A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter WIRED obtained that was sent by US senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program’s legality.

According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.

The DAS program, formerly known as Hemisphere, is run in coordination with the telecom giant AT&T, which captures and conducts analysis of US call records for law enforcement agencies, from local police and sheriffs’ departments to US customs offices and postal inspectors across the country, according to a White House memo reviewed by WIRED. Records show that the White House has, for the past decade, provided more than $6 million to the program, which allows the targeting of the records of any calls that use AT&T’s infrastructure—a maze of routers and switches that crisscross the United States.

In a letter to US attorney general Merrick Garland on Sunday, Wyden wrote that he had “serious concerns about the legality” of the DAS program, adding that “troubling information” he’d received “would justifiably outrage many Americans and other members of Congress.” That information, which Wyden says the DOJ confidentially provided to him, is considered “sensitive but unclassified” by the US government, meaning that while it poses no risk to national security, federal officials, like Wyden, are forbidden from disclosing it to the public, according to the senator’s letter.

AT&T spokesperson Kim Hart Jonson declined WIRED’s request to comment on the DAS program, saying only that the company is required by law to comply with a lawful subpoena.

There is no law requiring AT&T to store decades’ worth of Americans’ call records for law enforcement purposes. Documents reviewed by WIRED show that AT&T officials have attended law enforcement conferences in Texas as recently as 2018 to train police officials on how best to utilize AT&T’s voluntary, albeit revenue-generating, assistance.

In 2020, the transparency collective Distributed Denial of Secrets published hundreds of gigabytes of law enforcement data stolen from agencies around the US. A WIRED review of the files unearths extraordinary detail regarding the processes and justifications that agencies use to monitor the call records of not only criminal suspects, but of their spouses, children, parents, and friends. While DAS is managed under a program devoted to drug trafficking, a leaked file from the Northern California Regional Intelligence Center (NCRIC) shows that local police agencies, such as those in Daly City and Oakland, requested DAS data for unsolved cases seemingly unrelated to drugs.

In one instance, an officer with the Oakland Police Department asked for a “Hemisphere analysis” to identify the phone number of a suspect by analyzing the calls of the suspect’s close friends. In another, a San Jose law enforcement officer asked the Northern California Regional Intelligence Center to identify a victim and material witness in an unspecified case. One officer, soliciting information from AT&T under the program, wrote: “We obtained six months of call data for [suspect]'s phone, as well as several close associations (his girlfriend, father, sister, mother).” The records do not indicate how AT&T responds to every request.

Leaked law enforcement files further show that a range of officials—from a US Postal Service inspector to a New York Department of Corrections parole officer—participated in DAS training sessions. Other participants include port authorities and members of US Immigration & Customs Enforcement, National Guard, and California Highway Patrol, alongside scores of smaller agencies.

First disclosed by The New York Times in September 2013 as Hemisphere, the DAS program—renamed in 2013—has since flown largely under the radar. Internal records concerning the program’s secrecy that were obtained by the newspaper at the time show that law enforcement had long been instructed to never “refer to Hemisphere in any official document.”

Following the Times’ story, former US president Barack Obama reportedly suspended funding for the Hemisphere program in 2013. And while discretionary funding was withheld over the following three years, a White House memo obtained by WIRED shows that individual law enforcement organizations across the US were permitted to continue contracting with AT&T directly in order to maintain access to its data-mining service. Funding resumed under former president Donald Trump but was halted again in 2021, according to the White House memo. Last year, under president Joe Biden, the funding resumed once more, the memo says.

The White House acknowledged an inquiry from WIRED but has yet to provide a comment.

THE DAS PROGRAM is maintained under an affiliated program called HIDTA, funded by the White House’s Office of National Drug Control Policy (ONDCP). HIDTA, or “high-intensity drug trafficking area,” is a designation assigned to 33 different regions of the US, according to the White House. The first five regions, mapped out in 1990, included areas around Los Angeles, Houston, Miami, New York, and the entire US-Mexico border, some of the nation’s most active drug trafficking areas.

The collection of call record data under DAS is not wiretapping, which on US soil requires a warrant based on probable cause. Call records stored by AT&T do not include recordings of any conversations. Instead, the records include a range of identifying information, such as the caller and recipient’s names, phone numbers, and the dates and times they placed calls, for six months or more at a time. Documents released under public records laws show the DAS program has been used to produce location information on criminal suspects and their known associates, a practice deemed unconstitutional without a warrant in 2018.

“Requests concerning location information require the highest level of legal demand, which is a court-issued warrant, except in emergency situations,” AT&T’s Hart Jonson says.

Orders targeting a nexus of individuals are sometimes called “community of interest” subpoenas, a phrase that among privacy advocates is synonymous with dragnet surveillance.

“The scale of the data available to and routinely searched for the benefit of law enforcement under the Hemisphere Project is stunning in its scope,” Wyden’s letter to Garland says.

The White House has provided at least $6.1 million in discretionary funding to the DAS program since 2013, according to a two-page memo authored last year by White House officials. An internal HIDTA “participant guide” reviewed by WIRED shows that HIDTA funding exceeded $280 million in 2020 alone. It remains unclear how much HIDTA funding is spent to support AT&T’s vast collection of American call records.

It is not currently known how far back the call records accessible under DAS go. A slide deck released under the Freedom of Information Act in 2014 states that up to 10 years’ worth of records can be queried under the program, a statistic that contrasts with other internal documents that claimed AT&T could reach decades into the past. AT&T’s competitors, meanwhile, typically retain call records for no more than two years. (The necessity for phone companies to track call records for extended periods of time has gradually decreased with the disappearance of long-distance charges.)

THE DAS PROGRAM echoes multiple dragnet surveillance programs dating back decades, including a Drug Enforcement Agency program launched in 1992 that forced phone companies to surrender records of virtually all calls going to and from over 100 other countries; the National Security Agency’s bulk metadata collection program, which the US Second Circuit Court of Appeals deemed illegal in 2014; and the Call Details Records program, which suffered from “technical irregularities” leading the NSA to collect millions of calls it was “not authorized to receive.”

Unlike these past programs, which were subject to congressional oversight, DAS is not. A senior Wyden aide tells WIRED the program takes advantage of numerous “loopholes” in federal privacy law. The fact that it’s effectively run out of the White House, for example, means it is exempt from rules requiring assessments of its privacy impacts. The White House is also exempt from the Freedom of Information Act, reducing the public’s overall ability to shed light on the program.

Because AT&T’s call record collection occurs along a telecommunications “backbone,” protections enshrined under the Electronic Communications Privacy Act may not apply to the program.

Earlier this month, Wyden and other lawmakers in the House and Senate introduced comprehensive privacy legislation known as the Government Surveillance Reform Act. The bill contains numerous provisions that, if enacted, would patch most if not all of these loopholes, effectively rendering the DAS program, in its current form, explicitly illegal.

Source

Ransomware hackers warned aircraft industry giant Boeing they were going to leak data if their price wasn’t met—and on November 10, they did just that, publishing nearly 45 gigabytes of company data online.

