US Fertility says patient data was stolen in a ransomware attack

U.S. Fertility, one of the largest networks of fertility clinics in the United States, has confirmed it was hit by a ransomware attack and that data was taken.

The company was formed in May as a partnership between Shady Grove Fertility, a fertility clinic with dozens of locations across the U.S. east coast, and Amulet Capital Partners, a private equity firm that invests largely in the healthcare space. As a joint venture, U.S. Fertility now claims 55 locations across the U.S., including California.

In a statement, U.S. Fertility said that the hackers “acquired a limited number of files” during the month that they were in its systems, until the ransomware was triggered on September 14. That’s a common technique of data-stealing ransomware, which steals data before encrypting the victim’s network for ransom. Some ransomware groups publish the stolen files on their websites if their ransom demand isn’t paid.

U.S. Fertility said some personal information, like names and addresses, was taken in the attack. Some patients also had their Social Security numbers taken. But the company warned that the attack may have involved protected health information. Under U.S. law, that can include information about a person’s health or medical conditions, like test results and medical records.

A spokesperson did not immediately respond to a request for comment about the incident. (Thursday is a national holiday in the U.S.)

U.S. Fertility didn’t say why it took more than two months to publicly disclose the attack, but said in the notice that its disclosure was not delayed at the request of law enforcement.

This is the latest attack targeting the healthcare sector. In September, one of the largest hospital systems in the U.S., Universal Health Services, was hit by the Ryuk ransomware, forcing some affected emergency rooms to close and to turn patients away. Several other fertility clinics have been attacked by ransomware in recent months.

Australia’s spy agencies caught collecting COVID-19 app data

Australia’s intelligence agencies have been caught “incidentally” collecting data from the country’s COVIDSafe contact tracing app during the first six months of its launch, a government watchdog has found.

The report, published Monday by the Australian government’s inspector general for the intelligence community, which oversees the government’s spy and eavesdropping agencies, said the app data was scooped up “in the course of the lawful collection of other data.”

But the watchdog said that there was “no evidence” that any agency “decrypted, accessed or used any COVID app data.”

Incidental collection is a common term used by spies to describe data that was not deliberately targeted but was collected as part of a wider collection effort. This kind of collection isn’t accidental, but more of a consequence of when spy agencies tap into fiber optic cables, for example, which carry an enormous firehose of data. An Australian government spokesperson told one outlet, which first reported the news, that incidental collection can also happen as a result of the “execution of warrants.”

The report did not say when the incidental collection stopped, but noted that the agencies were “taking active steps to ensure compliance” with the law, and that the data would be “deleted as soon as practicable,” without setting a firm date.

For some, fears that a government spy agency could access COVID-19 contact tracing data was the worst possible outcome.

Since the start of the COVID-19 pandemic, countries — and states in places like the U.S. — have rushed to build contact tracing apps to help prevent the spread of the virus. But these apps vary wildly in terms of functionality and privacy.

Most have adopted the more privacy-friendly approach of using Bluetooth to trace people with the virus that you may have come into contact with. Many have chosen to implement the Apple-Google system, which hundreds of academics have backed. But others, like Israel and Pakistan, are using more privacy invasive techniques, like tracking location data, which governments can also use to monitor a person’s whereabouts. In Israel’s case, the tracking was so controversial that the courts shut it down.

Australia’s intelligence watchdog did not say specifically what data was collected by the spy agencies. The app uses Bluetooth and not location data, but the app requires the user to upload some personal information — like their name, age, postal code, and phone number — to allow the government’s health department to contact those who may have come into contact with an infected person.

Australia has seen more than 27,800 confirmed coronavirus cases and over 900 deaths since the start of the pandemic.

Biden-Harris team finally get their transition .gov domain

Finally. It only took almost three weeks, but the Biden-Harris transition has officially begun.

On Monday, the General Services Administration gave the green light for the Biden-Harris team to transition from political campaign to government administration, allowing the team to receive government resources like office space, but also classified briefings and secure computers. And, with it, comes a shiny new .gov domain.

