The Washington Post writes that Telegram's "anything-goes approach" to its 950 million users "has also made it one of the internet's largest havens for child predators, experts say...."

"Durov's critics say his public idealism masks an opportunistic business model that allows Telegram to profit from the worst the internet has to offer, including child sexual abuse material, or CSAM... " [Telegram is] an app of choice for political organizing, including by dissidents under repressive regimes. But it is equally appealing for terrorist groups, criminal organizations and sexual predators, who use it as a hub to share and consume nonconsensual pornography, AI "deepfake" nudes, and illegal sexual images and videos of exploited minors, said Alex Stamos, chief information security officer at the cybersecurity firm SentinelOne. "Due to their advertised policy of not cooperating with law enforcement, and the fact that they are known not to scan for CSAM, Telegram has attracted large groups of pedophiles trading and selling child abuse materials," Stamos said.

That reach comes even though many Telegram exchanges don't actually use the strong forms of encryption available on true private messaging apps, he added. Telegram is used for private messaging, public posts and group chats. Only one-to-one conversations can be encrypted in a way that even Telegram can't access them. And that occurs only if users choose the option, meaning the company could turn over everything else to governments if it wanted to... French prosecutors argue that Durov is in fact responsible for Telegram's emergence as a global haven for illegal content, including CSAM, because of his reluctance to moderate it and his refusal to help authorities police it, among other allegations...

David Kaye, a professor at University of California, Irvine School of Law and former U.N. special rapporteur on freedom of expression... said that while Telegram has at times banned groups and taken down [CSAM] content in response to law enforcement, its refusal to share data with investigators sets it apart from most other major tech companies. Unlike U.S.-based platforms, Telegram is not required by U.S. law to report instances of CSAM to the National Center for Missing and Exploited Children, or NCMEC. Many online platforms based overseas do so anyway — but not Telegram. "NCMEC has tried to get them to report, but they have no interest and are known for not wanting to work with [law enforcement agencies] or anyone in this space," a NCMEC spokesperson said.
The Post also writes that Telegram "has repeatedly been revealed to serve as a tool to store, distribute and share child sexual imagery." (They cite several examples, including two different men convicted to minimum sentences of at least 10 years for using the service to purchase CSAM and solicit explicit photos from minors.)

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials. The order, issued by a judge in Ohio's Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city's data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group's dark web site, which is accessible to anyone with a TOR browser.

Columbus Mayor Andrew Ginther said on August 13 that a "breakthrough" in the city's forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them "unusable" to the thieves. Ginther went on to say the data's lack of integrity was likely the reason the ransomware group had been unable to auction off the data. Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.

On Thursday, the city of Columbus sued Ross (PDF) for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him "interacting" with them and required special expertise and tools. The suit went on to challenge Ross alerting reporters to the information, which ii claimed would not be easily obtained by others. "Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so," city attorneys wrote. "The dark web-posted data is not readily available for public consumption. Defendant is making it so." The same day, a Franklin County judge granted the city's motion for a temporary restraining order (PDF) against Ross. It bars the researcher "from accessing, and/or downloading, and/or disseminating" any city files that were posted to the dark web. The motion was made and granted "ex parte," meaning in secret before Ross was informed of it or had an opportunity to present his case.

A recent indictment (PDF) of an Alaska man stands out due to the sophisticated use of multiple encrypted communication tools, privacy-focused apps, and dark web technology. "I've never seen anyone who, when arrested, had three Samsung Galaxy phones filled with 'tens of thousands of videos and images' depicting CSAM, all of it hidden behind a secrecy-focused, password-protected app called 'Calculator Photo Vault,'" writes Ars Technica's Nate Anderson. "Nor have I seen anyone arrested for CSAM having used all of the following: [Potato Chat, Enigma, nandbox, Telegram, TOR, Mega NZ, and web-based generative AI tools/chatbots]." An anonymous reader shares the report: According to the government, Seth Herrera not only used all of these tools to store and download CSAM, but he also created his own -- and in two disturbing varieties. First, he allegedly recorded nude minor children himself and later "zoomed in on and enhanced those images using AI-powered technology." Secondly, he took this imagery he had created and then "turned to AI chatbots to ensure these minor victims would be depicted as if they had engaged in the type of sexual contact he wanted to see." In other words, he created fake AI CSAM -- but using imagery of real kids.

