c0mmando

 

A suspected developer of a new malware strain called Styx Stealer made a “significant operational security error” and leaked data from his computer, including details about clients and earnings, researchers have found.

Styx Stealer is “a powerful malware” capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. The Israel-based cybersecurity firm Check Point, which analyzed the malware, said that it was used against its customers, though further details were not provided.

“The developer made a fatal error and leaked data from his computer, which allowed Check Point to obtain a large amount of intelligence,” researchers said in a report published last week.

The developer of Styx Stealer was found to be linked to one of the Agent Tesla threat actors known as FucosReal, who was involved in a spam campaign also targeting the company’s customers. Agent Tesla is a remote access malware that has been targeting Windows systems since 2014.

According to Check Point, the creator of Styx Stealer revealed his personal details, including Telegram accounts, emails and contacts, by debugging the stealer on his own computer using a Telegram bot token provided by a customer involved in the Agent Tesla campaign in March 2024.

“This critical OpSec failure not only compromised Styx Stealer's anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign,” researchers said.

Following the analysis, researchers were able to link Styx Stealer to a Turkish hacker known as Sty1x. This, in turn, allowed Check Point to track down FucosReal to an individual in Nigeria.

“The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights,” researchers said.

 

One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked.

In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.

“The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the Florida-based company said.

“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”

The company plans to notify those affected if there are other updates. It is unclear how someone would know they are affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.

Cybersecurity experts have known about the leaks since April, but since then the company has refused to respond to repeated requests for comment from Recorded Future News. The company stayed tight-lipped about the incident until this week, when concern about the troves of Social Security numbers (SSNs) exposed went viral on social media.

Companies and private investigators pay National Public Data to obtain criminal records, background checks and more — with the company allowing them to search billions of records instantly.

On April 7, a well-known hacker going by the name USDoD posted a database on the criminal marketplace Breached claiming it contained 2.9 billion records on U.S. citizens. The cybercriminal, best known for leaking data stolen from European aerospace giant Airbus, said it came from another hacker named “SXUL” and offered the information for $3.5 million.

While it is unclear whether anyone paid for the information, the hacker began leaking parts of the database in June and others continued to offer it for sale throughout the summer.

Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.

The data contains a person’s first and last name, three decades of address history and Social Security number. Some experts said they were also able to find a person’s parents, siblings and immediate relatives. The database includes people living and dead.

Some have noted that people who use data opt-out services were not included in the database.

While some news outlets and social media platforms have erroneously reported that 2.9 billion people had information in the breach, Hunt estimated that the database included about 899 million unique SSNs.

The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.

National Public Data is already facing lawsuits over the breach. A complaint was filed in the U.S. District Court for the Southern District of Florida two weeks ago after a California resident said he got a notice from his identity-theft protection service provider in July about the breach.

DataGrail vice president Chris Deibler said the breach shows we “are reaching the limits of what individuals can reasonably do to protect themselves in this environment.”

“The balance of power right now is not in the individual's favor. [The European Union’s] GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data,” he said.

Akhil Mittal of Synopsys Software Integrity Group added that the number of records will draw headlines but the long tail of effects on people could last years. Millions of real people will be dealing with identity theft, fraud and more for years to come due to the breach, he said.

Mittal echoed Deibler’s comments, arguing that a larger conversation needs to be started about data privacy and protection.

“It’s time for stricter regulations and better enforcement to make sure companies are really protecting our information,” Mittal said.

 

Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.

It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.

The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you'd expect to see in a breach, depending on what information the user provided in their account.

The full list of potentially impacted data points is below:

  • User ID
  • Password
  • Email address
  • Full name
  • Billing address
  • Shipping address
  • IP address
  • Social media accounts
  • Telephone numbers
  • Year of birth
  • Last four digits of your credit card number
  • Information about aircraft owned
  • Industry
  • Title
  • Pilot status (yes/no)
  • Account activity (such as flights viewed and comments posted)
  • Social Security Number

How was this data exposed? We asked FlightAware and will update the story if it responds.

The downside of filing data leak notifications in California is that the state doesn't require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.

Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.

"FlightAware values your privacy and deeply regrets that this incident occurred," it wrote in a letter being sent to affected individuals.

"Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware."

It's typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.

It's also typical for companies to offer free credit monitoring for users and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax.

 

A Kentucky man who hacked into a state registry and faked his own death to avoid paying child support was sentenced on Monday to 81 months in prison.

In January 2023, Jesse Kipf used stolen login credentials belonging to a physician to access the Hawaii Death Registry System, where he submitted and “certified” his own death — thereby avoiding paying more than $116,000 in owed child support.