Transitioning is an obscure part of the law that’s rarely discussed, in large part because outgoing governments and incoming administrations largely get on and try to maintain continuity of government through a peaceful transition of power. The process is formally triggered by the General Services Administration, the lesser-known federal agency tasked with the basic functioning of government, and allows the incoming administration to receive funds, tools, and resources to prepare for entering government.

But this time around, the agency’s head Emily Murphy had been reluctant to trigger the formal transition period after the Trump campaign filed a number of lawsuits challenging the election.

Murphy finally approved the transition on Monday after Michigan certified its election results.

Up until now, the Biden-Harris team used buildbackbetter.com to host its transition website. Now it’s hosted at buildbackbetter.gov, a departure from the ptt.gov domain used by the incoming Obama-Biden administration in 2008.

The Wall Street Journal reported last week that until now the Biden-Harris team was using a Google Workspace for email and collaboration, secured with hardware security keys that staff need to log into their accounts. That setup might suffice for an enterprise, but had security experts worried that the lack of government cybersecurity support could make the camp more vulnerable to attacks.

As for the domain, which you might not think much about, the shift to a .gov domain marks a significant step forwards in the camp’s cybersecurity efforts. Government domains, hosted on the .gov domain, are toughened to protect against domain hijacking or spoofing. In simple terms, they’re far more resilient than your regular web hosting services.

Biden tweeted out the domain marking the change.

A bug meant Twitter Fleets could still be seen after they disappear

Twitter is the latest social media site to allow users to experiment with posting disappearing content. Fleets, as Twitter calls them, allow its mobile users to post short stories, like photos or videos with overlaying text, that are set to vanish after 24 hours.

But a bug meant that fleets weren’t deleting properly and could still be accessed long after 24 hours had expired. Details of the bug were posted in a series of tweets on Saturday, less than a week after the feature launched.

The bug effectively allowed anyone to access and download a user’s fleets without triggering a notification that the user’s fleet had been read and by whom. The implication is that this bug could be abused to archive a user’s fleets after they expire.

The bug could be reached using an app that’s designed to interact with Twitter’s back-end systems via its developer API. What came back was a list of fleets from the server. Each fleet had its own direct URL, which when opened in a browser would load the fleet as an image or a video. But even after the 24 hours elapsed, the server would still return links to fleets that had already disappeared from view in the Twitter app.

When reached, a Twitter spokesperson said a fix was on the way. “We’re aware of a bug accessible through a technical workaround where some Fleets media URLs may be accessible after 24 hours. We are working on a fix that should be rolled out shortly.”

Twitter acknowledged that the fix means that fleets should now expire properly, but it said it won’t delete the fleet from its servers for up to 30 days — and that it may hold onto fleets for longer if they violate its rules. We checked that we could still load fleets from their direct URLs even after they expire.

Fleet with caution.

FireEye acquires Respond Software for $186M, announces $400M investment

The security sector is ever frothy and acquisitive. Just last week Palo Alto Networks grabbed Expanse for $800 million. Today it was FireEye’s turn, snagging Respond Software, a company that helps customers investigate and understand security incidents, while reducing the need for highly trained (and scarce) security analysts. The deal has closed, according to the company.

FireEye had its eye on Respond’s Analyst product, which it plans to fold into its Mandiant Solutions platform. Like many companies today, FireEye is focused on using machine learning to help bolster its solutions and bring a level of automation to sorting through the data, finding real issues and weeding out false positives. The acquisition gives them a quick influx of machine learning-fueled software.

FireEye sees a product that can help add speed to its existing tooling. “With Mandiant’s position on the front lines, we know what to look for in an attack, and Respond’s cloud-based machine learning productizes our expertise to deliver faster outcomes and protect more customers,” Kevin Mandia, FireEye CEO said in a statement announcing the deal.

Mike Armistead, CEO at Respond, wrote in a company blog post that today’s acquisition marks the end of a four-year journey for the startup, but it believes it has landed in a good home with FireEye. “We are proud to announce that after many months of discussion, we are becoming part of the Mandiant Solutions portfolio, a solution organization inside FireEye,” Armistead wrote.