The material was allegedly stored behind password protection on his phone(s) but also on Mega and on Telegram, where Herrera is said to have "created his own public Telegram group to store his CSAM." He also joined "multiple CSAM-related Enigma groups" and frequented dark websites with taglines like "The Only Child Porn Site you need!" Despite all the precautions, Herrera's home was searched and his phones were seized by Homeland Security Investigations; he was eventually arrested on August 23. In a court filing that day, a government attorney noted that Herrera "was arrested this morning with another smartphone -- the same make and model as one of his previously seized devices."

The government is cagey about how, exactly, this criminal activity was unearthed, noting only that Herrera "tried to access a link containing apparent CSAM." Presumably, this "apparent" CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it. In the end, given that fatal click, none of the "I'll hide it behind an encrypted app that looks like a calculator!" technical sophistication accomplished much. Forensic reviews of Herrera's three phones now form the primary basis for the charges against him, and Herrera himself allegedly "admitted to seeing CSAM online for the past year and a half" in an interview with the feds.

"I've been somewhat okay about backing up our home data," writes long-time Slashdot reader 93 Escort Wagon.

But they could use some good advice: We've got a couple separate disks available as local backup storage, and my own data also gets occasionally copied to encrypted storage at BackBlaze. My daughter has her own "cloud" backups, which seem to be a manual push every once in a while of random files/folders she thinks are important. Including our media library, between my stuff, my daughter's, and my wife's... we're probably talking in the neighborhood of 10 TB for everything at present. The whole setup is obviously cobbled together, and the process is very manual. Plus it's annoying since I'm handling Mac, Linux, and Windows backups completely differently (and sub-optimally). Also, unsurprisingly, the amount of data we possess does seem to be increasing with time.

I've been considering biting the bullet and buying an NAS [network-attached storage device], and redesigning the entire process — both local and remote. I'm familiar with Synology and DSM from work, and the DS1522+ looks appealing. I've also come across a lot of recommendations for QNAP's devices, though. I'm comfortable tackling this on my own, but I'd like to throw this out to the Slashdot community.

What NAS do you like for home use. And what disks did you put in it? What have your experiences been?
Long-time Slashdot reader AmiMoJo asks "Have you considered just building one?" while suggesting the cheapest option is low-powered Chinese motherboards with soldered-in CPUs. And in the comments on the original submission, other Slashdot readers shared their examples:

• destined2fail1990 used an AMD Threadripper to build their own NAS with 10Gbps network connectivity.
• DesertNomad is using "an ancient D-Link" to connect two Synology DS220 DiskStations
• Darth Technoid attached six Seagate drives to two Macbooks. "Basically, I found a way to make my older Mac useful by simply leaving it on all the time, with the external drives attached."

But what's your suggestion? Share your own thoughts and experiences. What NAS do you like for home use? What disks would you put in it?

And what have your experiences been?

Indonesia said it is beginning to recover data that had been encrypted in a major ransomware attack last month which affected more than 160 government agencies. From a report: The attackers identified as Brain Cipher asked for $8 million in ransom to unlock the data before later apologising and releasing the decryption key for free, according to Singapore-based cybersecurity firm StealthMole. The attack has disrupted multiple government services including immigration and operations at major airports. Indonesian officials have acknowledged that the bulk of the data had not been backed up. Chief Security Minister Hadi Tjahjanto said in a statement late on Thursday that data for 30 public services overseen by 12 ministries had been recovered using a "decryption strategy" without elaborating.

