c0mmando

A suspected developer of a new malware strain called Styx Stealer made a “significant operational security error” and leaked data from his computer, including details about clients and earnings, researchers have found.

Styx Stealer is “a powerful malware” capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. The Israel-based cybersecurity firm Check Point, which analyzed the malware, said that it was used against its customers, though further details were not provided.

“The developer made a fatal error and leaked data from his computer, which allowed Check Point to obtain a large amount of intelligence,” researchers said in a report published last week.

The developer of Styx Stealer was found to be linked to one of the Agent Tesla threat actors known as FucosReal, who was involved in a spam campaign also targeting the company’s customers. Agent Tesla is a remote access malware that has been targeting Windows systems since 2014.

According to Check Point, the creator of Styx Stealer revealed his personal details, including Telegram accounts, emails and contacts, by debugging the stealer on his own computer using a Telegram bot token provided by a customer involved in the Agent Tesla campaign in March 2024.

“This critical OpSec failure not only compromised Styx Stealer's anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign,” researchers said.

Following the analysis, researchers were able to link Styx Stealer to a Turkish hacker known as Sty1x. This, in turn, allowed Check Point to track down FucosReal to an individual in Nigeria.

“The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights,” researchers said.

One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked.

In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.

“The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the Florida-based company said.

“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”

The company plans to notify those affected if there are other updates. It is unclear how someone would know they are affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.

Cybersecurity experts have known about the leaks since April, but since then the company has refused to respond to repeated requests for comment from Recorded Future News. The company stayed tight-lipped about the incident until this week, when concern about the troves of Social Security numbers (SSNs) exposed went viral on social media.

Companies and private investigators pay National Public Data to obtain criminal records, background checks and more — with the company allowing them to search billions of records instantly.

On April 7, a well known hacker going by the name USDoD posted a database on the criminal marketplace Breached claiming it contained 2.9 billion records on U.S. citizens. The cybercriminal — best known for leaking data stolen from European aerospace giant Airbus — said it came from another hacker named “SXUL" and offered the information for $3.5 million.

While it is unclear whether anyone paid for the information, the hacker began leaking parts of the database in June and others continued to offer it for sale throughout the summer.

Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.

The data contains a person’s first and last name, three decades of address history and Social Security number. Some experts said they were also able to find a person’s parents, siblings and immediate relatives. The database includes people living and dead.

Some have noted that people who use data opt-out services were not included in the database.

While some news outlets and social media platforms have erroneously reported that 2.9 billion people had information in the breach, Hunt estimated that the database included about 899 million unique SSNs.

The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.

National Public Data is already facing lawsuits over the breach. A complaint was filed in the U.S. District Court for the Southern District of Florida two weeks ago after a California resident said he got a notice from his identity-theft protection service provider in July about the breach.

DataGrail vice president Chris Deibler said the breach shows we “are reaching the limits of what individuals can reasonably do to protect themselves in this environment.”

“The balance of power right now is not in the individual's favor. [The European Union’s] GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data,” he said.

Akhil Mittal of Synopsys Software Integrity Group added that the number of records will draw headlines but the long tail of effects on people could last years. Millions of real people will be dealing with identity theft, fraud and more for years to come due to the breach, he said.

Mittal echoed Deibler’s comments, arguing that a larger conversation needs to be started about data privacy and protection.

“It’s time for stricter regulations and better enforcement to make sure companies are really protecting our information,” Mittal said.

Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.

It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.

The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you'd expect to see in a breach, depending on what information the user provided in their account.

The full list of potentially impacted data points is below:

• User ID
• Password
• Email address
• Full name
• Billing address
• Shipping address
• IP address
• Social media accounts
• Telephone numbers
• Year of birth
• Last four digits of your credit card number
• Information about aircraft owned
• Industry
• Title
• Pilot status (yes/no)
• Account activity (such as flights viewed and comments posted)
• Social Security Number

How was this data exposed? We asked FlightAware and will update the story if it responds.

