
Congress May Be Close to Passing a Comprehensive Data Privacy Framework

Maryland legislature passed sweeping data privacy bills, Hackers broke into Israeli Justice Ministry's systems, D-Link NAS command injection and backdoor flaw disclosed, Cybercrime group The Manipulaters still at it, Hackers promote fake AI services to deliver malware, Home Depot confirms breach, Critical architecture flaws found in Hugging Face, much more

Congress may be closer than ever to passing a comprehensive data privacy framework after key House and Senate committee leaders released a new proposal.

The bipartisan proposal, titled the American Privacy Rights Act, or APRA, would limit the types of consumer data companies can collect, retain, and use to what they need to operate their services. Users would also be allowed to opt out of targeted advertising and have the ability to view, correct, delete, and download their data from online services. The proposal would also create a national registry of data brokers and force those companies to allow users to opt out of having their data sold.

For decades, Congress has tried to put together a comprehensive federal law protecting user data. Lawmakers have remained divided on whether that legislation should prevent states from issuing stricter rules and whether to allow a “private right of action” that would enable people to sue companies in response to privacy violations.

Cathy McMorris Rodgers, House Energy and Commerce Committee chair, claimed that the draft’s language is stronger than any active laws, seemingly as an attempt to assuage the concerns of Democrats who have long fought attempts to preempt preexisting state-level protections. APRA does allow states to pass their own privacy laws related to civil rights and consumer protections, among other exceptions. (Makena Kelly / Wired)

The Maryland Legislature passed two sweeping privacy bills that aim to restrict how powerful tech platforms can harvest and use the personal data of consumers and young people despite strong objections from industry trade groups representing giants like Amazon, Google, and Meta.

One bill, the Maryland Online Data Privacy Act, would impose wide-ranging restrictions on how companies may collect and use consumers' personal data in the state. The other, the Maryland Kids Code, would prohibit certain social media, video games, and other online platforms from tracking people under 18 and using manipulative techniques, such as auto-playing videos or bombarding children with notifications, to keep young people glued online.

The new rules require approval by Gov. Wes Moore of Maryland, a Democrat, who has not taken a public stance on the measures.

With the passage of the bills, Maryland joins a small number of states, including California, Connecticut, Texas, and Utah, that have enacted comprehensive privacy legislation and children’s online privacy or social media safeguards. (Natasha Singer / New York Times)

Hackers broke into the Israeli Justice Ministry's computer systems with a group called Anonymous for Justice claiming credit for the breach.

The group said the breach included the retrieval of nearly 300 gigabytes of data. On its website, the group said it would continue attacking Israel "until the war in Gaza stops.”

The group published files it said it obtained in the breach, such as legal documents, including drafts of bilateral agreements and contracts marked as confidential.

The Justice Ministry said it had prepared for such a scenario, and its operations remained uninterrupted. (Reuters)

A security researcher, Netsecfish, disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models.

The researcher said the issue resides within the '/cgi-bin/nas_sharing.cgi' script and impacts its HTTP GET Request Handler component.

The two main issues contributing to the flaw tracked as CVE-2024-3273 are a backdoor facilitated through a hardcoded account (username: "message bus" and empty password) and a command injection problem via the "system" parameter. When chained together, any attacker can remotely execute commands on the device.

The command injection flaw arises from adding a base64-encoded command to the "system" parameter via an HTTP GET request, which is then executed. "Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions," warns the researcher.

Netsecfish says network scans show over 92,000 vulnerable D-Link NAS devices exposed online and susceptible to attacks through these flaws.

"All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported," a D-Link spokesperson said. "D-Link recommends retiring these products and replacing them with products that receive firmware updates." (Bill Toulas / Bleeping Computer)
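An added detection example, not from Netsecfish or D-Link, that flags access-log requests to the nas_sharing.cgi path carrying a "system" parameter and base64-decodes the value for analyst triage; the log lines, client IPs and timestamps are constructed, and the query layout beyond the "system" parameter is an assumption.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format; IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2024:10:12:01 +0000] "GET /cgi-bin/nas_sharing.cgi?system=aWQ= HTTP/1.1" 200 512
198.51.100.3 - - [07/Apr/2024:10:12:09 +0000] "GET /cgi-bin/nas_sharing.cgi?page=1 HTTP/1.1" 200 2048
192.0.2.9 - - [07/Apr/2024:10:13:44 +0000] "GET /cgi-bin/nas_sharing.cgi?system=%%%not-base64 HTTP/1.1" 200 512
192.0.2.1 - - [07/Apr/2024:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/cgi-bin/nas_sharing.cgi"  # script named in the disclosure


def decode_b64(value: str) -> Optional[str]:
    """Decode the parameter for context; return None instead of crashing on junk."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_suspicious(log_text: str) -> list:
    """Return one record per request that hits the CGI script with a 'system' parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "system" not in params:
            continue  # legitimate use of the script without the injectable parameter
        raw = params["system"][0]
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                     "raw": raw, "decoded": decode_b64(raw)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} system={hit['raw']!r} decoded={hit['decoded']!r}")
```

Any request reaching that script with a "system" parameter is worth an alert on an end-of-life device; the decoded value only tells the analyst what was attempted.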

New research from DomainTools suggests that a Pakistan-based cybercrime group called The Manipulaters, a sprawling web hosting network of phishing and spam delivery platforms, is still engaged in illegal activities despite promising they have gone legitimate.

DomainTools.com found that several computers associated with The Manipulaters have been massively hacked by malicious data- and password-snarfing malware for quite some time.

DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”

These days, the core Manipulaters product is a spam delivery service called HeartSender. Its homepage openly advertises phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud, and ID.me.

HeartSender customers can interact with the subscription service via the website, but the product appears to be far more effective and user-friendly if one downloads HeartSender as a Windows executable program. Whether that HeartSender program was somehow compromised and used to infect the service’s customers is unknown.

However, DomainTools also found that the hosted version of the HeartSender service leaks an extraordinary amount of user information that is probably not intended to be publicly accessible. The HeartSender web interface has several pages that are accessible to unauthenticated users, exposing customer credentials and supporting requests to HeartSender developers. (Brian Krebs / Krebs on Security)

Related: DomainTools


Researchers at BitDefender report that hackers are using Facebook advertisements and hijacked pages to promote fake artificial intelligence services, such as MidJourney, OpenAI's SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware.

The malvertising campaigns are created by hijacked Facebook profiles that impersonate popular AI services, pretending to offer a sneak preview of new features. Instead of using Dropbox and Google Drive links to host the payloads, the operators of this campaign set up multiple sites that cloned the official Midjourney landing page, tricking users into downloading what they thought was the latest version of the art-generating tool via a GoFile link.

Users tricked by the ads become members of fraudulent Facebook communities, where the threat actors post news, AI-generated images, and other related info to make the pages look legitimate.

The community posts often promote limited-time access to upcoming and eagerly anticipated AI services, tricking users into downloading malicious executables that infect Windows computers with information-stealing malware like Rilide, Vidar, IceRAT, and Nova.

In one of the cases, a malicious Facebook page impersonating Midjourney amassed 1.2 million followers and remained active for nearly a year before it was eventually taken down.

The page wasn't created from scratch; the attackers hijacked an existing profile in June 2023 and converted it to a fake Midjourney page. Facebook shut down the page on March 8, 2024. (Bill Toulas / Bleeping Computer)

Custom malvertising ads for France, Germany, and Spain. Source: Bitdefender.

Hardware store giant Home Depot confirmed that it suffered a data breach after one of its SaaS vendors mistakenly exposed a small sample of limited employee data, and threat actor IntelBroker leaked limited data for approximately 10,000 Home Depot employees on a hacking forum.

The company confirmed that one of its third-party SaaS vendors mistakenly exposed sample employee data. "A third-party Software-as-a-Service (SaaS) vendor inadvertently made public a small sample of Home Depot associates' names, work email addresses, and User IDs during testing of their systems," Home Depot said. (Lawrence Abrams / Bleeping Computer)

UK veterinarian group CVS Group told the UK’s Information Commissioner’s Office about a possible breach of personal information after it was hit by a cyberattack.

CVS Group said hackers had gained unauthorized external access to a limited number of IT systems. The company continued to have problems with slow-running systems on Monday after disruption across the UK business.

It added that it had endured “considerable operational disruption over the past week” after discovering the intruders in its systems. The company was forced to shut down computer systems at its practices and in some broader business functions for several days last week.

“IT services to our practices and business functions have now been securely restored across the majority of the estate; however, due to the increased levels of security and monitoring, some systems are not working as efficiently as previously, and this is likely to result in an ongoing operational impact,” CVS said.

The chain has more than 500 locations worldwide, most of which are in Britain, and is one of the big six groups of UK veterinary practices. (Jasper Jolly / The Guardian)

Cloud security provider Wiz found two critical architecture flaws in generative AI models uploaded to Hugging Face, the leading hub for sharing AI models and applications.

Wiz Research described the two flaws and the risk they could pose to AI-as-a-service providers as shared inference infrastructure takeover risk and shared continuous integration and continuous deployment (CI/CD) takeover risk.

Wiz researchers found that attackers may attempt to take over the CI/CD pipeline itself and perform a supply chain attack.

Wiz said that very few tools are available to examine the integrity of a given model and verify that it is indeed not malicious. However, Hugging Face does offer Pickle Scanning, which helps verify AI models.

“Developers and engineers must be very careful deciding where to download the models from. Using an untrusted AI model could introduce integrity and security risks to your application and is equivalent to including untrusted code within your application,” they warned. (Kevin Poireault / Infosecurity Magazine)
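An added example, not from Wiz or Hugging Face, of the kind of check a pickle scanner performs: it walks a checkpoint's opcode stream with Python's pickletools without ever unpickling it and flags global references outside an assumed allowlist. ALLOWED_MODULES, _Probe and build_probe are constructed for this example; the probe uses platform.node() as a harmless stand-in for the code a malicious model would invoke on load.

```python
import io
import pickle
import pickletools
import platform

# Assumed allowlist of modules a checkpoint may legitimately reference; a real
# scanner would tune this per framework.
ALLOWED_MODULES = {"collections", "numpy", "numpy.core.multiarray", "torch", "torch._utils"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> list:
    """Walk the opcode stream (nothing is executed) and return (module, name)
    pairs for every global reference outside ALLOWED_MODULES."""
    findings = []
    recent_strings = []  # STACK_GLOBAL takes module and name from the two preceding string pushes
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            recent_strings.append(arg)
            continue
        if op.name == "GLOBAL":          # protocols 0-3: one "module name" argument
            module, name = arg.split(" ", 1)
        elif op.name == "STACK_GLOBAL":  # protocol 4+: operands were pushed as strings
            if len(recent_strings) < 2:  # operands came from the memo instead; flag as unknown
                findings.append(("<unresolved>", "<unresolved>"))
                continue
            module, name = recent_strings[-2], recent_strings[-1]
        else:
            continue
        if module not in ALLOWED_MODULES:
            findings.append((module, name))
    return findings


class _Probe:
    """Constructed sample: __reduce__ makes pickle.load call platform.node(),
    standing in for the arbitrary callable a malicious checkpoint would name."""
    def __reduce__(self):
        return (platform.node, ())


def build_benign() -> bytes:
    """Constructed 'model' made only of plain containers and numbers."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "layers": 2})


def build_probe(protocol: int = pickle.DEFAULT_PROTOCOL) -> bytes:
    return pickle.dumps(_Probe(), protocol=protocol)


if __name__ == "__main__":
    for label, blob in (("benign", build_benign()), ("probe", build_probe())):
        hits = scan_pickle(blob)
        print(f"{label}: {'FLAG ' + repr(hits) if hits else 'no unexpected globals'}")
```

The scan is a static triage step, not proof of safety: an allowlisted module can still expose a dangerous callable, which is why the warning above treats any untrusted model as untrusted code.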

A hacker named ShopifyGUY has put up for sale around 2 GB of data on over 7.5 million customers of Indian audio products and smartwatch maker boAt on a dark web breach forum.

The threat actor dumped files containing customers' personally identifiable information (PII), totaling 75,50,000 entries.

Forbes India verified the information by speaking to some customers who confirmed purchasing boAt products recently. (Naandika Tripathi / Forbes India)

Government officials are weighing the implications of the near-miss catastrophe of the XZ Utils backdoor, implanted by a likely state actor who operated under the persona of Jia Tan.

XZ Utils is a suite of file compression tools packaged into distributions of the open-source Linux operating system. It was long maintained by volunteer Lasse Collin, who handed the reins over to Tan after experiencing difficulties. German Microsoft developer Andres Freund discovered the backdoor.

The Cybersecurity and Infrastructure Security Agency (CISA) says it has been leaning on US companies that use open-source software to plow resources back into the communities that build and maintain it. CISA adviser Jack Cable said the burden was on tech companies not just to vet open software but to “contribute back and help build the sustainable open source ecosystem that we get so much value from.”

It’s not clear that software companies are properly incentivized to do so. Online open-source mailing lists are teeming with complaints about tech giants demanding that volunteers troubleshoot issues with open-source software that those companies use to make billions of dollars. (Raphael Satter / Reuters)

Related: Tenable, Decipher

According to Crowdfense’s updated pricing list for zero-day exploits, it is now offering between $5 and $7 million for zero-days to break into iPhones, up to $5 million for zero-days to break into Android phones, up to $3 million and $3.5 million for Chrome and Safari zero-days respectively, and $3 to $5 million for WhatsApp and iMessage zero-days.

In its previous price list, published in 2019, the highest payouts that Crowdfense was offering were $3 million for Android and iOS zero-days.

The increase in prices comes as companies like Apple, Google, and Microsoft are making it harder to hack their devices and apps, which means their users are better protected. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Crowdfense

Thijs Alkemade, an ethical hacker from Computest Security, discovered a process injection vulnerability using nib files (a particular type of resource file used to store the user interfaces of iOS and Mac apps) that allows access to webcams, microphones, and sensitive information, circumventing security measures within Apple’s operating system.

Alkemade discovered that executing shell commands leads to obtaining the application’s TCC (transparency, consent, and control) permissions. With each command the ethical hacker executed, he could gain access to the microphone and webcam provided the original application already had permission.

He was also able to access the user’s geolocation and sensitive files from the Mail.app database.

Apple fixed the problem in October 2022 with macOS 13.0, but it proved easy to bypass. The release of macOS 14.0 in September 2023 did bring the correct fix, allowing Alkemade to go public with the details. (Berry Zwets / Techzine)

Related: Computest

Hong Kong’s Office of the Privacy Commissioner for Personal Data said there were five deficiencies behind Cyberport’s defense against a cyber attack last September, which involved the personal data of some 13,000 people, with data being kept unnecessarily despite having exceeded the statutory time limit for record-keeping.

The five deficiencies included lacking efficient detection measures in the IT system, not enabling multi-factor authentication for remote access, insufficient security assessment and audits, lacking detailed IT security measures, and unnecessarily keeping personal data.

The Commissioner said Cyberport didn’t take practical steps to ensure the personal data was protected from unauthorized or accidental access and handling. Cyberport also didn’t ensure that the time spent storing the data wouldn’t exceed the actual time spent using the data, which was, therefore, in breach of relevant personal data regulations.

According to the Commissioner, the lack of efficient protocol also made Cyberport vulnerable to hackers’ “violent” attacks against its IT system, allowing hackers to successfully obtain authentication to the managing account. (The Standard)

Ivanti CEO Jeff Abbott published an open letter and 6-minute video to customers pledging to overhaul how the technology-management company builds its products and how it communicates with customers about vulnerabilities.

“Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger and our customers are more secure,” Abbott said.

Those events included breaches at the top US cybersecurity agency and government agencies in Norway.

“We will use this opportunity to begin a new era at Ivanti. We have challenged ourselves to look critically at every phase of our processes and every product to ensure the highest level of protection for our customers,” Abbott said. “We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices. And there is more to come.”

The CEO explained that Ivanti has worked with its board and customers to change its “core engineering, security, and vulnerability management practices” while providing customers with resources to deploy Ivanti tools safely.

He said the company plans to adhere to the Secure-By-Design ethos, embedding security "into every stage of the software development lifecycle." This includes threat modeling, "isolation and anti-exploit technologies" and an improved vulnerability portal with more information on patches. (Jonathan Greig / The Record)

Best Thing of the Day: Clearly Ted Cruz Was Not the Zodiac Killer

Virginia Tech cryptographers David Oranchak, Sam Blake, and Jarl Van Eycke solved the second cipher used by the Zodiac killer after 51 years, discovering it to be a transposition and homophonic substitution cipher with unusual qualities.

Worst Thing of the Day: Now Is Not the Time for Microsoft to Push This Envelope

IT consultant Christoph Kolbicz discovered that Microsoft is now using a Windows driver to prevent users from changing the configured Windows 10 and Windows 11 default browser through software or by manually modifying the Registry.

Closing Thought