LockBit, a Russia-linked hacking gang, claimed responsibility for the attack on Oct. 27. “Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!” the gang posted on its data leak site. As IT Brew has reported, ransomware has been a major problem in 2023, and gangs are now able to deploy malware quicker than ever.

Boeing acknowledged the hack the same day. In a Nov. 2 email to Cybersecurity Dive, the company said that it was “aware of a cyber incident impacting elements of our parts and distribution business,” but “this issue does not affect flight safety.”

After the deadline came and went, LockBit followed through on its threat, posting a large amount of company information online. The leak included cloud computing company Citrix files, security controls, email backups, and more. Cybersecurity analyst Dominic Alvieri told The Register that corporate emails were included in the leak.

“I haven’t gone over the whole data set but Boeing emails and a few others stand out as useful for those with malicious intent,” Alvieri said.

MalwareHunter Team reviewed the leak and suggested it likely came from Aviall, the parts distributor Boeing purchased in 2006. Because of 17 years of Aviall integration with Boeing systems, MalwareHunter Team opined that the severity of the breach could be worse than is already known.

“Question is how much the networks of the companies got merged in the past 17 years,” the team tweeted. “Because if not too much & LockBit really only pwned the networks of Aviall, the problem is not very much bad, ‘simply’ bad for Boeing.”

Source

Microsoft is reportedly once again pushing its customers. Now, the Redmond-based tech giant reportedly wants to use your Edge browsing history for services like ads. 

Insiders in the browser’s community have spotted a new toggle in the Settings page for Edge Canary, the experimental channel of the browser, on Android. It says, “Allow Microsoft to save your browsing activity,” and it’s living in the Privacy and Security section ? Personalization & advertising. 

The toggle’s description reads, “Including history, usage, favorites, web content, and other browsing data to personalize Microsoft Edge and Microsoft services like ads, search, shopping, and news.” 

Take a look at the toggle below, as spotted and shared by @Leopeva64 on X (fka Twitter):

People call it “telemetry,” “spying”, or even “advertising terror although you still have some sort of control over it. And moreover, it’s not the first time Microsoft had ever pushed a dirty trick: they once pushed Bing Chat when users tried to access Google Bard on Edge browser.

The ability to share your browsing activity with Microsoft for personalized ads has been available on the desktop version for a while now. While it’s enabled by default, you can easily disable it by going to Settings ? Privacy and security ? Personalization & advertising.

What are your thoughts on this change? 

Source

SSH is a cryptographic network protocol for secure communication, widely employed in remote system access, file transfers, and system administration tasks.

RSA is a public-key cryptosystem used in SSH for user authentication. It uses a private, secret key to decrypt communication that is encrypted with a public, shareable key.

Exposing hardware errors

A paper published by university researchers Keegan Ryan, Kaiwen He, Nadia Heninger, and George Arnold Sullivan, shows that it’s possible for a passive network attacker to obtain a private RSA key from SSH servers experiencing faults during signature computation.

“If a signing implementation using CRT-RSA has a fault during signature computation, an attacker who observes this signature may be able to compute the signer’s private key,” the researchers say in the technical paper.

The Chinese Remainder Theorem (CRT) is used with the RSA algorithm to lower the bit size for the public key and speed up the decryption time.

“These attacks exploit the fact that if an error is made while computing modulo one prime, say q, then the resulting invalid signature “s” is equivalent to the correct signature modulo one prime factor p, but not q,” the researchers further explain.

Although errors of this kind are rare, they are unavoidable due to hardware flaws. Given a large enough pool of data, an attacker can find and leverage many opportunities for exploitation.

This is a known problem that impacts older of TLS versions. It was addressed in TLS 1.3 by encrypting the handshake that establishes the connection, thus preventing passive eavesdroppers from reading the signatures.

SSH was previously assumed to be safe from this attack but the researchers proved that it is possible to retrieve RSA secrets using lattice-based attacks that recover the private key from partially known nonces.

The researchers note that their tests do not include results "for RSA-1024,SHA512 because the number of unknown bits in the hash is well beyond what we can brute force or solve with  lattices."

However, they add that "the lattice attack is quite efficient" and that their tests had a 100% success rate.

Using their lattice attack, the researchers managed to find 4,962 invalid signatures that revealed the factorization of the corresponding RSA public key, thus allowing the retrieval of private keys corresponding to 189 unique RSA public keys.

Many of the retrieved secrets came from devices with vulnerable implementations, the largest number of signatures coming from Zyxel devices.

The researchers disclosed the issue to Cisco and Zyxel earlier this year and the vendors investigated for the cause.

Cisco determined that a suitable mitigation was introduced last year in Cisco ASA and FTD Software. The company told the researchers that it was looking into mitigations in Cisco IOS and IOS XE Software. 

Zyxel found that the ZLD firmware version the researchers used in the experiment had switched to using OpenSSL, which eliminates the risk.

The researchers warn that if signing implementations using the Chinese Remainder Theorem (CRT) algorithm with RSA have a fault when computing the signature, an attacker observing the signature may be able to computer the signer's private key.

To counter an attacker's ability to retrieve the secret key, the researchers recommend implementations that validate signatures before sending them, such as the OpenSSH suite that relies on OpenSSL to generate signatures.

Source

This phased approach begins with a 1% user testing period early in 2024, leading to a more extensive phase-out in the third quarter of 2024.

Third-party cookies are tracking codes set by websites other than the one you're currently visiting. These cookies are used primarily for online advertising and tracking user behavior across different sites. They help advertisers create a profile of your interests, leading to more personalized advertising experiences.

However, they can also be used to track your browsing habits and the sites you visit, which leads to a loss of privacy.

Google's decision to phase out third-party cookies, essential for many web functionalities, marks a significant shift in online privacy. This process aims to reduce user tracking across websites while ensuring essential online services remain freely accessible.

Google details the impact and testing

The initial 1% testing phase, set for early 2024, is crucial for identifying and addressing web compatibility issues. Google intends to manage this phase carefully to avoid significantly impacting user experience.

During this period, Google will introduce temporary solutions and user controls for managing temporary exceptions per top-level site in Chrome, aiming to mitigate potential disruptions.

"We're currently planning for early Jan, i.e. M120 would be the first release that contains the technical capabilities to ramp to 1% (breakage mitigations, quantitative testing)," Johann Hofmann, Senior Software Engineer at Google, noted in a post.

"The holiday freeze is definitely a risk to call out here."

Once third-party cookies are phased out, advertisers are expected to use Google's Privacy Sandbox APIs to show advertisements based on a user's computed interests.

Notably, Firefox and Safari have already stopped default access to third-party cookies.

Google plans to implement a more secure approach and anticipates other browsers will adopt similar strategies.

Despite differences in handling cookies, Google says it strives for interoperability, adhering to privacy and security standards.

It's important to understand that the move to phase out third-party cookies is a significant change for the web. Google acknowledges the diverse feedback from web developers and is committed to engaging with them.

The goal is to develop privacy-preserving solutions that support a dynamic and open web, balancing strong user protection with essential web functionalities.