The downside of filing data leak notifications in California is that the state doesn't require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.

Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.

"FlightAware values your privacy and deeply regrets that this incident occurred," it wrote in a letter being sent to affected individuals.

"Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware."

It's typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.

It's also typical for companies to offer free credit monitoring for users and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax.

A Kentucky man who hacked into a state registry and faked his own death to avoid paying child support was sentenced on Monday to 81 months in prison.

In January 2023, Jesse Kipf used stolen login credentials belonging to a physician to access the Hawaii Death Registry System, where he submitted and “certified” his own death — thereby avoiding paying more than $116,000 in owed child support.

He also hacked into other state death registry systems, as well as “governmental and corporate networks” using stolen credentials, and tried to sell access to those entities on the darkweb.

“Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price,” said Michael E. Stansbury, special agent in charge at the FBI’s Louisville Field Office. Kipf was convicted of computer fraud and aggravated identity theft.

In March 2023, Hawaii’s Department of Health began sending out breach notification letters after it was notified by the cybersecurity firm Mandiant that credentials belonging to an external medical death certifier account had been sold on the dark web. The account belonged to a medical certifier who worked for a local hospital but had left the job in 2021.

According to the Health Department release, the hacker accessed the account on January 20, 2023 — the same month Kipf breached the system.

That same year, Kipf also used stolen credentials to access networks belonging to Guest-Tek Interactive Entertainment Ltd. and Milestone, Inc. — specifically to networks related to the companies’ work with hotel chains, including internet connectivity services.

According to a sentencing memo from Assistant U.S. Attorney Kathryn M. Dieruf, Kipf offered for sale on darknet forums tips for how to access death registry systems, and he sold access to at least one company’s hacked databases to Russian customers. Other international buyers of stolen personal information were from Algeria and Ukraine, according to court documents.

While calling for a seven-year sentence — three more months than the one Kipf received — Dieruf asked the judge to send a message to cybercriminals.

“Similarly situated individuals must see the real danger they present to victims and be deterred from engaging in online criminal conduct by the fear of punishment,” she wrote.

“The cloak of anonymity afforded by the dark web is too alluring without the persistent threat of being brought to justice and serving a significant sentence.”

The District Court for the Eastern District of New York has ruled that the US government must reverse course on its policy of warrantless searches of US (and foreign) nationals’ electronic devices as they enter the country.

We obtained a copy of the ruling for you here.

This is not the only court decision on this issue, while this particular outcome, requiring that border agents obtain court-issued orders before performing such searches, concerns the district that is the court’s seat – therefore also a major port of entry, JFK International Airport.

It was precisely at this airport that an event unfolded which set in motion a legal case. In 2022, US citizen Kurbonali Sultanov was coerced (he was told he “had no choice”) into surrendering his phone’s passport to border officers.

Sultanov later became a defendant in a criminal case but argued that evidence from the phone should not be admitted because the device was accessed in violation of the Fourth Amendment (which protects Americans against unreasonable and warrantless searches).

Of course, all these envisaged protections refer to US citizens, and even there prove to be sketchy in many instances. Foreign travelers (even though entering the country legally) are effectively left without any protections regarding their privacy.

Sultanov’s argument was supported in an amicus brief filed the following year by the Knight First Amendment Institute and the Reporters Committee for Freedom of the Press, who said that the First Amendment is violated as well when law enforcement gains access to phones without a warrant since it invalidates constitutional protections of speech, freedom of the press, religion, and association.

The New York Eastern District Court’s decision is by and large based precisely on that amicus brief. One of the arguments from it is that journalists entering the US are often forced to hand over their devices.

The court agreed that “letting border agents freely rifle through journalists’ work product and communications whenever they cross the border would pose an intolerable risk to press freedom,” said Reporters Committee for Freedom of the Press attorney Grayson Clary in a press statement.

Meanwhile, US Customs and Border Protection (CBP) said they were reviewing this ruling – and would not comment on what the agency said are “pending criminal cases.”