While FireEye was at it, it also announced a $400 million investment from Blackstone Tactical Opportunities fund and ClearSky (an investor in Respond), giving the public company a new influx of cash to make additional moves like the acquisition it made today.

It didn’t come cheap. “Under the terms of its investment, Blackstone and ClearSky will purchase $400 million in shares of a newly designated 4.5% Series A Convertible Preferred Stock of FireEye (the ‘Series A Preferred’), with a purchase price of $1,000 per share. The Series A Preferred will be convertible into shares of FireEye’s common stock at a conversion price of $18.00 per share,” the company explained in a statement. The stock closed at $14.24 today.

Respond, which was founded in 2016, raised $32 million, including a $12 million Series A in 2017 led by CRV and Foundation Capital and a $20 million Series B led by ClearSky last year, according to Crunchbase data.

Facebook sues operator of Instagram clone sites

Facebook has today filed another lawsuit against a company acting in violation of its terms of service. In this case, the company has sued Ensar Sahinturk, a Turkish national who operated a network of Instagram clone sites, according to court filings. Facebook says Sahinturk used automation software to scrape Instagram users’ public profiles, photos, and videos from over 100,000 accounts without permission, and this data was then published on his network of websites.

In the filing, Facebook says it became aware of the clone website network a year ago, in November 2019. It learned that the defendant had controlled a number of domains, many with names that were similar to Instagram, including jolygram.com, imggram.com, imggram.net, finalgram.com, pikdo.net, and ingram.ws. The first in that list, jolygram.com, had been in use since August 2017. The others were registered in later years as the network expanded. Finalgram.com was the latest that was put to use, and has been in operation since Oct. 2019.

Facebook doesn’t say how large these sites were, in terms of visitors, but described the clone network to TechCrunch as having “voluminous traffic.”

In addition to what Facebook claims are trademark violations associated with these domains, the sites were populated with data that was pulled from Instagram’s website through automated scraping — that is, via specialized software that pretends to be a human instead of a bot to access data.

The defendant was able to evade Instagram’s security measures against automated tools of this nature by making it look like the requests to Facebook’s servers were coming from a person using the official Instagram app, the complaint states.

The defendant had programmed his scraping software by creating and using thousands of fake Instagram accounts that would mimic actions that real, legitimate users of the Instagram app could have taken. Facebook said the number of fake accounts used daily could be very high. On April 17, 2020, the defendant used over 7,700 accounts to make automated requests to Facebook servers, for example. On April 22, 2020, he used over 9,000.

On the clone websites created, users were able to enter in any Instagram username and then view their public profiles, photos, videos, Stories, hashtags, and location. The clone sites also allowed visitors to download the pictures and videos that had been posted on Instagram, a feature that Instagram doesn’t directly offer. (Its official website and app don’t offer a “save” button.)

Facebook attempted to protect against these various terms of service violations in 2019, when it disabled approximately 30,000 fake Instagram accounts operated by the defendant. It also sent a series of Cease and Desist letters and shut down further Instagram and Facebook accounts, including one Facebook Page belonging to the defendant. However, the defendant claimed he didn’t operate jolygram.com, saying it was just registered under his name. But he also said he had shut it down.

Facebook claims the resources it used to investigate and attempt to resolve the issues with the defendant’s operations have topped $25,000, and it is asking for damages to be determined during the trial.

The lawsuit is now one of many Facebook has filed in the years that followed the Cambridge Analytica scandal, where millions of Facebook users’ data was harvested without their permission. Facebook has since sued analytics firms misusing its data, developers who violated its terms to sell fake “Likes,” and other marketing intelligence operations. However, the company tells TechCrunch this is the first Instagram lawsuit against clone websites.

Google plans to test end-to-end encryption in Android messages

For the past year and a half, Google has been rolling out its next-generation messaging to Android users to replace the old, clunky, and insecure SMS text messaging. Now the company says that rollout is complete, and plans to bring end-to-end encryption to Android messages next year.

