Microsoft

Global IT Outage Linked To CrowdStrike Update Disrupts Businesses (techcrunch.com) 274

A widespread IT outage, caused by a defective software update from cybersecurity firm CrowdStrike, is affecting businesses worldwide, causing significant disruptions across various sectors. The issue has primarily impacted computers running Windows, resulting in system crashes and "blue screen of death" errors. The travel industry appears to be among the hardest hit, with airlines and airports in multiple countries reporting problems with check-in and ticketing systems, leading to flight delays. Other affected sectors include banking, retail, and healthcare.

CrowdStrike CEO George Kurtz confirmed the outage was due to a "defect" in a content update for Windows hosts, ruling out a cyberattack. The company is working on a fix. CrowdStrike said the crash reports were "related to the Falcon Sensor" -- its cloud-based security service that it describes as "real-time threat detection, simplified management, and proactive threat hunting."

A Microsoft spokesperson told TechCrunch that the previous Microsoft 365 service disruption overnight July 18-19 was unrelated to the widespread outage triggered by the CrowdStrike update.

Editor's note: The story has been updated throughout the day and moved higher on the front page.
AI

It May Soon Be Legal To Jailbreak AI To Expose How It Works (404media.co) 26

An anonymous reader quotes a report from 404 Media: A group of researchers, academics, and hackers are trying to make it easier to break AI companies' terms of service to conduct "good faith research" that exposes biases, inaccuracies, and training data without fear of being sued. The U.S. government is currently considering an exemption to U.S. copyright law that would allow people to break technical protection measures and digital rights management (DRM) on AI systems to learn more about how they work, probe them for bias, discrimination, harmful and inaccurate outputs, and to learn more about the data they are trained on. The exemption would allow for "good faith" security and academic research and "red-teaming" of AI products even if the researcher had to circumvent systems designed to prevent that research. The proposed exemption has the support of the Department of Justice, which said "good faith research can help reveal unintended or undisclosed collection or exposure of sensitive personal data, or identify systems whose operations or outputs are unsafe, inaccurate, or ineffective for the uses for which they are intended or marketed by developers, or employed by end users. Such research can be especially significant when AI platforms are used for particularly important purposes, where unintended, inaccurate, or unpredictable AI output can result in serious harm to individuals."

Much of what we know about how closed-sourced AI tools like ChatGPT, Midjourney, and others work is from researchers, journalists, and ordinary users purposefully trying to trick these systems into revealing something about the data they were trained on (which often includes copyrighted material indiscriminately and secretly scraped from the internet), its biases, and its weaknesses. Doing this type of research can often violate the terms of service users agree to when they sign up for a system. For example, OpenAI's terms of service state that users cannot "attempt to or assist anyone to reverse engineer, decompile or discover the source code or underlying components of our Services, including our models, algorithms, or systems (except to the extent this restriction is prohibited by applicable law)," and adds that users must not "circumvent any rate limits or restrictions or bypass any protective measures or safety mitigations we put on our Services."

Shayne Longpre, an MIT researcher who is part of the team pushing for the exemption, told me that "there is a lot of apprehensiveness about these models and their design, their biases, being used for discrimination, and, broadly, their trustworthiness." "But the ecosystem of researchers looking into this isn't super healthy. There are people doing the work but a lot of people are getting their accounts suspended for doing good-faith research, or they are worried about potential legal ramifications of violating terms of service," he added. "These terms of service have chilling effects on research, and companies aren't very transparent about their process for enforcing terms of service." The exemption would be to Section 1201 of the Digital Millennium Copyright Act, a sweeping copyright law. Other 1201 exemptions, which must be applied for and renewed every three years as part of a process through the Library of Congress, allow for the hacking of tractors and electronic devices for the purpose of repair, have carveouts that protect security researchers who are trying to find bugs and vulnerabilities, and in certain cases protect people who are trying to archive or preserve specific types of content.
Harley Geiger of the Hacking Policy Council said that an exemption is "crucial to identifying and fixing algorithmic flaws to prevent harm or disruption," and added that a "lack of clear legal protection under DMCA Section 1201 adversely affect such research."
IOS

