An anonymous reader quotes a report from Ars Technica: Two researchers at the University of California, Davis -- Yanning Li and Alan Jenn -- have determined that nearly two-thirds of [California's] feeder lines don't have the capacity that will likely be needed for car charging. Updating to handle the rising demand might set its utilities back as much as 40 percent of the existing grid's capital cost. Li and Jenn aren't the first to look at how well existing grids can handle growing electric vehicle sales; other research has found various ways that different grids fall short. However, they have access to uniquely detailed data relevant to California's ability to distribute electricity (they do not concern themselves with generation). They have information on every substation, feeder line, and transformer that delivers electrons to customers of the state's three largest utilities, which collectively cover nearly 90 percent of the state's population. In total, they know the capacity that can be delivered through over 1,600 substations and 5,000 feeders.[...]

By 2025, only about 7 percent of the feeders will experience periods of overload. By 2030, that figure will grow to 27 percent, and by 2035 -- only about a decade away -- about half of the feeders will be overloaded. Problems grow a bit more slowly after that, with two-thirds of the feeders overloaded by 2045, a decade after all cars sold in California will be EVs. At that point, total electrical demand will be close to twice the existing capacity. The problems aren't evenly distributed, though. They appear first in high-population areas like the Bay Area. And throughout this period, most of the problems are in feeders that serve residential and mixed-use neighborhoods. The feeders that serve neighborhoods that are primarily business-focused don't see the same coordinated surge in demand that occurs as people get home from work and plug in; they're better able to serve the more erratic use of charging stations at office complexes and shopping centers. In terms of the grid, residential services will need to see their capacity expand by about 16 gigawatts by 2045. Public chargers will need nine gigawatts worth of added capacity by the same point. The one wild card is direct current fast charging. Eliminating fast chargers entirely would reduce the number of feeders that need upgrades by 12 percent. Converting all public stations to DC fast charging, in contrast, would boost that number by 15 percent. So the details of the upgrades that will be needed will be very sensitive to the impatience of EV drivers.

Paying for the necessary upgrades will be pricey, but there's a lot of uncertainty here. Li and Jenn came up with a range of anywhere between $6 billion and $20 billion. They put this in context in two ways. The total capital invested in the existing grid is estimated to be $51 billion, so the cost of updating it could be well over a third of its total value. At the same time, the costs will be spread out over decades and only total up to (at most) three times the grid's annual operation and maintenance costs. So in any one year, the costs shouldn't be crippling. All that might be expected to drive the cost of electricity up. But Li and Jenn suggest that the greater volume of electricity consumption will exert a downward pressure on prices (people will pay more overall but pay somewhat less per unit of electricity). Based on a few economic assumptions, the researchers conclude that this would roughly offset the costs of the necessary grid expansion, so the price per unit of electricity would be largely static. The findings have been published in the journal Proceedings of the National Academy of Sciences (PNAS).

Andy Greenberg reports via Wired: More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data. In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would "cover a substantial proportion of people in America."

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack -- and the profit AlphV extracted from it -- will lead ransomware gangs to further target health care companies. "It 100 percent encourages other actors to target health care organizations," Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. "And it's one of the industries we don't want ransomware actors to target -- especially when it affects hospitals." Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.

An anonymous reader quotes a report from Reuters: The Dutch privacy watchdog AP on Friday said it was recommending that government organizations should stop using Facebook as long as it is unclear what happens with personal data of users of the government's Facebook pages. "People that visit a government's page need to be able to trust that their personal and sensitive data is in safe hands," AP chairman Aleid Wolfsen said in a statement. Junior minister for digitalization Alexandra van Huffelen said Facebook parent company Meta had to make clear before the summer how it could take away the government's concerns on the safety of data. "Otherwise we will be forced to stop using Facebook, in line with this advice," she said.

