Microsoft

44 Million Microsoft Users Reused Passwords in the First Three Months of 2019 (zdnet.com) 34

The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. From a report: The scan took place between January and March 2019. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.
Transportation

Uber Loses License To Operate in London, One of Its Biggest Markets (venturebeat.com) 109

Uber has lost its license to operate in London, one of its biggest markets globally, with a local transport regulator reaffirming a previous claim that Uber is not a "fit and proper" operator. From a report: The regulator also found that Uber's systems are "easily manipulated" by unauthorized drivers. The announcement follows a two-year battle with Transport for London (TfL) that kicked off back in September 2017, when the local transport regulator ruled that Uber failed to take sufficient "corporate responsibility" when it came to safety and security. Concerns included its approach to reporting crimes and its process for driver background checks. Although TfL conceded that Uber has since made some "positive changes," the regulator identified a continued "pattern of failures," including "breaches that placed passengers and their safety at risk." "As the regulator of private hire services in London, we are required to make a decision today on whether Uber is fit and proper to hold a licence," said Helen Chapman, TfL's director of licensing, regulation, and charging. "Safety is our absolute top priority. While we recognize Uber has made improvements, it is unacceptable that Uber has allowed passengers to get into minicabs with drivers who are potentially unlicensed and uninsured."
Bitcoin

IRS Identifies 'Dozens' of New Crypto, Cybercriminals (bloomberg.com) 57

The IRS's criminal division identified "dozens" of potential cryptocurrency tax evaders or cybercriminals after a meeting this week with tax authorities from four other countries. Bloomberg reports: Officials from the U.S., U.K., Australia, Canada and the Netherlands -- known as the Joint Chiefs of Global Tax Enforcement -- shared data, tools and tax enforcement strategies to find new leads in a quest to mitigate cross-border money-laundering, tax evasion and cybercrime. The IRS's cybercrime unit has developed expertise in "who is moving the money and where it's going," Ryan Korner, a senior special agent in the IRS's Criminal Investigations office in Los Angeles, said in a call with reporters Friday. "We have tools in place that we didn't have six months or a year ago."

The effort is part of the Internal Revenue Service's renewed focus on fighting tax evasion tied to cryptocurrency as digital currency has become more popular and gained in value. The agency has struggled in recent years to enforce tax laws and keep up with criminals as technology has advanced. "Tax fraud is not a new crime, but the sophistication with which criminals commit tax fraud has significantly increased through cyber-related activities in recent years," the joint chiefs said in a statement. "Data breaches, intrusions, takeovers and compromises are the new tools that criminals use to commit tax crimes." The IRS is preparing for a new wave of cryptocurrency audits. The agency sent letters to more than 10,000 people earlier this year, warning that they might be subject to penalties for skirting taxes on their virtual investments. The IRS and its partners are using data from previous enforcement activities to find new criminals, Korner said. Using the data from the five countries gives them a broader view of how accounts, money and people are connected.

Security

Ransomware, Data Breaches At Hospitals Tied To Uptick In Fatal Heart Attacks (krebsonsecurity.com) 35

New submitter byteme01 writes: Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security -- or the lack thereof -- may be impacting patient outcomes. Researchers at Vanderbilt University's Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach. As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined. The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.
The Internet

Data Breaches Reported at NetworkSolutions, Register.com, and Web.com (krebsonsecurity.com) 17

"Top domain name registrars NetworkSolutions.com, Register.com and Web.com are asking customers to reset their passwords after discovering an intrusion in August 2019 in which customer account information was accessed," reports security researcher Brian Krebs: "On October 16, 2019, Web.com determined that a third-party gained unauthorized access to a limited number of its computer systems in late August 2019, and as a result, account information may have been accessed," Web.com said in a written statement. "No credit card data was compromised as a result of this incident." The Jacksonville, Fla.-based Web.com said the information exposed includes "contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder...."

Both Network Solutions and Register.com are owned by Web.com. Network Solutions is now the world's fifth-largest domain name registrar, with almost seven million domains in its stable, according to domainstate.com; Register.com listed at #17 with 1.7 million domains.... Web.com said it has reported the incident to law enforcement and hired an outside security firm to investigate further, and is in the process of notifying affected customers through email and via its website....