'The DOJ's Assault On Apple Will Harm Consumers' (reason.com) 104

Longtime Slashdot reader SonicSpike shares an op-ed from Reason, written by Sen. Rand Paul: In America, we do not punish businesses for their success. We certainly do not punish businesses because their competitors are struggling to keep pace. Sadly, that is exactly what the Department of Justice (DOJ) is attempting to do in its recent lawsuit against Apple. In March, the DOJ, joined by 15 states and the District of Columbia, filed a lawsuit aimed at penalizing Apple for successfully competing in the market for smartphones. However, like much of the Biden administration's approach to antitrust enforcement, the DOJ's lawsuit is focused on punishing Apple for its success rather than addressing any real harm to consumers. Instead of fostering innovation and competition, this approach threatens to stifle the very progress that benefits Americans.

In its lawsuit, the DOJ makes the unsubstantiated claim that Apple has "willfully monopolized" the smartphone market through "exclusionary" and "anticompetitive" conduct. In particular, it accuses Apple of exercising unwarranted control over the creation, distribution, and functioning of apps within the iPhone operating system. What the complaint ignores, however, is that this control is not simply a lawful business practice by a privately held company; it is an indispensable part of Apple's business model. Far from being an "anticompetitive" practice that harms consumers, Apple's careful approach to app integration is a pro-competitive way in which it meets its users' demands.

Privacy, security, and seamless integration have been the core of Apple's operational strategy for years. Back in 2010, Steve Jobs explained that "when selling to people who want their devices to just work, we think integrated wins every time." That "open systems don't always work," and Apple was "committed to the integrated approach." What makes Apple products so unique is their ease of use and consistency over time. While no product will ever be perfect, Apple's goal is to deliver a seamless, integrated experience that users can rely on time after time without giving it a second thought. How does Apple do this? By carefully exercising the very control that the DOJ is trying to punish. As economist Alex Tabarrok explains in Marginal Revolution: "Apple's promise to iPhone users is that it will be a gatekeeper. Gatekeeping is what allows Apple to promise greater security, privacy, usability and reliability. Gatekeeping is Apple's brand promise. Gatekeeping is what the consumer's are buying." [...]
"Digital markets do not need more government regulation; they need more companies willing to innovate and compete," concludes Sen. Paul. "The DOJ should not waste taxpayer-provided resources targeting a company that has earned its success through excellence in the marketplace. An Apple a day may keep the doctor away, but it seems that all of the pro-competitive justifications in the world cannot keep a politically motivated antitrust enforcer at bay."
Security

Indian Crypto Exchange Halts Withdrawals After Losing Half Its Reserves in Security Breach (techcrunch.com) 29

An anonymous reader shares a report: Indian crypto exchange WazirX on Thursday confirmed it had suffered a security breach after about $230 million in assets were "suspiciously transferred" out of the platform earlier in the day. The Mumbai-based firm said one of its multisig wallets had suffered a security breach, and it was temporarily pausing all withdrawals from the platform.

Lookchain, a third-party blockchain explorer, reported that more than 200 cryptocurrencies, including 5.43 billion SHIB tokens, over 15,200 Ethereum tokens, 20.5 million Matic tokens, 640 billion Pepe tokens, 5.79 million USDT, and 135 million Gala tokens were "stolen" from the platform.
WazirX reported holdings of about $500 million in its June proof-of-reserves disclosure.
Privacy

The Biggest Data Breaches In 2024: 1 Billion Stolen Records and Rising (techcrunch.com) 13

An anonymous reader quotes an excerpt from TechCrunch, written by Zack Whittaker: We're over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can't get any worse, they do. From huge stores of customers' personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks. Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped. These are some of the largest breaches highlighted in the report:

AT&T's Data Breaches: AT&T experienced two data breaches in 2024, affecting nearly all its customers and many non-customers. The breaches exposed phone numbers, call records, and personal information, risking account hijacks for 7.6 million customers.
Change Healthcare Hack: A ransomware attack on Change Healthcare resulted in the theft of sensitive medical data, affecting a substantial proportion of Americans. The breach caused widespread outages in healthcare services across the U.S. and compromised personal, medical, and billing information.
Synnovis Ransomware Attack: The cyberattack on U.K. pathology lab Synnovis disrupted patient services in London hospitals for weeks, leading to thousands of postponed operations and the exposure of data related to 300 million patient interactions.
Snowflake Data Theft (Including Ticketmaster): Cybercriminals stole hundreds of millions of records from Snowflake's corporate customers, including 560 million records from Ticketmaster. The breach affected data from multiple companies and institutions, exposing vast amounts of customer and employee information.
China