Google’s Rich Communications Services is Android’s answer to Apple’s iMessage, and brings typing indicators, read receipts, and other features you’d expect from most messaging apps these days.

In a blog post Thursday, Google said it plans to roll out end-to-end encryption — starting with one-on-one conversations — leaving open the possibility of end-to-end encrypted group chats. It’ll become available to beta testers, who can sign up here, beginning later in November and continuing into the new year.

End-to-end encryption prevents anyone — even Google — from reading messages as they travel between sender and the recipient.

Google dipped its toes into the end-to-end encrypted messaging space in 2016 with the launch of Allo, an app that immediately drew criticism from security experts for not enabling the security feature by default. Two years later, Google killed off the project altogether.

This time around, Google learned its lesson. Android messages will default to end-to-end encryption once the feature becomes available, and won’t revert back to SMS unless the users in the conversation lose or disable RCS.

UK to invest in AI and cyber as part of major defense spending hike

The UK has announced a massive boost in defense spending — £16.5 billion ($21.8BN) over four years, the biggest such spending bump for 30 years — in what prime minister Boris Johnson has described as a “once in a generation modernization” of the UK’s armed forces and “the end of the era of retreat” on funding for defense.

Overall the UK prime minister said the spending hike will create 40,000 jobs, adding that it will cement the country’s position as the biggest military defense spender in Europe and the second largest in NATO after the US.

Johnson said the focus for investment will be on cutting edge technologies that can “revolutionize” warfare — implying a major role for artificial intelligence and sensor-laden connected hardware in “forging our military assets into a single network designed to overcome the enemy”, as he put it in a statement to parliament, setting out the first conclusions from the (ongoing) review of security, defense, development and foreign policy.

“A soldier in hostile territory will be alerted to a distant ambush by sensors or satellites or drones instantly transmitting a warning using artificial intelligence to devise the optimal response and offering an array of options — from summoning an air strike to ordering a swarm attack by drones, or paralyzing the enemy with cyber weapons,” Johnson told the House of Commons today, speaking via video conference as he continues to self isolate following a coronavirus contact.

“New advances will surmount the old limits of logistics,” he went on, fleshing out the rationale for spending on upgrading military technology. “Our warships and combat vehicles will carry directed energy weapons — destroying targets with inexhaustible lasers. And for them the phrase out of ammunition will become redundant.”

“Nations are racing to master this new doctrine of warfare and our investment is designed to place Britain among the winners,” he added.

The review sets out at least £1.5BN extra — and £5.8BN total — spending on military R&D which Johnson said would be “designed to master the new technologies of warfare”.

There will also be a new R&D center set up with a dedicated focus on artificial intelligence, he added.

An RAF Space Command center is also in the works — with the aim of launching British satellites including the UK’s first rocket from Scotland in 2022.

Meanwhile, the air force will get a new fighter system that Johnson specified will incorporate AI and drone technology.

He also confirmed the existence of a National Cyber Force — a joint unit consisting of personnel from the UK’s intelligence agencies and military personnel which runs cyberops targeting terrorism, organized crime and hostile foreign state actors.

He suggested the hike in military spending on emerging technologies will filter down into wider societal tech gains, telling MPs: “The returns will go far beyond our armed forces — from aerospace to autonomous vehicles — these technologies have a vast array of civilian applications, opening up new vistas of economic progress.”

Responding to Johnson’s statement, the leader of the opposition, Keir Starmer, welcomed the announcement of increased spending for defense and the armed forces — but accused the government of issuing another “press release without a strategy” — pointing out that successive Conservative governments have eroded defense spending over the past ten years.

“This is a spending announcement without a strategy. The government has yet again pushed back vital parts of the integrated review and there’s no clarity over the government’s strategic priorities,” said Starmer, going on to query how the spending hike would be funded, given the economic crunch facing the UK as a result of the pandemic — asking whether it will require tax rises or cuts to public spending elsewhere, such as to the international development budget.

Starmer also raised the awkward matter of the Russia report — wondering why Johnson’s government has not acted on the “urgent” national security risks identified there.