Web.com wasn't clear how long the intrusion lasted, but if the breach wasn't detected until mid-October that means the intruders potentially had about six weeks inside unnoticed. That's a long time for an adversary to wander about one's network, and plenty of time to steal a great deal more information than just names, addresses and phone numbers.

Cloud

Would You Trust Amazon To Run Free and Fair Elections? (reuters.com) 80

More than 40 of America's 50 states now use Amazon's technology infrastructure for their elections, according to this Reuters article shared by joeblog. And so do both of America's political parties:

While it does not handle voting on election day, AWS -- along with a broad network of partners -- now runs state and county election websites, stores voter registration rolls and ballot data, facilitates overseas voting by military personnel and helps provide live election-night results, according to company documents and interviews... Amazon pitches itself as a low-cost provider of secure election technology at a time when local officials and political campaigns are under intense pressure to prevent a repeat of 2016 presidential elections, which saw cyber-attacks on voting systems and election infrastructure....

Most security experts Reuters spoke to said that while Amazon's cloud is likely much harder to hack than systems it is replacing, putting data from many jurisdictions on a single system raises the prospect that a single major breach could prove damaging. "It makes Amazon a bigger target" for hackers, "and also increases the challenge of dealing with an insider attack," said Chris Vickery, director of cyber risk research at cybersecurity startup Upguard. A recent hack into Capital One Financial Corp's data stored on Amazon's cloud service was perpetrated by a former Amazon employee. The breach affected more than 100 million customers, underscoring how rogue employees or untrained workers can create security risks even if the underlying systems are secure...

Vickery uncovered at least three instances where voter data on Amazon's cloud servers was exposed to the internet, which have been reported previously. For example, in 2017, he found a Republican contractor's database for nearly every registered American voter hosted on AWS exposed on the internet for 12 days. In 2016, he found Mexico's entire voter database on AWS servers was leaked. Amazon said the breaches were caused by customer errors, adding that while AWS secures the cloud infrastructure, customers are responsible for security of what goes in the cloud.

Government

Libertarian Accused of Faking 1.5M Net Neutrality Comments Using Data-Breached Addresses (buzzfeednews.com) 60

BuzzFeed says they've identified two firms which "misappropriated names and personal information as part of a bid to submit more than 1.5 million statements" pretending to oppose net neutrality regulations: The anti-net neutrality comments harvested on behalf of Broadband for America, the industry group that represented telecommunications giants including AT&T, Cox, and Comcast, were uploaded to the FCC website by Media Bridge founder Shane Cory, a former executive director of both the Libertarian Party and the conservative sting group Project Veritas. Cory has claimed credit for "20 or 30" major public advocacy campaigns in recent years, including, he says, record-setting submissions to the IRS, Environmental Protection Agency, Bureau of Land Management, Bureau of Ocean Energy Management, and "probably a handful of others." On Media Bridge's website, the company has described itself as having expertise in "overwhelming government agencies" with avalanches of public submissions, and has publicly dubbed its approach to marshaling comments the "Big Hammer." In the FCC campaign, Cory was working for Ralph Reed -- a high-powered political strategist and titan of the Christian right who himself was working for Broadband for America. Cory, in turn, enlisted LCX Digital to find the commenters...

BuzzFeed News ran large samples of the email addresses in those files through Have I Been Pwned, a website that identifies whether an address has been exposed in any of hundreds of major data breaches. The results were stark: In one particular group of 1.9 million comments, according to BuzzFeed News' analysis, 94% of the email addresses belonged to people who had fallen victim to a hack known as the Modern Business Solutions data breach, in which millions of people's personal information, including full names, birthdates, home addresses, and email addresses, had been stolen... All these comments were uploaded by Cory, using his Media Bridge email address. (Some of the comments were full duplicates; after removing them, there were just over 1.5 million comment-and-email combinations.)

In its letter to BuzzFeed News, Media Bridge contested the idea that email addresses showing up in breached databases were a sign of improprieties. In fact, it said, a "high match rate" is a sign of validity, since most Americans appear in breached databases....

Two of the commenters were named Luke Skywalker and Boba Fett -- and yet mysteriously "the names and street addresses were exactly as they appeared in that breach... A separate spot check by BuzzFeed News of 100 randomly selected Media Bridge comments revealed a similar pattern -- even down to a street address that used underscores instead of spaces."