An anonymous reader quotes a report from the New York Times: Consumers have grown accustomed to the prospect that their personal data, such as email addresses, social contacts, browsing history and genetic ancestry, are being collected and often resold by the apps and the digital services they use. With the advent of consumer neurotechnologies, the data being collected is becoming ever more intimate. One headband serves as a personal meditation coach by monitoring the user's brain activity. Another purports to help treat anxiety and symptoms of depression. Another reads and interprets brain signals while the user scrolls through dating apps, presumably to provide better matches. ("'Listen to your heart' is not enough," the manufacturer says on its website.) The companies behind such technologies have access to the records of the users' brain activity -- the electrical signals underlying our thoughts, feelings and intentions.

On Wednesday, Governor Jared Polis of Colorado signed a bill that, for the first time in the United States, tries to ensure that such data remains truly private. The new law, which passed by a 61-to-1 vote in the Colorado House and a 34-to-0 vote in the Senate, expands the definition of "sensitive data" in the state's current personal privacy law to include biological and "neural data" generated by the brain, the spinal cord and the network of nerves that relays messages throughout the body. "Everything that we are is within our mind," said Jared Genser, general counsel and co-founder of the Neurorights Foundation, a science group that advocated the bill's passage. "What we think and feel, and the ability to decode that from the human brain, couldn't be any more intrusive or personal to us." "We are really excited to have an actual bill signed into law that will protect people's biological and neurological data," said Representative Cathy Kipp, Democrat of Colorado, who introduced the bill.

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)" In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense. "If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and AETN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

Personal data from 73 million AT&T customers has leaked onto the dark web, reports CNN — both current and former customers.

AT&T has launched an investigation into the source of the data leak... In a news release Saturday morning, the telecommunications giant said the data was "released on the dark web approximately two weeks ago," and contains information such as account holders' Social Security numbers. ["The information varied by customer and account," AT&T said in a statement, " but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode."]

"It is not yet known whether the data ... originated from AT&T or one of its vendors," the company added. "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set."

The data seems to have been from 2019 or earlier. The leak does not appear to contain financial information or specifics about call history, according to AT&T. The company said the leak shows approximately 7.6 million current account holders and 65.4 million former account holders were affected.
CNN says the first reports of the leak came two weeks ago from a social media account claiming "the largest collection of malware source code, samples, and papers. Reached for a comment by CNN, AT&T had said at the time that "We have no indications of a compromise of our systems."

AT&T's web site now includes a special page with an FAQ — and the tagline that announces "We take cybersecurity very seriously..."

"It has come to our attention that a number of AT&T passcodes have been compromised..."

The page points out that AT&T has already reset the passcodes of "all 7.6 million impacted customers." It's only further down in the FAQ that they acknowledge that the breach "appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and 65.4 million former account holders." Our internal teams are working with external cybersecurity experts to analyze the situation... We encourage customers to remain vigilant by monitoring account activity and credit reports. You can set up free fraud alerts from nationwide credit bureaus — Equifax, Experian, and TransUnion. You can also request and review your free credit report at any time via Freecreditreport.com...

We will reach out by mail or email to individuals with compromised sensitive personal information and offering complimentary identity theft and credit monitoring services... If your information was impacted, you will be receiving an email or letter from us explaining the incident, what information was compromised, and what we are doing for you in response.

America's Department of Homeland Security "is expected to stop buying access to data showing the movement of phones," reports the U.S. news site NOTUS.

They call the purchasers "a controversial practice that has allowed it to warrantlessly track hundreds of millions of people for years." Since 2018, agencies within the department — including Immigration and Customs Enforcement, U.S. Customs and Border Protection and the U.S. Secret Service — have been buying access to commercially available data that revealed the movement patterns of devices, many inside the United States. Commercially available phone data can be bought and searched without judicial oversight.

Three people familiar with the matter said the Department of Homeland Security isn't expected to buy access to more of this data, nor will the agency make any additional funding available to buy access to this data. The agency "paused" this practice after a 2023 DHS watchdog report [which had recommended they draw up better privacy controls and policies]. However, the department instead appears to be winding down the use of the data...

"The information that is available commercially would kind of knock your socks off," said former top CIA official Michael Morell on a podcast last year. "If we collected it using traditional intelligence methods, it would be top-secret sensitive. And you wouldn't put it in a database, you'd keep it in a safe...." DHS' internal watchdog opened an investigation after a bipartisan outcry from lawmakers and civil society groups about warrantless tracking...
"Meanwhile, U.S. spy agencies are fighting to preserve the same capability as part of the renewal of surveillance authorities," the article adds.