The report, by parliament’s intelligence and security committee, found the UK lacks a comprehensive and cohesive strategy to respond to the cyber threat posed by Russia and other hostile states that are deploying online disinformation and influence ops to target democratic institutions and values.

It also sounded the alarm about how much Russian money is finding its way into UK political party coffers.

“The prime minister speaks of tackling global security threats, improving cyber capability — and that is all welcome, and we welcome it — but four months after the intelligence and security committee published its report concluding that Russia posed… an immediate and urgent threat to our national security,” noted Starmer.

Replying, Johnson dodged all Starmer’s questions — branding his criticisms “humbug [that] takes the cake” and opting to attack the Labour leader for having served under the party’s former leader, Jeremy Corbyn, who did not support increasing UK defense spending.

Cryptocurrency exchange Liquid confirms hack

Cryptocurrency exchange Liquid has confirmed it was hacked, but that the scope of the incident is still under investigation.

The company’s chief executive Mike Kayamori said in a blog post the attack happened on November 13. The hacker gained access to the company’s domain records, allowing the hacker to take control of several employee email accounts, and later compromised the company’s network.

Kayamori said that while cryptocurrency funds are “accounted for,” the hacker may have accessed the company’s document storage. “We believe the malicious actor was able to obtain personal information from our user database. This may include data such as your email, name, address and encrypted password,” he said.

The company said it was “continuing to investigate” if the hacker gained access to documents that users submitted to verify their identity with the exchange, such as a government-issued ID, selfie, or proof of address, which could put users at a heightened risk of identity theft or for targeted attacks.

Liquid told users in an email that they should change their passwords to be safe.

Attacks that target a company’s network infrastructure take advantage of weak or reused passwords that were used to register the company’s domain name. By breaking in and changing those network settings, attackers can invisibly control the network and gain access to email accounts and systems that would be far more difficult through other routes of attack.

Cryptocurrency startups and exchanges are high-value targets for hackers, given the potential for massive financial rewards of a successful breach. In 2018, Nano saw $170 million stolen in a breach, Coinrail lost $40 million after a hack, Bithumb lost $30 million, and Binance and Coincheck each lost a massive $400 million after hackers broke in.

Liquid was founded in 2014, and claims to have facilitated the trade of $50 billion in cryptocurrency over the past year.

Trump fires top US cybersecurity official Chris Krebs for debunking false election claims

Chris Krebs, one of the most senior cybersecurity officials in the U.S. government, has been fired.

Krebs served as the director of the Cybersecurity and Infrastructure Security Agency (CISA) from its founding in November 2018 until he was removed from his position on Tuesday. It’s not immediately clear who is currently heading the agency. A spokesperson for CISA did not immediately comment.

President Trump fired Krebs in a tweet late on Tuesday, citing a statement published by CISA last week, which found there was “no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” Trump, who has repeatedly made claims of voter fraud without providing evidence, alleged that CISA’s statement was “highly inaccurate.”

Shortly after, Twitter labeled Trump’s tweet for making a “disputed” claim about election fraud.

Reuters first reported the news of Krebs’ potential firing last week.

Krebs was appointed by President Trump to head the newly created cybersecurity agency in November 2018, just days after the conclusion of the midterm elections. He previously served as an under secretary for CISA’s predecessor, the National Protection and Programs Directorate, and also held cybersecurity policy roles at Microsoft.

During his time in government, Krebs became one of the most vocal voices in election security, taking the lead during 2018 and in 2020, which largely escaped disruptive cyberattacks thanks to efforts to prepare for the cyberattacks and misinformation that plagued the 2016 presidential election.

He was “one of the few people in this administration respected by everyone on both sides of the aisle,” said Sen. Mark Warner, a member of the Senate Intelligence Committee, in a tweet.

Krebs is the latest official to leave CISA in the past year. Brian Harrell, who oversaw infrastructure protection at the agency, resigned in August after less than a year on the job, and Jeanette Manfra left for a role at Google at the end of last year. Cyberscoop reported Thursday that Bryan Ware, CISA’s assistant director for cybersecurity, resigned for a position in the private sector.