×
Privacy

Hackers Hit Rhode Island Benefits System In Major Cyberattack (apnews.com) 14

A cyberattack on Rhode Island's RIBridges system has exposed personal data of individuals involved in programs like Medicaid, SNAP, and others, with hackers demanding a ransom. The breach may include sensitive details like Social Security numbers and banking information. The Associated Press reports: Anyone who has been involved in Medicaid, the Supplemental Nutrition Assistance Program known as SNAP, Temporary Assistance for Needy Families, Childcare Assistance Program, Rhode Island Works, Long-term Services and Supports, the At HOME Cost Share Program and health insurance purchased through HealthSource RI may be impacted, McKee said Saturday.

The system known as RIBridges was taken offline on Friday, after the state was informed by its vendor, Deloitte, that there was a major security threat to the system. The vendor confirmed that "there is a high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges," the state said. The state has contracted with Experian to run a toll-free hotline for Rhode Islanders to call to get information about the breach and how they can protect their data.

Transportation

Two Drone Pilots Arrested Near Boston, and Drones Cause One-Hour Runway Closure at North New York Airport (go.com) 84

Saturday night two men were arrested near Boston "following a hazardous drone operation near Logan Airport's airspace," according to a police statement. They credit an officer "leveraging advanced UAS monitoring technology" who "identified the drone's location, altitude, flight history, and the operators' position." Recognizing the serious risks posed by the drone's proximity to Logan's airspace, additional resources were mobilized. The Boston Police Department coordinated with Homeland Security, the Massachusetts State Police, the Joint Terrorism Task Force, the Federal Communications Commission (FCC), and Logan Airport Air Traffic Control to address the situation.
"Both suspects face charges of trespassing, with additional fines or charges potentially forthcoming."

Meanwhile on Friday night "Officials at Stewart International Airport, located roughly 60 miles north of New York City, said they shut down their runways for an hour," reports ABC News, after America's Federal Aviation Administration "alerted them that a drone was spotted in the area around 9:30 p.m." Though officials say flight operations weren't impacted during the closure, the article notes that New York's governor is now calling for federal assistance, including more federal law enforcement officers, saying "This has gone too far." [Governor Hochul] called on Congress to pass the Counter-UAS Authority Security, Safety, and Reauthorization Act, which would strengthen the FAA's oversight of drones and give more authority to state and local law enforcement agencies to investigate the activity.
The article explores the larger problem of Americans reporting drone sightings: Officials from a wide range of federal agencies spoke with reporters Saturday on a phone call and emphasized that the federal investigation into drone sightings in New Jersey is ongoing. One FBI official said that out of the nearly 5,000 tips they have received, less than 100 have generated credible leads for further investigation. A Department of Homeland Security official said that they are "confident that many of the reported drone sightings are, in fact, manned aircraft being misidentified as drones." The FBI official also talked about how investigators overlaid the locations of the reported drone sightings and found that "the density of reported sightings matches the approach pattern" of the New York area's busy airports including Newark-Liberty, JFK, and LaGuardia.

But, an FAA official says that there have "without a doubt" been drones flying over New Jersey, pointing to the fact that there are nearly a million drones registered in the U.S. "With nearly a million registered [unmanned aircraft systems] in the United States, there's no doubt many of them are owned and operated here within the state," the FAA official said... A Joint Chiefs of Staff official said that there have been visual sightings of drones reported by "highly trained security personnel" near Picatinny Arsenal and Naval Weapons Station Earle in New Jersey. The official said that they do not believe the sightings "were aligned with a foreign actor, or that they had malicious intent."

"We don't know what activity is. We don't know if it is criminal, but I will tell you that it is irresponsible," the official said. "Here on the military side, we are just as frustrated with the irresponsible nature of this activity."

Later ABC News reported that the FAA had imposed temporary drone flight restrictions in New Jersey over the Picatinny Arsenal military base. And they added that America's Homeland Security Secretary Alejandro Mayorkas "said the federal government is taking action to address the aerial drones that have prompted concern among New Jersey residents. "I want to assure the American public that we in the federal government have deployed additional resources, personnel, technology to assist the New Jersey State Police in addressing the drone sightings...." There have been numerous reports of drone activity along the East Coast since November. Mayorkas cited the 2023 change of a Federal Aviation Administration rule that allows drones to fly at night as to why there might be an uptick in sightings. "I want to assure the American public that we are on it," he said, before calling on Congress to expand local and state authority to help address the issue.