US To Issue Proposed Rules Limiting Chinese Vehicle Software in August (reuters.com) 31

The U.S. Commerce Department plans to issue proposed rules on connected vehicles next month and expects to impose limits on some software made in China and other countries deemed adversaries, a senior official said Tuesday. From a report: "We're looking at a few components and some software - not the whole car - but it would be some of the key driver components of the vehicle that manage the software and manage the data around that car that would have to be made in an allied country," said export controls chief Alan Estevez at a forum in Colorado.

In May, Commerce Secretary Gina Raimondo said her department planned to issue proposed rules on Chinese-connected vehicles this autumn and had said the Biden administration could take "extreme action" and ban Chinese-connected vehicles or impose restrictions on them after the Biden administration in February launched a probe into whether Chinese vehicle imports posed national security risks.

Privacy

Leaked Docs Show What Phones Cellebrite Can and Can't Unlock (404media.co) 41

Cellebrite, the well-known mobile forensics company, was unable to unlock a sizable chunk of modern iPhones available on the market as of April 2024, 404 Media reported Wednesday, citing leaked documents it obtained. From the report: Mobile forensics companies typically do not release details on what specific models their tools can or cannot penetrate, instead using vague terms in marketing materials. The documents obtained by 404 Media, which are given to customers but not published publicly, show how fluid and fast moving the success, or failure, of mobile forensic tools can be, and highlights the constant cat and mouse game between hardware and operating manufacturers like Apple and Google, and the hacking companies looking for vulnerabilities to exploit.

[...] For all locked iPhones able to run 17.4 or newer, the Cellebrite document says "In Research," meaning they cannot necessarily be unlocked with Cellebrite's tools. For previous iterations of iOS 17, stretching from 17.1 to 17.3.1, Cellebrite says it does support the iPhone XR and iPhone 11 series. Specifically, the document says Cellebrite recently added support to those models for its Supersonic BF [brute force] capability, which claims to gain access to phones quickly. But for the iPhone 12 and up running those operating systems, Cellebrite says support is "Coming soon."

United Kingdom

Britain's New Government Aims To Regulate Most Powerful AI Models (reuters.com) 19

Britain's new Labour government has said it will explore how to effectively regulate AI models, but stopped short of proposing any specific laws. From a report: King Charles set out newly-elected Prime Minister Keir Starmer's legislative agenda in a speech on Wednesday to open the new session of parliament. It included more than 35 new bills covering everything from housing to cyber security measures. The government said it would seek to establish the appropriate legislation to place requirements on those working to develop "the most powerful artificial intelligence models."
Security

Ransomware Continues To Pile on Costs For Critical Infrastructure Victims 21

Costs associated with ransomware attacks on critical national infrastructure (CNI) organizations skyrocketed in the past year. From a report: According to Sophos' latest figures, released today, the median ransom payments rose to $2.54 million -- a whopping 41 times last year's sum of $62,500. The mean payment for 2024 is even higher at $3.225 million, although this represents a less dramatic 6x increase. IT, tech, and telecoms were the least likely to pay mega bucks to cybercriminals with an average payment of $330,000, while lower education and federal government orgs reported the highest average payments at $6.6 million.

The numbers are based only on ransomware victims that were willing to disclose the details of their blunders, so do not present the complete picture. On the topic of ransom payments, only 86 CNI organizations of the total 275 involved in the survey offered data. There's a good chance that the numbers would be skewed if 100 percent of the total CNI ransomware victims polled were entirely transparent with their figures. Costs to recover from ransomware attacks are also significantly up compared to the researchers' report last year, with some CNI sectors' costs quadrupling to a median average of $3 million per incident. While the mean cost across oil, gas, energy, and utilities dropped slightly to $3.12 million from $3.17 million last year, the energy and water sectors saw the sharpest increase in recovery costs. The new average for just these two sectors is now four times greater than the global median cross-sector average of $750k, Sophos said.
Security

