before we get into the top six gangs' victims count, a note on how Unit 42 tracks nation-state and cybercrime groups: It combines a modifier with a constellation. And Scorpius is the lucky constellation that Unit 42 connects to ransomware gangs.

Android

Google's Pixel 9 Lineup is a Pro Show (theverge.com) 34

Google unveiled its latest Pixel smartphone series on Tuesday, introducing four new models with enhanced AI capabilities and updated designs. The Pixel 9 lineup includes the standard Pixel 9, two Pro models, and a foldable device. The new Pixel phones feature flat sides and an elongated camera module on the rear, departing from the curved edges of previous generations. Screen sizes range from 6.3 inches on the standard Pixel 9 to 6.8 inches on the Pixel 9 Pro XL.

All models are powered by Google's new Tensor G4 processor and come with increased RAM, with Pro models boasting 16GB. The devices run on Android 14 and will receive seven years of OS updates and security patches. Google has significantly expanded the AI capabilities of the new Pixels. An updated on-device Gemini Nano model can now analyze images and speech in addition to text. New features include automatic screenshot cataloging and retrieval, and an AI-powered illustration generator called Pixel Studio. Camera improvements are a key focus, with all models receiving upgraded ultrawide lenses and the Pro versions featuring a new 42-megapixel selfie camera with autofocus. Google has introduced "Magic Editor," allowing users to transform parts of an image using text prompts and generative AI.

The Pixel 9 Pro Fold, Google's second-generation foldable device, is thinner than its predecessor at 5.1mm when unfolded. It features a larger 8-inch inner display with increased brightness, reaching up to 2,700 nits in peak mode. Pricing for the new Pixel lineup starts at $799 for the standard Pixel 9, representing a $100 increase from last year's model. The Pixel 9 Pro and Pro XL are priced at $999 and $1,099 respectively, while the Pixel 9 Pro Fold will retail for $1,799. The devices will be released in stages, with the Pixel 9 and 9 Pro XL available from August 22, followed by the 9 Pro in September and the Pro Fold on September 4.
United States

The Nation's Best Hackers Found Vulnerabilities in Voting Machines - But No Time To Fix Them (politico.com) 189

Hackers at the DEF CON conference in Las Vegas identified vulnerabilities in voting machines slated for use in the 2024 U.S. election, but fixes are unlikely to be implemented before November 5, organizers said. The annual "Voting Village" event, held away from the main conference floor due to security concerns, drew election officials and cybersecurity experts. Organizers plan to release a detailed report on the vulnerabilities found.

Catherine Terranova, an event organizer, said major systemic changes are difficult to make 90 days before an election, particularly given heightened scrutiny of election security in 2024. The process of addressing vulnerabilities involves manufacturer approval, recertification by authorities, and updating individual devices. This typically takes longer than the time remaining before the election, according to Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center. The event comes amid ongoing concerns about foreign targeting of U.S. elections, including a recent hack of former President Donald Trump's campaign, reportedly by Iran.
Republicans

FBI Investigating After Trump Campaign Says It Was Hacked (thehill.com) 75

Over the weekend, former President Donald Trump's campaign said that it had been hacked, with internal documents reportedly obtained illegally by foreign sources to interfere with the 2024 election. While the Trump campaign claimed that Iran was responsible, it is unclear who exactly was behind the incident. The FBI said it was aware of the allegations and confirmed Monday that it is "investigating this matter." The Hill reports: U.S. agencies have thus far failed to comment on the claims that Iran was responsible for the hack, even as recent intelligence community reports have noted growing Iranian efforts to influence the U.S. election. "This is something we've raised for some time, raised concerns that Iranian cyber actors have been seeking to influence elections around the world including those happening in the United States," John Kirby, the White House's national security communications adviser, told reporters Monday. "These latest attempts to interfere in U.S. elections is nothing new for the Iranian regime, which from our vantage point has attempted to undermine democracies for many years now."