The online digital ID age verification creep in the US continues from a number of directions, through “recommendations” and “studies” – essentially, the government is nudging the industry to move in the direction of implementing digital ID age verification tools.

At this point, it is happening via various initiatives and legislation, still, without being formally mandated.

One instance is a recommendation coming from the Biden-Harris Administration’s Kids Online Health and Safety Task Force, which is telling online service providers they should “develop and inform parents about age verification tools built into the app or available at the device level.”

The task force is led by the Department of Health and Human Services, HHS (its Substance Abuse and Mental Health Service Administration, SAMHSA,) in what is referred to in official statements as “close partnership” with the Department of Commerce.

This initiative is presented as an industry guidance that will ensure the safety of youths on the internet, as well as their health and privacy.

One of the steps presented in the fact sheet refers to age verification. This is a hot-button issue, particularly among privacy and security advocates, considering the methods that would be necessary to prove somebody’s real-life identity online, and that this would have to apply to all users of a site or app.

Yet, the current White House is now “urging” the tech industry to, among other “critical steps” inform parents about developing and building digital ID tools into either apps or devices themselves.

The setting up of the task force and its recommendations are supposed to contribute to Biden’s “Unity Agenda,” while a report released last week talks about an “unprecedented youth mental crisis” as the reason for coming up with these recommendations for families and industry.

The initiative, announced in May, bases its claims about the metal crisis of previously unwitnessed proportions on a report put together by the US surgeon-general and his advisory concerning social platforms.

In addition to “sneaking in” the mention of age verification, the report also talks about the need to enact bipartisan federal legislation aimed at protecting the health, safety, and privacy of young people online.

Another point is urging the industry to advance “action to implement age-appropriate health, safety, and privacy best practices on online platforms through federal legislation and voluntary commitments.”

The documents’ authors from the several departments behind the task force also want platform data to become available to “independent researchers.”

Odysee, the blockchain-based video-sharing service, has announced that it will remove all advertisements from its platform effective immediately.

The company expressed confidence in its innovative monetization programs, which are designed to support creators financially while maintaining the platform’s operational costs. “We don’t need ads to make money as a platform,” the announcement read, highlighting their commitment to creating a more open and creatively free environment.

Odysee’s move comes at a time when many media platforms increasingly rely on advertising revenue, which can lead to conflicts of interest and potential demonetization from pro-censorship activists.

By eliminating ads, Odysee aims to set a new standard for platform independence and user-centric service.

The announcement also pointed to the aggressive advertising tactics employed by platforms like YouTube and others, which Odysee believes detracts from the user experience. “Our approach may be considered niche or unconventional,” Odysee CEO Julian Chandra stated, emphasizing that their model aims to be sustainable financially and uphold an incorruptible user experience.

This strategic pivot is expected to resonate well with Odysee’s user base, who have expressed displeasure with intrusive ads on other platforms. Odysee’s leadership believes that this ad-free model will not only benefit users but also ensure the platform’s sustainability and integrity in the long run.

In the wake of recent riots in the UK, Tobias Ellwood, former lawmaker, British Army reservist and a senior officer in the 77th Brigade, has voiced strong opinions on the role of social media in fueling public disorder. Ellwood, known for his previous support of vaccine passports and online vaccine certificate databases, emphasized the alleged negative impacts of online anonymity in a recent interview.

The UK’s 77th Brigade, officially known as the 77th Brigade of the British Army, is a unit that focuses on non-traditional warfare, including what is known as “information warfare” or “psychological operations.” Formed in 2015, it includes personnel from various sections of the military as well as reservists with expertise in a range of disciplines such as media, marketing, and public relations.

According to Ellwood, the swift spread of misinformation and the organization of disruptive activities are significantly enhanced by social media platforms. He proposed that no one should be able to maintain a social media account without full accountability, suggesting a nominal annual fee to remove anonymity for the use of such platforms as a measure to enforce responsibility among users.