Senators Press AT&T, Snowflake For Answers on Wide-ranging Data Breach (therecord.media) 27

A bipartisan pair of U.S. senators pressed the leaders of AT&T and data storage company Snowflake on Tuesday for more information about the scope of a recent breach that allowed cybercriminals to steal records on "nearly all" of the phone giant's customers. From a report: "There is no reason to believe that AT&T's sensitive data will not also be auctioned and fall into the hands of criminals and foreign intelligence agencies," Sens. Richard Blumenthal (D-CT) and Josh Hawley (R-MO), the leaders of the Judiciary Committee's privacy subpanel, wrote Tuesday in a letter to AT&T Chief Executive Officer John Stankey.

The duo also sent a missive to Snowflake CEO Sridhar Ramaswamy that said the theft of AT&T subscriber information "appears to be connected with an ongoing series of breaches" of the company's clients, including Ticketmaster, Advance Auto Parts, and Santander Bank. "Disturbingly, the Ticketmaster and AT&T breaches appears [sic] to have been easily preventable," they wrote to Ramaswamy.
Blumenthal and Hawley have asked the corporate leaders to answer a series of questions about the lapses by July 29.
Privacy

Rite Aid Says Breach Exposes Sensitive Details of 2.2 Million Customers (arstechnica.com) 9

Rite Aid, the third-largest U.S. drug store chain, reported a ransomware attack that compromised the personal data of 2.2 million customers. The data exposed includes names, addresses, dates of birth, and driver's license numbers or other forms of government-issued ID from transactions between June 2017 and July 2018.

"On June 6, 2024, an unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems," the company said in a filing. "We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted." Ars Technica's Dan Goodin reports: RansomHub, the name of a relatively new ransomware group, has taken credit for the attack, which it said yielded more than 10GB of customer data. RansomHub emerged earlier this year as a rebranded version of a group known as Knight. According to security firm Check Point, RansomHub became the most prevalent ransomware group following an international operation by law enforcement in May that took down much of the infrastructure used by rival ransomware group Lockbit.

On its dark web site, RansomHub said it was in advanced stages of negotiation with Rite Aid officials when the company suddenly cut off communications. A Rite Aid official didn't respond to questions sent by email. Rite Aid has also declined to say if the employee account compromised in the breach was protected by multifactor authentication.

The Internet

Cloudflare Reports Almost 7% of Internet Traffic Is Malicious (zdnet.com) 34

In its latest State of Application Security Report, Cloudflare says 6.8% of traffic on the internet is malicious, "up a percentage point from last year's study," writes ZDNet's Steven Vaughan-Nichols. "Cloudflare, the content delivery network and security services company, thinks the rise is due to wars and elections. For example, many attacks against Western-interest websites are coming from pro-Russian hacktivist groups such as REvil, KillNet, and Anonymous Sudan." From the report: [...] Distributed Denial of Service (DDoS) attacks continue to be cybercriminals' weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year. But it's not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack.

The report also highlights the increased importance of application programming interface (API) security. With 60% of dynamic web traffic now API-related, these interfaces are a prime target for attackers. API traffic is growing twice as fast as traditional web traffic. What's worrying is that many organizations appear not to be even aware of a quarter of their API endpoints. Organizations that don't have a tight grip on their internet services or website APIs can't possibly protect themselves from attackers. Evidence suggests the average enterprise application now uses 47 third-party scripts and connects to nearly 50 third-party destinations. Do you know and trust these scripts and connections? You should -- each script or connection is a potential security risk. For instance, the recent Polyfill.io JavaScript incident affected over 380,000 sites.

Finally, about 38% of all HTTP requests processed by Cloudflare are classified as automated bot traffic. Some bots are good and perform a needed service, such as customer service chatbots, or are authorized search engine crawlers. However, as many as 93% of bots are potentially bad.

Security

Hackers Claim To Have Leaked 1.1 TB of Disney Slack Messages (wired.com) 69

A group calling itself "NullBulge" published a 1.1-TB trove of data late last week that it claims is a dump of Disney's internal Slack archive. From a report: The data allegedly includes every message and file from nearly 10,000 channels, including unreleased projects, code, images, login credentials, and links to internal websites and APIs. The hackers claim they got access to the data from a Disney insider and named the alleged collaborator.