In addition, BuzzFeed found that "almost all" of the remaining 6% appears to just be "recycled" identities drawn from comments left in 2016 when the FCC was considering a new rule that would allow cable consumers to use their own set-top boxes -- a regulation that the cable industry opposed. "One year later, 99.9% of those exact same names and addresses appeared on the FCC's website, weighing in on an entirely different policy debate -- net neutrality. They were uploaded by Media Bridge."
Privacy

France Set To Roll Out Nationwide Facial Recognition ID Program (bloomberg.com) 40

France is poised to become the first European country to use facial recognition technology to give citizens a secure digital identity -- whether they want it or not. From a report: Saying it wants to make the state more efficient, President Emmanuel Macron's government is pushing through plans to roll out an ID program, dubbed Alicem, in November, earlier than an initial Christmas target. The country's data regulator says the program breaches the European rule of consent and a privacy group is challenging it in France's highest administrative court. It took a hacker just over an hour to break into a "secure" government messaging app this year, raising concerns about the state's security standards. None of that is deterring the French interior ministry. "The government wants to funnel people to use Alicem and facial recognition," said Martin Drago, a lawyer member of the privacy group La Quadrature du Net that filed the suit against the state. "We're heading into mass usage of facial recognition. (There's) little interest in the importance of consent and choice." The case, filed in July, won't suspend Alicem.
Security

New York Sues Dunkin' Donuts Over Hack Affecting Thousands of People (cnet.com) 30

Dunkin' Donuts is facing a lawsuit from the New York attorney general over its failure to disclose a data breach affecting nearly 20,000 people. The hack affected thousands of people signed up for the company's "DD Perks" loyalty program. From a report: The lawsuit alleges that Dunkin' Donuts failed to protect its customers, and knew about the cyberattacks for years before warning the public. In Dunkin' Brand's public notification from last November, it said that it learned about the hack on October 31, 2018, and warned its customers a month later. New York attorney general Letitia James said the company knew it was suffering cyberattacks as early as 2015, and violated the state's data breach notification law. "Dunkin' failed to protect the security of its customers," James said in a statement. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."
Security

Exposed RDP Servers See 150K Brute-Force Attempts Per Week (techrepublic.com) 51

Slashdot reader Cameyo shares a report from TechRepublic: Remote Desktop Protocol (RDP) is -- to the frustration of security professionals -- both remarkably insecure and indispensable in enterprise computing. The September 2019 Patch Tuesday round closed two remote code execution bugs in RDP, while the high-profile BlueKeep and DejaBlue vulnerabilities from earlier this year have sent IT professionals into a patching frenzy. With botnets brute-forcing over 1.5 million RDP servers worldwide, a dedicated RDP security tool is needed to protect enterprise networks against security breaches. Cameyo released on Wednesday an open-source RDP monitoring tool -- appropriately titled RDPmon -- for enterprises to identify and secure against RDP attacks in its environment. The tool provides a visualization of the total number of attempted RDP connections to servers, as well as a view of the currently running applications, the number of RDP users, and what programs those users are running, likewise providing insight to the existence of unapproved software. RDPmon operates entirely on-premise; the program data is not accessible to Cameyo.

Customers of Cameyo's paid platform can also utilize the RDP Port Shield feature, also released Wednesday, which opens RDP ports for authenticated users by setting IP address whitelists in Windows Firewall when users need to connect. RDP was designed with the intent to be run inside private networks, not accessible over the internet. Despite that, enterprise use of RDP over the internet is sufficiently widespread that RDP servers are a high-profile, attractive target for hackers.
The report says Cameyo found that Windows public cloud machines on default settings -- that is, with port 3389 open -- experience more than 150,000 login attempts per week.
Medicine

Millions of Americans' Medical Images and Data Are Available On the Internet (arstechnica.com) 22

An anonymous reader quotes a report from ProPublica: Medical images and health data belonging to millions of Americans, including X-rays, MRIs, and CT scans, are sitting unprotected on the Internet and available to anyone with basic computer expertise. The records cover more than 5 million patients in the United States and millions more around the world. In some cases, a snoop could use free software programs -- or just a typical Web browser -- to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.