A report from the Office of the Director of National Intelligence released last month noted Iranian efforts designed to "fuel distrust in U.S. political institutions and increase social discord." "The IC has observed Tehran working to influence the presidential election, probably because Iranian leaders want to avoid an outcome they perceive would increase tensions with the United States. Tehran relies on vast webs of online personas and propaganda mills to spread disinformation," the report states, including being particularly active on exacerbating tensions over the Israel-Gaza conflict.

Crime

Are Banks Doing Enough to Protect Customers from Zelle Scams? US Launches Federal Probe (yahoo.com) 82

"Zelle payments can't be reversed once they're sent," notes the Los Angeles Times — which could be why they're popular with scammers. "You can't simply stop the payment (like a check) or dispute it (like a credit card). Now, the federal regulator overseeing financial products is probing whether banks that offer Zelle to their account holders are doing enough to protect them against scams. Two major banks — JPMorgan Chase and Wells Fargo — disclosed in their security filings in the last week that they'd been contacted by the Consumer Financial Protection Bureau. According to the Wall Street Journal, which reported the filings Wednesday, the CFPB is exploring whether banks are moving quickly enough to shut down scammers' accounts and whether they're doing enough to identify and prevent scammers from signing up for accounts in the first place...

A J.D. Power survey this year found that 3% of the people who'd used Zelle said they had lost money to scammers, which was less than the average for peer-to-peer money transfer services such as Venmo, CashApp and PayPal. The chief executive of Early Warning Services, which runs Zelle, told a Senate subcommittee in July that only 0.1% of the transactions on Zelle involved a scam or fraud; in 2023, the company said, that percentage was 0.05%. But Zelle operates at such a large scale — 120 million users, 2.9 billion transactions and $806 billion transferred in 2023, according to Early Warning Services — that even a tiny percentage of scam and fraud problems translates into a large number of users and dollars... From 2022 to 2023, Zelle cut the rate of scams by nearly 50% even as the volume of transactions grew 28%, resulting in less money scammed in 2023 than in 2022, said Ben Chance, the chief fraud risk management officer for Zelle. The company didn't disclose the amounts involved, but if 0.05% of the $806 billion transferred in 2023 involved scam or fraud, that would translate to $403 million.

Do Zelle users get reimbursed for scams? Only in certain cases, and this is where the banks that offer Zelle have drawn the most heat. If you use Zelle to pay a scammer, banks say, that's a payment you authorized, so they're not obliged under law to refund your money... Some banks, such as Bank of America, say they will put a freeze on transfers by a suspected scammer as soon as a report comes in, then investigate and, if the report is substantiated, seize and return the money. But that works only if the scam is reported right away, before the scammer has the chance to withdraw the funds — which many will do immediately, said Iskander Sanchez-Rola, director of innovation at the cybersecurity company Gen.

Transportation

Kia and Hyundai's New Anti-Theft Software is Lowering Car-Stealing Rates (cnn.com) 43

An anonymous reader shared this report from CNN: More than a year after Hyundai and Kia released new anti-theft software updates, thefts of vehicles with the new software are falling — even as thefts overall remain astoundingly high, according to a new analysis of insurance claim data. The automakers released the updates starting last February, after a tenfold increase in thefts of certain Hyundai and Kia models in just the past three years — sparked by a series of social media posts that showed people how to steal the vehicles. "Whole vehicle" theft claims — insurance claims for the loss of the entire vehicle — are 64% lower among the Hyundai and Kia cars that have had the software upgrade, compared to cars of the same make, model and year without the upgrade, according to the Highway Loss Data Institute. "The companies' solution is extremely effective," Matt Moore, senior vice president of HLDI, an industry group backed by auto insurers, said in a statement...

Between early 2020 and the first half of 2023, thefts of Hyundai and Kia models rose more than 1,000%.

The article points out that HDLI's analysis covered 2023, and "By the end of that year, only about 30% of vehicles eligible for the security software had it installed. By now, around 61% of eligible Hyundai vehicles have the software upgrade, a Hyundai spokesperson said."