Whether the hackers actually had inside help remains unconfirmed; they could also have plausibly used info-stealing malware to compromise an employee's account. Disney did not confirm the breach or return multiple requests for comment about the legitimacy of the stolen data. A Disney spokesperson told the Wall Street Journal that the company "is investigating this matter." The data, which appears to have been first published on Thursday, was posted on BreachForums and later taken down, but it is still live on mirror sites.
The hacker said they breached Disney in protest against AI-generated artwork.
Power

Italy Reconsiders Nuclear Energy 35 Years After Shutting Down Last Reactor (semafor.com) 173

Italian Prime Minister Giorgia Meloni plans to revive Italy's nuclear energy sector, focusing on small modular reactors to be operational within a decade. He said that nuclear energy could constitute at least 11% of the country's electricity mix by 2050. Semafor reports: Italy's energy minister told the Financial Times that the government would introduce legislation to support investment in small modular reactors, which could be operational within 10 years. [...] In Italy, concerns about energy security since Russia's invasion of Ukraine have pushed the government to reconsider nuclear power, Bloomberg wrote. Energy minister Pichetto Fratin told the Financial Times he was confident that Italians' historic "aversion" could be overcome, as nuclear technology now has "different levels of safety and benefits families and businesses." In Italy, safety is also top of mind: The Chernobyl tragedy of 1986 was the trigger for it to cease nuclear production in the first place, and the 2011 Fukushima disaster reignited those concerns. As of April, only 51% of Italians approved of nuclear power, according to polls shared by Il Sole 24 Ore.

The plan to introduce small modular reactors in Italy could add to the country's history of failure in nuclear energy, a former Italian lawmaker and researcher argued in Italian outlet Il Fatto Quotidiano, writing that these reactors are expensive and produce too little energy to justify an investment in them. They could also become obsolete within the next decade, the timeline for the government to introduce them, Italian outlet Domani added, and be overtaken by nuclear fusion reactors, which are more efficient and have "virtually no environmental impact." Italy's main oil company, Eni, has signed a deal with MIT spinout Commonwealth Fusion Systems, with the goal of providing the first operational nuclear fusion plant by 2030.

AI

Gemini AI Platform Accused of Scanning Google Drive Files Without User Permission (techradar.com) 23

Last week, Senior Advisor on AI Governance at the Center for Democracy & Technology, Kevin Bankston, took to X to report that Google's Gemini AI was caught summarizing his private tax return on Google Drive without his permission. "Despite attempts to disable the feature, Bankston found that Gemini's continued to operate in Google Drive, raising questions about Google's handling of user data and privacy settings," writes TechRadar's Craig Hale. From the report: After failing to find the right controls to disable Gemini's integration, the Advisor asked Google's ChatGPT-rivalling AI chatbot on two occasions to pinpoint the settings. A second, more detailed response still brought no joy: "Gemini is *not* in Apps and services on my dashboard (1st option), and I didn't have a profile pic in the upper right of the Gemini page (2nd)."

With help from another X user, Bankston found the control, which was already disabled, highlighting either a malfunctioning control or indicating that further settings are hidden elsewhere. However, previous Google documentation has confirmed that the company will not use Google Workspace data to train or improve its generative AI services or to feed targeted ads. Bankston theorizes that his previous participation in Google Workspace Labs might have influenced Gemini's behavior. The Gemini side panel in Google Drive for PDFs can be closed if a user no longer wishes to access generative AI summaries.

The Internet

Russian Boat Implicated in Norway Cable Sabotage Mystery (bloomberg.com) 28

In a perplexing turn of events that has raised concerns about the vulnerability of critical undersea infrastructure, Norway's Institute of Marine Research is reconfiguring its sophisticated underwater observatory after a mysterious incident left a section of its seafloor cable cleanly severed. The Lofoten-Vesteralen Ocean Observatory (LoVe), an advanced array of sensors designed to monitor marine life and environmental conditions off Norway's rugged coastline, unexpectedly went silent in April 2021, prompting an investigation that would uncover more questions than answers.

As the institute's acoustic engineer Guosong Zhang delved into the mystery, he meticulously traced ship movements in the area, uncovering a curious pattern: a Russian trawler had repeatedly crossed the cable's location at the precise time the outage occurred, a coincidence that seemed too striking to ignore. Despite this compelling lead, subsequent police investigations proved inconclusive, leaving the institute grappling with the unsettling possibility of deliberate sabotage.