We identified 187 servers -- computers that are used to store and retrieve medical data -- in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors' offices, medical-imaging centers, and mobile X-ray services. The insecure servers we uncovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more infamous recent security breaches, in which hackers circumvented a company's cyber defenses, these records were often stored on servers that lacked the security precautions that long ago became standard for businesses and government agencies.
The exposed data varied depending on the health provider and the software they use. "For instance, the server of U.S. company MobilexUSA displayed the names of more than a million patients -- all by typing in a simple data query," reports ProPublica. "Their dates of birth, doctors, and procedures were also included."

"Another imaging system, tied to a physician in Los Angeles, allowed anyone on the Internet to see his patients' echocardiograms," the report adds. "All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates, and, in some cases, Social Security numbers."

The authors of the report recommend you ask your health care provider or doctor if access to your images requires a login and password, and to ask if they conduct a regular security assessment as required by HIPAA.
Privacy

Database Leaks Data on Most of Ecuador's Citizens, Including 6.7 Million Children (zdnet.com) 11

The personal records of most of Ecuador's population, including children, have been left exposed online due to a misconfigured database, ZDNet reported Monday. From the report: The database, an Elasticsearch server, was discovered two weeks ago by vpnMentor security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet. Together, we worked to analyze the leaking data, verify its authenticity, and contact the server owner. The leaky server is one of the, if not the biggest, data breaches in Ecuador's history, a small South American country with a population of 16.6 million citizens. The Elasticsearch server contained a total of approximately 20.8 million user records, a number larger than the country's total population count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons.
Australia

Australian House Committee To Look Into Age Verification For Porn (zdnet.com) 62

An anonymous reader quotes a report from ZDNet: Australia is once again deciding to follow in the tracks of the United Kingdom, with the House of Representatives Standing Committee on Social Policy and Legal Affairs to look into age verification for online pornography and online wagering. The matter was referred to the committee by the Minister for Families and Social Services, Senator Anne Ruston and Minister for Communications, Cyber Safety, and the Arts, Paul Fletcher. The terms of reference for the inquiry state that it will be looking into age verification under the auspices of protecting children online.

The committee will look into "the potential benefits of further online age verification requirements, including to protect children from potential harm, and business and non-government organizations from reputation, operational and legal risks," the terms state. Potential risks and unintended consequences for age verification will be looked into as well, the terms state, including privacy breaches, freedom of expression, false assurance, and whether adults are pushing into "unregulated/illegal environments or to other legal forms of these activities." The committee will also examine the economic impact of age verification, and the impact on "eSafety resourcing, education, and messaging."
The UK's age verification system for online pornography became mandatory on July 15.
Security

Thousands of Servers Infected With New Lilocked (Lilu) Ransomware (zdnet.com) 71

Longtime Slashdot reader Merovech shares a report from ZDNet: Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu). Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only. The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results. However, the number of victims is suspected to be much much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results.
Why it should scare you:
- affects Linux servers
- so far the vector of infection / vulnerability is unknown
- you can craft a Google search to watch it spread!

United States

Feds Order Apple and Google To Hand Over Names of 10,000+ Users of Gun Scope App (forbes.com) 123

An anonymous reader quotes a report from Forbes: Own a rifle? Got a scope to go with it? The government might soon know who you are, where you live and how to reach you. That's because Apple and Google have been ordered by the U.S. government to hand over names, phone numbers and other identifying data of at least 10,000 users of a single gun scope app, Forbes has discovered. It's an unprecedented move: never before has a case been disclosed in which American investigators demanded personal data of users of a single app from Apple and Google. And never has an order been made public where the feds have asked the Silicon Valley giants for info on so many thousands of people in one go.

According to a court order filed by the Department of Justice (DOJ) on 5 September, investigators want information on users of Obsidian 4, a tool used to control rifle scopes made by night vision specialist American Technologies Network Corp. The app allows gun owners to get a live stream, take video and calibrate their gun scope from an Android or iPhone device. According to the Google Play page for Obsidian 4, it has more than 10,000 downloads. Apple doesn't provide download numbers, so it's unclear how many iPhone owners have been swept up in this latest government data grab. The Immigration and Customs Enforcement (ICE) department is seeking information as part of a broad investigation into possible breaches of weapons export regulations. It's looking into illegal exports of ATN's scope, though the company itself isn't under investigation, according to the order. As part of that, investigators are looking for a quick way to find out where the app is in use, as that will likely indicate where the hardware has been shipped. ICE has repeatedly intercepted illegal shipments of the scope, which is controlled under the International Traffic in Arms Regulation (ITAR), according to the government court filing. They included shipments to Canada, the Netherlands and Hong Kong where the necessary licenses hadn't been obtained.
The two companies must hand over names, telephone numbers and IP addresses of anyone who downloaded the scope app from August 1, 2017, to the current date. The government also wants to know when users were operating the app.
Privacy