"It is critical, as we all have said for a number of years, that we need from Congress additional authorities to address the drone situation," Mayorkas said. "Our authorities currently are limited and they are set to expire. We need them extended and expanded... We want state and local authorities to also have the ability to counter growing activity under federal supervision," he added, echoing sentiments from local officials...

Addressing national security concerns the sightings have prompted, Mayorkas said the U.S. knows of no foreign involvement and that it remains "vigilant" in investigating the drone sightings. [ABC News anchor George] Stephanopoulos pressed Mayorkas about past security threats drones have caused, including the arrest of a Chinese national last week who allegedly flew a drone over an Air Force base in California. "When a drone is flown over restricted airspace, we act very, very swiftly," the homeland security secretary said. "In fact, when an individual in California flew a drone over restricted airspace, that individual was identified, apprehended and is being charged by federal authorities."

Privacy

Wales Police Begin Using a Facial-Recognition Phone App (bbc.co.uk) 33

"There are concerns human rights will be breached," reports the BBC, as Wales police forces launch a facial-recognition app that "will allow officers to use their phones to confirm someone's identity." The app, known as Operator Initiated Facial Recognition (OIFR), has already been tested by 70 officers across south Wales and will be used by South Wales Police and Gwent Police. Police said its use on unconscious or dead people would help officers to identify them promptly so their family can be reached with care and compassion. In cases where someone is wanted for a criminal offence, the forces said it would secure their quick arrest and detention. Police also said cases of mistaken identity would be easily resolved without the need to visit a police station or custody suite.

Police said photos taken using the app would not be retained, and those taken in private places such as houses, schools, medical facilities and places of worship would only be used in situations relating to a risk of significant harm.

Liberty, a civil liberties group, is urging new privacy protections from the government, according to the article, which also includes this quote from Jake Hurfurt, of the civil liberties/privacy group Big Brother Watch. "In Britain, none of us has to identify ourselves to police without very good reason but this unregulated surveillance tech threatens to take that fundamental right away."
China

America Prepares New AI Chip Restrictions to Close China's Backdoor Access (msn.com) 20

The U.S. wants to limit China's access to advanced AI chips, reports the Wall Street Journal, with new rules to restrict sales in parts of the world.

"The rules are aimed at China, but they threaten to create conflict between the U.S. and nations that may not want their purchases of chips micromanaged from Washington. The latest round of curbs could come this month... Among the restrictions, the administration aims to introduce caps on shipments of AI chips to certain countries for use in large computing facilities, people familiar with the plans said. One grouping of countries — close U.S. allies — would be unrestricted, the people said, while another tier of countries would face limits on the number of chips that can go into data centers used for AI... The purchasing caps primarily apply to regions such as Southeast Asia and the Middle East, the people said...

The administration recently sent letters to major chip-makers including Taiwan Semiconductor Manufacturing and Samsung Electronics informing them about some of the restrictions, these people said. The letters said the companies needed to apply for a license to transfer chips to China that are manufactured using advanced chip-making technology or meet other criteria. These criteria include a size and transistor-number limit as well as any indication that the chips are for use in training AI models, the people said. Previous regulations already limit the shipment of advanced GPUs and memory chips to China, but the new rules spell out more clearly to manufacturers what is banned.

U.S. officials "are also considering other options," the article points out. "The administration is considering placing controls on exports of the so-called weights that underlie advanced AI models, according to people familiar with the matter, and weighing further China-specific restrictions on chip manufacturing."
Communications

America's FCC Opens 6-GHz Band to Unlicensed Very-Low-Power Devices (theregister.com) 11

America's telecom-regulating Federal Communications Commission "has opened up the entire 6 GHz frequency band to very low-power devices," reports the Register, "alongside other unlicensed applications such as Wi-Fi kits." The FCC said it has adopted extra rules to allow very low-power device operation across the entire 1,200 MHz of the 6 GHz band, from 5.925 to 7.125 GHz, within the US. The agency had already opened up 850 MHz of the band to small mobile devices a year ago, and has now decided to open up the remaining 350 MHz.

