Security

Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models (arstechnica.com)

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. From a report: At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it's the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward. ESET said the vulnerabilities -- tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 -- "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS." Secure Boot relies on signature databases as its allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling the databases or restoring their default values makes it possible for an attacker to remove restrictions that would normally be in place.

Security

Thomson Reuters Collected and Leaked at Least 3TB of Sensitive Data (cybernews.com)

Thomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and corporate data, including third-party server passwords in plaintext format. Attackers could use the details for a supply-chain attack. Cybernews: The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company's platforms. The company recognized the issue and fixed it immediately. Thomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect, the legal research service and database Westlaw, the tax automation system ONESOURCE, the online research suite of editorial and source materials Checkpoint, and other tools. The size of the open database the team discovered corresponds with the company using ElasticSearch, a data store favored by enterprises dealing with extensive, constantly updated volumes of data.

Government

Google's Eric Schmidt Helped Write AI Laws Without Disclosing Investments In AI Startups (cnbc.com)

An anonymous reader quotes a report from CNBC: About four years ago, former Google CEO Eric Schmidt was appointed to the National Security Commission on Artificial Intelligence by the chairman of the House Armed Services Committee. It was a powerful perch. Congress tasked the new group with a broad mandate: to advise the U.S. government on how to advance the development of artificial intelligence, machine learning and other technologies to enhance the national security of the United States. The mandate was simple: Congress directed the new body to advise on how to enhance American competitiveness on AI against its adversaries, build the AI workforce of the future, and develop data and ethical procedures.

In short, the commission, which Schmidt soon took charge of as chairman, was tasked with coming up with recommendations for almost every aspect of a vital and emerging industry. The panel did far more under his leadership. It wrote proposed legislation that later became law and steered billions of dollars of taxpayer funds to the industry he helped build -- and that he was actively investing in while running the group. If you're going to be leading a commission that is steering the direction of government AI and making recommendations for how we should promote this sector and scientific exploration in this area, you really shouldn't also be dipping your hand in the pot and helping yourself to AI investments. His credentials, however, were impeccable given his deep experience in Silicon Valley, his experience advising the Defense Department, and a vast personal fortune estimated at about $20 billion.

Five months after his appointment, Schmidt made a little-noticed private investment in an initial seed round of financing for a startup company called Beacon, which uses AI in the company's supply chain products for shippers who manage freight logistics, according to CNBC's review of investment information in database Crunchbase. There is no indication that Schmidt broke any ethics rules or did anything unlawful while chairing the commission. The commission was, by design, an outside advisory group of industry participants, and its other members included well-known tech executives including Oracle CEO Safra Catz, Amazon Web Services CEO Andy Jassy and Microsoft Chief Scientific Officer Dr. Eric Horvitz, among others. Schmidt's investment was just the first of a handful of direct investments he would make in AI startup companies during his tenure as chairman of the AI commission.
"Venture capital firms financed, in part, by Schmidt and his private family foundation also made dozens of additional investments in AI companies during Schmidt's tenure, giving Schmidt an economic stake in the industry even as he developed new regulations and encouraged taxpayer financing for it," adds CNBC. "Altogether, Schmidt and entities connected to him made more than 50 investments in AI companies while he was chairman of the federal commission on AI. Information on his investments isn't publicly available."

"All that activity meant that, at the same time Schmidt was wielding enormous influence over the future of federal AI policy, he was also potentially positioning himself to profit personally from the most promising young AI companies." Citing people close to Schmidt, the report says his investments were disclosed in a private filing to the U.S. government at the time and the public and news media had no access to that document.

A spokesperson for Schmidt told CNBC that he followed all rules and procedures during his tenure on the commission. "Eric has given full compliance on everything," the spokesperson said.

Open Source

Google Announces GUAC Open-Source Project On Software Supply Chains (therecord.media)

Google unveiled a new open source security project on Thursday centered around software supply chain management. The Record reports: Given the acronym GUAC -- which stands for Graph for Understanding Artifact Composition -- the project is focused on creating sets of data about a software's build, security and dependencies. Google worked with Purdue University, Citibank and supply chain security company Kusari on GUAC, a free tool built to bring together many different sources of software security metadata. Google has also assembled a group of technical advisory members to help with the project -- including IBM, Intel, Anchore and more.

Google's Brandon Lum, Mihai Maruseac and Isaac Hepworth pitched the effort as one way to help address the explosion in software supply chain attacks -- most notably the widespread Log4j vulnerability that is still leaving organizations across the world exposed to attacks. "GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," they wrote in a blog post. "GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding."

Google shared a proof of concept of the project, which allows users to search data sets of software metadata. The three explained that GUAC effectively aggregates software security metadata into a database and makes it searchable. They used the example of a CISO or compliance officer who needs to understand the "blast radius" of a vulnerability. GUAC would allow them to "trace the relationship between a component and everything else in the portfolio." Google says the tool will allow anyone to figure out the most used critical components in their software supply chain ecosystem, the security weak points and any risky dependencies. As the project evolves, Maruseac, Lum and Hepworth said the next part of the work will center around scaling the project and adding new kinds of documents that can be submitted and ingested by the system.

Privacy

TikTok Deal Likely To Leave US Data Leaking To China (bloomberg.com)

An anonymous reader quotes a report from Bloomberg: TikTok users would still risk having personal data exposed to hacking and espionage by China even if the Biden administration forges a security agreement designed to spare the video platform from a total US ban. That's the conclusion of former national security officials and other experts as the Justice Department reviews an accord that would keep the popular video-streaming app, which is owned by China's ByteDance, accessible to its millions of US users.

TikTok has been under US scrutiny since 2019 over concerns that Chinese actors might tap those users' information for espionage or other harmful purposes. "They built the whole system in China," said Stewart Baker, a national security lawyer at Steptoe & Johnson LLP. "Unless they're going to rebuild the system in the United States at great expense, sooner or later, when something goes wrong, there's going to turn out to be only one engineer who knows how to fix it. And he or she is likely to be in China." This analysis of the agreement is based on interviews with former national security officials, lawyers who have worked on similar deals and experts who have studied data security, social media platforms and telecommunications companies. There's no indication a decision has been made.

TikTok is routing all its US user traffic through servers maintained by Oracle and the database giant is auditing the app's algorithms. Still, additional restrictions on how US user data is stored and accessed will be necessary -- and might not resolve US security concerns no matter how strong a deal looks on paper, the experts said. The experts' skepticism is shared by Senator Mark Warner, the Virginia Democrat who chairs the Senate Intelligence Committee. He said he's aware of the conversations around TikTok and couldn't give details. Nonetheless, he said the company has "a big mountain to climb with me to prove the case that it can really be safe." Warner said China has a bad track record on protecting users' privacy. "They've shown repeatedly the ability to create this surveillance state that ought to scare the dickens out of all of us." He added that it's much harder today to wall off TikTok's data technically or ban it outright than it was five or six years ago as the popularity of the app has surged. "The burden of proof that you can really segregate American data, particularly if the code is still being written in China -- that would be a tough case to make."
Brooke Oberwetter, a spokesperson for TikTok, said that while the company would not comment on the specifics of its discussions with the US government, "We are confident that we are on a path to fully satisfy all reasonable U.S. national security concerns."

Oberwetter said that while some employees based in China would have access to public data posted by users, they would not have access to private user information, and their use of the public data -- including videos and comments -- would be very limited.

Data Storage

Lost Something? Search Through 91.7 Million Files From the 80s, 90s, and 2000s (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Today, tech archivist Jason Scott announced a new website called Discmaster that lets anyone search through 91.7 million vintage computer files pulled from CD-ROM releases and floppy disks. The files include images, text documents, music, games, shareware, videos, and much more. The files on Discmaster come from the Internet Archive, uploaded by thousands of people over the years. The new site pulls them together behind a search engine with the ability to perform detailed searches by file type, format, source, file size, file date, and many other options.

Discmaster is the work of a group of anonymous history-loving programmers who approached Scott to host it for them. Scott says that Discmaster is "99.999 percent" the work of that anonymous group, right down to the vintage gray theme that is compatible with web browsers for older machines. Scott says he slapped a name on it and volunteered to host it on his site. And while Scott is an employee of the Internet Archive, he says that Discmaster is "100 percent unaffiliated" with that organization.

One of the highlights of Discmaster is that it has already done a lot of file format conversion on the back end, making the vintage files more accessible. For example, you can search for vintage music files -- such as MIDI or even digitized Amiga sounds -- and listen to them directly in your browser without any extra tools necessary. The same thing goes for early-90s low-resolution video files, images in obscure formats, and various types of documents. "It's got all the conversion to enable you to preview things immediately," says Scott. "So there's no additional external installation. That, to me, is the fundamental power of what we're dealing with here."
"The value proposition is the value proposition of any freely accessible research database," Scott told Ars Technica. "People are enabled to do deep dives into more history, reference their findings, and encourage others to look in the same place."

"[Discmaster] is probably, to me, one of the most important computer history research project opportunities that we've had in 10 years," says Scott. "It's not done. They've analyzed 7,000 and some-odd CD-ROMs. And they're about to do another 8,000."

Privacy

Toyota Discloses Data Leak After Access Key Exposed On GitHub (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

On September 17, 2022, the database's keys were changed, purging all potential access from unauthorized third parties. The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren't stored in the exposed database. Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused. The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data. For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.

Spam

FCC Threatens To Block Calls From Carriers For Letting Robocalls Run Rampant (theverge.com)

The Federal Communications Commission is threatening to block calls from voice service providers that have yet to take meaningful action against illegal robocalls. The Verge reports: On Monday, the FCC announced that it was beginning the process to remove providers from the agency's Robocall Mitigation Database for failing to fully implement STIR/SHAKEN anti-robocall protocols into their networks. If the companies fail to meet these requirements over the next two weeks, compliant providers will be forced to block their calls. "This is a new era. If a provider doesn't meet its obligations under the law, it now faces expulsion from America's phone networks. Fines alone aren't enough," FCC Chairwoman Jessica Rosenworcel said in a statement on Monday. "Providers that don't follow our rules and make it easy to scam consumers will now face swift consequences."

The FCC's orders target seven carriers, including Akabis, Cloud4, Global UC, Horizon Technology Group, Morse Communications, Sharon Telephone Company, and SW Arkansas Telecommunications and Technology. "These providers have fallen woefully short and have now put at risk their continued participation in the U.S. communications system," Loyaan A. Egal, FCC acting chief of the enforcement standards, said in a Monday statement. "While we'll review their responses, we will not accept superficial gestures given the gravity of what is at stake."

Security

Fast Company Hackers Sent Out Obscene Push Notifications To Apple News Users (engadget.com)

Hackers infiltrated Fast Company's push notifications to send out racial slurs on Tuesday night. They also stole a database that includes employees' emails, password hashes for some of them and unpublished drafts, among other information. Customer records are safe, though, most likely because they're kept in a separate database. Engadget reports: In a statement, Fast Company has told Engadget that its Apple News account was hacked and was used to send "obscene and racist" push notifications. It added that the breach was related to another hack that happened on Sunday afternoon and that it has gone as far as shutting down the whole FastCompany.com domain for now. [...] Apple has addressed the situation in a tweet, confirming that the website has been hacked and that it has suspended Fast Company's account.

At the moment, Fast Company's website loads a "404 Not Found" page. Before it was taken down, though, the bad actors managed to post a message detailing how they were able to infiltrate the publication, along with a link to a forum where stolen databases are made available for other users. They said that Fast Company had a default password for WordPress that was much too easy to crack and used it for a bunch of accounts, including one for an administrator. From there, they were able to grab authentication tokens and Apple News API keys, among other access information. The authentication keys, in turn, gave them the power to grab the names, email addresses and IPs of a bunch of employees.
In a statement, Fast Company said: "Fast Company's content management system account was hacked on Tuesday evening. As a result, two obscene and racist push notifications were sent to our followers in Apple News about a minute apart. The messages are vile and are not in line with the content and ethos of Fast Company. We are investigating the situation and have shut down FastCompany.com until the situation has been resolved. Tuesday's hack follows an apparently related hack of FastCompany.com that occurred on Sunday afternoon, when similar language appeared on the site's home page and other pages. We shut down the site that afternoon and restored it about two hours later. Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down."

Security

Ask.FM Database With 350 Million User Records Allegedly Sold Online (cybernews.com)

A listing on a popular hacker forum offers 350 million Ask.FM user records for sale in what might be one of the biggest breaches of all time. Cybernews reports: The listing allegedly includes 350 million Ask.FM user records, with the threat actor also offering 607 repositories plus their Gitlab, Jira, and Confluence databases. Ask.FM is a question and answer network launched in June 2010, with over 215 million registered users. The posting also includes a list of repositories, sample git, and sample user data, as well as mentions of the fields in the database: user_id, username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid. It appears that Ask.FM is using the weak hashing algorithm SHA1 for passwords, putting them at risk of being cracked and exposed to threat actors.

In response to DataBreaches, the user who posted the database -- Data -- explained that initial access was gained via a vulnerability in Safety Center. The server was first accessed in 2019, and the database was obtained on 2020-03-14. Data also suggested that Ask.FM knew about the breach as early as 2020.
While the breach has not been confirmed, the seller called "Data" says he will "vouch all day and night for" listed user data from Ask.FM (ASKfm), the social networking site. "I'm selling the users database of Ask.fm and ask.com," Data wrote. "For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases."

Privacy

Clearview AI, Used by Police To Find Criminals, Now in Public Defenders' Hands (nytimes.com)

After a Florida man was accused of vehicular homicide, his lawyer used Clearview AI's facial recognition software to prove his innocence. But other defense lawyers say Clearview's offer rings hollow. From a report: It was the scariest night of Andrew Grantt Conlyn's life. He sat in the passenger seat of a two-door 1997 Ford Mustang, clutching his seatbelt, as his friend drove approximately 100 miles per hour down a palm tree-lined avenue in Fort Myers, Fla. His friend, inebriated and distraught, occasionally swerved onto the wrong side of the road to pass cars that were complying with the 35 mile-an-hour speed limit. "Someone is going to die tonight," Mr. Conlyn thought. And then his friend hit a curb and lost control of the car. The Mustang began spinning wildly, hitting a light pole and three palm trees before coming to a stop, the passenger's side against a tree. At some point, Mr. Conlyn blacked out. When he came to, his friend was gone, the car was on fire and his seatbelt buckle was jammed. Luckily, a good Samaritan intervened, prying open the driver's side door and pulling Mr. Conlyn out of the burning vehicle.

Mr. Conlyn didn't learn his savior's name that Wednesday night in March 2017, nor did the police, who came to the scene and found the body of his friend, Colton Hassut, in the bushes near the crash; he'd been ejected from the car and had died. In the years that followed, the inability to track down that good Samaritan derailed Mr. Conlyn's life. If Clearview AI, which is based in New York, hadn't granted his lawyer special access to a facial recognition database of 20 billion faces, Mr. Conlyn might have spent up to 15 years in prison because the police believed he had been the one driving the car. For the last few years, Clearview AI's tool has been largely restricted to law enforcement, but the company now plans to offer access to public defenders. Hoan Ton-That, the chief executive, said this would help "balance the scales of justice," but critics of the company are skeptical given the legal and ethical concerns that swirl around Clearview AI's groundbreaking technology. The company scraped billions of faces from social media sites, such as Facebook, LinkedIn and Instagram, and other parts of the web in order to build an app that seeks to unearth every public photo of a person that exists online.

Privacy

Customs Officials Have Copied Americans' Phone Data at Massive Scale (washingtonpost.com)

SpzToid writes: U.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database they've compiled from cellphones, iPads and computers seized from travelers at the country's airports, seaports and border crossings, leaders of Customs and Border Protection told congressional staff in a briefing this summer. The rapid expansion of the database and the ability of 2,700 CBP officers to access it without a warrant -- two details not previously known about the database -- have raised alarms in Congress about what use the government has made of the information, much of which is captured from people not suspected of any crime. CBP officials told congressional staff the data is maintained for 15 years.

Details of the database were revealed Thursday in a letter to CBP Commissioner Chris Magnus from Sen. Ron Wyden (D-Ore.), who criticized the agency for "allowing indiscriminate rifling through Americans' private records" and called for stronger privacy protections. The revelations add new detail to what's known about the expanding ways that federal investigators use technology that many Americans may not understand or consent to. Agents from the FBI and Immigration and Customs Enforcement, another Department of Homeland Security agency, have run facial recognition searches on millions of Americans' driver's license photos. They have tapped private databases of people's financial and utility records to learn where they live. And they have gleaned location data from license-plate reader databases that can be used to track where people drive.

Biotech

Woman Whose Rape Kit DNA Led To Her Arrest Sues San Francisco (apnews.com)

Bruce66423 shares a report from the Associated Press: A rape victim whose DNA from her sexual assault case was used by San Francisco police to arrest her in an unrelated property crime on Monday filed a lawsuit against the city. During a search of a San Francisco Police Department crime lab database, the woman's DNA was tied to a burglary in late 2021. Her DNA had been collected and stored in the system as part of a 2016 domestic violence and sexual assault case, then-District Attorney Chesa Boudin said in February in a shocking revelation that raised privacy concerns. "This is government overreach of the highest order, using the most unique and personal thing we have -- our genetic code -- without our knowledge to try and connect us to crime," the woman's attorney, Adante Pointer, said in a statement.

The revelation prompted a national outcry from advocates, law enforcement, legal experts and lawmakers. Advocates said the practice could affect victims' willingness to come forward to law enforcement authorities. Federal law already prohibits the inclusion of victims' DNA in the national Combined DNA Index System. There is no corresponding law in California to prohibit local law enforcement databases from retaining victims' profiles and searching them years later for entirely different purposes.

Boudin said the report was found among hundreds of pages of evidence against a woman who had been recently charged with a felony property crime. After learning the source of the DNA evidence, Boudin dropped the felony property crime charges against the woman. The police department's crime lab stopped the practice shortly after receiving a complaint from the district attorney's office and formally changed its operating procedure to prevent the misuse of DNA collected from sexual assault victims, Police Chief Bill Scott said. Scott said at a police commission meeting in March that he had discovered 17 crime victim profiles, 11 of them from rape kits, that were matched as potential suspects using a crime victims database during unrelated investigations. Scott said he believes the only person arrested was the woman who filed the lawsuit Monday.

Social Networks

TikTok Denies Reports That It's Been Hacked (theverge.com)

TikTok is denying reports that it was breached after a hacking group posted images of what they claim is a TikTok database that contains the platform's source code and user information. In response to these allegations, TikTok said its team "found no evidence of a security breach." From a report: According to Bleeping Computer, hackers shared the images of the alleged database to a hacking forum, saying they obtained the data on a server used by TikTok. The post claims the server stores over 2 billion records and 790GB worth of user data, platform statistics, code, and more. "We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases," TikTok spokesperson Maureen Shanahan said in a statement to The Verge. "We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community."

Businesses

Islamic State Turns To NFTs To Spread Terror Message (wsj.com)

A simple digital card praising Islamist militants for an attack on a Taliban position in Afghanistan last month is the first known nonfungible token created and disseminated by a terrorist sympathizer, according to former senior U.S. intelligence officials. From a report: It is a sign that Islamic State and other terror groups may be preparing to use the emerging financial technology to sidestep Western efforts to eradicate their online fundraising and messaging, they said. The NFT, visible on at least one NFT trading website and titled "IS-NEWS #01," bears Islamic State's emblem. It was created by a supporter of the group, likely as an experiment to test a new outreach and funding strategy for ISIS, the former officials said.

Regulators and national-security officials have expressed concern about the potential for terrorists to exploit new financial technologies and markets, including NFTs. "It was only a matter of time," said Yaya Fanusie, a former economic and counterterrorism analyst at the Central Intelligence Agency. An NFT is a unit of data stored on a blockchain -- a database of transactions organized without the need for a central trusted authority. The technology first emerged as a means of tracking, valuing and trading digital assets, but developers say that it has much broader applications, such as digital concert tickets and branded collectibles like digital trading cards.

China

Huge Chinese Database of Faces and Vehicle License Plates Spilled Online (techcrunch.com)

A massive Chinese database storing millions of faces and vehicle license plates was left exposed on the internet for months before it quietly disappeared in August. From a report: While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error.

The exposed data belongs to a tech company called Xinai Electronics based in Hangzhou on China's east coast. The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites, and parking garages across China. Its website touts its use of facial recognition for a range of purposes beyond building access, including personnel management, like payroll, monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition system allows drivers to pay for parking in unattended garages that are managed by staff remotely. It's through a vast network of cameras that Xinai has amassed millions of face prints and license plates, data that its website claims is "securely stored" on its servers. But it wasn't. Security researcher Anurag Sen found the company's exposed database on an Alibaba-hosted server in China and asked for TechCrunch's help in reporting the security lapse to Xinai. Sen said the database contained an alarming amount of information that was rapidly growing by the day, and included hundreds of millions of records and full web addresses of image files hosted on several domains owned by Xinai.

Anime

World's Largest Japanese Anime Database 'Anime Taizen' Opens To the Public (crunchyroll.com) 23

The world's largest comprehensive database on Japanese anime, Anime Taizen, was opened to the public today, August 25, at 13:00 (JST). Taizen means "A book that collects all things related to the matter" in Japanese. Crunchyroll reports: Since 2015, The Association of Japanese Animations (AJA) has been promoting the "Anime NEXT_100" project to commemorate the 100th anniversary of Japanese animation. As a major initiative of the project, this database was first released on a trial basis on October 22, 2021, and after confirming functionality and operation, and making improvements and updates, it has now been released to the public. As of the end of July 2022, Anime Taizen has approximately 15,000 registered titles, mainly Japanese commercial anime works released from 1917 to the present. In addition to title name searches, the database has search functions for chronology, Japanese syllabary, keywords, etc. As a result of the research to date, the number of episodes amounts to approximately 180,000.

The Almighty Buck

MyFitnessPal Paywalls Barcode Scanner That Made Counting Calories Easy (theverge.com) 62

The popular nutrition and weight loss app MyFitnessPal is moving its free barcode scanning feature behind the paywall. The Verge reports: For years, users with free accounts have been able to use this tool to scan food barcodes for easy logging and tracking of daily calorie intake, but the company recently announced that beginning October 1st, a premium account will be required. MyFitnessPal's daily calorie counting is a key component of the app, with the barcode scanner offering a shortcut to finding nutritional value for a specific food item in the app's vast database of food. Much of that database is user-generated, with both free and premium users able to add any food by entering the nutrition facts and barcode off a label. Once October 1st rolls around, free users will still be able to search the database for their food entries, but the barcode scanner will cost $19.99 per month or $79.99 for an annual plan, along with other premium features. And any new users that create a free account on or after September 1st will be shut out from scanning barcodes even earlier unless they pay. "By losing the barcode scanner, MyFitnessPal is doing its users an egregious disservice," writes The Verge's Antonio G. Di Benedetto. "Losing weight and being cognizant of what you eat is hard enough."

"MyFitnessPal is obviously looking to maximize profits, but if the popular r/loseit subreddit is any indication, many users may consider switching to competing apps like Cronometer, Loseit, or Macros over this loss."

Security

Hackers Are Stealing Session Cookies To Bypass Multi-factor Authentication (esecurityplanet.com) 28

Slashdot reader storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That's why the attack can be scripted. It's not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, "Google's Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data."

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movements. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It's recommended that users uncheck the setting called "remember passwords," and users should probably not allow persistent sessions as well.

Developers can be part of the problem if they don't secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., HttpOnly, Secure attribute). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.
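As an added example of the developer-side checks the last paragraph describes (this is not code from the eSecurity Planet report, Sophos, or any browser vendor), the following script parses Set-Cookie header values and reports session cookies that lack HttpOnly, Secure, or a SameSite setting, or that would persist longer than an assumed 12-hour policy limit. The name heuristic for spotting session cookies, the 12-hour limit, and the sample response headers are all assumptions constructed for the example.

```python
"""Audit Set-Cookie headers for the attributes the post calls out.

Added example (not from the eSecurity Planet/Sophos report): parses
Set-Cookie header values and flags session cookies that are missing
HttpOnly, Secure or SameSite, or that would persist longer than an
assumed policy limit, and builds a hardened Set-Cookie value.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

MAX_SESSION_LIFETIME = timedelta(hours=12)                # assumed policy limit
SESSION_NAME_HINTS = ("session", "auth", "token", "sid")  # assumed name heuristic
AUDIT_TIME = datetime(2022, 8, 25, tzinfo=timezone.utc)  # fixed clock for the sample run


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lowercase attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def cookie_lifetime(attrs: dict, now: datetime) -> Optional[timedelta]:
    """Remaining lifetime, or None for a browser-session cookie (no Max-Age/Expires).

    RFC 6265 says Max-Age takes precedence over Expires when both are present.
    """
    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            return timedelta(seconds=int(max_age))
        except ValueError:
            return None
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when - now
    return None


def audit_set_cookie(header_value: str, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found in one Set-Cookie value (empty list if it passes).

    Cookies whose names do not look like session/auth cookies are not held
    to the session policy and produce no findings.
    """
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header_value)
    if not looks_like_session_cookie(cookie["name"]):
        return []
    attrs = cookie["attrs"]
    problems: List[str] = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: page scripts can read the cookie")
    if "secure" not in attrs:
        problems.append("missing Secure: cookie may be sent over plain HTTP")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("SameSite is not Lax or Strict")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        problems.append(f"persists {lifetime}, exceeding the {MAX_SESSION_LIFETIME} limit")
    return problems


def audit_response_headers(lines: List[str], now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line in a block of raw response headers, keyed by cookie name."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            name = parse_set_cookie(value.strip())["name"]
            report[name] = audit_set_cookie(value.strip(), now)
    return report


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """A Set-Cookie value carrying the attributes the post recommends."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: sessionid=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "Set-Cookie: auth_token=xyz; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for cookie_name, problems in audit_response_headers(SAMPLE_HEADERS, AUDIT_TIME).items():
        print(cookie_name, "OK" if not problems else problems)
```

Run against the constructed headers, `sessionid` is reported four times (no HttpOnly, no Secure, no SameSite, and a four-year Expires), `auth_token` passes, and `theme` is ignored because it is not a session cookie. A cookie with no Max-Age or Expires is treated as a browser-session cookie and is not flagged for lifetime, since it is the persistent session the post warns against, not the transient one.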

Privacy

Hospital and Drugmaker Move To Build Vast Database of New Yorkers' DNA (nytimes.com) 15

The Mount Sinai Health System began an effort this week to build a vast database of patient genetic information that can be studied by researchers -- and by a large pharmaceutical company. From a report: The goal is to search for treatments for illnesses ranging from schizophrenia to kidney disease, but the effort to gather genetic information for many patients, collected during routine blood draws, could also raise privacy concerns. The data will be rendered anonymous, and Mount Sinai said it had no intention of sharing it with anyone other than researchers. But consumer or genealogical databases full of genetic information, such as Ancestry.com and GEDmatch, have been used by detectives searching for genetic clues that might help them solve old crimes.

Vast sets of genetic sequences can unlock new insights into many diseases and also pave the way for new treatments, researchers at Mount Sinai say. But the only way to compile those research databases is to first convince huge numbers of people to agree to have their genomes sequenced. Beyond chasing the next breakthrough drug, researchers hope the database, when paired with patient medical records, will provide new insights into how the interplay between genetic and socio-economic factors -- such as poverty or exposure to air pollution -- can affect people's health. The health system hopes to eventually amass a database of genetic sequences for 1 million patients, which would mean the inclusion of roughly one out of every 10 New York City residents. The effort began this week, a hospital spokeswoman, Karin Eskenazi, said.