Indonesian President Joko Widodo ordered on Friday an audit of government data centres after officials said the bulk of data affected by a recent ransomware cyberattack was not backed up, exposing the country's vulnerability to such attacks. From a report: Last week's cyberattack, the worst in Indonesia in recent years, has disrupted multiple government services including immigration and operations at major airports. The government has said more than 230 public agencies, including ministries, had been affected, but has refused to pay an $8 million ransom demanded to retrieve the encrypted data.

Responding to the cyberattack, Indonesia's state auditor said the president instructed it to examine the country's data centres. The audit would cover "governance and the financial aspect", said Muhammad Yusuf Ateh, who heads Indonesia's Development and Finance Controller, after attending a cabinet meeting led by Widodo on Friday. Hinsa Siburian, an official who chairs Indonesia's cyber security agency known by its acronym BSSN, has said 98% of the government data stored in one of the two compromised data centres had not been backed up.

An anonymous reader shares a report: Over the weekend, a clip from a recent interview with Telegram's founder Pavel Durov went semi-viral on X (previously Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company, and that he only employs "about 30 engineers." Security experts say that while Durov was bragging about his Dubai-based company being "super efficient," what he said was actually a red flag for users.

"Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare," Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.) Green was referring to the fact that -- by default -- chats on Telegram are not end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user has to start a "Secret Chat" to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient.

Also, over the years, many people have cast doubt over the quality of Telegram's encryption, given that the company uses its own proprietary encryption algorithm, created by Durov's brother, as he said in an extended version of the Carlson interview. Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said that it's important to remember that Telegram, unlike Signal, is a lot more than just a messaging app.

The New York Times has confirmed that its internal source code was leaked on 4chan after being stolen from the company's GitHub repositories in January 2024. BleepingComputer reports: As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data. "Basically all source code belonging to The New York Times Company, 270GB," reads the 4chan forum post. "There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar."

While BleepingComputer did not download the archive, the threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company's GitHub repository. The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game. A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data. The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations. The Times said in a statement to BleepingComputer: "The underlying event related to yesterday's posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity."

An anonymous reader quotes a report from BleepingComputer: The FBI urges past victims of LockBit ransomware attacks to come forward after revealing that it has obtained over 7,000 LockBit decryption keys that they can use to recover encrypted data for free. FBI Cyber Division Assistant Director Bryan Vorndran announced this on Wednesday at the 2024 Boston Conference on Cyber Security. "From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online," the FBI Cyber Lead said in a keynote. "We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov."

This call to action comes after law enforcement took down LockBit's infrastructure in February 2024 in an international operation dubbed "Operation Cronos." At the time, police seized 34 servers containing over 2,500 decryption keys, which helped create a free LockBit 3.0 Black Ransomware decryptor. After analyzing the seized data, the U.K.'s National Crime Agency and the U.S. Justice Department estimate the gang and its affiliates have raked in up to $1 billion in ransoms following 7,000 attacks targeting organizations worldwide between June 2022 and February 2024. However, despite law enforcement efforts to shut down its operations, LockBit is still active and has since switched to new servers and dark web domains. After disrupting LockBit in February, the U.S. State Department said it is offering a reward of up to $15 million for information leading to the identification or location of the leaders of the ransomware group.

An anonymous reader quotes a report from Wired: When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the"magical" things about it was that the data doesn't leave your laptop; theWindows Recall system takes screenshots of your activity every five seconds and saves them on the device. But security experts say that data may not stay there for long. Two weeks ahead ofRecall's launch on new Copilot+ PCs on June 18, security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker. And now, in a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity strategist and ethical hacker, has released a demo tool that can automatically extract and display everything Recall records on a laptop.