Source

This has changed and it is now possible to use compatible authenticator apps, such as Google Authenticator, Microsoft Authenticator, Authy or Aegis for that.

It is a major improvement, especially for eBay users who either don't want to use the official mobile app or have a preferred authenticator app.

Setting up the new functionality is quite easy. It requires the following steps:

1. Go to the eBay website of your choice and sign-in to your account.
2. Select the down arrow next to the "Hi" message in the top left corner on eBay and select Account Settings. You may also load this page directly.
3. Select Sign-in and security under Personal info.
4. Activate the "edit" link next to 2 step verification.
5. Select Authenticator app from the available choices and then Set up.
6. eBay displays information about the process. It is a two-step process, which requires that customers download an authenticator app to their devices and then link it to their eBay account. The company recommends Google Authenticator, Microsoft Authenticator or Authy. Other apps will work as well, though. I tested it using Aegis, but any good authenticator app will do.
7. Select get started to start the process.
8. You are asked to verify your identity (again). Either via text message or email.
9. eBay displays a QR code on the next page. Open the Authenticator app on the mobile device and use it to scan the QR code. Save the entry in the Authenticator app, then select Next on eBay.
10. You are asked to type the code now to verify that everything is set up correctly.
11. This completes setup. Note that eBay will sign you out of the account on any other device.

Whenever you sign-in to eBay, you are asked to provide a six digit code that the Authenticator app generates to complete the authentication.

Closing Words

Two-step verification improves login security significantly. EBay's decision to unlock support for third-party authenticators is a welcome step. Users of eBay are not informed about the new security option (yet) though.

Now You: do you use two-step verification?

Source

The threat actors exploit the Citrix Bleed vulnerability (CVE-2023-4966), which was disclosed last month and continues to be abused in attacks.

Security researcher Kevin Beaumont, who has been tracking the attacks, has found that many recent victims also utilized vulnerable Citrix Netscaler devices at the time of the attack, allowing initial access to the corporate network.

Some companies that recently suffered a cyberattack and utilized vulnerable Citrix Netscaler devices include Toyota Financial Services, Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing.

DP World running Citrix server vulnerable to Citrix Bleed flaw

Source: Kevin Beaumont

While it is known that affiliates for the LockBit and Medusa ransomware gangs are behind some of these attacks, it is likely widely being exploited by other criminal operations.

In other news, the BlackCat ransomware gang took the bold step of filing an SEC complaint on one of its victims for not disclosing they suffered a cyberattack.

The threat actors tried to get the company into trouble for a new SEC rule that requires publicly traded companies to report cyberattacks within four days if they have a material impact. However, this rule does not go into effect until December 15th, 2023.

While many ransomware gangs have threatened to report cyberattacks to the SEC if a ransom was not paid, this could be the first publicly disclosed use of the extortion strategy.

We also learned more about recent attacks and tactics used by ransomware threat actors, which are highlighted below:

• The FBI shared tactics of Scattered Spider, an English-speaking affiliate of BlackCat ransomware.
• The FBI says Royal ransomware demanded 350 victims to pay $275 million in ransoms.
• FBI and CISA released an advisory on the Rhysida ransomware operation.
• The Toronto Public Library confirmed data was stolen in a recent Black Basta ransomware attack.
• A Yamaha subsidiary and the British Library confirmed that ransomware caused recent attacks.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @demonslay335, @billtoulas, @fwosar, @Seifreed, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @GossiTheDog, @BrettCallow, @PogoWasRight, @pcrisk, and @NCCGroupInfosec.

November 13th 2023

FBI: Royal ransomware asked 350 victims to pay $275 million

The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022.

Don’t throw a hissy fit; defend against Medusa

Not to be confused with MedusaLocker, Medusa was first observed in 2021, is a Ransomware-as-a-Service (RaaS) often using the double extortion method for monetary gain. In 2023 the groups’ activity increased with the launch of the ‘Medusa Blog’. This platform serves as a tool for leaking data belonging to victims.

Key Ransomware Indicator Up 56% Year-on-Year: October Data

In October attacks fell by 15.12% from the prior month according to the volume of victims posted on ransomware leak sites, but remained high from a year-on-year perspective with a 54.67% increase over October 2022. Last month also marked the tenth consecutive with a YoY increase in ransomware victims posted to leak sites, and the eighth consecutive with a count above 300.

New 1337 Ransomware

PCrisk found a new 1337 Ransomware that appends the .1337 extension and drops a ransom note named yourhope.txt.

November 14th 2023

LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed

The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.

New GlobeImposter variant

PCrisk found a new GlobeImposter variant that appends the .Pig865qq extension.

November 15th 2023

Ransomware gang files SEC complaint over victim’s undisclosed breach

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.

Toronto Public Library confirms data stolen in ransomware attack

The Toronto Public Library (TPL) confirmed that the personal information of employees, customers, volunteers, and donors was stolen from a compromised file server during an October ransomware attack.

FBI and CISA warn of opportunistic Rhysida ransomware attacks

The FBI and CISA warned today of Rhysida ransomware gang's opportunistic attacks targeting organizations across multiple industry sectors.

New ransomware variant

PCrisk found a new ransomware variant that appends the .shanova extension and drops a ransom note named read_it.txt.

November 16th 2023

FBI shares tactics of notorious Scattered Spider hacker collective

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released an advisory about the evasive threat actor tracked as Scattered Spider, a loosely knit hacking collective that now collaborates with the ALPHV/BlackCat Russian ransomware operation.

Toyota confirms breach after Medusa ransomware threatens to leak data

Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .eqza and .eqew extensions.

November 17th 2023

British Library: Ongoing outage caused by ransomware attack

The British Library confirmed that a ransomware attack is behind a major outage that is still affecting services across several locations.

Yamaha Motor confirms ransomware attack on Philippines subsidiary

Yamaha Motor's Philippines motorcycle manufacturing subsidiary was hit by a ransomware attack last month, resulting in the theft and leak of some employees' personal information.

That's it for this week! Hope everyone has a nice weekend!

Source

Source

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.

Hackers snitch to the SEC

According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink’s network on November 7 and stole company data without encrypting systems.

The ransomware actor said that “it appears MeridianLink reached out, but we are yet to receive a message on their end” to negotiate a payment in exchange for not leaking the supposedly stolen data.

The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”

To show that their complaint is real, ALPHV published on their site a screenshot of the form they filled out on SEC’s Tips, Complaints, and Referrals page.

In their own words, the attacker told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.

ALPHV ransomware SEC complaint against MeridianLInksource: BleepingComputer

Following a barrage of security incidents at U.S. organizations, the SEC adopted new rules that require publicly traded companies to report cyberattacks that have a material impact, i.e. influence investment decisions.

Cybersecurity incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material,” the new rule states.

However, the SEC’s new cybersecurity rules are set to take effect on December 15, 2023, Reuters explained at the beginning of October.

ALPHV also provided on their site the reply they received from the SEC to the complaint against MeridianLink, to show that the submission was received.