"A bipartisan coalition of lawmakers, led by Democratic Sen. Ron Wyden in the Senate and Republican Rep. Warren Davidson in the House, is pushing to ban U.S. government agencies from buying data on Americans."

Lindsay Clark reports via The Register: The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrollment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices. The NMC said its data was secure with a high level of quality, allowing it to fulfill its regulatory role, although it was on "a journey of improvement." But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases -- holding information about 800,000 registered professionals -- are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us.

The databases have no version control systems. Important fields for identifying individuals were used inconsistently -- for example, containing junk data, test data, or null data. Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower. Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register. The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information.

The whistleblower's complaint claims the NMC falls well short of [the standards required under current UK law for data protection and the EU's General Data Protection Regulation (GDPR)]. The statement alleges that the NMC's "data management and data retrieval practices were completely unacceptable." "There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honorable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organization," the statement says. For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals' names, start with a letter or other invalid data, or are simply null. The whistleblower's complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce "accurate, correct, business critical reports ... because frankly no one knows where the correct data is to be found." A spokesperson for the NMC said the register was "organized and documented" in the SQL Server database. "For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record. This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared."

The U.S. Department of Transportation has announced it will conduct a review of the data practices of the country's ten largest airlines, amid concerns over potential misuse of customer information for upselling, overcharging, targeted advertising, and third-party data sales, as well as the security of systems handling sensitive data such as passport numbers. From a report: The probe will look at air carriers' policies and procedures to determine if they are safeguarding personal info properly, unfairly or deceptively monetizing it, or sharing it with third parties, the agency said yesterday. If they're indeed doing anything "problematic," they can look forward to scrutiny, fines, and new rules, says the DOT. "Airline passengers should have confidence that their personal information is not being shared improperly with third parties or mishandled by employees," said US Transportation Secretary Pete Buttigieg.

"This review of airline practices is the beginning of a new initiative by DOT to ensure airlines are being good stewards of sensitive passenger data." The ten airlines going under the magnifying glass are Delta, United, American, Southwest, Alaska, JetBlue, Spirit, Frontier, Hawaiian and Allegiant.

An anonymous reader quotes a report from Wired: When thousands of security researchers descend on Las Vegas every August for what's come to be known as "hacker summer camp," the back-to-back Black Hat and Defcon hacker conferences, it's a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city's elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room's gadgets, from its TV to its bedside VoIP phone. One team of hackers spent those days focused on the lock on the room's door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they're finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.

Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries. By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel -- say, by booking a room there or grabbing a keycard out of a box of used ones -- then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it.

Dormakaba says that it's been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks. For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door. Wouters and Carroll say they were nonetheless told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Given that the locks aren't connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.

"The environment in which kids grow up today is hostile to human development," argues Jonathan Haidt, a social psychologist and business school ethics professor, saying that since the early 2010s, "something went suddenly and horribly wrong for adolescents."

The Atlantic recently published an excerpt from his book The Anxious Generation: How the Great Rewiring of Childhood Is Causing an Epidemic of Mental Illness.: By a variety of measures and in a variety of countries, the members of Generation Z (born in and after 1996) are suffering from anxiety, depression, self-harm, and related disorders at levels higher than any other generation for which we have data... I think the answer can be stated simply, although the underlying psychology is complex: Those were the years when adolescents in rich countries traded in their flip phones for smartphones and moved much more of their social lives online — particularly onto social-media platforms designed for virality and addiction. Once young people began carrying the entire internet in their pockets, available to them day and night, it altered their daily experiences and developmental pathways across the board. Friendship, dating, sexuality, exercise, sleep, academics, politics, family dynamics, identity — all were affected...