Dubbed TotalRecall -- yes, after the 1990 sci-fi film -- the tool can pull all the information that Recall saves into its main database on a Windows laptop. "The database is unencrypted. It's all plain text," Hagenah says. Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. "It's a Trojan 2.0 really, built in," Hagenah says, adding that he built TotalRecall -- which he's releasing on GitHub -- in order to show what is possible and to encourage Microsoft to make changes before Recall fully launches. [...] TotalRecall, Hagenah says, can automatically work out where the Recall database is on a laptop and then make a copy of the file, parsing all the data as it does so. While Microsoft's new Copilot+ PCs aren't out yet, it's possible to use Recall by emulating a version of the devices. "It does everything automatically," he says. The system can set a date range for extracting the data -- for instance, pulling information from only one specific week or day. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, Hagenah says.

Included in what the database captures are screenshots of whatever is on your desktop -- a potential gold mine for criminal hackers or domestic abusers who may physically access their victim's device. Images include captures of messages sent on encrypted messaging apps Signal and WhatsApp, and remain in the captures regardless of whether disappearing messages are turned on in the apps. There are records of websites visited and every bit of text displayed on the PC. Once TotalRecall has been deployed, it will generate a summary about the data; it is also possible to search for specific terms in the database. Hagenah says an attacker could get a huge amount of information about their target, including insights into their emails, personal conversations, and any sensitive information that's captured by Recall. Hagenah's work builds on findings from cybersecurity researcher Kevin Beaumont, who has detailed how much information Recall captures and how easy it can be to extract it.

Slashdot reader storagedude shares a provocative post from the cybersecurity news blog of Cyble Inc. (a Ycombinator-backed company promising "AI-powered actionable threat intelligence").

The post delves into concerns that the new "Recall" feature planned for Windows (on upcoming Copilot+ PCs) is "a security and privacy nightmare." Copilot Recall will be enabled by default and will capture frequent screenshots, or "snapshots," of a user's activity and store them in a local database tied to the user account. The potential for exposure of personal and sensitive data through the new feature has alarmed security and privacy advocates and even sparked a UK inquiry into the issue. In a long Mastodon thread on the new feature, Windows security researcher Kevin Beaumont wrote, "I'm not being hyperbolic when I say this is the dumbest cybersecurity move in a decade. Good luck to my parents safely using their PC."

In a blog post on Recall security and privacy, Microsoft said that processing and storage are done only on the local device and encrypted, but even Microsoft's own explanations raise concerns: "Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry." Security and privacy advocates take issue with assertions that the data is stored securely on the local device. If someone has a user's password or if a court orders that data be turned over for legal or law enforcement purposes, the amount of data exposed could be much greater with Recall than would otherwise be exposed... And hackers, malware and infostealers will have access to vastly more data than they would without Recall.

Beaumont said the screenshots are stored in a SQLite database, "and you can access it as the user including programmatically. It 100% does not need physical access and can be stolen.... Recall enables threat actors to automate scraping everything you've ever looked at within seconds."
Beaumont's LinkedIn profile and blog say that starting in 2020 he worked at Microsoft for nearly a year as a senior threat intelligence analyst. And now Beaumont's Mastodon post is also raising other concerns (according to Cyble's blog post):

• "Sensitive data deleted by users will still be saved in Recall screenshots... 'If you or a friend use disappearing messages in WhatsApp, Signal etc, it is recorded regardless.'"

• "Beaumont also questioned Microsoft's assertion that all this is done locally."

The blog post also notes that Leslie Carhart, Director of Incident Response at Dragos, had this reaction to Beaumont's post. "The outrage and disbelief are warranted."

Microsoft's Windows Recall feature is attracting controversy before even venturing out of preview. From a report: The principle is simple. Windows takes a snapshot of a user's active screen every few seconds and dumps it to disk. The user can then scroll through the snapshots and, when something is selected, the user is given options to interact with the content.

Mozilla's Chief Product Officer, Steve Teixeira, told The Register: "Mozilla is concerned about Windows Recall. From a browser perspective, some data should be saved, and some shouldn't. Recall stores not just browser history, but also data that users type into the browser with only very coarse control over what gets stored. While the data is stored in encrypted format, this stored data represents a new vector of attack for cybercriminals and a new privacy worry for shared computers.