He also hacked into other state death registry systems, as well as “governmental and corporate networks” using stolen credentials, and tried to sell access to those entities on the darkweb.

“Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price,” said Michael E. Stansbury, special agent in charge at the FBI’s Louisville Field Office. Kipf was convicted of computer fraud and aggravated identity theft.

In March 2023, Hawaii’s Department of Health began sending out breach notification letters after it was notified by the cybersecurity firm Mandiant that credentials belonging to an external medical death certifier account had been sold on the dark web. The account belonged to a medical certifier who worked for a local hospital but had left the job in 2021.

According to the Health Department release, the hacker accessed the account on January 20, 2023 — the same month Kipf breached the system.

That same year, Kipf also used stolen credentials to access networks belonging to Guest-Tek Interactive Entertainment Ltd. and Milestone, Inc. — specifically to networks related to the companies’ work with hotel chains, including internet connectivity services.

According to a sentencing memo from Assistant U.S. Attorney Kathryn M. Dieruf, Kipf offered for sale on darknet forums tips for how to access death registry systems, and he sold access to at least one company’s hacked databases to Russian customers. Other international buyers of stolen personal information were from Algeria and Ukraine, according to court documents.

While calling for a seven-year sentence — three more months than the one Kipf received — Dieruf asked the judge to send a message to cybercriminals.

“Similarly situated individuals must see the real danger they present to victims and be deterred from engaging in online criminal conduct by the fear of punishment,” she wrote.

“The cloak of anonymity afforded by the dark web is too alluring without the persistent threat of being brought to justice and serving a significant sentence.”

 

“Categorically unconstitutional” – that is how the US Fifth Circuit Court of Appeals has ruled about the use of geofence warrants.

This type of warrant, which enables dragnet-style mass surveillance, violates the Fourth Amendment of the Constitution, the court found.

This amendment is meant to protect citizens from unreasonable searches or seizures – but, said the court of appeals, what geofence warrants do is allow for the opposite: “General, exploratory rummaging.”

We obtained a copy of the ruling for you here.

Geofencing works by essentially treating everyone who happens to be in a geographic area during a given time as a suspect, until established otherwise.

The Electronic Frontier Foundation (EFF), a digital rights group and outspoken critic that often gets involved in legal cases to argue against this method of investigation, welcomed the court’s decision, noting that people should not have to fear having their phone with them in public because that could turn them into a criminal suspect.

The Circuit Court’s stance on geofence warrants came as it deliberated the United States v. Smith case, revolving around the police in Mississippi in 2018 resorting to obtaining this type of warrant to investigate an armed robbery and assault that took place in a post office.

Google, which is who law enforcement turns to with these warrants most of the time, obliged, turning over data from the phones to the police, who then managed to produce two suspects, later defendants.

But – even though it decided not to suppress the evidence, because it found the police were acting “in good faith” while geofencing was still a new phenomenon – the Fifth Circuit Court doesn’t think the warrants are inherently lawful, i.e., in compliance with the Constitution.

One problem cited by the judges is that police access to sensitive location data collected during the process of geofencing is “highly invasive,” since it can reveal a lot about a person, including their associations, and also lets the police “‘follow’ them into private spaces,” EFF said in explaining the court’s decision.

Another is that the warrants never specify that they apply to a particular person, as law enforcement “have no idea who they are looking for, or whether the search will even turn up a result.”

 

You might still think about Eric Schmidt as a “(big) tech guy” and businessman, but his passion for (geo)politics was always evident, even while he served as Google’s CEO.

These days, Schmidt is the chair of the Special Competitive Studies Project (SCSP), a think tank that would like to position itself as a reference point to a military alliance, NATO, and get it to “monitor disinformation in real-time.”

SCSP’s ambition is no less than to help craft new national security strategies, always with an eye on the alleged attempts to increase disinformation (here AI is to blame) – but also ways to combat that, and here, SCSP says (the US) must strengthen its “AI competitiveness.”

The goal is to “win” what’s referred to as the techno-economic competition by 2030 – there’s that deadline, favored by many a controversial globalist initiative.

Here, the group would like NATO and its members to fight against what is described as AI disinformation, that new chapter in information warfare.

Schmidt’s think tank doesn’t like what’s seen as the current reactive approach and the tired old debunking. That means there must be an “active” one – and the replacement for debunking would logically be some form of the dystopian concept of “prebunking.”

(SCSP mentions both as desirable methods in a late 2022 report, but this time shies away from using the latter term.)

