
US Government Bans the Sale of Kaspersky Lab Software Citing National Security Threat

Qilin threat group releases 400GB of data stolen in London hospital attacks, Auto software provider suffers second cyberattack as dealerships head into extended service shutdown, UnitedHealth starts notifying victims of Change Healthcare attack, Japan confirms number of satellite cyberattacks, Hackers are selling LendingTree data stolen in Snowflake attack, 12K Santander employees' data leaked in Snowflake attack, TikTok says US refused to negotiate settlement prior to ban, IT Army of Ukraine knocked out payment processing at Russian banks, much more

In the first ban of its kind on a foreign company, the US Commerce Department said it would ban sales in the US of software built by Russian antivirus vendor Kaspersky Lab based on longstanding concerns that the software firm poses a significant national-security threat.

US officials described the ban as a “full prohibition” on selling to US businesses or individuals. Additionally, the administration is adding Kaspersky Lab to a list that limits US suppliers' ability to do business with the company.

For years, Kaspersky has struggled to quell Western security officials' concerns that it could be a digital Trojan horse that unwittingly allowed Russian entry into sensitive computer networks.

“When you think about national security, you may think about guns and tanks and missiles. But the truth is increasingly, it’s about technology,” Commerce Secretary Gina Raimondo said. She said installing software from adversaries like Russia and China “makes all Americans vulnerable.”

“Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns,” the company said. “Kaspersky does not engage in activities which threaten U.S. national security.”

Raimondo said the ban resulted from an “extremely thorough investigation” into the firm. The investigation was motivated by Kaspersky Lab’s alleged ties to the Russian government, which Raimondo said could compel the company to abuse its software embedded on customer computers, as well as Russia’s continued offensive cyber operations against the US.

The prohibition is being enacted under the department’s online security rules, known as Information and Communications Technology and Services regulations. The rules aim to protect US internet users from various threats, including spying and disinformation, that could come from technologies and internet services based in potentially hostile countries. The rules allow the outright ban of particular apps, among other remedies.

The new actions bar Kaspersky Lab from entering into new agreements with U.S. customers beginning July 20. Officials said that the firm can provide existing customers with software and security updates until Sept. 29. Violations of these deadlines could be met with criminal or civil penalties. 

Individuals and businesses that continue to use Kaspersky Lab software aren’t subject to any penalties, Raimondo said, but she encouraged all Americans “in the strongest possible terms” to stop using the software “in order to protect yourself and your data and your family.” (Dustin Volz / Wall Street Journal)

Qilin, the ransomware group that carried out a devastating cyberattack on Synnovis, a private pathology firm that analyses blood tests for the hospitals of Guy’s and St Thomas’ NHS Foundation Trust (GSTT) and King’s College Hospital NHS Foundation Trust, has allegedly published on its dark web site almost 400GB of data it stole during the attack.

NHS England said it had “been made aware that the cyber-criminal group published data last night which they claim belongs to Synnovis and was stolen as part of this attack. We know how worrying this development may be for many people. We are taking it very seriously.”

Qilin has published 104 files, each containing 3.7GB of data, on a dedicated dark website. The post is topped with an image of the Synnovis logo, a description of the company, and a link to its website.

The data purportedly includes patient names, dates of birth, NHS numbers, and descriptions of blood tests, although it is not known if test results have also been leaked. There are also business account spreadsheets detailing financial arrangements between hospitals and GP services and Synnovis. (Joe Tidy / BBC News and Geneva Abdul and Dan Milmo / The Guardian)

Auto retailers and dealerships across the US faced another day of outages after a second cyberattack targeted tech company CDK Global, which develops software for managing auto customers and their vehicles and serves 15,000 customers across the US.

In a message to customers, the company said the additional cyberattack late Wednesday may result in extended outages. “At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available at a minimum on Thursday,” the message read. 

CDK said that its customer support teams “remain unavailable” as a precautionary measure to maintain security. 