There's an important backstory, beginning as long ago as the 1980s, when we started systematically depriving children and adolescents of freedom, unsupervised play, responsibility, and opportunities for risk taking, all of which promote competence, maturity, and mental health. But the change in childhood accelerated in the early 2010s, when an already independence-deprived generation was lured into a new virtual universe that seemed safe to parents but in fact is more dangerous, in many respects, than the physical world. My claim is that the new phone-based childhood that took shape roughly 12 years ago is making young people sick and blocking their progress to flourishing in adulthood. We need a dramatic cultural correction, and we need it now...

A simple way to understand the differences between Gen Z and previous generations is that people born in and after 1996 have internal thermostats that were shifted toward defend mode. This is why life on college campuses changed so suddenly when Gen Z arrived, beginning around 2014. Students began requesting "safe spaces" and trigger warnings. They were highly sensitive to "microaggressions" and sometimes claimed that words were "violence." These trends mystified those of us in older generations at the time, but in hindsight, it all makes sense. Gen Z students found words, ideas, and ambiguous social encounters more threatening than had previous generations of students because we had fundamentally altered their psychological development.
The article argues educational scores also began dropping around 2012, while citing estimates that America's average teenager spends seven to nine hours a day on screen-based activities. "Everything else in an adolescent's day must get squeezed down or eliminated entirely to make room for the vast amount of content that is consumed... The main reason why the phone-based childhood is so harmful is because it pushes aside everything else." (For example, there's "the collapse of time spent interacting with other people face-to-face.")

The article warns of fragmented attention, disrupted learning, social withdrawal, and "the decay of wisdom and the loss of meaning." ("This rerouting of enculturating content has created a generation that is largely cut off from older generations and, to some extent, from the accumulated wisdom of humankind, including knowledge about how to live a flourishing life.") Its proposed solution?

• No smartphones before high school
• No social media before 16
• Phoneâfree schools
• More independence, free play, and responsibility in the real world

"We didn't know what we were doing in the early 2010s. Now we do. It's time to end the phone-based childhood."

Thanks to long-time Slashdot reader schwit1 and sinij for sharing the article.

The Federal Trade Commission (FTC) filed a legal complaint against two companies based in Cyprus on Wednesday that it claims are behind a wave of malicious pop-ups that trick people into downloading a fake piece of antivirus software that generated tens of millions of dollars for its operators, according to court records. From a report: The scam also involved misrepresenting results on malware repository VirusTotal as infections on the user's own computer. (Update: after the publication of this piece the FTC announced that Restoro and Reimage will pay $26 million to settle the FTC's charges.)

The move is the latest from the FTC in a series of actions in the privacy and cybersecurity space. In January, the FTC banned a data broker called X-Mode from selling sensitive location data after I revealed it was harvesting location data from Muslim prayer and dating apps. In this case, the FTC says it went "undercover" against the two related companies, called Restoro and Reimage, to buy the deceiving software and have phone calls with company representatives. "Since at least January 2018, Defendants have operated a tech support scheme that has bilked tens of millions of dollars from consumers, particularly older consumers," the FTC's complaint reads. The complaint is seeking a permanent injunction against the two companies as well as monetary relief.

Controversial eyeball scanning startup Worldcoin has failed to get an injunction against a temporary suspension ordered Wednesday by Spain's data protection authority, the AEPD. TechCrunch: The authority used emergency powers contained in the European Union's General Data Protection Regulation (GDPR) to make the local order, which can apply for up to three months. It said it was taking the precautionary measure against Worldcoin's operator, Tools for Humanity, in light of the sensitive nature of the biometric data being collected, which could pose a high risk to the rights and freedoms of individuals. It also raised specific concerns about risks to minors, citing complaints received.

Today a Madrid-based High Court declined to grant an injunction against the AEPD's order, saying that the "safeguarding of public interest" must be prioritized. As we reported Friday, the crypto blockchain biometrics digital identity firm shuttered scanning in the market shortly after the AEPD order -- which gave it 72 hours to comply. Today's court decision means Worldcoin's services remain suspended in Spain -- for up to three months.

An anonymous reader shared this report from the Guardian: The U.S. is not secretly hiding alien technology or extraterrestrial beings from the public, according to a defense department report.