SCSP wants various actors to carry out real-time surveillance of “disinformation” by means of spending money on tools fed with publicly available online data (aka, the cynically named “open source” data).

In other words, real-time mass-scale internet data scraping. Such tools already exist and are used by law enforcement, causing various levels of controversy.

Next comes prebunking, even if the latest batch of SCSP recommendations stops short of calling it that.

But what would you call it?

“NATO should provide its own positive narrative to get out ahead of disinformation, and highlight failures of authoritarian regimes, especially on their own digital platforms.”

And to make this work, SCSP wants NATO to co-opt various governments and companies, as well as NGOs. Inside the alliance, a “disinformation unit” should be formed.

Last but not least, the think tank says – “Foster healthy skepticism.”

Perhaps starting with SCSP’s own roles, goals, and affiliations.

 

The Biden administration is working to expedite widespread adoption of digital IDs, including driver’s licenses, a draft executive order indicates.

Digital IDs are a contentious concept primarily because of the concentration of – eventually – the entirety of people’s sensitive private information in centralized databases controlled by the government, and on people’s phones, “client-side.”

That in turn brings up the issues of technical security, but also privacy, and the potential for dystopian-style mass surveillance.

Proponents, on the other hand, like to focus on the “convenience” that such a shift from physical to digital personal documents is promised to bring.

In the US, some states have started this process via digital driver’s licenses, and the executive order is urging (“strongly encouraging”) both federal and state authorities to accelerate this, as well as other types of digital ID.

This policy seems to be converging on coming up, at long last, with a functional way to carry out online identity verification. Namely, digital ID would be combined with biometric data obtained through facial recognition, and other forms of biometrics harvesting.

Centralization of data – opponents say to better control it, even if that makes it less secure – is a key component of these schemes, and so the Biden executive order speaks about making it obligatory for federal agencies to join “a single government-run identity system, Login.gov,” reports say.

It is also noted that Biden initially mentioned such an executive order was coming during his 2022 State of the Union speech, but the wording reportedly became a cause of contention.

Now, that seems to have been resolved, and the only question for the administration is when Biden should sign the order, according to the same sources who saw the text.

At the same time, as states are launching their own (partial) digital ID programs, an increasing number are looking for ways to introduce online age verification and are enacting laws to this effect.

A federal-level digital ID scheme would help in these efforts to solve the “problem” of online anonymity – and in the process forever change the internet as we know it.

 

In Brazil, a significant upheaval in digital privacy and access to information is unfolding, as a notable number of reputable VPN services—including NordVPN, ExpressVPN, Surfshark, and VyprVPN—have vanished from the local iOS App Store. This move is widely believed to comply with Brazilian authorities’ directives, reflecting a concerning trend towards online censorship.

This development is particularly alarming in light of the recent decision X made to shut down its operations in the country. X terminated its operations after a protracted legal confrontation with Brazilian officials, who had accused the platform of insufficient efforts to combat disinformation, specifically its failure to block accounts spreading false information and hate speech. Despite the shutdown, X’s app is still accessible in Brazil.

The closure of X’s offices and the removal of VPNs from the App Store have spurred a significant shift toward VPN usage among Brazilians, seeking to bypass increasing online restrictions. Proton VPN reported a staggering 580% surge in new registrations recently, highlighting the growing reliance on VPNs to maintain internet freedom.

Nevertheless, acquiring these tools has become challenging. Attempts to install these apps from the iOS App Store are met with no option to download, indicating a blockade rather than a mere removal.

The current scenario underscores the critical importance of VPN services in safeguarding internet freedom in Brazil. As digital platforms face governmental pressures and the landscape of internet accessibility continues to evolve, the role of VPNs as tools for ensuring unrestricted access to information becomes ever more vital.

 

California is one of the US states that have introduced digital license plates, amid opposition from a number of rights advocates.

Now, there is a legislative effort to have GPS location tracking embedded in these plates, which are to all intents and purposes devices attached to the car.

Sponsored by Democrat Assemblywoman Lori Wilson, Bill 3138 is currently making its way through the state’s legislature. It refers to “License plates and registration cards: alternative devices,” and the bill has another sponsor – Reviver.

The company was founded by Neville Boston, formerly of the Department of Motor Vehicles (DMV), and promotes itself as the first digital license plates platform. It has made its way to both this proposal, and the law the current draft builds on – AB 984 (also sponsored by Wilson) – which was signed into law two years ago.

The problem with Reviver is that it has already had a security breach that allowed hackers to track those using the company’s digital plates in real-time. It doesn’t help, either, that the company is effectively a monopoly – the only one, the Electronic Frontier Foundation (EFF) notes, “that currently has state authorization to sell digital plates in California.”