CDK spokesperson Lisa Finney said, “In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.” (Zack Whittaker / TechCrunch)

In a public notice about the February ransomware hack on its Change Healthcare unit, UnitedHealth Group said it is notifying the estimated one-third of the country whose private data may have been exposed in the attack.

UnitedHealth said it expects to begin mailing letters to potentially affected individuals in late July but may not have addresses for all of them. The company said individuals can enroll in free credit monitoring for two years.

Patient information is protected under the Health Insurance Portability and Accountability Act, or HIPAA. HIPAA’s Breach Notification Rule requires covered entities and their business associates to notify affected individuals when their protected health information is exposed.

Information made vulnerable in the UnitedHealth attack is believed to include health insurance member IDs, patient diagnoses, treatment information, social security numbers, and billing codes used by providers.

In May, the US Department of Health and Human Services said healthcare providers can ask UnitedHealth to notify people impacted by the hack on their behalf. Following the hack, some providers urged HHS to make UnitedHealth solely responsible for issuing breach notifications. (Amina Niasse / Reuters)

Japan’s Chief Cabinet Secretary Yoshimasa Hayashi acknowledged that the Japan Aerospace Exploration Agency, or JAXA, has had “a number of” cyberattacks since late last year but said sensitive information related to rockets and satellites was unaffected.

He said JAXA has investigated the extent of illegal access, shut down the affected networks, and verified that they did not contain classified information about rocket and satellite operations and national security.

Hayashi vowed to strengthen Japan’s ability to counter cyberattacks. (Mari Yamaguchi / Associated Press)

According to a source, hackers are selling data about consumers of the LendingTree Inc. subsidiary QuoteWizard after the company detected unauthorized access on a cloud database hosted by Snowflake.

The source said the data is being sold to the highest bidder. The hack has had no impact on operations, and LendingTree is still investigating the size and scope of the theft.

“This is an ongoing investigation, and as soon as that investigation is complete we will notify all the impacted customers,” said Arun Sankaran, LendingTree’s chief information security officer.

LendingTree has said that the breach didn’t affect information linked to the parent company or financial account information of QuoteWizard customers. (Charles Gorrivan / Bloomberg)

Related: PYMNTS, Marketwatch

Information about more than 12,000 US-based employees of Spanish banking giant Santander was leaked in a May breach connected to the cloud storage provider Snowflake.

Santander was one of the first organizations to report a breach in the Snowflake incident, which involved a string of attacks on the storage provider’s customers.

Santander informed regulators of the breach on Wednesday, warning that the information of 12,786 employees was accessed during an incident the company believes began on April 17.

The bank said it learned of the breach on May 10 after discovering that hackers had accessed records from a third-party database used by one of its affiliates.

“Santander’s investigation subsequently determined that the records contained certain Company employees’ personal information that may have included your name, Social Security number, and bank account information used for direct deposit for payroll,” the breach notification letters said.

Victims are being given two years of free identity protection and credit monitoring services. (Jonathan Greig / The Record)

Driven by worries among US lawmakers that China could access data on Americans or spy on them with the app, the law, signed by President Biden in April, gives ByteDance until Jan. 19 next year to divest TikTok's US assets or face a ban on the app used by 170 million Americans. ByteDance says a divestiture is "not possible technologically, commercially, or legally."

"This law is a radical departure from this country’s tradition of championing an open Internet, and sets a dangerous precedent allowing the political branches to target a disfavored speech platform and force it to sell or be shut down," ByteDance and TikTok argue in asking the court to strike down the law.

The US Court of Appeals for the District of Columbia Circuit will hold oral arguments on Sept. 16 in the lawsuits filed by TikTok and ByteDance, along with a group of TikTok users, challenging the law. (David Shepardson / Reuters)

The Ukrainian IT Army has claimed large-scale DDoS attacks on the Russian banking system, including the infrastructure of the National Payment Card System (NPCS), the operator of Mir cards, causing short-lived but significant problems with processing payments at major banks.