"Microsoft is also once again playing gatekeeper and picking which browsers get to win and lose on Windows -- favoring, of course, Microsoft Edge. Microsoft's Edge allows users to block specific websites and private browsing activity from being seen by Recall. Other Chromium-based browsers can filter out private browsing activity but lose the ability to block sensitive websites (such as financial sites) from Recall. "Right now, there's no documentation on how a non-Chromium based, third-party browser, such as Firefox, can protect user privacy from Recall. Microsoft did not engage our cooperation on Recall, but we would have loved for that to be the case, which would have enabled us to partner on giving users true agency over their privacy, regardless of the browser they choose."

Researchers have discovered a new attack that can force VPN applications to route traffic outside the encrypted tunnel, thereby exposing the user's traffic to potential snooping or manipulation. This vulnerability, named TunnelVision, is found in almost all VPNs on non-Linux and non-Android systems. It's believe that the vulnerability "may have been possible since 2002 and may already have been discovered and used in the wild since then," reports Ars Technica. From the report: The effect of TunnelVision is "the victim's traffic is now decloaked and being routed through the attacker directly," a video demonstration explained. "The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the Internet." The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. [...]

The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It's also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server. The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that's diverted away from this tunnel will not be encrypted by the VPN and the Internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there's a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation. The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn't in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device. You can learn more about the research here.

An anonymous reader quotes a report from Futurism: In a new blog post from LastPass, the password management firm used by countless personal and corporate clients to help protect their login information, the company explains that someone used AI voice-cloning tech to spoof the voice of its CEO in an attempt to trick one of its employees. As the company writes in the post, one of its employees earlier this week received several WhatsApp communications -- including calls, texts, and a voice message -- from someone claiming to be its CEO, Karim Toubba. Luckily, the LastPass worker didn't fall for it because the whole thing set off so many red flags. "As the attempted communication was outside of normal business communication channels and due to the employee's suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency)," the post reads, "our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally."

While this LastPass scam attempt failed, those who follow these sorts of things may recall that the company has been subject to successful hacks before. In August 2022, as a timeline of the event compiled by the Cybersecurity Dive blog detailed, a hacker compromised a LastPass engineer's laptop and used it to steal source code and company secrets, eventually getting access to its customer database -- including encrypted passwords and unencrypted user data like email addresses. According to that timeline, the clearly-resourceful bad actor remained active in the company's servers for months, and it took more than two months for LastPass to admit that it had been breached. More than six months after the initial breach, Toubba, the CEO, provided a blow-by-blow timeline of the months-long attack and said he took "full responsibility" for the way things went down in a February 2023 blog post.

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)" In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense. "If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."

New documents from a class action against Meta "reveal some of the specific ways it tackled rivals in recent years," reports the Observer.

"One of them was using software made by a mobile data analytics company called Onavo in 2016 to access user activities on Snapchat, and eventually Amazon and YouTube, too." Facebook acquired Onavo in 2013 and shut it down in 2019 after a TechCrunch report revealed that the company was paying teenagers to use the software to collect user data.

In 2020, two Facebook users filed a class action lawsuit in the U.S. District Court for the Northern District of California against Meta, then called Facebook, alleging the company engaged in anticompetitive practices and exploited user data. In 2023, the plaintiffs' attorney Brian J. Dunne submitted documents listing how Facebook used Onavo's software to spy on competitors, including Snapchat. According to the documents, made public this week, the Onavo team pitched and launched a project codenamed "Ghostbusters" — in reference to the Snapchat logo — where they developed "kits that can be installed on iOS or Android that intercept traffic for specific sub-domains," allowing them "to read what would otherwise be encrypted traffic so we can measure in-app usage."