Automated reply from SEC to ALPHV complaint against MeridianLInksource: BleepingComputer

MeridianLink confirms cyberattack

In a statement for BleepingComputer, MeridianLink said that after identifying the incident it acted immediately to contain the threat and engaged a team of third-party experts to investigate.

The company added that it is still working to determine if any consumer personal information was impacted by the cyberattack and it will notify affected parties if so.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” - MeridianLink

While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation that they have done so.

Previously, ransomware actors exerted pressure on victims by contacting customers to let them know of the intrusion. Sometimes, they would also try to intimidate the victim by contacting them directly over the phone.

Source

Source

The company says that the cyberattack impacted only customers who made purchases from the Samsung UK online store between July 1, 2019, and June 30, 2020.

Hacker exploits bug in third-party app

Samsung discovered the data breach two days ago, on November 13, and determined that it was the result of a hacker exploiting a vulnerability in a third-party application the company used.

No details have been provided about the security issue leveraged in the attack or the vulnerable application that enabled the attacker to access Samsung customer's personal information.

The notification to customers says that exposed data may include names, phone numbers, postal and email addresses. The company underlines that credentials or financial information remains unaffected by the incident.

Samsung alerts customers of a new data breach

source: Michael Valentine

A Samsung spokesperson told BleepingComputer that the company was recently alerted of a cybersecurity incident that is limited to the UK region and does not affect data belonging to customers in the U.S., employees, or retailers.

“We were recently alerted to a cybersecurity incident, which resulted in certain contact information of some Samsung UK e-store customers being unlawfully obtained. No financial data, such as bank or credit card details, or customer passwords, were impacted. The incident is limited to the UK and does not affect U.S. customers, employees or retailer data” - Samsung

The company has taken all necessary steps to address the security issue, the representative told BleepingComputer, adding that the incident has also been reported to the UK’s Information Commissioner’s Office.

This is the third data breach Samsung has suffered in two years. The previous one occurred in late July, 2023 - discovered on August 4, when hackers accessed and stole Samsung customers' names, contacts and demographic information, dates of birth, and product registration data.

In March 2023, the data extortion group Lapsus$ breached Samsung’s network and stole confidential information, including source code for Galaxy smartphones.

Samsung confirmed that “certain internal data” had fallen into the hands of an unauthorized party after Lapsus$ leaked about 190GB of archived files along with a description of the contents.

Source

Source

Source

One of Neowin's forum members d3rf3l noticed this and opened a thread on the issue. German outlet Heise came across a cautionary notice about it when testing the New Outlook. The screenshot below says that their IMAP (Internet Message Access Protocol) data can be synced with Microsoft's cloud servers with options to either proceed or opt-out.

Here is what the English (Google translated) version of the above message reads:

Synchronize your IMAP account rei@ct.de To add your IMAP account to Outlook, We need to share your emails with Microsoft Sync cloud. Existing contacts and events are not synchronized, but everything you create in Outlook is saved in stored in the Microsoft cloud. More information

 

Further Cancel

When one clicks on the "More information" option to learn more about what this is about, a support article on Microsoft's official website launches explaining in detail what this is about:

To enhance your Microsoft 365 experience in New Outlook for Windows, Outlook.com, Outlook for iOS, Outlook for Android, and new Outlook for Mac, you can now sync your non-Microsoft accounts (including their emails, contacts, and events) to the Microsoft Cloud. This is available for Gmail, Yahoo, iCloud, and IMAP accounts in Outlook for iOS, Outlook for Android, and new Outlook for Mac. Also available for Gmail and Yahoo accounts in New Outlook for Windows and available for Gmail accounts in Outlook.com.

 

What happens when I sync my account to the Microsoft Cloud?

 

Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers. Having your mailbox data in the Microsoft Cloud lets you use the new features of the Outlook client (New Outlook for Windows, Outlook for iOS, Outlook for Android, Outlook.com, or Outlook for Mac) with your non-Microsoft account, just like with your Microsoft accounts.

Hence, according to Microsoft itself, the change is to enhance the experience of users such that they can enjoy the benefits of the new app on their non-MSA accounts too, which makes sense, though surely not all users will, understandably, want that. Thankfully, the option to reject the advances of Microsoft exists at the moment.

You can learn more about this on the support document webpage on Microsoft's official website.

Source

Before the leak, LockBit hackers said that Boeing ignored warnings that data would become publicly available and threatened to publish a sample of about 4GB of the most recent files.

Backup data published

LockBit ransomware has leaked more than 43GB of files from Boeing after the company refused to pay a ransom.

Most of the data listed on the hacker group’s leak site are backups for various systems, the most recent of them with an October 22 timestamp.

The ransomware actor posted Boeing on their site on October 27 and gave the company a November 2nd deadline to contact them and engage in negotiations.

The hackers said at the time they had stolen “a tremendous amount of sensitive data” and were ready to publish it.

Boeing page on LockBit data leak sitesource: BleepingComputer

Boeing disappeared from LockBit’s list of victims for a period but was listed again on November 7, when the hackers announced that their warnings had been ignored.

When the company continued to be silent, the LockBit ransomware gang decided to show that they had a bargaining chip and threatened to publish “just around 4GB of sample data (most recent).”

The hackers also threatened that they would publish the databases “if we do not see a positive cooperation from Boeing.”

LockBit ransomware threatens Boeing with leaking stolen filessource: FalconFeed

On November 10, LockBit released on their site all the data they had from Boeing. Among the files are configuration backups for IT management software, and logs for monitoring and auditing tools.

Backups from Citrix appliances are also listed, which sparked speculation about LockBit ransomware using the recently disclosed Citrix Bleed vulnerability (CVE-2023-4966), for which proof-of-concept exploit code was published on October 24.

While Boeing confirmed the cyberattack, the company did not provide any details about the incident or how the hackers breached its network.

LockBit is one of the most resilient ransomware-as-a-service (RaaS) operations, having been active for more than four years and making thousands of victims across various sectors.

Among the victims are Continental automotive giant, the UK Royal Mail, the Italian Internal Revenue Service, and the City of Oakland.

The U.S. government said in June that the gang extorted about $91 million since 2020 in close to 1,700 attacks against various organizations in the country.

However, the gang operates internationally. In August, the Spanish National Police warned of a phishing campaign that targeted architecture firms in the country to encrypt systems with LockBit’s locker malware.

Source

Revealed in September 2023 for the first time, it is an attempt by Meta to appease EU regulators.

The prompt is displayed automatically to users and there is no option to use Facebook until a choice has been made. The choice, in this case, is to either pay a monthly subscription free to use Facebook and Instagram without ads, or to continue using the two services for free but with ads.

Meta writes: "Laws are changing in your region, so we're introducing a new choice about how we use your info for ads. You'll learn more about what each option means for you before you confirm your choice. Your choice will apply to the accounts in this Account Center".

The Account Center page can be opened, but it is one of the few pages on Facebook that works while the prompt is open.

The two choices are:

• Subscribe to use without ads -- Subscribe to use your Facebook and Instagram accounts without ads, starting at €9.99 per month (inclusive of applicable taxes). Your info won't be used for ads.
• Use for free with ads -- Discover products and brands through personalized ads, while using your Facebook and Instagram accounts for free. Your info will be used for ads.

