Tag Archive for: millions

Millions of hacked toothbrushes could be used in cyber attack, researchers warn


Security researchers have warned that millions of hacked toothbrushes could be used in a massive cyber attack.

Internet-connected toothbrushes could be linked together in something known as a botnet, which would allow them to perform a distributed denial of service (DDoS) attack that overloads websites and servers with huge amounts of web traffic.

Major websites could be knocked offline as a result of the attack, resulting in millions of dollars of lost revenue, according to Swiss newspaper Aargauer Zeitung, which first reported the threat.

The issue was initially reported as an actual incident, but Fortinet has since clarified to The Independent that it was a hypothetical scenario.

“The topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs,” a spokesperson said.

“It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

Fortinet warned of the dangers of smart devices, which can include web cams, baby monitors, doorbells and domestic appliances.

“Every device that is connected to the Internet is a potential target – or can be misused for an attack,” said Stefan Züger, head of system technology at Fortinet Switzerland. Mr Züger advised owners of smart technologies to take measures to protect themselves.

“Otherwise, sooner or later you will become a victim – or your own device will be misused for attacks,” he said.

The growing trend of internet-connected and AI-enabled devices was on display at the CES tech conference in Las Vegas last month, with everything from pillows to mirrors now embedded with the technology.

The continued rise in popularity of such devices has coincided with fresh security concerns about the risks they may pose if protections are not put in place.

A recent report from network performance firm Netscout noted an “unprecedented growth” in malicious botnets, with activity doubling in January.


FTC slams Blackbaud for “shoddy security” after hacker stole data belonging to thousands of non-profits and millions of people


Data and software services firm Blackbaud’s cybersecurity was criticised as “lax” and “shoddy” by the United States Federal Trade Commission (FTC) in a damning post-mortem of the business’s February 2020 data breach.

According to the FTC, Blackbaud’s poor security led to a breach in February 2020 in which a hacker accessed the company’s customer databases and stole the personal information of millions of consumers in the United States, Canada, the UK, and the Netherlands.

Blackbaud’s affected customers are mainly non-profits, such as healthcare agencies, charities, and educational organizations.

Data stolen by the hacker included unencrypted personal information, such as consumers’ and donors’ full names, ages, dates of birth, social security numbers, addresses, phone numbers, email addresses, financial details (bank account information, estimated wealth, and identified assets), medical and health insurance information, gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment details, salaries, education, and account credentials.

The security failure was exacerbated by Blackbaud not enforcing its own data retention policies, causing customer data to be kept for years longer than necessary. Blackbaud also retained data of former and potential customers for years longer than required.

All of which was a treasure trove for the attacker, who demanded a ransom from Blackbaud or threatened to expose the stolen data. The company paid 24 Bitcoin (worth US $235,000) to the hacker, but was not able to verify whether the hacker deleted the data.

The poor data retention practices were not the FTC’s only complaints about Blackbaud’s handling of the incident.

The FTC criticized the company for not notifying customers of the breach for two months after detection, saying Blackbaud had “misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation.”

According to Blackbaud’s customer breach notification of July 16, 2020, “The cybercriminal did not access credit card information, bank account information, or social security numbers… No action is required on your end because no personal information about your constituents was…


A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data


As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.

The silicon industry has spent years refining the security of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each other’s data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries…


McLaren Health Care Hack Affected Millions; Lawsuits Pile Up



Michigan Healthcare Provider Faces 7 Federal Lawsuits in Alphv/BlackCat Data Theft

McLaren Health Care is facing seven proposed federal class action lawsuits following a recent data theft affecting nearly 2.2 million patients. (Image: McLaren)

McLaren Health Care is notifying 2.2 million individuals of a data breach weeks after ransomware group Alphv/BlackCat claimed to have stolen 6 terabytes of patient records in an August attack. In the meantime, the number of federal lawsuits filed against the Michigan-based healthcare system has more than doubled over the last month.


McLaren Health Care on Thursday reported the hacking incident to Maine’s attorney general as affecting nearly 2.19 million individuals, including 77 Maine residents.

The compromised information includes individuals’ name, Social Security number, health insurance information, birthdate, and medical information including billing or claims information, diagnosis, physician information, medical record number, Medicare/Medicaid information, prescription/medication information, diagnostic results and treatment information, McLaren said.

McLaren also reported the incident to federal regulators on Oct. 20 with a placeholder estimate of 501 individuals affected at that time. But based on McLaren’s current estimate of nearly 2.2 million individuals affected,…