The lawmaker drew a stark contrast between the positive representation of Britain at the Paris Olympics and the destructive behavior of rioters back home, stating that the ease of rallying and mobilizing through social media platforms exacerbates such issues.

“Have we advanced the rules to keep up with how social media is now dominating our society? ” Ellwood remarked, in an interview with GB News. However, the proposal has met with criticism. Benjamin Jones, Director of Case Operations at the Free Speech Union, who also appeared on GB News, argued that such measures could inadvertently harm vulnerable individuals who rely on anonymity for safety and expression. Citing the example of a young ex-Muslim lesbian woman, Jones pointed out that stripping anonymity could sever critical lifelines for those in oppressive situations.

Jones further suggested that the focus on social media’s role in societal issues distracts from deeper, long-standing problems within the country, such as community segregation and integration challenges that predate social media.

CrowdStrike – a company that advertises itself as stopping breaches using “AI-native cybersecurity” – recently failed to deliver in a spectacular fashion.

One of its faulty updates (for Windows) caused a massive global outage across different industries and services, including hospitals and airports.

This latest poster child for “single point of failure,” and why IT systems should not be centralized to the degree they are, now apparently sees making false copyright claims, thus abusing the DMCA, as one way of damage control.

The recipient of the takedown attempt is a parody site, ClownStrike. Created by IT consultant David Senk, clownstrike.lol went online on July 24, in the wake of the embarrassing and costly (damages are said to run into billions) episode caused by CrowdStrike.

But despite ostensibly having more pressing issues to deal with, a week later Cloudflare (that hosted the parody site) sent Senk a DMCA notice issued on behalf of CrowdStrike by CSC Digital Brand Services.

CrowdStrike wanted its logo, which is seen “fading into a cartoon clown” on Senk’s site removed, and threatened that otherwise the site would be shut down, writes Ars Technica.

But the site is clearly a parody one, which would protect Senk’s display of the logo as fair use under the DMCA. However, this story has two “bad guys” – in addition to CrowdStrike, there’s Cloudflare.

When Senk contested the takedown notice on fair use grounds, Cloudflare ignored it, and then sent him another email reiterating the copyright infringement accusations – and then, again ignored the site creator’s counterclaim.

Senk has switched to a server in Finland, where he feels companies are “less susceptible to DMCA takedown requests.”

Now the site also features the CSC logo (with a clown wig). And it’s been updated with Senk’s thoughts on corporate cyberbullies, Cloudflare’s “hilariously ineffective” system of countering copyright notices, and other rant-worthy topics.

Ars Technica suggests that ClownStrike may have simply got caught up in as many as 500 notices CrowdStrike has been sending left and right these days to ensure “proactive fraud management activities (…) to help prevent bad actors from exploiting current events.”

Senk’s description of this statement? “Typical corporate bullshit (taking) zero accountability.”

The Russian government is intensifying its drive to expand the use of biometric technologies across the nation. This push comes amid growing fears over personal data security, highlighted by a surge in data breaches in recent years. In 2023 alone, RBC, a Russian research agency, reported that data breaches at Russian financial institutions escalated 3.2 times compared to 2022, with about 170 million personal records compromised.

Despite these security challenges, the Russian state has placed a significant focus on biometrics. In 2018, authorities established the Unified Biometric System (UBS), a pivotal element in Russia’s digital infrastructure which was later designated as a state information system. Maksut Shadayev, Russia’s minister of digital development, noted that biometric data submissions have been noteworthy, with figures continuously climbing. As of now, approximately 18 million Russians have comprehensive biometric profiles, with 70 million having submitted some form of biometric data to various state or private institutions, according to Riddle Russia.

However, many Russians are hesitant to embrace this technology. Concerns stem from not only frequent data leaks but also from a general lack of understanding of biometric technologies, which have been evolving in Russia for over a decade. Furthermore, a notable event in September 2023 saw a large number of citizens submitting petitions to halt further biometric data collection following widespread rumors about invasive data capture methods via ATMs and smartphones.