Meta highlights the current experience and provides a link to compare the choices and how they may affect the experience on Facebook and Instagram. The link points to a support article on the Facebook website.

There, Meta highlights the following differences between the two options. Free with ads users will continue to see ads on the platforms. They won't pay for the service and information of users will be used for ads.

Paying subscribers won't see ads in the products. They pay a monthly subscription fee and their information is not used for ads.

The subscription fee depends on the platform. All users who plan to subscribe should do so in a web browser and not in apps on mobile devices. Meta charges extra in this case to take into account the fees that Google's and Apple's platforms charge.

Meta displays more information once users make a choice. Those who select the free route will see the following screen.

Users agree to let Meta use information from accounts for ads and to give Meta the right to use cookies on its products to personalize ads and measure their performance.

Meta users who select the subscribe option see the following screen.

There, users are informed that the price of 9.99 EUR per month is valid through March 1. After the day, users will have to pay 9.99 per month for a single account and 6 EUR extra for any additional account. In other words, if you have one Facebook and one Instagram account, you pay 15.99 EUR after March 1, 2024.

Facebook users may change the choice they have made at any time in the Ad Preferences.

A click or tap on the current status, e.g., free with ads, displays a prompt to switch to the other product.

Meta notes that users may do so at any time.

Closing Words

Facebook users from the aforementioned regions have a new choice, which is good. Whether it is reasonable to pay roughly 120 EUR per year to Meta for an ad-free experience is up to each individual user.

Now You: would you pay Meta money to use Instagram and Facebook ad-free?

Source

The security pros were generally concerned about disruptions in workflow for companies that use ChatGPT for coding and attempts by threat actors to launch more targeted attacks on customer networks.

This most recent outage comes on the heels of another ChatGPT outage that  took down its application programming interface (API) earlier on Wednesday, partial ChatPT outages on Tuesday, and elevated error rates on it's text-to-image model Dall-E on Monday.

“The recent service interruptions of OpenAI's ChatGPT have presented challenges for developers, particularly those who rely on its APIs for coding-related tasks,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “These outages have temporarily affected workflows, as developers are accustomed to using these tools for code completion, debugging, and learning new coding practices. Consequently, some projects may experience delays.”

Guenther added that productivity may also be impacted, given the role of AI in streamlining coding processes. Developers might find themselves spending more time on tasks typically accelerated by AI, such as generating code snippets or refining algorithms, said Guenther. For those who have incorporated OpenAI's services into their products, Guenther said the downtime may prompt a review of their current dependencies and an exploration of alternative options to bolster their systems against similar incidents in the future.

Patrick "Pat" Arvidson, chief strategist/evangelist at Interpres Security, called the recent DDoS attack on ChatGPT “extremely serious” as sophisticated hackers are known to use these types of attacks as obfuscation for more serious longer term plans. Arvidson said they count on the distraction to divert the SecOps team away from their true objective: place stealthy implants in the targeted network. 

“In the case of a GenAI, this could be anything from an attempt to poison the LLM [large language model] to provide bad and false information, to attempting to force the API into delivering information that the hacker wants to exploit,” said Arvidson. “For organizations that use the LLM, either as a business function or as part of a capability from a second party, they will need to validate any and all information submitted to, and received from the LLM. Further, all responses should be tested and evaluated for malicious software before it’s deployed. They should also verify with any cyber insurance coverage that they are covered from supply side attacks."

The plot thickens: are the Russians involved?

OpenAI has not yet attributed the DDoS attacks, but suspected Russian threat actor Anonymous Sudan claimed the attacks, posting on Telegram Wednesday that it targeted OpenAI and its ChatGPT services because of OpenAI’s sympathies with Israel.

In citing reasons for the attack, the threat groups said it was because of “OpenAI's cooperation with the occupation state of Israel and the CEO of OpenAI saying he's willing to invest into Israel more, and his several meetings with Israeli officials like Netanyahu, as Reuters reported."

The Telegram post goes on to say: “AI is now being used in the development of weapons and by intelligence agencies like Mossad, and Israel also employs AI to further oppress the Palestinians.”

Critical Start’s Guenther pointed out that the lack of attribution by OpenAI could stem from several reasons: it could be because of insufficient evidence to definitively attribute the attack to a particular actor, or OpenAI could have made a strategic decision to avoid giving undue attention to the attackers or encouraging further incidents.

“Attribution in cybersecurity is complex and challenging,” said Guenther. “Cyber attackers often use sophisticated techniques to conceal their identities and locations, making it difficult to pinpoint the true source of an attack. Moreover, even when an actor claims responsibility, verifying the authenticity of such claims requires careful analysis and often, substantial evidence that links the attack to the claimant’s capabilities and motives.”

Guenther added that the possibility of a publicity stunt by Anonymous Sudan cannot be entirely dismissed without concrete evidence. Groups may claim responsibility for various reasons, including drawing attention to their cause or demonstrating their capabilities to potential recruits or sympathizers.

“On the other hand, if the claim by Anonymous Sudan aligns with the technical evidence of the attack and their known capabilities, it might lend more credibility to their claim,” said Guenther. “Either way, without access to detailed forensic data and the ongoing investigation's insights, any analysis is purely speculative.”

Source

I tried to warn you last year about clicking on Google Ads in search results but it appears those warnings have gone unheeded as hackers are still using malicious ads to infect unsuspecting users with malware.

Malvertising or malicious advertising has become increasingly popular among cybercriminals as phishing attacks and bad apps just aren’t as effective as they used to be. Instead, hackers are now buying ad space on Google Search and other search engines as a means to trick users into installing malware.

One of the ways in which they do this is by impersonating popular brands. So far, we’ve seen hackers impersonating Amazon, USPS, CCleaner, Notepad++ and other household names. However, Facebook and Microsoft have remained the most impersonated brands since 2020 according to a report from the email security firm Vade. 

Now though, it appears that hackers have started impersonating a popular PC tool used by both PC enthusiasts and gamers. If you just got a new gaming laptop in an early Black Friday sale or finished building your first PC, you’re going to want to be especially careful when searching for this extremely useful utility online.

Impersonating a popular PC tool

As reported by The Hacker News and discovered by the cybersecurity firm Malwarebytes, the tool in question is CPU-Z and it’s used to quickly find information about your processor, motherboard, RAM, graphics card and more.

While you can download it here directly from CPUID, hackers are now preying on PC users that don’t bother scrolling further down in search results. You see, Google and other search engines place ads at the top of their search results to earn revenue. Although most of these ads are harmless, hackers have begun weaponizing them in their attacks.

(Image credit: Malwarebytes/Tom's Guide)

In this new campaign, unsuspecting PC users that click on an ad like the one seen above are taken to a fake download portal that appears legitimate to the untrained eye. However, instead of CPU-Z, the site contains a digitally signed MSIX installer that contains a malicious PowerShell script for a loader known as FakeBat.