Meanwhile, the key problem with AB 3138, warns EFF, is that it “directly undoes the deal from 2022 and explicitly calls for location tracking in digital license plates for passenger cars.”

The deal in question refers to the way AB 984 eventually managed to become law, signed by Governor Gavin Newsom: a provision that would have allowed for location tracking of private vehicles was removed at the time.

But clearly, that was just a temporary move to pacify opponents, and now Wilson – and Reviver – are back to “complete” the original effort.

EFF is urging the legislature not to approve AB 3138 and is choosing to highlight those scenarios where such GPS tracking would be detrimental to those who are ostensibly among the voters or sympathizers of Wilson and her party.

Thus, the digital rights group speaks about those seeking abortion traveling (and being tracked, unawares) from state to state, the Immigration and Customs Enforcement (ICE) using the tech, etc.

However, it’s difficult to see how adding another way for the authorities to track vehicles in real-time is not potentially detrimental to any person, as a form of invasive mass surveillance.

 

Free speech group the Foundation for Individual Rights (FIRE) has gone to court in a bid to block the Texas state age verification law, the Securing Children Online through Parental Empowerment Act (SCOPE Act, HB 18).

We obtained a copy of the complaint for you here.

This largely Republican-backed law will take effect on September 1, from which point online platforms will be under obligation to register and verify the age of all users.

This will apply if “more than a third” of content on the platforms is considered “harmful” or “obscene.”

But FIRE believes this is a form of pressure to make sure sites collect biometric and ID data from adults in Texas as they access what is lawful (to them) content.

Hence the case, Students Engaged in Advancing Texas v. Paxton, where FIRE is suing state Attorney General Ken Paxton on behalf of four plaintiffs that the group says would have their rights threatened by the SCOPE Act – unless the US District Court for the Western District of Texas issues declaratory and injunctive relief.

In other words, FIRE wants the judges to stop the enforcement of the law, which the filing brands as unconstitutional.

Said FIRE Chief Counsel Bob Corn-Revere: “In a misguided attempt to make the internet ‘safe’, Texas’ law treats adults like children. But even minors have First Amendment rights. Whether they’re 16 or 65, this law infringes on the rights of all Texans.”

This is by no means the sole voice expressing disagreement with the idea that more, and more invasive, online censorship and surveillance will result in better protection of children.

Senator Rand Paul has penned an opinion piece where he goes after the Kids Online Safety Act (KOSA), which has raised privacy, censorship, and digital ID concerns among civil rights activists.

According to Paul, what motivated those behind the legislation to come up with it is not questionable, but the actual bill falls short to the point where it “promises to be a Pandora’s box of unintended consequences.”

The senator notes that those pushing the bill insist the goal is not to regulate content, but he believes online platforms would face unprecedented demands regarding mental health harms, like anxiety, depression, and eating disorders.

However, Paul believes – “imposing a duty of care on internet platforms associated with mental health can only lead to one outcome: the stifling of First Amendment–protected speech” while at the same time empowering “speech police” to “silence important and diverse discussions that are essential to a free society.”

Paul speaks in favor of making sure those protections continue to apply and suggests coming up with “clear” rules for platforms, allowing them to comply with the law.

But KOSA, according to him, “fails to do that in almost every respect.”

The senator sees it as (yet another) bill that is too vague for (legal) comfort, so much so that “many of its key provisions are completely undefined.”

 

Although a lower court had dismissed the case, the Court of Appeals for the Ninth Circuit has decided that Google will have to go to trial after all, for allegedly secretly collecting data from Chrome users, regardless of whether they chose to sync information from the browser with their Google account.

The class action lawsuit, Calhoun v. Google LLC., accuses the tech giant of using the browser, by far the most dominant in its market, to collect browsing history, IP addresses, unique browser identifiers, and persistent cookie identifiers – all without consent.

The case was initially filed in 2020 and then dismissed in December 2022, but now the appellate court – in a ruling signed by Judge Milan D. Smith Jr. – said that, in looking into Google’s disclosures, i.e., the privacy policy agreement, the decision failed to take into account “whether a reasonable user reading them would think that he or she was consenting to the data collection.”

The plaintiffs are certain this was in fact happening without explicit permission, and consider the way Chrome was set up to work in this context to be “intentional and unlawful.”

Google on the other hand defended its actions when the case was originally filed by saying that explicit permission happened when users accepted its privacy policy. The lower court judge, Yvonne Gonzalez Rogers, accepted this argument to dismiss the case, saying Google’s disclosure about the data collection was “adequate,” and therefore had the users’ consent.