It hopes that this will give a shot in the arm to an ecosystem of short-range devices such as wearables, healthcare monitors, short-range mobile hotspots, and in-car devices that will be able to make use of this spectrum without the need of a license. These applications often call for low power transmission across short distances, but at very high connection speeds, the FCC says — otherwise, existing technologies like Bluetooth could suffice. "This 1,200 MHz means unlicensed bandwidth with a mix of high capacity and low latency that is absolutely prime for immersive, real-time applications," said Jessica Rosenworcel, the FCC's outgoing chair. "These are the airwaves where we can develop wearable technologies and expand access to augmented and virtual reality in ways that will provide new opportunities in education, healthcare, and entertainment."

Because these are such low-power devices, no restrictions have been placed on where they can be used, and they will not be required to operate under the control of an automatic frequency coordination system, as some Wi-Fi equipment must to avoid interference with existing services that use the 6 GHz spectrum. However, to minimize the risk of any potential interference, the devices will be required to implement a transmit power control mechanism and employ a contention-based protocol, requiring a device to listen to the channel before transmission. They are, however, prohibited from operating as part of any fixed outdoor infrastructure.

Security

Yearlong Supply-Chain Attack Targeting Security Pros Steals 390,000 Credentials (arstechnica.com) 8

An anonymous reader quotes a report from Ars Technica: A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."

Transportation

Postal Service's Plan To Electrify Mail Trucks Falling Far Short of Its Goal (engadget.com) 99

An anonymous reader quotes a report from Engadget: The United States Postal Service unveiled a plan to buy a fleet of all-electric mail trucks for its mail carriers back in 2022, of which 3,000 were supposed to be delivered by now. Unfortunately, those plans aren't even close to fruition. The Washington Post reported that defense contractor Oshkosh has only delivered 93 vehicles so far. [...]

The Washington Post obtained nearly 21,000 government and internal company records and spoke with 20 people familiar with the trucks' manufacturing and design process. Its reporting shows that Oshkosh ran into significant manufacturing delays of the electric NGDVs that caused lower than expected delivery numbers. Some of the anonymous sources said that engineers struggled to calibrate the mail trucks' airbags, and the vehicles' body and internal components are unable to contain water leaks to an alarming degree. The turnaround time for building these new mail trucks is also very slow. The Post reports that the South Carolina factory can only build one truck per day even though Oshkosh hoped it could build at least 80 vehicles a day by now.

Oshkosh also failed to inform the Postal Service about these delays. Four of the background sources say a senior company executive tried to update the Postal Service about these manufacturing issues only to have those efforts blocked by their corporate superiors. An Oshkosh spokesperson said in a statement that the defense contractor is still "fully committed to being a strong and reliable partner" with the Postal Services and insists "we remain on track to meet all delivery deadlines," according to The Post.

Government

Officials Demand Explanation On Mysterious Drone Sightings (thehill.com) 111

An anonymous reader quotes a report from The Hill: Shaun Golden, the sheriff of Monmouth County, N.J., wants feds to get to the bottom of recent mysterious drone activity in his state. Local officials, including Golden, are urging Gov. Phil Murphy (D) to declare a state of emergency. "We continue to urge our governor to press the federal government to put more resources out here," Golden said Thursday on NewsNation's "Dan Abrams Live." "The only way we're going to solve this is by the federal government coming in here and doing full investigations as to what these things are, how their movements are made," he added.

The White House insist that the drones do not represent a threat. The Pentagon also said it currently does not appear that a foreign enemy is behind the mysterious drones in the New Jersey sky. Rep. Jeff Van Drew (R-N.J.) claimed the drones are being launched by an Iranian "mothership," but Pentagon spokesperson Sabrina Singh said during a briefing there is "not any truth to that." With the investigation ongoing, Golden has called for the governor to declare a state of emergency and to issue an executive order banning nighttime use of recreational drones.
Even more drone sightings are being reported in New York, Pennsylvania and Maryland, reports NBC News. "What is happening is outrageous. Thousands of drones and unmanned aerial systems flying above us, and our government is not telling us who's operating them and for what purpose," Rep. Nicole Malliotakis, R-N.Y., said a press conference in Staten Island on Friday. "I don't believe that the United States of America, with its military capabilities, does not know what these objects are. And what I'm asking, and what we're all asking, is for you to be straight with us and just tell us what is going on."