As their name suggests, malware loaders are used to infect your computer with malicious software and they work in a similar way to malware droppers on your smartphone. Once installed on a targeted PC, this loader downloads and installs the Redline stealer. This malware is capable of stealing a victim’s personal data including their browser history, browser cookies, saved browser passwords, credit cards, VPN passwords, system information and cryptocurrency wallets.

One other interesting thing about this campaign is not all users that click on these malicious ads for CPU-Z are taken to a fake download portal. Instead, those who aren’t being targeted are taken to what appears to be a standard blog with a number of articles on it.

How to stay safe from malicious ads

(Image credit: Pinone Pantone/Shutterstock)

The internet and online ads go hand in hand but to stay safe from malicious ads, you’re going to need to change your browsing and shopping habits.

Since hackers can pose as legitimate businesses and buy ads on any site or search engine, your best bet is to avoid clicking on ads altogether or at least until Google and other tech giants figure out a way to nip this problem in the bud once and for all. 

So for instance, let’s say you want to download reWASD to customize one of the best PC game controllers. Instead of clicking on the first search result you see, you’re going to want to scroll down past all of the ads and sponsored results to find the actual program you’re looking for. Another good way to avoid malicious ads is by going to a company’s website directly as opposed to just searching for the software or product you’re interested in.

At the same time, you may also want to consider using an ad blocker for browsing the web, even if YouTube is currently cracking down on them. If you can't see ads, you're going to be way less likely to click on them.

Besides changing your browsing and shopping habits, installing one of the best antivirus software solutions on your computer can help you stay safe from malware and other attacks that can occur when you click on a malicious ad. Likewise, the best identity theft protection services can help you recover stolen funds and your identity if you do happen to fall victim to fraud.

The tactics used by hackers and other cybercriminals are constantly evolving as people become wise to their schemes. While malicious ads are popular now because they work, once more people become aware of them, we’ll likely see hackers pivot to a new, lesser known attack method.

Source

In ransomware attacks, hackers encrypt an organization's systems and demand ransom payments in exchange for unlocking them. It was not immediately clear who was behind the attack.

The Financial Times reported earlier on Thursday that the U.S. Securities Industry and Financial Markets Association (SIFMA) told members that ICBC (601398.SS) had been hit by ransomware that disrupted the U.S. Treasury market by preventing it from settling trades on behalf of other market players.

"We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation," a Treasury spokesperson said in a response to a question about the FT report.

ICBC, China's largest commercial lender by assets, was beginning to restore services as of Thursday afternoon, the newspaper said, citing people briefed on the ransomware attack, which paralyses computer systems unless a payment is made.

SIFMA and ICBC were not immediately available to comment to on the reported incident.

Source

The new campaign was spotted by Malwarebytes analysts who, based on the backing infrastructure, asses that it is part of the same operation that used Notepad++ malvertising to deliver malicious payloads.

Campaign details

The malicious Google advertisement for the trojanized CPU-Z, a tool that profiles computer hardware on Windows, is hosted on a cloned copy of the legitimate Windows news site WindowsReport.

CPU-Z is a popular free utility that can help users monitor different hardware components, from fan speeds, to CPU clock rates, voltage, and cache details.

Clicking the ad takes the victim through a redirect step that tricks Google’s anti-abuse crawlers by sending invalid visitors to an innocuous site.

Those deemed valid to receive the payload are redirected to a Windows news site lookalike hosted on one of the following domains:

• argenferia[.]com
• realvnc[.]pro
• corporatecomf[.]online
• cilrix-corp[.]pro
• thecoopmodel[.]com
• winscp-apps[.]online
• wireshark-app[.]online
• cilrix-corporate[.]online
• workspace-app[.]online

The reason behind using a clone of a legitimate site is to add another layer of trust to the infection process, as users are familiar with tech news sites hosting download links for useful utilities.

Clicking on the ‘Download now’ button results in receiving a digitally-signed CPU-Z installer (MSI file) containing a malicious PowerShell script identified as the ‘FakeBat’ malware loader.

Signing the file with a valid certificate makes it unlikely that Windows security tools or third-party antivirus products running on the device will serve a warning for the user.

The loader fetches a Redline Stealer payload from a remote URL and launches it on the victim’s computer.

Redline is a powerful stealer able to collect passwords, cookies, and browsing data from a range of web browsers and applications, as well as sensitive data from cryptocurrency wallets.

To minimize the chances of malware infections when looking for specific software tools, users should pay attention when clicking on promoted results in Google Search and check the if the loaded site and the domain match, or use an ad-blocker that hides them automatically.

Source

While the company didn't immediately provide any details on the root cause of these incidents, OpenAI confirmed earlier today that they're linked to ongoing distributed denial-of-service (DDoS) attacks.

"We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing work to mitigate this," OpenAI said in an update to an incident report published 11 hours ago.

Those affected by these issues see "something seems to have gone wrong" errors, with ChatGPT adding that "There was an error generating a response" to their queries.

This comes after the company addressed another ChatGPT major outage that also took down its Application Programming Interface (API) on Wednesday, partial ChatPT outages on Tuesday, and Dall-E elevated error rates on Monday.

"We're experiencing exceptionally high demand. Please hang tight as we work on scaling our systems," a banner displayed across ChatGPT's interface warned users during yesterday's incident.

DDoS attacks claimed by Anonymous Sudan

While OpenAI has yet to attribute these DDoS attacks, a threat actor known as Anonymous Sudan claimed the attacks on Wednesday, saying that the reason behind them is the company's "general biasness towards Israel and against Palestine."

"CHATGPT link completely dead now worldwide, thousands of reports all over twitter and social media, let us see if they will admit it's a DDOS attack," the attackers said on their Telegram channel.

The group also confirmed using the SkyNet botnet in these attacks, which has been providing stresser services since October and added support for application layer attacks or Layer 7 (L7) DDoS attacks last week.

In Layer 7 DDoS attacks, threat actors target the application level to overwhelm services with a massive volume of requests, causing the services to hang as they cannot process them all.

They are highly effective as they significantly strain the targets' server and network resources, in contrast to reflection-based volumetric DNS amplification network layer attacks focusing on bandwidth consumption.

In June, Anonymous Sudan also took down Microsoft's Outlook.com, OneDrive, and Azure Portal in Layer 7 DDoS attacks, with the company confirming their claims and saying it tracks their activity as Storm-1359. Redmond said that Anonymous Sudan uses three types of Layer 7 DDoS attacks: HTTP (S) flood attacks, Cache bypass, and Slowloris.

Anonymous Sudan launched in January 2023, announcing that they'll target anyone opposing Sudan. Subsequently, they directed their attacks towards global organizations and government agencies, disrupting web-facing infrastructure.

However, some cybersecurity researchers believe this is a false flag and that the group might be linked to Russia instead.

OpenAI has yet to respond to BleepingComputer's requests for comment on ongoing outages and DDoS attacks.

Source

The internet can be a really confusing place. As simple as it is to surf the web, it's the technology behind how it works that can sometimes be perplexing. And this technology changes quickly – often without warning. If you're not caught up, it's easy to get left behind.