According to press reports, VTB, Sberbank, Tinkoff, Alfa-Bank, Beeline, MTS, Rostelecom, Gazprombank, Megafon, SBP, NSPK, EIRC, and many smaller services were not functioning at the time.

"When we promised yesterday to take down the enemy banking system, those weren't empty words. Today, even more banks and their Mir card payment system are disconnected," the IT Army said.

The attack was also confirmed by the NPCS, noting that its impact on the operation of services was insignificant and short-lived. (Ukrainska Pravda)

Last week, the US House of Representatives jammed a functional ban on DJI drones, the “Countering CCP Drones Act,” into a military funding bill that it then passed. The measure would put DJI drones, which are made in China, onto a Federal Communications Commission “covered list” alongside other banned Chinese tech companies, meaning that new drones would not be approved to use the communications infrastructure they need to operate.

The ban could possibly ground existing drones, as well.

Essentially, the US government pressured drone manufacturers to implement privacy and safety features that required internet infrastructure to operate. DJI built those features, and now lawmakers say China could use those same features to spy on Americans, and that is the reason for the ban.

Meanwhile, the only existing American drone manufacturers create far more invasive products that are sold exclusively to law enforcement and government entities, which are increasingly using them to conduct surveillance on American citizens and communities. This means that the US may face a situation where hobbyists, small businesses, and aerial photographers who make a living with drones can suddenly no longer fly them, but cops will. (Jason Koebler / 404 Media)

An attorney for the subjects of a March 8 story on consumer data broker Radaris has threatened to sue author Brian Krebs unless the story is immediately retracted and an apology issued to the two brothers named in it. That story showed that the original Radaris owners are two brothers in Massachusetts who operated multiple Russian-language dating services and affiliate programs.

That March story worked backward from the email address used to register radaris.com and charted an impressive array of data broker companies created over the past 15 years by Massachusetts residents Dmitry and Igor Lubarsky (also sometimes spelled Lybarsky or Lubarski). Dmitry goes by “Dan,” and Igor uses the name “Gary.”

In response to a threatening letter sent by the brothers’ attorney, Brian Krebs published further research that only more strongly substantiates his original piece. (Brian Krebs / Krebs on Security)

A mind map of various entities apparently tied to Radaris and the company’s co-founders. Source: Krebs on Security.

New York Governor Kathy Hochul signed two bills into law clamping down on digital platforms’ algorithms and their use of children’s data.

Under New York’s SAFE For Kids Act, social media platforms must display content chronologically by default for kids under 18. At the same time, the New York Child Data Protection Act will restrict websites from collecting or sharing the personal data of users under 18 without consent, expanding on existing federal privacy protections for children under 13.

The SAFE For Kids Act also requires platforms to limit late-night app notifications that state lawmakers say are engineered to drive user engagement and risk hindering sleep. Both pieces of legislation were introduced last fall and cleared the state legislature in early June.

The unprecedented move makes New York the first state to pass a law regulating social media algorithms amid nationwide allegations that apps such as Instagram or TikTok have hooked users with addictive features.

Hochul’s signature comes days after US Surgeon General Vivek Murthy called for warning labels to be applied to social media platforms, fueling a debate about social media’s potential impact on the mental health of users, particularly teens. (Brian Fung / CNN)

Best Thing of the Day: Feel Free to Spill the Tea on Your Cyber Incident

The SEC says that, contrary to an assumption some companies hold, the Commission’s new rules do not prohibit a company that experiences a material cybersecurity incident from discussing that incident beyond what it included in the Item 1.05 Form 8-K disclosing it.

Worst Thing of the Day: Let’s Send Cops Into Low-Income Communities Whenever a Garbage Truck Goes By

ShotSpotter, the gunfire location and detection system long used by the New York Police Department and other law enforcement agencies nationwide, is sending police officers to respond to loud noises that don’t turn out to be confirmed shootings 87 percent of the time.