The documents also included a presentation from the Onavo team to Mark Zuckerberg showing that they had the ability to track "detailed in-app activity" by "parsing Snapchat analytics collected from incentivized participants in Onavo's program...." The technology was used to do the same to YouTube from 2017 to 2018 and Amazon in 2018, according to the documents. "The intended and actual result of this program was to harm competition, including Facebook's then-nascent Social Advertising competitor Snapchat," the document alleged.

Court filings unsealed last week allege Meta created an internal effort to spy on Snapchat in a secret initiative called "Project Ghostbusters." Gizmodo: Meta did so through Onavo, a Virtual Private Network (VPN) service the company offered between 2016 and 2019 that, ultimately, wasn't private at all. "Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them," said Mark Zuckerberg in an email to three Facebook executives in 2016, unsealed in Meta's antitrust case on Saturday. "It seems important to figure out a new way to get reliable analytics about them... You should figure out how to do this."

Thus, Project Ghostbusters was born. It's Meta's in-house wiretapping tool to spy on data analytics from Snapchat starting in 2016, later used on YouTube and Amazon. This involved creating "kits" that can be installed on iOS and Android devices, to intercept traffic for certain apps, according to the filings. This was described as a "man-in-the-middle" approach to get data on Facebook's rivals, but users of Onavo were the "men in the middle."

Meta's Onavo unit has a history of using invasive techniques to collect data on Facebook's users. Meta acquired Onavo from an Israeli firm over 10 years ago, promising users private networking, as most VPNs do. However, the service was reportedly used to spy on rival social media apps through tens of millions of people who downloaded Onavo. It gave Facebook valuable intel about competitors, and this week's court filings seem to confirm that. A team of senior executives and roughly 41 lawyers worked on Project Ghostbusters, according to court filings. The group was heavily concerned with whether to continue the program in the face of press scrutiny. Facebook ultimately shut down Onavo in 2019 after Apple booted the VPN from its app store.

An anonymous reader quotes a report from BleepingComputer: AT&T says a massive trove of data impacting 71 million people did not originate from its systems after a hacker leaked it on a cybercrime forum and claimed it was stolen in a 2021 breach of the company. While BleepingComputer has not been able to confirm the legitimacy of all the data in the database, we have confirmed some of the entries are accurate, including those whose data is not publicly accessible for scraping. The data is from an alleged 2021 AT&T data breach that a threat actor known as ShinyHunters attempted to sell on the RaidForums data theft forum for a starting price of $200,000 and incremental offers of $30,000. The hacker stated they would sell it immediately for $1 million.

AT&T told BleepingComputer then that the data did not originate from them and that its systems were not breached. "Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T told BleepingComputer in 2021. When we told ShinyHunters that AT&T said the data did not originate from them, they replied, "I don't care if they don't admit. I'm just selling." AT&T continues to tell BleepingComputer today that they still see no evidence of a breach in their systems and still believe that this data did not originate from them.

Today, another threat actor known as MajorNelson leaked data from this alleged 2021 data breach for free on a hacking forum, claiming it was the data ShinyHunters attempted to sell in 2021. This data includes names, addresses, mobile phone numbers, encrypted date of birth, encrypted social security numbers, and other internal information. However, the threat actors have decrypted the birth dates and social security numbers and added them to another file in the leak, making those also accessible. BleepingComputer has reviewed the data, and while we cannot confirm that all 73 million lines are accurate, we verified some of the data contains correct information, including social security numbers, addresses, dates of birth, and phone numbers. Furthermore, other cybersecurity researchers, such as Dark Web Informer, who first told BleepingComputer about the leaked data, and VX-Underground have also confirmed some of the data to be accurate. Despite AT&T's statement, BleepingComputer says if you were an AT&T customer before and through 2021, it's "[safe] to assume that your data was exposed and can be used in targeted attacks."

Have I Been Pwned's Troy Hunt writes: "I have proven, with sufficient confidence, that the data is real and the impact is significant."