The historical trajectory of biometric data collection in Russia reflects a broad and deep integration of such technologies in everyday transactions and interactions.

Internationally, the government is also extending the reach of these technologies to Russians living abroad, enabling them to access financial services through biometric registration.

Amid these developments, privacy experts and concerned citizens argue for greater scrutiny and a reconsideration of the data collection process.

America First Legal (AFL) has disclosed documents obtained through a lawsuit against the FBI and the Department of Justice (DOJ), accusing them of concealing federal records that detail government-sponsored censorship by the Biden-Harris administration before the 2022 midterm elections.

The documents revealed that the FBI’s National Election Command Post (NECP) had compiled lists of social media accounts posting what they considered “misinformation,” extending from New York to San Francisco. This included the Right Side Broadcasting Network, cited by Matt Taibbi as targeted for “additional action” by the FBI.

These lists were so extensive that they were compiled into Word documents “due to the volume of posts.” NECP, operating from the FBI Headquarters and aided by DOJ attorneys and liaisons from five non-DOJ agencies, was responsible for vetting the information and directing actions across various field offices. They focused not only on foreign threats but also on cyber intrusions and potential criminal violations linked to election law.

Domestically, accounts like “@RSBNetwork” were flagged for issues related to election law violations, seemingly unconnected to foreign influence or cyber threats. NECP specifically instructed the San Francisco field office to send “preservation letters” to maintain relevant user information until legal actions could be formally initiated.

The Inspector General’s report outlines the legal procedures the FBI might use to compel evidence production from third parties. These range from grand jury subpoenas for current subscriber information, including personal details and payment methods, to district court orders for historical data under the Electronic Communications Privacy Act. In more severe cases, the FBI might request a search warrant for detailed content or ongoing investigation data.

This pattern of surveillance and legal pressure reflects a broader governmental approach that views alleged “misinformation” as a law enforcement issue. This stance has led to significant concerns about free speech, especially given recent cases where individuals faced prosecution for online activities deemed misleading by authorities.

Russia’s official telecommunications regulator, Roskomnadzor, disclosed on Friday that it has banned the Signal messaging app from operating in the country. This action is part of a wider pattern of widespread repression of information channels that hinder the state’s agenda, in light of the ongoing conflict in Ukraine.

The regulator unmasked the reasoning behind the decision, citing Signal’s “violation of the requirements of Russian legislation which must be observed to prevent the messenger’s use for terrorist and extremist purposes.”

Signal’s trademark feature is its end-to-end encryption, which fortifies the platform against government scrutiny of private conversations. Russian leaders, however, have grown wary of such platforms.

In a series of additional restrictions imposed on media freedom in Russia, the authorities have cornered numerous independent outlets delivering news in Russian that dare to critique the Kremlin. Access to major social media platforms such as X has also been barred. Meta’s Facebook and Instagram have not been spared either.

In response to the Roskomnadzor ban on the Signal messaging app in Russia, users might seek ways to circumvent the restriction and continue using the app:

Virtual Private Networks (VPNs): VPNs can help users disguise their internet traffic and appear as if they are accessing the internet from a different country. This can bypass geographic restrictions imposed by a government.

Proxy Servers: Similar to VPNs, proxy servers allow users to access the internet from a different IP address, potentially bypassing censorship imposed on specific services or apps.

Using Signal over Bridges: Signal provides a feature called “Signal Proxy” designed to help users in censored areas access the service. Users can connect via a proxy URL provided by someone outside the censored region, helping them bypass blocks.

Alternative App Stores: Sometimes, apps banned in official app stores might be available in alternative app stores or via direct downloads from trusted sources on the internet.

Encrypted DNS: Using encrypted DNS services can sometimes help bypass blocks that rely on DNS filtering, allowing users to resolve domain names that might be restricted.

Each of these methods has its risks and benefits, and the effectiveness can vary based on the specific technical measures implemented by local authorities to enforce the ban. Users should also be aware of the legal risks involved in circumventing government-imposed censorship.