Major Breach Found in Biometrics System Used By Banks, UK Police and Defence Firms (theguardian.com) 21

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks, The Guardian reported Wednesday. From the report: Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings. Last month, Suprema announced its Biostar 2 platform was integrated into another access control system -- AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police. The Israeli security researchers Noam Rotem and Ran Locar working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies' systems that could potentially lead to data breaches. In a search last week, the researchers found Biostar 2's database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
Security

Epic Hit With Class-Action Suit Over Hacked Fortnite Accounts (polygon.com) 12

Epic Games is being sued over security breaches that allowed hackers to access the personal information of Epic Games accounts. From a report: The class-action lawsuit, filed by Franklin D. Azar & Associates in U.S. District Court in North Carolina, alleges Epic's "failure to maintain adequate security measures and notify users of the security breach in a timely manner." The lawsuit states that "there are more than 100 class members." In January, Epic acknowledged that a bug in Fortnite may have exposed personal information for millions of user accounts.
Idle

$7,000 Contest Seeks Better Stock Images For 'Cybersecurity' (theverge.com) 82

An anonymous reader quotes The Verge: Cybersecurity stock images are predictable at this point: a hooded man with a shadowy face in front of a keyboard or a mysterious person in front of binary code. A design firm called OpenIDEO thinks these images can be better, so it's hosting a contest to entice visual creators to make images that are eye-catching, informative, and clear.

"Cybersecurity," which could mean data breaches, hacks, or policy changes, is a difficult concept to visually represent, so OpenIDEO is going to reward creators for their work. The group, in association with a private organization called the William and Flora Hewlett Foundation, issued an open call late last month for cybersecurity-related image submissions with plans to award $7,000 to up to five people.

The contest rules specify they're not looking for "Overused, stereotypical, fear-inducing images of cybersecurity. These create personal misperceptions and aversions, and may lead to a series of repercussions regarding public understanding of cybersecurity and data safety." And there's even a helpful collection of images providing examples of "What we're not looking for."

The deadline for submissions is August 16th, and all finalists must agree to using a Creative Commons license. "We believe that this type of licensing helps ensure your work reaches the widest possible audience..."
Security

Capital One's Breach Was Inevitable, Because We Did Nothing After Equifax (techcrunch.com) 165

An anonymous reader shares a report: Another day, another massive data breach. This time it's the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a data breach it had -- and hid from the public for several months -- two years prior. Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action. Equifax's chief executive Richard Smith "retired" before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened.

An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine -- which amounted to about 20% of the company's annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly. Legislatively, nothing has changed. Equifax remains as much of a "victim" in the eyes of the law as it was before -- technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Security

Don't Put Your Work Email on Your Personal Phone (medium.com) 192

Many of us have given up on the idea of carrying around a dedicated work phone. After all, why bother when you can get everything you need on your personal smartphone? Here's one reason: Your work account might be spying on you in the background. From a column: When you add a work email address to your phone, you'll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you'll blindly accept it. (What other choice do you have?) MDM is set up by your company's IT department to reach inside your phone in the background, allowing them to ensure your device is secure, know where it is, and remotely erase your data if the phone is stolen. From your company's perspective, there are obvious security reasons for installing an MDM on an employee's phone. But for employees, it's difficult to tell what these invisible profiles are collecting behind the scenes, as they provide people at your company with invisible control over your device. That's why when it comes to your phone, no matter how much you trust your IT department, it's a good idea to keep work and pleasure separate.

MDM profiles, paired with device management tools, allow companies to track employee phones in a single dashboard. They can mitigate security breaches or potential harm from a rogue employee; if you work for a law firm, say, and your boss worries you're leaking sensitive emails from your smartphone, they could remotely wipe your data. MDM profiles can also force you to use a long password on your device, rather than a simple PIN, among other policies.