On Friday, the Pentagon 'published the findings of an investigation conducted by the All-Domain Anomaly Resolution Office (AARO), a government office established in 2022 to detect and, as necessary, mitigate threats including "anomalous, unidentified space, airborne, submerged and transmedium objects"....

AARO investigators, which were "granted full access to all pertinent sensitive [U.S. government] programs", reviewed all official government investigatory efforts since 1945. Investigators also researched classified and unclassified archives, conducted approximately 30 interviews, and collaborated with intelligence community and defense department officials responsible for controlled and special access program oversight, the report revealed.
NPR writes that "Many of the sightings turned out to be drones, weather balloons, spy planes, satellites, rockets and planets, according to the report..." "AARO has found no evidence that any U.S. government investigation, academic-sponsored research, or official review panel has confirmed that any sighting of a UAP represented extraterrestrial technology," Pentagon Press Secretary Maj. Gen. Pat Ryder said in a statement Friday. All investigative efforts concluded that most sightings were ordinary objects and the result of misidentification, Ryder said... The office plans to publish a second volume of the report later this year that covers findings from interviews and research done between November 2023 and April 2024."
The report finds no evidence of any confirmed alien technology, the Guardian notes: It added that sensors and visual observations are imperfect, the vast majority of cases lack actionable data and such available data is limited or of poor quality. The report also said resources and staffing for such programs have largely been irregular and sporadic and that the vast majority of reports "almost certainly" are the result of misidentification. In addition, the report found "no empirical evidence for claims that the [U.S. government] and private companies have been reverse-engineering extraterrestrial technology"...

The report's public release comes as AARO's acting director, Timothy Phillips, told reporters on Wednesday that the US military is developing a UFO sensor and detection system called Gremlin. "If we have a national security site and there are objects being reported that [are] within restricted airspace or within a maritime range or within the proximity of one of our spaceships, we need to understand what that is ... and so that's why we're developing sensor capability that we can deploy in reaction to reports," Phillips said, CNN reports.

" A federal agency in charge of cybersecurity discovered it was hacked last month..." reports CNN.

Last month the U.S. Department of Homeland Security experienced a breach at its Cybersecurity and Infrastructure Security Agency, reports the Record, "through vulnerabilities in Ivanti products, officials said..."

"The impact was limited to two systems, which we immediately took offline," the spokesperson said. We continue to upgrade and modernize our systems, and there is no operational impact at this time."

"This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience." CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline.

Ivanti makes software that organizations use to manage IT, including security and system access. A source with knowledge of the situation told Recorded Future News that the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. CISA declined to confirm or deny whether these are the systems that were taken offline. CSAT houses some of the country's most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

CISA said organizations should review an advisory the agency released on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.
"Last week, several of the world's leading cybersecurity agencies revealed that hackers had discovered a way around a tool Ivanti released to help organizations check if they had been compromised," the article points out.

The statement last week from CISA said the agency "has conducted independent research in a lab environment validating that the Ivanti Integrity Checker Tool is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets."

UPDATE: The two systems run on older technology that was already set to be replaced, sources told CNN..." While there is some irony in it, even cybersecurity agencies or officials can be victims of hacking. After all, they rely on the same technology that others do. The US' top cybersecurity diplomat Nate Fick said last year that his personal account on social media platform X was hacked, calling it part of the "perils of the job."

An anonymous reader quotes a report from Krebs on Security: There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. "ALPHV") as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change's network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate's disclosure appears to have prompted BlackCat to cease operations entirely. [...]

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a "ransomware-as-service" collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid. "But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin," the affiliate "Notchy" wrote. "Sadly for Change Healthcare, their data [is] still with us." [...] On the bright side, Notchy's complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems. BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers. However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code. [...] BlackCat's website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat's network.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an "exit scam" on affiliates by withholding many ransomware payment commissions at once and shutting down the service. "ALPHV/BlackCat did not get seized," Wosar wrote on Twitter/X today. "They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice." Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat's exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own. "The affiliates still have this data, and they're mad they didn't receive this money, Smilyanets told Wired.com. "It's a good lesson for everyone. You cannot trust criminals; their word is worth nothing."