So it would make sense that you may not know much about VPNs, or virtual private networks, which are pivotal to protecting your privacy online.

A VPN can provide you with a secure and private connection over the internet, by creating a virtual tunnel between your device and a remote server, so that your IP address is masked and your internet traffic is encrypted.

That's easy enough to understand, but how much do you really know about VPNs, and how they can protect you? Does a VPN make you completely anonymous? Does it protect you from viruses and malware? Is it really only for illegal activity?

In this story, we'll take a look at 7 common VPN myths you should know the truth about. Here's what you need to know. 

Myth No. 1. VPNs are mostly for illegal activity

A VPN can definitely be used to aid in illegal activities, like downloading copyrighted material, but that's not its primary purpose. The primary use of a VPN is to enhance your online privacy, which is legitimate and legal. By encrypting your internet traffic, you actually protect yourself from cybercriminals or hackers or even prying governments.

VPNs, as a service, are illegal in certain countries that have strict censorship laws, like North Korea and Iraq. In China and Russia, only government-approved VPNs are allowed.

Myth No. 2. VPNs make you completely anonymous

A VPN works by encrypting your internet traffic and masking your IP address, and while that makes it much more challenging for websites, advertisers and ISPs to track your online activities, it doesn't mean you're completely anonymous.

Whichever VPN you use, the company behind the service may have access to your real IP address and all the websites you visit, which means they could potentially trace all your activities back to you. This is why it's important to choose a reputable VPN provider that has a strict no-logs policy to ensure that they don't keep records of what you do online.

In addition, law enforcement or other legal authorities could potentially request data from a VPN provider for a criminal investigation, which could lead to your private information being disclosed unless your VPN service has a strict no-logs policy.

Complete anonymity isn't realistic or necessary, which is perfectly fine for most people who use VPNs to protect their privacy.

Myth No. 3. Free VPNs are just as good as paid VPNs

You may be inclined to skip out on another monthly paid subscription, but if you're adamant about getting a VPN for your privacy, think twice about using a free VPN.

Free VPNs typically don't have the same commitment to privacy as paid VPNs, because well, if you're not paying the VPN, the service still needs to find a way to make money. And that may include sharing your user data with third parties, which can compromise your privacy and security.

A free VPN may also have limited server options, and so you might experience slower speeds, especially during peak usage times. Paid VPNs are typically faster and provide more reliable connections, thanks to a larger number of servers in locations across the world.

If you decide to use a free VPN instead of a paid one, you may also not get much customer support, have to deal with bandwidth and data limits, get bombarded with advertisements and not have access to features you may need..

The only free VPN we recommend is Proton VPN, because it has unlimited bandwidth and data.

Myth No. 4. VPNs speed up your internet

Network latency is the time that it takes your online data to go from one place to the other. If you're using a VPN, your data goes through an encrypted tunnel, which is a private route to the internet via third-party servers.

Encryption takes time, and if VPN servers are far away from you, then your latency and speeds may be slower than you're used to when you're not using a VPN.

Still, even if a VPN does slow down your data speed, it may not be noticeable if you're simply surfing the web or performing other low-intensity tasks. If you're streaming or playing video games, you may notice lag, in which case you may want to connect to a VPN server near you or try other techniques to help improve your speeds.

The only exception is if your ISP is throttling your internet connection, in which case a VPN could actually speed up your connection.

Myth No. 5. VPNs can bypass any geo-restrictions

By using a VPN server in a different country than where you live, you can spoof your IP address and access content or services that are typically restricted to those that live in that region. For example, if you pay for a US-based streaming account, and you're traveling abroad, you may not be able to access that content, unless you use a VPN to change your IP address back to your home country.

However, this doesn't always work. Some websites and streaming services use VPN detection mechanisms that can recognize if you're using a VPN and block you from accessing any of their content unless you turn your VPN off.

Myth No. 6. VPNs are too complex to use

A VPN may sound complicated to use, but that's not always the case. VPN services provide user-friendly applications, available on your computer, phone and tablet, with intuitive interfaces and straightforward guides you can follow to quickly and easily enable set up your VPN.

Typically, after installing a VPN, it really only takes a few clicks or taps to create an account, select a server and connect to the VPN service. After you use your VPN for the first time, and configure your settings, you may only need to tap or click once to connect to the VPN from then on.

If the VPN offers it, you may have the option to allow the VPN to choose a server for you based on best connection speeds at the moment, and to automatically connect to the server as well, to ensure you're always protected without having to manually enable the VPN.

And paid VPNs typically come with customer support, in case you have any trouble. You may find FAQs, online guides, live chat or email support options to guide you through any issues.

Myth No. 7. VPNs protect against malware and viruses

VPNs may encrypt your data and mask your IP address, but that doesn't mean they are a one-stop-shop for all things privacy -- they're just a part of the equation. A VPN does provide indirect benefits related to cybersecurity, like securing your connection when you're on public Wi-Fi, but they do not replace antivirus, antimalware and password tools.

To protect your devices against viruses and malware, you need dedicated software that is specifically designed to identify and remove malicious software, so that your computer or phone is protected.

The best thing you can do to maintain comprehensive cybersecurity is to have both a VPN, for safeguarding your online privacy and security, and antivirus/antimalware software, to get rid of anything malicious on your device.

Source : https://www.cnet.com/tech/services-and-software/dont-fall-for-these-7-vpn-myths/

A Beyoncé gig, the coronation of King Charles, and the British Formula One Grand Prix all have one thing in common: Thousands of people at the events, which all took place earlier this year, had their faces scanned by police-operated face recognition tech.

Backed by the Conservative government, police forces across England and Wales are being told to rapidly expand their use of the highly controversial technology, which globally has led to false arrests, misidentifications, and lives derailed. Police have been told to double their use of face searches against databases by early next year—45 million passport photos could be opened up to searches—and police are increasingly working with stores to try to identify shoplifters. Simultaneously, more regional police forces are testing real-time systems in public places.

The rapid expansion of face recognition comes at a time when trust in policing levels are at record lows, following a series of high-profile scandals. Civil liberties groups, experts, and some lawmakers have called for bans on the use of face recognition technology, particularly in public places, saying it infringes on people’s privacy and human rights, and isn’t a “proportionate” way to find people suspected of committing crimes.

“In the democratic world, we are an outlier at the moment,” says Madeleine Stone, a senior advocacy officer with Big Brother Watch, a privacy-focused group that has called for a ban and “immediate stop” on live face recognition, a proposal backed by 65 UK lawmakers. The EU, which the UK left in 2016, may ban the real-time use of face recognition systems, and one of its highest courts has called the technology “highly intrusive.” Various US states have banned police from using the technology.

Cops in England and Wales can hunt for potential criminals using two main kinds of face recognition. First, there are live face recognition systems (LFR): These usually include cameras mounted on police vans that scan people’s faces as they walk by and check them against a “watchlist” of wanted people. The LFR technology is deployed for some big events and announced in advance by the police. Second, there’s retrospective face recognition (RFR), where images from CCTV, smartphones, and doorbell cameras can be fed into a system that tries to identify the person based on millions of existing photos. Police use of both systems is increasing.

