Members of ransomware gang Lockbit arrested by law enforcement

International law enforcement, led by the UK’s National Crime Agency, has disrupted ransomware gang Lockbit's operation. The group behind notable hacks against aircraft manufacturer Boeing, chip giant Taiwan Semiconductor Manufacturing Company, sandwich chain Subway and thousands more had its site taken offline on Monday while authorities arrested major players behind the gang. "This site is now under the control of law enforcement," the website reads. According to malware repository Vx-underground, law enforcement took down at least 22 Lockbit-affiliated Tor sites.

"Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems," National Crime Agency Director General, Graeme Biggar, said in a statement. “As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity."

Lockbit admitted defeat, too. In a statement to Vx-underground, the group said "FBI pwned me." Operation Cronos, the name law enforcement used for their efforts, also resulted in the seizure of source code and other useful data related to Lockbit's operations. At the same time, authorities in Poland, Ukraine and the US arrested key members of the ransomware operation. There are sanctions out for two more Lockbit affiliates in Russia.

There's more good news for Lockbit victims, too: The operation obtained keys from Lockbit to create a decryption tool for victims to get their data back, according to US Attorney General Merrick Garland. The free decryptors can be found via the No More Ransom project.

Since 2019 when Lockbit first entered the scene, it's squeezed victims for more than $120 million in ransomware payments, according to acting assistant AG Nicole Argentieri.

This article originally appeared on Engadget at

Defense Department alerts over 20,000 employees about email data breach

The Department of Defense sent a data breach notification letter to thousands of current and former employees alerting that their personal information had been leaked, DefenseScoop reported on Tuesday. While the department first detected the incident in early 2023, the notifications didn't begin to go out until earlier this month. More than 20,000 individuals appear to be affected by the breach.

The letter explains that email messages were "inadvertently exposed to the internet" by a Defense Department "service provider." The emails contained personally identifiable information. While the agency doesn't clarify what type of information, PII generally includes details like Social Security numbers, home addresses or other sensitive information. "While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation," the letter says. It urges affected parties to sign up for identity theft protection.

According to TechCrunch, the breach stems from an unsecured cloud email server that leaked sensitive emails onto the web. The Microsoft server, which was likely misconfigured, could be accessed from the internet without so much as a password.

"As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure," the Department of Defense said in a statement. "DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing."

HIPAA protects health data privacy, but not in the ways most people think

The “P” in HIPAA doesn’t stand for privacy. It’s one of the first things a lot of experts will say when asked to clear up any misconceptions about the health data law. Instead, it stands for portability — it’s called the Health Insurance Portability and Accountability Act — and describes how information can be transferred between providers. With misinterpretations of HIPAA starting with just its name, misunderstandings of what the law actually does greatly impair our ability to recognize which kinds of data do and don't fall under its scope. That’s especially true as a growing number of consumer tech devices and services gather troves of information related to our health.

We often consider HIPAA a piece of consumer data privacy legislation because it did direct the Department of Health and Human Services to come up with certain security provisions, like breach notification regulations and a health privacy rule for protecting individually identifiable information. But when HIPAA went into effect in the 1990s, its primary aim was improving how providers worked with insurance companies. Put simply, “people think HIPAA covers more than it actually does,” said Daniel Solove, professor at George Washington University and CEO of privacy training firm TeachPrivacy.

HIPAA has two big restrictions in scope: a limited set of covered entities, and a limited set of covered data, according to Cobun Zweifel-Keegan, DC managing director of the International Association of Privacy Professionals. Covered entities include healthcare providers like doctors and health plans like health insurance companies. The covered data refers to medical records and other individually identifiable health information used by those covered entities. Under HIPAA, your general practitioner can't sell data related to your vaccination status to an ad firm, but a fitness app (which wouldn't be a covered entity) that tracks your steps and heart rate (which aren't considered covered data) absolutely can.

“What HIPAA covers, is information that relates to health care or payment for health care, and sort of any piece of identifiable information that’s in that file,” Solove said. It doesn’t cover any health information shared with your employer or school, like if you turn in a sick note, but it does protect your doctor from sharing more details about your diagnosis if they call to verify.

A lot has changed in the nearly 30 years since HIPAA went into effect, though. The legislators behind HIPAA didn’t anticipate how much data we would be sharing about ourselves today, much of which can be considered personally identifiable. So, that information doesn’t fall under its scope. “When HIPAA was designed, nobody really anticipated what the world was going to look like,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation. HIPAA isn’t badly designed; it just can’t keep up with the state we’re in today. “You're sharing data all the time with other people who are not doctors or who are not the insurance company,” said Tien.

Think of all the data collected about us on the daily that could provide insight into our health. Noom tracks your diet. Peloton knows your activity levels. Calm sees you when you’re sleeping. Medisafe knows your pill schedule. Betterhelp knows what mental health conditions you might have, and less than a year ago was banned by the FTC from disclosing that information to advertisers. The list goes on, and much of it can be used to sell dietary supplements or sleep aids or whatever else. “Health data could be almost limitless,” so if HIPAA didn’t have a limited scope of covered entities, the law would be limitless, too, Solove said.

Not to mention the number of inferences that firms can make about our health based on other data. An infamous 2012 New York Times investigation detailed how, just from someone’s online searches and purchases, Target can figure out that they’re pregnant. HIPAA may not protect your medical information from being viewed by law enforcement officers. Even without a warrant, cops can get your records just by saying that you’re a suspect (or victim) of a crime. Police have used pharmacies to gather medical data about suspects, but other types of data like location information can provide sensitive details, too. For example, it can show that you went to a specific clinic to receive care. Because of these inferences, laws like HIPAA won’t necessarily stop law enforcement from prosecuting someone based on their healthcare decisions.

Today, state-specific laws are cropping up across the US to help target some of the health data privacy gaps that HIPAA doesn’t cover. This means going beyond just medical files and healthcare providers to encompass more of people’s health data footprint. The approach varies between states: California, for example, provides options to charge anyone who negligently discloses medical information, and Pennsylvania offers some additional breach protections for consumers, but Washington state recently passed a law specifically targeting HIPAA’s gaps.

Washington State’s My Health My Data Act, passed last year, aims to “protect personal health data that falls outside the ambit of the Health Insurance Portability and Accountability Act,” according to a press release from Washington’s Office of the Attorney General. Any entity that conducts business in the state of Washington and deals with personal information that identifies a consumer’s past, present or future physical or mental health status must comply with the act’s privacy protections. Those provisions include the right not to have your health data sold without your permission and having health data deleted via written request. Under this law, unlike HIPAA, an app tracking someone’s drug dosage and schedule or the inferences made by Target about pregnancy would be covered.

My Health My Data is still rolling out, so we’ll have to wait and see how the law impacts national health data privacy protections. Still, it’s already sparking copycat laws in states like Vermont.

US officials believe Chinese hackers lurk in critical infrastructure

Chinese hackers have been hiding in US critical infrastructure for at least the last five years, CNN reported on Wednesday. By lurking behind the scenes of transportation, water, electricity and other important systems, the hackers have the opportunity to strike whenever they deem the time is right, US officials say in a 50-page report on the subject. A public version of the full document is set to be released next week.

Officials from the FBI and the Justice Department previously issued a court order to update software that could succumb to Chinese hacking. The effort aimed to fight Chinese hacking by remotely disabling certain affected systems. According to the department, it was able to remove code from hundreds of internet routers that could have let Chinese hackers in.

The forthcoming report reveals just how long this has been going on, and how bad a potential cyberattack could be. It's set to detail hackers' techniques, while providing guidance to companies behind critical infrastructure systems on how to find Chinese hackers in their systems. There are no signs in the report that hackers have acted maliciously against US infrastructure yet.

Hackers started by getting into IT systems and, from there, working their way into more important tech behind US infrastructure. They also broke into security cameras at some of the facilities and, in another case, accessed water treatment plants, the report says.

Last week, FBI director Christopher Wray warned Congress that Chinese hackers were preparing to wreak havoc on US critical infrastructure systems. "Cyber threats to our critical infrastructure represent real world threats to our physical safety," he said at the hearing.

How security experts unravel ransomware

Hackers use ransomware to go after every industry, charging as much money as they can to return access to a victim's files. It’s a lucrative business to be in. In the first six months of 2023, ransomware gangs bilked $449 million from their targets, even though most governments advise against paying ransoms. Increasingly, security professionals are coming together with law enforcement to provide free decryption tools — freeing locked files and eliminating the temptation for victims to pony up.

There are a couple of main ways that ransomware decryptors go about coming up with tools: reverse engineering for mistakes, working with law enforcement and gathering publicly available encryption keys. The length of the process varies depending on how complex the code is, but it usually requires information on the encrypted files, unencrypted versions of the files and server information from the hacking group. “Just having the output encrypted file is usually useless. You need the sample itself, the executable file,” said Jakub Kroustek, malware research director at antivirus business Avast. It’s not easy, but it does pay dividends to the impacted victims when it works.

First, we have to understand how encryption works. For a very basic example, let's say a piece of data might have started as a cognizable sentence, but appears like "J qsfgfs dbut up epht" once it's been encrypted. If we know that one of the unencrypted words in "J qsfgfs dbut up epht" is supposed to be "cats," we can start to determine what pattern was applied to the original text to get the encrypted result. In this case, it's just the standard English alphabet with each letter moved forward one place: A becomes B, B becomes C, and "I prefer cats to dogs" becomes the string of nonsense above. It’s much more complex for the sorts of encryption used by ransomware gangs, but the principle remains the same. The pattern of encryption is also known as the 'key', and by deducing the key, researchers can create a tool that can decrypt the files.

Some forms of encryption, like the Advanced Encryption Standard with 128-, 192- or 256-bit keys, are virtually unbreakable. At its most advanced level, bits of unencrypted "plaintext" data, divided into chunks called "blocks," are put through 14 rounds of transformation, and then output in their encrypted — or "ciphertext" — form. “We don’t have the quantum computing technology yet that can break encryption technology,” said Jon Clay, vice president of threat intelligence at security software company Trend Micro. But luckily for victims, hackers don’t always use strong methods like AES to encrypt files.

While some cryptographic schemes are virtually uncrackable, cryptography is a difficult science to perfect, and inexperienced hackers will likely make mistakes. If the hackers don’t apply a standard scheme, like AES, and instead opt to build their own, the researchers can then dig around for errors. Why would they do this? Mostly ego. “They want to do something themselves because they like it or they think it's better for speed purposes,” Jornt van der Wiel, a cybersecurity researcher at Kaspersky, said.

For example, here’s how Kaspersky decrypted the Yanluowang ransomware strain. It was a targeted strain aimed at specific companies, with an unknown list of victims. Yanluowang used the Sosemanuk stream cipher to encrypt data: a free-for-use process that encrypts the plaintext file one digit at a time. Then, it encrypted the key using an RSA algorithm, another type of encryption standard. But there was a flaw in the pattern. The researchers were able to compare the plaintext to the encrypted version, as explained above, and reverse engineer a decryption tool that is now available for free. In fact, the No More Ransom project already offers decryptors for many strains that have been cracked this way.

Ransomware decryptors will use their knowledge of software engineering and cryptography to get the ransomware key and, from there, create a decryption tool, according to Kroustek. More advanced cryptographic processes may require either brute forcing, or making educated guesses based on the information available. Sometimes hackers use a pseudo-random number generator to create the key. A true RNG will be random, duh, but that means it won’t be easily predicted. A pseudo-RNG, as explained by van der Wiel, may rely on an existing pattern in order to appear random when it's actually not — the pattern might be based on the time it was created, for example. If researchers know a portion of that, they can try different time values until they deduce the key.
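As an added illustration of two of the recovery approaches described above (deducing a shift key from one known plaintext word, and trying candidate timestamps against a key derived from a time-seeded pseudo-RNG), here is example code that is not from the article or from any of the researchers quoted. The toy XOR "ransomware" scheme, the PDF sample file, the hidden timestamp and the search window are all constructed for this example.

```python
"""Added example: two of the decryptor techniques described above.

Part 1 recovers the key of the article's shift cipher from one known word.
Part 2 recovers a key derived from a pseudo-RNG seeded with the file's
creation time by trying candidate timestamps against a known file header.
The toy XOR "ransomware" scheme, the sample file and the timestamps are all
constructed for this example; they are not from any real strain.
"""
import random
from typing import Optional


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Undo a Caesar shift of `key` places; non-letters pass through."""
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def recover_shift_key(ciphertext: str, known_word: str) -> Optional[int]:
    """Known-plaintext attack on the shift cipher: all 26 possible keys are
    tried and the one that turns some ciphertext word into the known word is
    returned (None if no key works, i.e. the scheme is not a plain shift)."""
    for key in range(26):
        words = shift_decrypt(ciphertext, key).lower().split()
        if known_word.lower() in words:
            return key
    return None


def toy_keystream(seed: int, length: int) -> bytes:
    """Constructed weak key derivation: the 'key' is whatever Python's
    deterministic PRNG emits after being seeded with a Unix timestamp."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def toy_encrypt(data: bytes, seed: int) -> bytes:
    """XOR the data with the time-seeded keystream (decryption is identical)."""
    return bytes(p ^ k for p, k in zip(data, toy_keystream(seed, len(data))))


def recover_time_seed(ciphertext: bytes, known_header: bytes,
                      window_start: int, window_end: int) -> Optional[int]:
    """Try every timestamp in [window_start, window_end). Only the first
    len(known_header) keystream bytes are needed to test a candidate, so each
    guess is cheap; the seed that restores the known header is the key."""
    n = len(known_header)
    for seed in range(window_start, window_end):
        if toy_encrypt(ciphertext[:n], seed) == known_header:
            return seed
    return None


# Constructed incident: a PDF (fixed, well-known header) encrypted at a
# timestamp the decryptor knows only roughly (e.g. from file mtimes).
PDF_HEADER = b"%PDF-1.7\n"
SAMPLE_FILE = PDF_HEADER + b"% constructed sample document body\n"
SECRET_SEED = 1_700_000_000           # the attacker's creation time (hidden)
ENCRYPTED_FILE = toy_encrypt(SAMPLE_FILE, SECRET_SEED)


def run_demo() -> dict:
    """Run both recoveries on the constructed samples and return the results."""
    cipher_sentence = "J qsfgfs dbut up epht"
    shift_key = recover_shift_key(cipher_sentence, "cats")
    # The decryptor's rough estimate is 15 minutes off; search an hour around it.
    guess = SECRET_SEED + 900
    seed = recover_time_seed(ENCRYPTED_FILE, PDF_HEADER, guess - 1800, guess + 1800)
    return {
        "shift_key": shift_key,
        "sentence": shift_decrypt(cipher_sentence, shift_key) if shift_key is not None else None,
        "seed": seed,
        "file": toy_encrypt(ENCRYPTED_FILE, seed) if seed is not None else None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The same search generalizes to any key derivation whose only secret input is a guessable value, which is why a decryptor needs the sample executable rather than just the encrypted output.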

But getting that key often relies on working with law enforcement to get more information about how the hacking groups work. If researchers are able to get the hacker’s IP address, they can request the local police to seize servers and get a memory dump of their contents. Or, if hackers have used a proxy server to obscure their location, police might use traffic analyzers like NetFlow to determine where the traffic goes and get the information from there, according to van der Wiel. The Budapest Convention on Cybercrime makes this possible across international borders because it lets police request an image of a server in another country urgently while they wait for the official request to go through.

The server provides information on the hacker’s activities, like who they might be targeting or their process for extorting a ransom. This can tell ransomware decryptors the process the hackers went through in order to encrypt the data, details about the encryption key or access to files that can help them reverse engineer the process. The researchers comb through the server logs for details in the same way you may help your friend dig up details on their Tinder date to make sure they’re legit, looking for clues or details about malicious patterns that can help suss out true intentions. Researchers may, for example, discover part of the plaintext file to compare to the encrypted file to begin the process of reverse engineering the key, or maybe they’ll find parts of the pseudo-RNG that can begin to explain the encryption pattern.

Working with law enforcement helped Cisco Talos create a decryption tool for the Babuk Tortilla ransomware. This version of ransomware targeted healthcare, manufacturing and national infrastructure, encrypting victims' devices and deleting valuable backups. Avast had already created a generic Babuk decryptor, but the Tortilla strain proved difficult to crack. The Dutch Police and Cisco Talos worked together to apprehend the person behind the strain, and gained access to the Tortilla decryptor in the process.

But often the easiest way to come up with these decryption tools stems from the ransomware gangs themselves. Maybe they’re retiring, or just feeling generous, but attackers will sometimes publicly release their encryption key. Security experts can then use the key to make a decryption tool and release that for victims to use going forward.

Generally, experts can’t share a lot about the process without giving ransomware gangs a leg up. If they divulge common mistakes, hackers can use that to easily improve their next ransomware attempts. If researchers tell us what encrypted files they’re working on now, gangs will know they’re on to them. But the best way to avoid paying is to be proactive. “If you’ve done a good job of backing up your data, you have a much higher opportunity to not have to pay,” said Clay.

Fallout from the Fulton County cyberattack continues, key systems still down

Key systems in Fulton County, Georgia have been offline since last week when a 'cyber incident' hit government systems. While the county has tried its best to continue operations as normal, phone lines, court systems, property records and more all went down. The county has not yet confirmed details of the cyber incident, such as what group could be behind it or motivations for the attack. As of Tuesday, there did not appear to be a data breach, according to Fulton County Board of Commissioners Chairman Robb Pitts.

Fulton County made headlines in August as the place where prosecutors chose to bring election interference charges against former president Donald Trump. But don't worry, officials assured the public that the case had not been impacted by the attack. “All material related to the election case is kept in a separate, highly secure system that was not hacked and is designed to make any unauthorized access extremely difficult if not impossible,” said Fulton County District Attorney Fani Willis.

Despite this, Fulton County election systems did not appear to be the target of the attack. While Fulton County's Department of Registration and Elections went down, “there is no indication that this event is related to the election process,” Fulton County said in a statement. “In an abundance of caution, Fulton County and the (Georgia) Secretary of State’s respective technology systems were isolated from one another as part of the response efforts.”

So far, the impact of the attack ranges widely from delays getting marriage certificates to disrupted court hearings. On Wednesday, a miscommunication during the outage even let a murder suspect out of custody. A manhunt continues after officials mistakenly released the suspect while he was being transferred between Clayton County and Fulton County for a hearing.

The county has not released information on when it expects systems to be fully restored, but it is working with law enforcement on recovery efforts. In the meantime, while constituents have trouble reaching certain government services, Fulton County put out a list of contact information for impacted departments. Fulton County also released a full list of impacted systems.

While the government IT outages occurred, a local student also hacked into Fulton County Schools systems, according to StateScoop on Friday. The school system is still determining if any personal information may have been breached, but most services came back online by Monday.

LoanDepot discloses that hackers breached personal data of 16 million customers

As mortgage lender LoanDepot continues recovery efforts from a ransomware attack, it revealed on Monday that hackers stole data from more than 16 million customers. A Securities and Exchange Commission filing from the mortgage lender did not detail what kind of information the hackers breached, only that "an unauthorized third party gained access to sensitive personal information."

LoanDepot first revealed it had fallen victim to an attack on January 8. The company took some IT systems offline, but it faced a slow recovery. Customers took to social media to complain about payment issues, struggles to access their accounts and even trouble closing deals on mortgages. By Friday, about two weeks after LoanDepot first came forward about the incident, systems like customer portals and other internal sites came back online. It appears that LoanDepot fell victim to a ransomware attack, where hackers demand money in exchange for access or information, according to reporting from TechCrunch.

"Unfortunately, we live in a world where these types of attacks are increasingly frequent and sophisticated, and our industry has not been spared. We sincerely regret any impact to our customers,” LoanDepot CEO Frank Martell said in a statement.

The true aftermath of the attack is still coming to light. LoanDepot did not provide additional comment, or explain what types of sensitive information may have been revealed. It did say it would offer free credit monitoring and identity protection services to impacted customers. Notably, three other major financial institutions — Mr. Cooper Group, Fidelity National Financial, First American Financial — have also been hit by cyberattacks in recent months.

Carnegie Mellon reveals it was hit by a cyberattack over the summer

A cyberattack hit Carnegie Mellon University last summer and the attackers breached personal data, according to a disclosure from the school last week. The Pittsburgh-based university known for its top tech and computer science programs said on Friday that the attack impacted 7,300 students, employees, contractors and other affiliates.

"There is no evidence of fraud or inappropriate use of the information from those files," a statement from CMU said. Still, the attackers likely accessed and copied data that included names, social security numbers and birth dates. With help from law enforcement, CMU disabled any access to that copied data, according to the school.

It started on August 25 when unauthorized users accessed CMU's systems. The university says it began recovery processes and an investigation into the incident that concluded months later in December, while notifications to impacted parties began to go out last week. Impacted parties will receive credit monitoring services to mitigate further damage.

CMU did not respond to a request for comment and further information about the attack by the time of publication.

Apparel supplier for North Face, Vans admits its cyberattack led to a data breach of 35 million customers

Major apparel supplier VF Corp followed up on its December cyberattack disclosure, with its latest Securities and Exchange Commission form admitting to a data breach impacting up to 35.5 million customers. That means if you've purchased from its major brands like Vans, North Face, Timberland, Dickies and more, you may have been impacted. But VF Corp still insists that the incident won't hurt its financial performance.

Initially, VF Corp warned customers that the cyberattack it experienced in December could have an impact on its holiday order fulfillment. The company said "unauthorized occurrences" on its IT systems caused operational disruptions, and the attackers likely stole personal information. Now, it's come out just how widespread the damage from the attack could be.

VF Corp did not respond to a request for comment clarifying what type of data the hackers stole. In the SEC filing, however, the company said it did not collect consumer Social Security numbers, bank account information or payment card information, and that there is no evidence the hackers stole passwords. It also said that the unauthorized users were "ejected" from its systems by December 15, after being discovered two days earlier.

"Since the filing of the Original Report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts," the latest filing states. VF still has not confirmed who was behind the attack.

The year of the passkey is still far away

In 2023, passkeys popped up all over the place. Big tech companies embraced them, which trickled down to smaller firms, until passkeys became a ubiquitous part of any security conversation. To give passkeys the credit they deserve, top security experts agree that the new way of logging in comes with greater security. Like every other security advancement from SMS-based multifactor authentication to hardware authentication keys, however, adoption lags because people still hesitate to make the leap.

Passkeys let you log in without a password. Instead, they create a digital authentication credential, or a "key," between your device and the site or service you want to log in to, which is used to verify your identity. In practice, this usually looks like a fingerprint or face scan to prove that it's really you, and the rest happens on the cryptographic backend. Support for the new way of logging in skyrocketed in 2023, going from “a handful of sites with no users to hundreds of sites with billions of accounts” that could potentially log in using passkeys, according to Andrew Shikiar, executive director of the FIDO Alliance, one of the organizations driving passkey adoption.

To understand the scope of end user passkey adoption, I asked around a bit. Companies that touted passkey compliance, like password manager Bitwarden, declined to share specific figures about adoption. Competitor Dashlane’s chief product officer Donald Hasson shared that the company is seeing about 20,000 passkey-based sign-ins per month, “with growth doubling quarter over quarter.” It’s impressive, but worth noting that it still appears to be a small fraction of actual Dashlane users.

Travel company Kayak told Engadget that it switched completely over to passkeys at the end of last year, which is certainly one way to push people on board. Users can either use single sign-on, passkeys or an email to log on. There are still some legacy password users, but they’re being phased out by being pushed to switch to the other options when they attempt to log on, said Matthias Keller, chief scientist and senior vice president of technology at KAYAK. “Sign in with Google and sign in with Apple are very popular because they're probably still the easiest experience if you're already logged into these systems,” Keller said. “For new account creation, we see, I would say, around two-thirds of users taking the passkey option.” Still, he declined to share specific login figures. We reached out to Adobe, Apple, GitHub, LinkedIn, Nintendo, PayPal, Roblox, Robinhood, TikTok, and Uber about passkey implementation, but none had responded by the time of publication.

Shikiar sees the switch to passkeys playing out like biometrics (e.g. fingerprint and face ID). Switching to passkeys aligns more with the seamless single action you get from just looking at your phone to unlock it, not the clunky steps of MFA that involve another device or extra time to access an account, Shikiar said. The problem, in short, is that we’re stuck in our ways. We love our passwords, no matter how many times we’re told that they’re fallible. The username and password combination has been our comfort zone for logging in since the dawn of computer accounts, and users will drag their heels to avoid any change. We saw this with the slow adoption of multifactor authentication that still falls behind today.

Users are slow to adopt passkeys, and companies are still catching up, too. It is getting easier for smaller companies to adopt passkeys because they no longer need to build out support in-house. For example, password manager 1Password launched Passage last year as a way for businesses to support passkey authentication without having to DIY the infrastructure. But while passkeys have caught on in principle, a year of transformative passkey adoption is still far away.

Security analyst and consultant Cole Grolmus detailed why consumers have been slow to adopt passkeys in October. He set out to change as many logins as possible from passwords to passkeys and, despite being all in on passkeys in principle, ran into roadblock after roadblock. Out of the 374 apps Grolmus uses, only 17 supported passkeys, which led him to conclude we’ll be stuck with passwords for the foreseeable future. “The hype is very well merited,” Grolmus told Engadget. “At the same time, I think you just have to be realistic about the amount of time that it takes for any technological change, particularly ones involving consumer adoption, to play out.”

Still, passkeys could mark a shift in personal security if we give them time to play out. New ways of doing things often struggle to replace the entrenched patterns we’ve gotten used to, even if the new paradigm is superior on paper. At least passkeys smooth out the login experience, as opposed to adding another security hurdle like we saw with MFA. Once people see that passkeys can be a “wonderful experience,” they’ll make the switch, said Grolmus.

If you have the chance to switch to passkeys, it's worth a shot. If you use PayPal, Shopify, Uber, Roblox or other big name companies (the list goes on), you can get it set up today, but keep in mind, most services probably don't have the option, and might not for a while.