Long-time Slashdot reader Greymane shared this article from Wired: [I]n a demonstration of the risks of connected, autonomous AI ecosystems, a group of researchers has created one of what they claim are the first generative AI worms — which can spread from one system to another, potentially stealing data or deploying malware in the process. "It basically means that now you have the ability to conduct or to perform a new kind of cyberattack that hasn't been seen before," says Ben Nassi, a Cornell Tech researcher behind the research. Nassi, along with fellow researchers Stav Cohen and Ron Bitton, created the worm, dubbed Morris II, as a nod to the original Morris computer worm that caused chaos across the Internet in 1988. In a research paper and website shared exclusively with WIRED, the researchers show how the AI worm can attack a generative AI email assistant to steal data from emails and send spam messages — breaking some security protections in ChatGPT and Gemini in the process...in test environments [and not against a publicly available email assistant]...

To create the generative AI worm, the researchers turned to a so-called "adversarial self-replicating prompt." This is a prompt that triggers the generative AI model to output, in its response, another prompt, the researchers say. In short, the AI system is told to produce a set of further instructions in its replies... To show how the worm can work, the researchers created an email system that could send and receive messages using generative AI, plugging into ChatGPT, Gemini, and open source LLM, LLaVA. They then found two ways to exploit the system — by using a text-based self-replicating prompt and by embedding a self-replicating prompt within an image file.

In one instance, the researchers, acting as attackers, wrote an email including the adversarial text prompt, which "poisons" the database of an email assistant using retrieval-augmented generation (RAG), a way for LLMs to pull in extra data from outside its system. When the email is retrieved by the RAG, in response to a user query, and is sent to GPT-4 or Gemini Pro to create an answer, it "jailbreaks the GenAI service" and ultimately steals data from the emails, Nassi says. "The generated response containing the sensitive user data later infects new hosts when it is used to reply to an email sent to a new client and then stored in the database of the new client," Nassi says. In the second method, the researchers say, an image with a malicious prompt embedded makes the email assistant forward the message on to others. "By encoding the self-replicating prompt into the image, any kind of image containing spam, abuse material, or even propaganda can be forwarded further to new clients after the initial email has been sent," Nassi says.

In a video demonstrating the research, the email system can be seen forwarding a message multiple times. The researchers also say they could extract data from emails. "It can be names, it can be telephone numbers, credit card numbers, SSN, anything that is considered confidential," Nassi says.
The researchers reported their findings to Google and OpenAI, according to the article, with OpenAI confirming "They appear to have found a way to exploit prompt-injection type vulnerabilities by relying on user input that hasn't been checked or filtered." OpenAI says they're now working to make their systems "more resilient."

Google declined to comment on the research.

An anonymous reader quotes a report from TechCrunch: A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users' access to their Facebook, Google and TikTok accounts. The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services. YX International claims to send 5 million SMS text messages daily. But the technology company left one of its internal databases exposed to the internet without a password, allowing anyone to access the sensitive data inside using only a web browser, just with knowledge of the database's public IP address.

Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse. Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others. The database had monthly logs dating back to July 2023 and was growing in size by the minute. In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later.

In a series of tests using fake data, a U.S. government watchdog was able to steal more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The experiment is detailed in a new report by the Department of the Interior's Office of the Inspector General (OIG), published last week. TechCrunch reports: The goal of the report was to test the security of the Department of the Interior's cloud infrastructure, as well as its "data loss prevention solution," software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country's federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud. According to the report, in order to test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that "would appear valid to the Department's security tools."

The OIG team then used a virtual machine inside the Department's cloud environment to imitate "a sophisticated threat actor" inside of its network, and subsequently used "well-known and widely documented techniques to exfiltrate data." "We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system," the report read. The OIG said it conducted more than 100 tests in a week, monitoring the government department's "computer logs and incident tracking systems in real time," and none of its tests were detected nor prevented by the department's cybersecurity defenses.

"Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data," said the OIG's report. "In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system's controls for protecting sensitive data from unauthorized access." That's the bad news: The weaknesses in the Department's systems and practices "put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access," read the report. The OIG also admitted that it may be impossible to stop "a well-resourced adversary" from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.