"A ransomware gang once thought to have been crippled by law enforcement has snarled prescription processing for millions of Americans over the past week..." reports the Washington Post.

"The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network as it worked to recover." Insurance giant UnitedHealthcare Group said the hackers struck its Change Health business unit, which routes prescription claims from pharmacies to companies that determine whether patients are covered by insurance and what they should pay... Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee for funneling claims to insurers. "When one of them goes down, obviously it's a major problem," said Patrick Berryman, a senior vice president at the National Community Pharmacists Association...

UnitedHealth estimated that more than 90 percent of the nation's 70,000-plus pharmacies have had to alter how they process electronic claims as a result of the Change Health outage. But it said only a small number of patients have been unable to get their prescriptions at some price. At CVS, which operates one of the largest pharmacy networks in the nation, a spokesperson said there are "a small number of cases in which our pharmacies are not able to process insurance claims" as a result of the outage. It said workarounds were allowing it to fill prescriptions, however...

For pharmacies that were not able to quickly route claims to a different company, the Change Health outage left pharmacists to try to manually calculate a patient's co-pay or offer them the cash price. Compounding the impact, thousands of organizations cut off Change Health from their systems to ensure the hackers did not infect their networks as well... The attack on Change Health has left many pharmacies in a cash-flow bind, as they face bills from the companies that deliver the medication without knowing when they will be reimbursed by insurers. Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.

The situation has been "extremely disruptive," said Erin Fox, associate chief pharmacy officer at University of Utah Health. "At our system, our retail pharmacies were providing three-day gratis emergency supplies for patients who could not afford to pay the cash price," Fox said by email. "In some cases, like for inhalers, we had to send product out at risk, not knowing if we will ever get paid, but we need to take care of the patients." Axis Pharmacy Northwest near Seattle is "going out on a limb and dispensing product with absolutely no inkling if we'll get paid or not," said Richard Molitor, the pharmacist in charge. UPDATE: CNN reports Change Healthcare has now announced "plans for a temporary loan program to get money flowing to health care providers affected by the outage." It's a stop-gap measure meant to give some financial relief to health care providers, which analysts say are losing millions of dollars per day because of the outage. Some US officials and health care executives told CNN it may be weeks before Change Healthcare returns to normal operations.
"Once standard payment operations resume, the funds will simply need to be repaid," the company said in a statement. Change Healthcare has been under pressure from senior US officials to get their systems back online. Officials from the White House and multiple federal agencies, including the department of Health and Human Services, have been concerned by the broad financial and health impact of the hack and have been pressing for ways to get Change Healthcare back online, sources told CNN...

In a message on its website Friday afternoon, Change Healthcare also said that it was launching a new version of its online prescribing service following the cyberattack.
Thanks to Slashdot reader CaptainDork for sharing the news.

Apple is rolling out an upgrade to its iMessage texting platform to defend against future encryption-breaking technologies. From a report: The new protocol, known as PQ3, is another sign that U.S. tech firms are bracing for a potential future breakthrough in quantum computing that could make current methods of protecting users' communications obsolete. "More than simply replacing an existing algorithm with a new one, we rebuilt the iMessage cryptographic protocol from the ground up," an Apple blog post published on Wednesday reads. "It will fully replace the existing protocol within all supported conversations this year."

The Cupertino, California-based iPhone maker says its encryption algorithms are state-of-the-art and that it has found no evidence so far of a successful attack on them. Still, government officials and scientists are concerned that the advent of quantum computers, advanced machines that tap in to the properties of subatomic particles, could suddenly and dramatically weaken those protections. Late last year, a Reuters investigation explored how the United States and China are racing to prepare for that moment, dubbed "Q-Day," both by pouring money into quantum research and by investing in new encryption standards known as post-quantum cryptography. Washington and Beijing have traded allegations of intercepting massive amounts of encrypted data in preparation for Q-Day, an approach sometimes dubbed "catch now, crack later." More on Apple's security blog.