The incident, compounded by similar damage to a communications cable serving the remote Svalbard archipelago, has cast a spotlight on the potential vulnerabilities of submarine assets in an era of heightened geopolitical tensions, with some experts pointing to the possibility of Russian intelligence activities targeting Norway's undersea infrastructure. In response to these challenges and the unresolved nature of the cable damage, the Institute of Marine Research has made the difficult decision to adapt its approach, opting to replace the compromised cable section with wireless modules -- a solution that, while sacrificing some data transmission capacity, aims to enhance the security and resilience of this vital scientific installation in the face of evolving threats beneath the waves.
Security

Weak Security Defaults Enabled Squarespace Domains Hijacks (krebsonsecurity.com) 11

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Krebs on Security: Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn't yet been registered, merely by supplying an email address tied to an existing domain. The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors' cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks. But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options -- such as "Continue with Google" or "Continue with Apple" -- as opposed to the "Continue with email" choice.

Security

Kaspersky Lab Closing US Division, Laying Off Workers After Ban (zetter-zeroday.com) 15

Russian cybersecurity firm, Kaspersky Lab, has told workers in its U.S.-based division that they are being laid off this week and that it is closing its U.S. business, Zero Day reported Monday, citing sources. From a report: The sudden move comes after the U.S. Commerce Department announced last month that it was banning the sale of Kaspersky software in the U.S. beginning July 20. The company has been selling its software here since 2005. Kaspersky confirmed the news to Zero Day, saying that beginning July 20 it will "gradually wind down" its U.S. operations and eliminate U.S.-based positions as a result of the new ban, despite initially vowing to fight the ban in court.
Facebook

Facebook Ads For Windows Desktop Themes Push Info-Stealing Malware (bleepingcomputer.com) 28

Cybercriminals are using Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware. From a report: Trustwave researchers who observed the campaigns said the threat actors also promote fake downloads for pirated games and software, Sora AI, 3D image creator, and One Click Active. While using Facebook advertisements to push information-stealing malware is not new, the social media platform's massive reach makes these campaigns a significant threat.

The threat actors take out advertisements that promote Windows themes, free game downloads, and software activation cracks for popular applications, like Photoshop, Microsoft Office, and Windows. These advertisements are promoted through newly created Facebook business pages or by hijacking existing ones. When using hijacked Facebook pages, the threat actors rename them to suit the theme of their advertisement and to promote the downloads to the existing page members.

Google

Google Near $23 Billion Deal for Cybersecurity Startup Wiz (wsj.com) 15

Alphabet, Google's parent company, is reportedly in advanced negotiations to acquire cloud security startup Wiz for approximately $23 billion, Wall Street Journal reported on Sunday. The potential deal, which would value Wiz at nearly double its most recent private valuation of $12 billion, underscores the growing importance of cybersecurity in Alphabet's enterprise strategy as it seeks to narrow the gap with cloud computing rivals such as Microsoft, Morgan Stanley said in a note.

Founded in January 2020, Wiz has quickly established itself as a leading player in the Cloud-Native Application Protection Platform (CNAPP) space, utilizing an agentless approach to secure cloud application deployments throughout their lifecycle. The company's platform continuously assesses and prioritizes critical risks across various security domains, providing customers with a comprehensive view of their cloud security posture. Wiz has experienced rapid growth since its inception, with annual recurring revenue (ARR) exceeding $350 million as of January 2024, representing a year-over-year increase of over 75%. The company boasts an impressive client roster, with more than 40% of Fortune 100 companies among its customers, and has raised nearly $2 billion in funding to date.

If confirmed, the acquisition would mark Alphabet's largest to date, significantly expanding its footprint in the burgeoning cloud security market. The move follows previous security-focused acquisitions by the tech giant, including the $5.4 billion purchase of Mandiant in 2022 and the $500 million acquisition of Siemplify. Morgan Stanley adds that the potential acquisition could raise questions about Wiz's ability to maintain neutrality across multiple cloud platforms, potentially benefiting competitors such as Palo Alto Networks and CrowdStrike in the near term.