The car companies told CNN that more than 2 million Hyundai and Kia vehicles have gotten the update (part of a $200 million class action settlement reached in May of 2023).
Security

Some Def Con Attendees Forgive Crowdstrike - and Some Blame Microsoft Windows (techcrunch.com) 93

Fortune reports that Crowdstrike "is enjoying a moment of strange cultural cachet at the annual Black Hat security conference, as throngs of visitors flock to its booth to snap selfies and load up on branded company shirts and other swag." (Some attendees "collectively shrugged at the idea that Crowdstrike could be blamed for a problem with a routine update that could happen to any of the security companies deeply intertwined with Microsoft Windows.") Others pointed out that Microsoft should take their fair share of the blame for the outage, which many say was caused by the design of Windows in its core architecture that leads to malware, spyware and driver instability. "Microsoft should not be giving any third party that level of access," said Eric O'Neill, a cybersecurity expert, attorney and former FBI operative. "Microsoft will complain, well, it's just the way that the technology works, or licensing works, but that's bullshit, because this same problem didn't affect Linux or Mac. And Crowdstrike caught it super-early."
Their article notes that Crowdstrike is one of this year's top sponsors of the conference. Despite its recent missteps, Crowdstrike had one of the biggest booths, notes TechCrunch, and "As soon as the doors opened, dozens of attendees started lining up." They were not all there to ask tough questions, but to pick up T-shirts and action figures made by the company to represent some of the nation-state and cybercriminal grups it tracks, such as Scattered Spider, an extortion racket allegedly behind last year's MGM Resorts and Okta cyberattacks; and Aquatic Panda, a China-linked espionage group.

"We're here to give you free stuff," a CrowdStrike employee told people gathered around a big screen where employees would later give demos. A conference attendee looked visibly surprised. "I just thought it would be dead, honestly. I thought it would be slower over there. But obviously, people are still fans, right?"

For CrowdStrike at Black Hat, there was an element of business as usual, despite its global IT outage that caused widespread disruption and delays for days — and even weeks for some customers. The conference came at the same time as CrowdStrike released its root cause analysis that explained what happened the day of the outage. In short, CrowdStrike conceded that it messed up but said it's taken steps to prevent the same incident happening again. And some cybersecurity professionals attending Black Hat appeared ready to give the company a second chance....

TechCrunch spoke to more than a dozen conference attendees who visited the CrowdStrike booth. More than half of attendees we spoke with expressed a positive view of the company following the outage. "Does it lower my opinion of their ability to be a leading-edge security company? I don't think so," said a U.S. government employee, who said he uses CrowdStrike every day.

Although TechCrunch does note that one engineer told his parent company they might consider Crowdstrike competitor Sophos...
Crime

Cyber-Heist of 2.9 Billion Personal Records Leads to Class Action Lawsuit (theregister.com) 18

"A lawsuit has accused a Florida data broker of carelessly failing to secure billions of records of people's private information," reports the Register, "which was subsequently stolen from the biz and sold on an online criminal marketplace." California resident Christopher Hofmann filed the potential class-action complaint against Jerico Pictures, doing business as National Public Data, a Coral Springs-based firm that provides APIs so that companies can perform things like background checks on people and look up folks' criminal records. As such National Public Data holds a lot of highly personal information, which ended up being stolen in a cyberattack. According to the suit, filed in a southern Florida federal district court, Hofmann is one of the individuals whose sensitive information was pilfered by crooks and then put up for sale for $3.5 million on an underworld forum in April.

If the thieves are to be believed, the database included 2.9 billion records on all US, Canadian, and British citizens, and included their full names, addresses, and address history going back at least three decades, social security numbers, and the names of their parents, siblings, and relatives, some of whom have been dead for nearly 20 years.

Hofmann's lawsuit says he 'believes that his personally identifiable information was scraped from non-public sources," according to the article — which adds that Hofmann "claims he never provided this sensitive info to National Public Data...

"The Florida firm stands accused of negligently storing the database in a way that was accessible to the thieves, without encrypting its contents nor redacting any of the individuals' sensitive information." Hofmann, on behalf of potentially millions of other plaintiffs, has asked the court to require National Public Data to destroy all personal information belonging to the class-action members and use encryption, among other data protection methods in the future... Additionally, it seeks unspecified monetary relief for the data theft victims, including "actual, statutory, nominal, and consequential damages."

Slashdot Top Deals