Oracle

Oracle Reaches $115 Million Consumer Privacy Settlement (aol.com)

Oracle agreed to pay $115 million to settle a lawsuit accusing the database software and cloud computing company of invading people's privacy by collecting their personal information and selling it to third parties. Reuters: The plaintiffs, who otherwise have no connection to Oracle, said the company violated federal and state privacy laws and California's constitution by creating unauthorized "digital dossiers" for hundreds of millions of people. They said the dossiers contained data including where people browsed online, and where they did their banking, bought gas, dined out, shopped and used their credit cards. Oracle then allegedly sold the information directly to marketers or through products such as ID Graph, which according to the company helps marketers "orchestrate a relevant, personalized experience for each individual."
Privacy

Little-Known Tool Is Giving Instant Access To Vast Amounts of Homebuyer Data (therecord.media)

An anonymous reader quotes a report from The Record: When Florida real estate professional Susan Hicks discovered the app Forewarn over a year ago, she was shocked to learn that for a service costing about $20 a month she could instantly retrieve detailed data on prospective clients with only their phone number. "For anybody who's had exposure to this, usually the first time they see it, it blows their mind," Hicks told Recorded Future News, adding that she enthusiastically recommends the tool to the brokers she manages. "It's incredible that there's that amount of information out there that you can just access with one click." "It can be real creepy and you have to swear that you're not going to use it in a wrong manner," Hicks added, referring to Forewarn rules which say real estate agents can't share data from the app publicly or with third parties, or use the app to pull information on non-professional contacts.

Forewarn is primarily marketed to and used by the real estate industry, and it has been penetrating that market at a rapid clip. Although some real estate agents say the financial information it returns saves time when finding clients most likely to have the budget for the houses they're looking at, most agents and associations tout it primarily as a safety tool because it also supplies criminal records. In addition to those records, the product -- owned by the data broker red violet -- also supplies a given individual's address history; phone, vehicle and property records; bankruptcies; and liens and judgements, including foreclosure histories. Although such data could generally be gleaned from public records, Forewarn delivers it at the press of a button -- a function real estate agents say allows them to gather publicly available information without having to visit courthouses and municipal offices, a process which would normally take days.

The power of Forewarn's technology has led to rapid adoption, but the company is still largely unknown outside the real estate industry. Several fair housing and civil rights advocates interviewed by Recorded Future News weren't aware of its existence. The individuals whose data it sells also have no idea their information is being shared with real estate agents, who potentially might choose not to work with them because of what they discover on the app. Forewarn did not respond to multiple requests for comment; however, statements made by one of its executives suggest that the company intentionally keeps a low profile. "Do not tell the prospect that they are not permitted or unqualified to purchase or sell property because of information you obtained from Forewarn," a company executive said at a recent training webinar with Illinois real estate agents. She emphasized that potential buyers "do not get notified" when they are screened with the app, a question she said many real estate agents ask. Real estate agents who, for example, discover a client has a lien filed against them, should consider telling the prospect they "obtained this information from a confidential service that bases their information on available public record information," the executive added.

Cellphones

FCC Closes 'Final Loopholes' That Keep Prison Phone Prices Exorbitantly High

An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission today voted to lower price caps on prison phone calls and closed a loophole that allowed prison telecoms to charge high rates for intrastate calls. Today's vote will cut the price of interstate calls in half and set price caps on intrastate calls for the first time. The FCC said it "voted to end exorbitant phone and video call rates that have burdened incarcerated people and their families for decades. Under the new rules, the cost of a 15-minute phone call will drop to $0.90 from as much as $11.35 in large jails and, in small jails, to $1.35 from $12.10."

The new rules are expected to take effect in January 2025 for all prisons and for jails with at least 1,000 incarcerated people. The rate caps would take effect in smaller jails in April 2025. Worth Rises, a nonprofit group advocating for prison reform, said it "estimates that the new rules will impact 83 percent of incarcerated people (about 1.4 million) and save impacted families at least $500 million annually."
The nonprofit Prison Policy Institute said that prison phone companies charge ancillary fees for things "like making a deposit to fund an account." The ban on those fees "also effectively blocks a practice that we have been campaigning against for years: companies charging fees to consumers who choose to make single calls rather than fund a calling account, and deliberately steering new consumers to this higher-cost option in order to increase fee revenue," the group said.

The ancillary fee ban is a "technical-sounding change," but will help "eliminate some of the industry's dirtiest tricks that shortchange both the families and the facilities," the group said.
Privacy

USPS Shared Customers' Postal Addresses With Meta, LinkedIn and Snap (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The U.S. Postal Service was sharing the postal addresses of its online customers with advertising and tech giants Meta, LinkedIn and Snap, TechCrunch has found. On Wednesday, the USPS said it addressed the issue and stopped the practice, claiming that it was "unaware" of it. TechCrunch found USPS was sharing customers' information by way of hidden data-collecting code (also known as tracking pixels) used across its website. Tech and advertising companies create this kind of code to collect information about the user -- such as which pages they visit -- every time a webpage containing the code loads in the customer's browser.

In the case of USPS, some of that collected data included the postal addresses of logged-in USPS Informed Delivery customers, who use the service to see photos of their incoming mail before it arrives. It's not clear how many individuals had their information collected or for how long. Informed Delivery had more than 62 million users (PDF) as of March 2024. [...] The code also collected other data, such as information about the user's computer type and browser, which appeared as partly pseudonymized -- essentially scrambled in a way that makes it more difficult for humans to know where data came from, or who it relates to, by using randomized identifiers in place of real customer names. But researchers have long warned that pseudonymous data can still be used to re-identify seemingly anonymous individuals.

TechCrunch also found that tracking numbers entered into the USPS website were also shared with advertisers and tech companies, including Bing, Google, LinkedIn, Pinterest and Snap. Some in-transit tracking data was also shared, such as the real-world location of the mail in the postal system, even if the customer was not logged in to USPS' website.
USPS spokesperson Jim McKean said in a statement: "The Postal Service leverages an analytics platform for our own internal purposes, so that we understand the usage of our products and services and which we use on an aggregated basis to market our products. The Postal Service does not sell or provide any personal information that is collected from this analytics platform to any third party, and we were unaware of any configuration of the platform that collected personal information from the URL and that shared it without our knowledge with social media."

"We have taken immediate action to remediate this issue," the spokesperson added, without saying what action was taken.
Privacy

The Biggest Data Breaches In 2024: 1 Billion Stolen Records and Rising (techcrunch.com)

An anonymous reader quotes an excerpt from TechCrunch, written by Zack Whittaker: We're over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can't get any worse, they do. From huge stores of customers' personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks. Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped. These are some of the largest breaches highlighted in the report:

AT&T's Data Breaches: AT&T experienced two data breaches in 2024, affecting nearly all its customers and many non-customers. The breaches exposed phone numbers, call records, and personal information, risking account hijacks for 7.6 million customers.
Change Healthcare Hack: A ransomware attack on Change Healthcare resulted in the theft of sensitive medical data, affecting a substantial proportion of Americans. The breach caused widespread outages in healthcare services across the U.S. and compromised personal, medical, and billing information.
Synnovis Ransomware Attack: The cyberattack on U.K. pathology lab Synnovis disrupted patient services in London hospitals for weeks, leading to thousands of postponed operations and the exposure of data related to 300 million patient interactions.
Snowflake Data Theft (Including Ticketmaster): Cybercriminals stole hundreds of millions of records from Snowflake's corporate customers, including 560 million records from Ticketmaster. The breach affected data from multiple companies and institutions, exposing vast amounts of customer and employee information.
Privacy

Leaked Docs Show What Phones Cellebrite Can and Can't Unlock (404media.co)

Cellebrite, the well-known mobile forensics company, was unable to unlock a sizable chunk of modern iPhones available on the market as of April 2024, 404 Media reported Wednesday, citing leaked documents it obtained. From the report: Mobile forensics companies typically do not release details on what specific models their tools can or cannot penetrate, instead using vague terms in marketing materials. The documents obtained by 404 Media, which are given to customers but not published publicly, show how fluid and fast moving the success, or failure, of mobile forensic tools can be, and highlight the constant cat and mouse game between hardware and operating manufacturers like Apple and Google, and the hacking companies looking for vulnerabilities to exploit.

[...] For all locked iPhones able to run 17.4 or newer, the Cellebrite document says "In Research," meaning they cannot necessarily be unlocked with Cellebrite's tools. For previous iterations of iOS 17, stretching from 17.1 to 17.3.1, Cellebrite says it does support the iPhone XR and iPhone 11 series. Specifically, the document says Cellebrite recently added support to those models for its Supersonic BF [brute force] capability, which claims to gain access to phones quickly. But for the iPhone 12 and up running those operating systems, Cellebrite says support is "Coming soon."

The Courts

Puerto Rico Files $1 Billion Suit Against Fossil Fuel Companies (theverge.com)

An anonymous reader quotes a report from The Verge: Puerto Rico filed suit against fossil fuel companies this week, alleging that the oil and gas giants have misled the public about climate change and delayed a transition to clean energy. The suit seeks $1 billion in damages to help Puerto Rico defend itself against climate disasters. In a complaint (PDF) filed in San Juan yesterday, Puerto Rico's Department of Justice says that the companies violated trade law by promoting fossil fuels without adequately warning about the dangers. The defendants include ExxonMobil, BP, Chevron, Shell, ConocoPhillips, and other energy companies.

In the complaint, Puerto Rico says it expects to pay billions of dollars in the future to cope with catastrophes made worse by climate change -- including storms like Hurricane Maria, which killed thousands of people in 2017 and triggered monthslong power outages. The suit asks defendants to contribute to a fund that would be used to mitigate the consequences of climate change and pay for measures to strengthen Puerto Rico's infrastructure against future climate-related calamities.
After Hurricane Maria devastated the island in 2017, thirty-seven municipalities in Puerto Rico and the capital city of San Juan filed suit against fossil fuel companies, "seeking to hold them accountable for the devastation," notes The Verge.

Last week, Portland's Multnomah County filed a lawsuit against several fossil fuel companies, blaming their emissions for the 2021 heat dome that resulted in the deaths of 69 people.
Privacy

Rite Aid Says Breach Exposes Sensitive Details of 2.2 Million Customers (arstechnica.com)

Rite Aid, the third-largest U.S. drug store chain, reported a ransomware attack that compromised the personal data of 2.2 million customers. The data exposed includes names, addresses, dates of birth, and driver's license numbers or other forms of government-issued ID from transactions between June 2017 and July 2018.

"On June 6, 2024, an unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems," the company said in a filing. "We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted." Ars Technica's Dan Goodin reports: RansomHub, the name of a relatively new ransomware group, has taken credit for the attack, which it said yielded more than 10GB of customer data. RansomHub emerged earlier this year as a rebranded version of a group known as Knight. According to security firm Check Point, RansomHub became the most prevalent ransomware group following an international operation by law enforcement in May that took down much of the infrastructure used by rival ransomware group Lockbit.

On its dark web site, RansomHub said it was in advanced stages of negotiation with Rite Aid officials when the company suddenly cut off communications. A Rite Aid official didn't respond to questions sent by email. Rite Aid has also declined to say if the employee account compromised in the breach was protected by multifactor authentication.

Bitcoin

Craig Wright Faces Perjury Investigation Over Claims He Created Bitcoin (wired.com)

A judge in the UK High Court has directed prosecutors to consider bringing criminal charges against computer scientist Craig Wright, after ruling that he lied "extensively and repeatedly" and committed forgery "on a grand scale" in service of his quest to prove he is Satoshi Nakamoto, creator of bitcoin. From a report: In a judgment published Tuesday, Justice James Mellor outlined various injunctions to be imposed upon Wright, after finding in May that he had "engaged in the deliberate production of false documents to support false claims [to be Satoshi] and use the Courts as a vehicle for fraud."

By order of the judge, Wright will be prevented from claiming publicly that he is Satoshi and from bringing or threatening legal action in any jurisdiction on that basis. He will be required to pin a notice to the front page of his personal website and X feed detailing the findings against him. The matter, Mellor writes, will also be referred to the Crown Prosecution Service (CPS), the body responsible for prosecuting criminal cases in the UK, "for consideration of whether a prosecution should be commenced against Dr Wright." It will be up to the CPS to decide whether the available evidence is sufficient to bring charges against Wright "for his wholescale perjury and forgery of documents" and "whether a warrant for his arrest should be issued."

AI

Senate Introduces Bill To Set Up Legal Framework For Ethical AI Development (techspot.com)

Last week, the U.S. Senate introduced a new bill to outlaw the unethical use of AI-generated content and deepfake technology. Called the Content Origin Protection and Integrity from Edited and Deepfaked Media Act (COPIED Act), the bill would "set new federal transparency guidelines for marking, authenticating and detecting AI-generated content, protect journalists, actors and artists against AI-driven theft, and hold violators accountable for abuses." TechSpot reports: Proposed and sponsored by Democrats Maria Cantwell of Washington and Martin Heinrich of New Mexico, along with Republican Marsha Blackburn of Tennessee, the bill aims to establish enforceable transparency standards in AI development [such as through watermarking]. The legislation also wants to curb unauthorized data use in training models. The senators intend to task the National Institute of Standards and Technology with developing sensible transparency guidelines should the bill pass. [...] The senators feel that clarifying and defining what is okay and what is not regarding AI development is vital in protecting citizens, artists, and public figures from the harm that misuse of the technology could cause, particularly in creating deepfakes. The text of the bill can be read here.
Piracy

Record Labels Sue Verizon After ISP 'Buried Head In Sand' Over Subscribers' Piracy (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: Just before the weekend, dozens of record labels including UMG, Warner, and Sony, filed a massive copyright infringement lawsuit against Verizon at a New York federal court. In common with previous lawsuits that accused rivals of similar inaction, Verizon Communications Inc., Verizon Services Corp., and Cellco Partnership (dba Verizon Wireless), stand accused of assisting subscribers to download and share pirated music, by not doing enough to stop them. The labels' complaint introduces Verizon as one of the largest ISPs in the country, one that "knowingly provides its high-speed service to a massive community of online pirates."

Knowledge of infringement, the labels say, was established at Verizon over a period of several years during which it received "hundreds of thousands" of copyright notices, referencing instances of infringement allegedly carried out by its subscribers. The complaint cites Verizon subscribers' persistent use of BitTorrent networks to download and share pirated music, with Verizon allegedly failing to curtail their activity. "While Verizon is famous for its 'Can you hear me now?' advertising campaign, it has intentionally chosen not to listen to complaints from copyright owners. Instead of taking action in response to those infringement notices as the law requires, Verizon ignored Plaintiffs' notices and buried its head in the sand," the labels write.

"Undeterred, infringing subscribers identified in Plaintiffs' notices continued to use Verizon's services to infringe Plaintiffs' copyrights with impunity. Meanwhile, Verizon continued to provide its high-speed service to thousands of known repeat infringers so it could continue to collect millions of dollars from them." Through this lawsuit, which references piracy of songs recorded by artists including The Rolling Stones, Ariana Grande, Bob Dylan, Bruno Mars, Elvis Presley, Dua Lipa, Drake, and others, the labels suggest that Verizon will have no choice but to hear them now. [...]

Attached to the complaint, Exhibit A contains a non-exhaustive list of the plaintiffs' copyright works allegedly infringed by Verizon's subscribers. The document is over 400 pages long, with each track listed representing potential liability for Verizon as a willful, intentional, and purposeful contributory infringer, the complaint notes. This inevitably leads to claims based on maximum statutory damages of $150,000 per copyrighted work infringed on Count I (contributory infringement). The statutory maximum of $150,000 per infringed work is also applied to Count II (vicarious infringement), based on the labels' claim that Verizon derived a direct financial benefit from the direct infringements of its subscribers.
The labels' complaint can be found here (PDF).
AI

Gemini AI Platform Accused of Scanning Google Drive Files Without User Permission (techradar.com)

Last week, Senior Advisor on AI Governance at the Center for Democracy & Technology, Kevin Bankston, took to X to report that Google's Gemini AI was caught summarizing his private tax return on Google Drive without his permission. "Despite attempts to disable the feature, Bankston found that Gemini continued to operate in Google Drive, raising questions about Google's handling of user data and privacy settings," writes TechRadar's Craig Hale. From the report: After failing to find the right controls to disable Gemini's integration, the Advisor asked Google's ChatGPT-rivalling AI chatbot on two occasions to pinpoint the settings. A second, more detailed response still brought no joy: "Gemini is *not* in Apps and services on my dashboard (1st option), and I didn't have a profile pic in the upper right of the Gemini page (2nd)."

With help from another X user, Bankston found the control, which was already disabled, highlighting either a malfunctioning control or indicating that further settings are hidden elsewhere. However, previous Google documentation has confirmed that the company will not use Google Workspace data to train or improve its generative AI services or to feed targeted ads. Bankston theorizes that his previous participation in Google Workspace Labs might have influenced Gemini's behavior. The Gemini side panel in Google Drive for PDFs can be closed if a user no longer wishes to access generative AI summaries.

The Courts

Federal Court Blocks Net Neutrality Rules (theverge.com)

An anonymous reader quotes a report from The Verge: A federal appeals court has agreed to halt the reinstatement of net neutrality rules until August 5th, while the court considers whether more permanent action is justified. It's the latest setback in a long back and forth on net neutrality -- the principle that internet service providers (ISPs) should not be able to block or throttle internet traffic in a discriminatory manner. The Federal Communications Commission has sought to achieve this by reclassifying ISPs under Title II of the Communications Act, which gives the agency greater regulatory oversight. The Democratic-led agency enacted net neutrality rules under the Obama administration, only for those rules to be repealed under former President Donald Trump's FCC. The current FCC, which has three Democratic and two Republican commissioners, voted in April to bring back net neutrality. The 3-2 vote was divided along party lines.

Broadband providers have since challenged the FCC's action, which is potentially more vulnerable after the Supreme Court's recent decision to strike down Chevron deference -- a legal doctrine that instructed courts to defer to an agency's expert decisions except in a very narrow range of circumstances. Bloomberg Intelligence analyst Matt Schettenhelm said in a report prior to the court's ruling that he doesn't expect the FCC to prevail in court, in large part due to the demise of Chevron. A panel of judges for the Sixth Circuit Court of Appeals said in an order that a temporary "administrative stay is warranted" while it considers the merits of the broadband providers' request for a permanent stay. The administrative stay will be in place until August 5th. In the meantime, the court requested the parties provide additional briefs about the application of National Cable & Telecommunications Association v. Brand X Internet Services to this lawsuit.

AT&T

AT&T Paid $370,000 For the Deletion of Stolen Phone Call Records (wired.com)

AT&T paid more than $300,000 to a member of the team that stole call records for tens of millions of customers, reports Wired — "to delete the data and provide a video demonstrating proof of deletion." The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin... The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that. WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer...

AT&T is one of more than 150 companies that are believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It's been previously reported that the accounts were not secured with multi-factor authentication, so after the hackers obtained usernames and passwords for the accounts, and in some cases authorization tokens, they were able to access the storage accounts of companies and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts were all among the victims publicly identified to date...

The timeline suggests that if [John] Binns is responsible for the AT&T breach, he allegedly did it when he was likely already aware that he was under indictment for the T-Mobile hack and could face arrest for it.

The Courts

California Prohibited From Enforcing PI Licensing Law Against Anti-Spam Crusader (ij.org)

Long-time Slashdot reader schwit1 shared this report from non-profit libertarian law firm, the Institute for Justice: U.S. District Judge Rita Lin has permanently enjoined the California Bureau of Security and Investigative Services from enforcing its private-investigator licensing requirement against anti-spam entrepreneur Jay Fink. The order declares that forcing Jay to get a license to run his business is so irrational that it violates the Due Process Clause of the Fourteenth Amendment...

Jay's business stems from California's anti-spam act, which allows individuals to sue spammers. But to sue, they have to first compile evidence. To do that, recipients often have to wade through thousands of emails. For more than a decade, Jay has offered a solution: he and his team will scour a client's junk folder and catalog the messages that likely violate the law. But last summer, Jay's job — and Californians' ability to bring spammers to justice — came to a screeching halt when the state told him he was a criminal. A regulator told Jay he needed a license to read through emails that might be used as evidence in a lawsuit. And because Jay didn't have a private investigator license, the state shut him down.

The state of California has since "agreed to jointly petition the court for an order that forever prohibits it from enforcing its licensure law against Jay," according to the article.

Otherwise the anti-spam crusader would've had to endure thousands of hours of private investigator training...
Government

Admiral Grace Hopper's Landmark Lecture Is Found, But the NSA Won't Release It (muckrock.com)

MuckRock is a U.S.-based 501(c)(3) non-profit collaborative news site to "request, analyze and share government documents," according to its web site.

And long-time Slashdot reader schwit1 shared their report about a lecture by Admiral Grace Hopper: In a vault at the National Security Agency lies a historical treasure: two AMPEX 1-inch open reel tapes containing a landmark lecture by Admiral Grace Hopper, a giant in the field of computer science. Titled 'Future Possibilities: Data, Hardware, Software, and People,' this lecture, recorded on August 19, 1982, at the NSA's Fort Meade headquarters, and stored in the video archives of the National Cryptographic School, offers a rare glimpse into the mind of a pioneer who shaped the very fabric of technology. Yet this invaluable artifact remains inaccessible, trapped in an obsolete format that the NSA will not release, stating that the agency is unable to play it back.
"NSA is not required to find or obtain new technology (outdated or current) in order to process a request," states the official response from the agency. But MuckRock adds that on June 25, "responding to a follow-up request, the NSA at least provided an image of the tape labels," leading MuckRock to complain that the NSA "is well-positioned to locate, borrow and use a working VTR machine to access Admiral Hopper's lectures... The NSA, with its history of navigating complex technological landscapes and decrypting matters of national significance, does not typically shy away from a challenge." The challenge of accessing these recordings is not just technical, but touches on broader issues around preserving technological heritage.... It is our shared obligation to safeguard such pivotal elements of our nation's history, ensuring they remain within reach of future generations. While the stewardship of these recordings may extend beyond the NSA's typical purview, they are undeniably a part of America's national heritage.
The Courts

Apple Watch Is Cleared By the CBP of Infringing On the ECG Patent (cbp.gov)

Slashdot reader Kirschey writes: The U.S. Customs and Border Protection determined that the redesigned Apple Watch models do not violate AliveCor's electrocardiogram patents, allowing them to be imported. This decision comes before a consolidated hearing at the Federal Circuit Court regarding the same patents.
From the decision: We find that Apple Inc. ("Apple") has met its burden to show that certain redesigned wearable devices ("articles at issue") do not infringe one or more of claims 12, 13, and 19-23 of U.S. Patent No. 10,638,941 ("the '941 Patent") and claims 1, 3, 5, 8-10, 12, 15, and 16 of U.S. Patent No. 10,595,731 ("the '731 Patent"). Thus, CBP's position is that the articles at issue are not subject to the limited exclusion order that the U.S. International Trade Commission ("Commission" or "ITC") issued in Investigation No. 337-TA-1266 ("the underlying investigation" or "the 1266 investigation"), pursuant to Section 337 of the Tariff Act of 1930, as amended, 19 U.S.C. 1337 ("Section 337").
Security

CISA Broke Into a US Federal Agency, No One Noticed For a Full 5 Months (theregister.com)

A 2023 red team exercise by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency exposed critical security failings, including unpatched vulnerabilities, inadequate incident response, and weak credential management, leading to a full domain compromise. According to The Register's Connor Jones, the agency failed to detect or remediate malicious activity for five months. From the report: According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 - 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise. It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023. "After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023." [...]

After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-spraying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. "None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.

CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets -- the most highly privileged systems. "The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. "They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)." From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.

The team "kerberoasted" one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate. It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity.
CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.
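A defender-side check for two of the findings above (the Kerberoasting of partner-domain service accounts, and privileged service-account passwords left unrotated for over eight years), written as an added Python example that is not from the CISA report or The Register: it flags a burst of RC4-encrypted service-ticket requests for many distinct SPNs in Windows Event ID 4769 logs, and lists SPN-bearing accounts whose pwdLastSet is older than a threshold. The log lines, account names, SPNs and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log lines for Event ID 4769 (Kerberos service ticket requested);
# field names mirror the real event, everything else is invented. enc = 0x17 RC4, 0x12 AES256.
SAMPLE_4769 = [
    "2023-03-01T10:00:01 4769 user=jdoe spn=MSSQLSvc/db1.corp.example:1433 enc=0x17",
    "2023-03-01T10:00:02 4769 user=jdoe spn=HTTP/intranet.corp.example enc=0x17",
    "2023-03-01T10:00:03 4769 user=jdoe spn=MSSQLSvc/db2.corp.example:1433 enc=0x17",
    "2023-03-01T10:00:04 4769 user=jdoe spn=CIFS/files.corp.example enc=0x17",
    "2023-03-01T10:05:00 4769 user=asmith spn=HTTP/intranet.corp.example enc=0x12",
    "2023-03-01T10:05:01 4769 user=asmith spn=MSSQLSvc/db1.corp.example:1433 enc=0x12",
    "2023-03-01T10:10:00 4769 user=svc_backup spn=CIFS/files.corp.example enc=0x17",
    "2023-03-01T10:20:00 4769 user=svc_backup spn=CIFS/files.corp.example enc=0x17",
    "2023-03-01T11:30:00 4769 user=jdoe spn=HTTP/hr.corp.example enc=0x17",
]

def parse_4769(line):
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": kv["user"], "spn": kv["spn"], "enc": int(kv["enc"], 16)}

def find_kerberoasting(lines, window=timedelta(minutes=5), min_spns=3):
    """Accounts that requested RC4 service tickets for >= min_spns distinct SPNs within
    one window. RC4 cuts noise where AES is the norm, but the burst test is what matters."""
    events = sorted((parse_4769(l) for l in lines), key=lambda e: e["ts"])
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4769 and e["enc"] == 0x17:
            per_user[e["user"]].append(e)
    suspects = {}
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            spns = {x["spn"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(spns) >= min_spns:
                suspects[user] = sorted(spns)
                break
    return suspects

# Constructed directory export: (sAMAccountName, servicePrincipalName, pwdLastSet).
SAMPLE_ACCOUNTS = [
    ("svc_scom", "MSSQLSvc/db1.corp.example:1433", datetime(2015, 1, 10)),
    ("svc_web", "HTTP/intranet.corp.example", datetime(2023, 1, 15)),
    ("jdoe", "", datetime(2014, 6, 1)),
]

def stale_spn_accounts(accounts, now, max_age_days=365):
    """SPN-bearing accounts whose password is older than max_age_days: rotate these first."""
    return sorted(n for n, spn, last in accounts if spn and (now - last).days > max_age_days)
```

Only jdoe is flagged by the ticket-request check: asmith's requests are AES, and svc_backup repeats a single SPN; svc_scom is the one SPN account overdue for rotation.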
AT&T

American Hacker In Turkey Linked To Massive AT&T Breach (404media.co) 7

An anonymous reader quotes a report from 404 Media: John Binns, a U.S. citizen who has been incarcerated in Turkey, is linked to the massive data breach of metadata belonging to nearly all of AT&T's customers that the telecommunications giant announced on Friday, three sources independently told 404 Media. [...] As 404 Media reported in January, Binns has already been indicted for allegedly breaking into T-Mobile in 2021 and selling stolen data on more than 40 million people. Now, he is allegedly connected to the latest breach against AT&T, which the company said it detected in April.

The AT&T data was lifted from a Snowflake instance, a data warehousing tool, AT&T told 404 Media. Snowflake has been at the center of a series of massive and high profile breaches, including Ticketmaster and Santander. In a blog post published in June which covered a threat actor targeting Snowflake instances, cybersecurity company Mandiant said the threat actor, which it dubs UNC5537, "comprises members based in North America, and collaborates with an additional member in Turkey." In its breach announcement, AT&T said authorities had already apprehended one of the people involved in the breach. Binns was recently arrested and detained in Turkey, The Desk reported in May. That report, which is the last public information about his whereabouts, says he was detained following an extradition request from the U.S. Before he was arrested, Binns told 404 Media in January that he had "reasons to not be concerned" about being extradited.

Security

AT&T Says Criminals Stole Phone Records of 'Nearly All' Customers in New Data Breach (techcrunch.com) 82

U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of "nearly all" of its customers. TechCrunch: In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages -- such as who contacted who by phone or text -- during a six-month period between May 1, 2022 and October 31, 2022. AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data also includes call records of customers with phone service from other cell carriers that rely on AT&T's network, the company said. [...] In all, the phone giant said it will notify around 110 million AT&T customers of the data breach, company spokesperson Andrea Huguely told TechCrunch.