Two police forces in England and Wales—London’s Metropolitan Police and South Wales Police—have embraced LFR, using the technology for multiple years. (Police in Scotland, where policing is overseen locally, don’t use live systems but are reportedly increasing their use of RFR). So far this year, the Met and South Wales Police have used LFR on 22 separate occasions, according to statistics published on their websites.

Across 13 deployments, an estimated 247,764 people have passed the Met’s cameras this year, including at the King’s coronation and a soccer match between Arsenal and Tottenham. In 2023 so far, the Met’s system has pinged 18 times when it has matched a person with someone on the predetermined watchlist. Twelve of those people have been arrested. South Wales Police has used LFR nine times this year, scanning an estimated 705,290 faces and arresting two people.

Researchers and academics have long shownface recognition technologies to be biased or less accurate for people of colour, particularly Black people. In all of the LFR uses by the Met and South Wales police forces this year, their figures show, there have been no false alerts or misidentifications. In short, every time the system made a match, it was correct, according to the departments’ data. The data published by the police forces show the LFR systems they are using are set to an accuracy threshold of either 0.6 or 0.64. A study conducted by the National Physical Laboratory, a UK public sector research organization, recommended the threshold setting of 0.64 as a way to reduce biased and incorrect matches.

Pete Fussey, a professor at the University of Essex who previously audited the Met’s face recognition, says that the report shows the algorithms may still be discriminatory and biased, but setting the thresholds neutralizes the system entirely. “If you desensitize the system, then you'll get fewer matches and fewer of those will be wrong,” Fussey says. Big Brother Watch’s Stone says it “brings into question the necessity and proportionality of the whole endeavor if you’re having dozens of police officers standing around the street looking at iPads just to make one arrest.” Stone argues “it’s not a good use of time.”

A spokesperson for the Home Office, the government department responsible for policing in England and Wales, says it is “committed” to giving police the technology they need to help solve crimes. “Technology such as facial recognition helps the police quickly and accurately identify those wanted for serious crimes, as well as missing or vulnerable people,” the spokesperson says, claiming it “frees up police time and resources.” They point to a blog post about police use of face recognition technologies.

“Live facial recognition isn't just deployed on its own. It's in support of wider policing operations,” says detective chief inspector Jamie Townsend, who is the operational lead for the Met's face recognition. A policing operation may make 30 arrests in an area with face recognition contributing two or three of them, he says.

Townsend says that the biometric data of people isn’t stored when they are scanned by LFR cameras, and he considers the system to be “precision policing” as it allows for the identification of specific individuals. The Home Office’s blog post claims LFR has led to the arrest of sex offenders and someone wanted for possessing a knife. South Wales Police did not respond to WIRED’s request for comment at the time of writing.

Two other UK police forces have tried LFR in recent months, raising concerns about how the technology will be used going forward and who is put on the watchlists of people the systems are looking for. There are more than 30 police forces that have not used LFR, although the government has said it is “very supportive” of more forces using it.

Around 380,000 people had their faces scanned by Northamptonshire police over three days at the British Grand Prix in July, according to public records requests. No arrests were made. A Freedom of Information Act request from Big Brother Watch revealed the force had placed 790 people on the watchlist for the event while only 234 were wanted for arrest. “It was largely individuals who were not wanted for any criminal reasons, which leads us to believe that these were protesters who were being put on watchlists,” Stone says. The previous year’s British Grand Prix was disrupted by protesters.

A statement from Northamptonshire Police says the watchlist “included a range of offences from organized crime to aggravated trespass, which had the potential of leading to the death or serious injury of the public, racing drivers and staff, especially if there was a repeat of the 2022 track incursion. We were not targeting those taking part in lawful, peaceful protests.”

Police forces are also being encouraged to ramp up the use of after-the-fact, retrospective face recognition. All police forces across the UK have the ability to run searches for faces against the Police National Database, which has more than 16 million photos and includes millions of images that should have been deleted years ago. In 2022, according to data from freedom of information requests, there were 85,158 face searches—up 330 percent on the previous year. Policing minister Chris Philp said in October that he wants the number of searches to double by May 2024.

Fussey, the University of Essex professor, says retrospective face recognition is often thought to be more “benign” than live face recognition, but he doesn't believe it is the case. “The issues and harms and human rights implications are the same, whether it's live or retrospective,” he says, adding there is a lot of ambiguity around how the technology is being used.

In August 2020, the UK’s Court of Appeal ruled that South Wales Police’s use of LFR was unlawful. Since then, police forces using the technology say they have changed their procedures in response to the court decision, and the Home Office spokesperson says there is a “comprehensive legal framework in the UK” that requires police to use the technology only when it is “necessary, proportionate, and fair.”

Many disagree. A wide-ranging review from the Ada Lovelace Institute, a nonprofit, says there is “legal uncertainty” about the use of LFR. Another report by University of Cambridge academics, from the Minderoo Centre for Technology and Democracy, concluded that three examined police deployments of face recognition “failed to meet the minimum ethical and legal standards.”

“It’s wholly legitimate for police to use technology to keep the public safe,” says Fussey, who recently completed a report on proposals to change the oversight of biometrics in the UK. “The question is about how lawful and necessary it is,” he says. “At the moment, we’re in a situation where the legal basis isn’t clear. There’s no external oversight of how it’s used, how it’s authorized, who’s on the watchlist.”

Source

Source

One of the world's most iconic casinos has been hit by a cyberattack that affected hundreds of thousands of its customers.

The Marina Bay Sands (MBS) luxury resort and casino in Singapore posted an announcement explaining that threat actors accessed its systems on October 19 and 20 2023. 

During that time, they managed to steal “some of our customers’ loyalty program membership data,” the company said.

Was it ransomware?

“Investigations have since determined that an unknown third party accessed customer data of about 665,000 non-casino rewards program members,” the announcement reads.

The unidentified hackers stole MBS’ customers’ data, including names, email addresses, mobile phone numbers, landline numbers, countries of residence, and membership numbers and tiers. 

Hackers usually use this type of information in identity theft or phishing attacks, so users of the MBS rewards program should be wary of any emails they receive, claiming to be coming from the casino.

MBS stressed that casino members weren’t impacted by the incident. Apparently, no payment data was accessed. The victims were (or will be) notified individually, the company added, saying that it already reported the incident to the police and other relevant law enforcement agencies and authorities. 

Some media speculate that the data theft might be a part of a ransomware attack, as ransomware threat actors often steal sensitive data and then demand payment not to leak it on the dark web. 

However, ransomware also usually includes the deployment of an encryptor that cripples systems and renders endpoints inaccessible, which doesn’t seem to have been the case here.

Marina Bay Sands is not the only casino company being targeted by cybercriminals this year. In mid-September this year, we reported a major outage at MBM Resorts International, which was most likely the result of a ransomware attack. It was big enough to draw the attention of the FBI.

The attack was attributed to a threat actor by the name Scattered Spider. 

Via BleepingComputer

Source