According to Judge Smith, despite its general policy, Google was pushing Chrome “by suggesting that certain information would not be sent to Google unless a user turned on sync.”

Interestingly enough, Google is removing the sync option from all versions of Chrome – after iOS, this will now be the case on desktops and Android as well. All it will take is to sign into the Google account on Chrome to link the data from the browser to the account – although signing in is not mandatory, at least for now.

A Google spokesman who commented on the decision of the court of appeals – which sent the case back to a lower court – confirmed that the change “is not related to the litigation.”

As for the litigation – “We disagree with this ruling and are confident the facts of the case are on our side. Chrome Sync helps people use Chrome seamlessly across their different devices and has clear privacy controls,” claims Jose Castaneda.

 

The push to develop digital ID and expand its use in the US is receiving a boost as the country’s National Institute of Standards and Technology (NIST) is launching a new project.

NIST’s National Cybersecurity Center of Excellence (NCCoE) has teamed up with 15 large financial and state institutions, as well as tech companies, to research and develop a way of integrating Mobile Driver’s License (mDL) into financial services. But according to NIST, this is just the start and the initial focus of the program.

The agreement represents an effort to tie in yet more areas of people’s lives in their digital ID (“customer identification program requirements” is how NIST’s announcement describes the focus of this particular initiative). These schemes are often criticized by rights advocates for their potential to be used as mass surveillance tools.

Now NIST’s initiative brings together this institution and the American Association of Motor Vehicle Administrators (AAMVA), California Department of Motor Vehicles, Department of Homeland Security (DHS) – Science and Technology Directorate, New York State Department of Motor Vehicles, JP Morgan Chase, Wells Fargo, and Microsoft.

Among the other participants are companies specializing in digital ID: IDEMIA, MATTR Limited, iLabs, SpruceID, and the OpenID Foundation (plus US Bank and Block Inc.).

They were chosen after submitting a response regarding their capabilities via the Federal Register, and have now received collaborative research and development agreements, known as CRADA.

Those who are now in will work within the project’s three phases, dubbed Define, Assemble, and Build. The first will set the scope of work along with industry participants, the second should produce teams with members from the industry, government, and academia, while the “Build” phase is to focus on “creating practical modules and prototypes to address cybersecurity challenges.”

They will now collaborate with NCCoE to speed up the adoption of digital ID standards, a press release said, as well as best practices by developing “reference architectures, representative workflows, and implementation guides to address real-world cybersecurity, privacy, and usability challenges faced by the adoption of mDL in the financial sector.”

NIST’s NCCoE itself is set up as a hub dealing with cybersecurity and often works with government, industry, and academia on developing precisely this type of standards.

The call to respond to the mobile driver’s license project collaboration was first issued a year ago, in late August 2023.

[–] [email protected] 3 points 4 weeks ago

Unless you’re criminal you shouldn’t be worried in any way.

I'm not worried.

darknet communities should exist but not when they break the law.

You all just sound like a bunch of wanna-be cops to me.

No sane person can argue selling h**oin or someone's bank account details is something noble and we should all be very upset about it when it's disrupted.

Actually any sane person could argue that PROHIBITION does not work, and by attacking darknet marketplaces what you're doing is making it so drug addicts need to take even more risk buying random shit from street vendors instead of vetted dark web marketplace vendors.

I don't think any of us support your virtue signaling, go attack some child predators or something.

[–] [email protected] 4 points 4 weeks ago (4 children)

as if dealing with the feds wasn't enough, now we gotta deal with hacktivist bootlickers

[–] [email protected] 2 points 1 month ago (1 children)

also consider any prior activity from this used phone will now be associated with you. when people are considering switching to grapheneos, i typically recommend buying a new pixel 7a in store using cash.

[–] [email protected] 3 points 1 month ago (1 children)
[–] [email protected] 14 points 2 months ago

this leads to you not being able to use the internet without associating it with your digital id

[–] [email protected] -2 points 2 months ago (2 children)

thanks for sharing, Monero is the way.

[–] [email protected] 5 points 2 months ago* (last edited 2 months ago)

the modem or mobile router in the car is what can be tracked by telcos via IMEI pings with or without an ESIM. telematics units can be disabled by pulling fuses and you should also call to opt out with most car manufacturers.

[–] [email protected] 1 points 2 months ago (1 children)

Thanks for the post, I've made links.hackliberty.org available over Tor at http://snb3ufnp67uudsu25epj43schrerbk7o5qlisr7ph6a3wiez7vxfjxqd.onion