A senior official said there have been 79 sightings across New Jersey alone last night. "The sightings -- which occur up to 180 times per night, according to several New Jersey officials -- have remained consistent for nearly a month," adds NBC News.

Police in New Jersey are investigating a possible drone crash in Hillsborough, NJ. Police were called out at approximately 8:35 p.m. but are being extremely tightlipped, referring all questions to the FBI. A reporter asked a firefighter leaving the scene if they found anything and he said that he is not at liberty to say.

Additionally, at least four commercial airline pilots encountered mysterious, colorful circular lights "moving at extreme speeds" through the skies above Oregon this past weekend. You can listen to air traffic control audio archives from Dec. 7 via OregonLive.

German broadcaster Deutsche Welle is reporting that drones were spotted over sensitive military and industrial sites, including the U.S. air base at Ramstein in the western state of Rhineland-Palatinate.

Developing...
Privacy

UnitedHealthcare's Optum Left an AI Chatbot, Used By Employees To Ask Questions About Claims, Exposed To the Internet (techcrunch.com) 22

Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser. TechCrunch: The chatbot, which TechCrunch has seen, allowed employees to ask the company questions about how to handle patient health insurance claims and disputes for members in line with the company's standard operating procedures (SOPs).

While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealthcare, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors' medical decisions and deny patient claims.

Mossab Hussein, chief security officer and co-founder of cybersecurity firm spiderSilk, alerted TechCrunch to the publicly exposed internal Optum chatbot, dubbed "SOP Chatbot." Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.

Bitcoin

Texas House Introduces Bill To Establish a Strategic Bitcoin Reserve 162

An anonymous reader quotes a report from CNBC: Legislation was introduced in the Texas House of Representatives on Thursday to establish a strategic bitcoin reserve, which could serve as a proving ground for the U.S. Treasury. The proposed bill would enable the state to start building a strategic bitcoin reserve by accepting taxes, fees and donations in bitcoin that would be held for a minimum of five years, Republican state Rep. Giovanni Capriglione announced on an X Spaces event Thursday.

The Texas bill aims to provide a way to strengthen the state's fiscal stability and establish it as a leader in bitcoin innovation, according to the Satoshi Action Fund, a nonprofit bitcoin advocacy group that worked with Capriglione on the bill. "Probably the biggest enemy of our investments is inflation," Capriglione said. "A strategic bitcoin reserve, investing in bitcoin, would be a win-win for the state." "I just filed the bill ... entitled 'An act relating to the establishment of a bitcoin reserve within the state treasury of Texas and the management of cryptocurrencies by governmental entities,'" he said later.
"My goal is to make this bill as big and as broad as possible," Capriglione said. "This initial step is to allow some optionality and flexibility on it, but if I am able to get support from other legislators, we will make it even stronger."

It's "unlikely" a U.S. strategic bitcoin reserve will be established, "but it helps get animal spirits back into the market," Needham's John Todaro told CNBC. He said it's also "unlikely to drive material price gains, as we do not expect the U.S. government will purchase bitcoin in any meaningful capacity, but it's an item that drives excitement and optimism."
Privacy

BeReal Accused of Annoying Users Into Sharing Their Data 17

An anonymous reader shares a report: BeReal, the in the moment social media platform, is far from its 2022 heyday, but that hasn't stopped one organization from going after it. Austrian advocacy group Noyb has filed a complaint surrounding the platform's data consent banner practices. The organization claims that the banner disappears if users accept that their personal data can inform advertising practices, but if they click reject then the banner appears daily.

Noyb filed its complaint with the French data protection authority (CNIL) as Voodoo, a French company, bought BeReal in June -- the practice in question started in July. "BeReal's daily attempt to pressure its users into accepting the tracking for personalised advertising has a significant impact on user behaviour. Consent given under these circumstances is not freely given, which means it doesn't meet the requirements established in Article 4(11) GDPR," Noyb argued in its complaint. It asked the CNIL to fine BeReal and force it to be compliant.
AI

Photobucket Sued Over Plans To Sell User Photos, Biometric Identifiers To AI Companies (arstechnica.com) 22

Photobucket was sued Wednesday after a recent privacy policy update revealed plans to sell users' photos -- including biometric identifiers like face and iris scans -- to companies training generative AI models. From a report: The proposed class action seeks to stop Photobucket from selling users' data without first obtaining written consent, alleging that Photobucket either intentionally or negligently failed to comply with strict privacy laws in states like Illinois, New York, and California by claiming it can't reliably determine users' geolocation.

Two separate classes could be protected by the litigation. The first includes anyone who ever uploaded a photo between 2003 -- when Photobucket was founded -- and May 1, 2024. Another potentially even larger class includes any non-users depicted in photographs uploaded to Photobucket, whose biometric data has also allegedly been sold without consent.

Photobucket risks huge fines if a jury agrees with Photobucket users that the photo-storing site unjustly enriched itself by breaching its user contracts and illegally seizing biometric data without consent. As many as 100 million users could be awarded untold punitive damages, as well as up to $5,000 per "willful or reckless violation" of various statutes.

The Courts

WordPress Parent Company Must Stop Blocking WP Engine, Judge Rules (theverge.com) 66

WP Engine just won a preliminary injunction against WordPress.com parent company Automattic. On Tuesday, a California District Court judge ordered Automattic to stop blocking WP Engine's access to WordPress.org resources and interfering with its plugins. From a report: The preliminary injunction comes after WP Engine, a third-party WordPress hosting service, filed a lawsuit that accused Automattic and its CEO, Matt Mullenweg, of "multiple forms of immediate irreparable harm." It later asked the court to stop Mullenweg from restricting WP Engine's access to WordPress.org.

Mullenweg waged a public campaign against WP Engine in September, accusing the service of misusing the WordPress trademark and not contributing enough to the WordPress community. After blocking WP Engine from WordPress.org's servers, Automattic took control of WP Engine's ACF Plugin.

Music

Musicians Rally Behind Internet Archive in $621 Million Music Label Battle 65

Over 300 musicians have signed an open letter defending the Internet Archive against a $621 million copyright infringement lawsuit over its preservation of 78 rpm records. The letter, organized by Fight for the Future, opposes the lawsuit filed by major record labels including Universal Music Group and Sony Music.

The labels claim the Archive's Great 78 Project, which digitizes shellac discs from the 1890s-1950s, amounts to widespread copyright infringement. Musicians argue the lawsuit prioritizes corporate profits over artists' interests.
China

America's Phone Networks Could Soon Face Financial - and Criminal - Penalties for Insecure Networks (msn.com) 55

The head of America's FCC "has drafted plans to regulate the cybersecurity of telecommunications companies," reports the Washington Post, and the plans could include financial penalties phone network operators with insufficient security — "the first time the agency has asserted such powers under federal wiretapping law." Rosenworcel said the FCC's authority in this matter comes from Section 105 of the Communications Assistance for Law Enforcement Act [passed in 1994] — a single sentence that stipulates, without elaboration, that telecommunications carriers should ensure systems security "in accordance with regulations prescribed by the Commission." As one of the measures, she is seeking to require network providers to submit an annual certification to the FCC that they are implementing a cybersecurity risk management plan. In addition to imposing fines, the FCC could coordinate with other agencies to pursue criminal penalties against carriers deemed too careless on cybersecurity...

Biden administration officials said voluntary efforts to protect against aggressive Chinese hacking activity have fallen short. "We've had for the last decade voluntary public-private partnership efforts," Neuberger told The Post in a recent interview. "But we continue to see successful breaches, and in many cases, as with ransomware attacks, we continue to see pretty basic cybersecurity practices not being followed." With China's hackers becoming more brazen, pre-positioning themselves in U.S. critical networks, "we need to lock our digital doors," Neuberger said...

Cyber requirements can make a difference, she said. After the Colonial Pipeline ransomware attack in 2021 shut down one of the nation's largest energy pipelines for several days, creating a national security scare, the Transportation Security Administration issued several security directives, and today, all of the country's several dozen critical pipeline companies are in compliance, she said. Similar directives were subsequently issued for rail and aviation sectors, and the compliance rates in those industries are now at 68 and 57 percent respectively, she said.

Slashdot Top Deals