From Digital Age to Nano Age. WorldWide.

Tag: government

Robotic Automations

US government says security flaw in Chirp Systems' app lets anyone remotely control smart home locks | TechCrunch

A vulnerability in a smart access control system used in thousands of U.S. rental homes allows anyone to remotely control any lock in an affected home. But Chirp Systems, the company that makes the system, has ignored requests to fix the flaw.

U.S. cybersecurity agency CISA went public with a security advisory last week saying that the phone apps developed by Chirp, which residents use in place of a key to access their homes, “improperly stores” hardcoded credentials that can be used to remotely control any Chirp-compatible smart lock.

Apps that rely on passwords stored in their source code, a practice known as hardcoding credentials, are a security risk because anyone who can extract those credentials can use them to perform actions that impersonate the app. In this case, the credentials allowed anyone to remotely lock or unlock a Chirp-connected door lock over the internet.

In its advisory, CISA said that successful exploitation of the flaw “could allow an attacker to take control and gain unrestricted physical access” to smart locks connected to a Chirp smart home system. The cybersecurity agency gave the vulnerability a severity score of 9.1 out of a maximum of 10, citing its “low attack complexity” and the fact that it can be exploited remotely.

The cybersecurity agency said Chirp Systems has not responded to either CISA or the researcher who found the vulnerability.

Security researcher Matt Brown told veteran security journalist Brian Krebs that he notified Chirp of the security issue in March 2021 but that the vulnerability remains unfixed.

Chirp Systems is one of a growing number of companies in the property tech space that supply rental giants with keyless access controls that integrate with smart home technologies. Rental companies are increasingly forcing renters to allow the installation of smart home equipment as dictated by their leases, but it’s murky at best who takes responsibility or ownership when security problems arise.

Real estate and rental giant Camden Property Trust signed a deal in 2020 to roll out Chirp-connected smart locks to more than 50,000 units across over a hundred properties. It’s unclear if affected properties like Camden are aware of the vulnerability or have taken action. Kim Callahan, a spokesperson for Camden, did not respond to a request for comment.

Chirp was bought by property management software giant RealPage in 2020, and RealPage was acquired by private equity giant Thoma Bravo later that year in a $10.2 billion deal. RealPage is facing several legal challenges over allegations its rent-setting software uses secret and proprietary algorithms to help landlords raise the highest possible rents on tenants.

Neither RealPage nor Thoma Bravo has acknowledged the vulnerability in the software they acquired, nor said whether they plan on notifying affected residents of the security risk.

Jennifer Bowcock, a spokesperson for RealPage, did not respond to requests for comment from TechCrunch. Megan Frank, a spokesperson for Thoma Bravo, also did not respond to requests for comment.

Software Development in Sri Lanka


US says Russian hackers stole federal government emails during Microsoft cyberattack | TechCrunch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Russian government-backed hackers stole emails from several U.S. federal agencies as a result of an ongoing cyberattack at Microsoft.

In a statement published Thursday, the U.S. cyber agency said the cyberattack, which Microsoft initially disclosed in January, allowed the hackers to steal federal government emails “through a successful compromise of Microsoft corporate email accounts.”

The hackers, which Microsoft calls “Midnight Blizzard,” also known as APT29, are widely believed to work for Russia’s Foreign Intelligence Service, or SVR.

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” said CISA.

The federal cyber agency said it issued a new emergency directive on April 2 ordering civilian government agencies to take action to secure their email accounts, based on new information that the Russian hackers were ramping up their intrusions. CISA made details of the emergency directive public on Thursday after giving affected federal agencies a week to reset passwords and secure affected systems.

CISA did not name the affected federal agencies that had emails stolen, and a spokesperson for CISA did not immediately comment when reached by TechCrunch.

News of the emergency directive was first reported by Cyberscoop last week.

The emergency directive comes as Microsoft faces increasing scrutiny of its security practices after a spate of intrusions by hackers from adversarial nations. The U.S. government is heavily reliant on the software giant for hosting government email accounts.

Microsoft went public in January after identifying that the Russian hacking group broke into some corporate email systems, including the email accounts of “senior leadership team and employees in our cybersecurity, legal, and other functions.” Microsoft said the Russian hackers were searching for information about what Microsoft and its security teams knew about the hackers themselves. Later, the technology giant said the hackers also targeted other organizations outside of Microsoft.

Now it is known that some of those affected organizations included U.S. government agencies.

By March, Microsoft said it was continuing its efforts to expel the Russian hackers from its systems in what the company described as an “ongoing attack.” In a blog post, the company said the hackers were attempting to use “secrets” they had initially stolen in order to access other internal Microsoft systems and exfiltrate more data, such as source code.

Microsoft did not immediately comment when asked by TechCrunch on Thursday what progress the company is making in remediating the attack since March.

Earlier this month, the U.S. Cyber Safety Review Board (CSRB) concluded its investigation of an earlier 2023 breach of U.S. government emails attributed to Chinese government-backed hackers. The CSRB, an independent body that includes representatives from government and cyber experts in the private sector, blamed a “cascade of security failures at Microsoft.” Those failures allowed the China-backed hackers to steal a sensitive email signing key that permitted broad access to both consumer and government emails.

In February, the U.S. Department of Defense notified 20,000 individuals that their personal information was exposed to the internet after a Microsoft-hosted cloud email server was left without a password for several weeks in 2023.


Lawmakers vote to reauthorize US spying law that critics say expands government surveillance | TechCrunch

Lawmakers passed legislation early Saturday reauthorizing and expanding a controversial U.S. surveillance law shortly after the powers expired at midnight, rejecting opposition by privacy advocates and lawmakers.

The bill, which passed on a 60-34 vote, reauthorizes powers known as Section 702 under the Foreign Intelligence Surveillance Act (FISA), which allows the government to collect the communications of foreign individuals by accessing records from tech and phone providers. Critics, including lawmakers who voted against the reauthorization, say FISA also sweeps up the communications of Americans while spying on its foreign targets.

White House officials and spy chiefs rallied behind efforts to reauthorize FISA, arguing the law prevents terrorist and cyber attacks and that a lapse in powers would harm the U.S. government’s ability to gather intelligence. The Biden administration claims the majority of the classified information in the president’s daily intelligence briefing derives from the Section 702 program.

Privacy advocates and rights groups rejected the reauthorization of FISA, which does not require the FBI or the NSA to obtain a warrant before searching the Section 702 database for Americans’ communications. Accusations that the FBI and the NSA abused their authority to conduct warrantless searches on Americans’ communications became a key challenge for some Republicans initially seeking greater privacy protections.

Bipartisan efforts aimed to require the government to obtain a warrant before searching its databases for Americans’ communications, but these failed ahead of the final vote on the Senate floor.

Following the passage in the early hours of today, Senator Mark Warner, who chairs the Senate Intelligence Committee, said that FISA was “indispensable” to the U.S. intelligence community.

The bill now goes to the President’s desk, where it will almost certainly be signed into law.

FISA became law in 1978 prior to the advent of the modern internet. It started to come under increased public scrutiny in 2013 after a massive leak of classified documents exposed the U.S. government’s global wiretapping program under FISA, which implicated several major U.S. tech companies and phone companies as unwilling participants.

The Senate was broadly expected to pass the surveillance bill into law, but it faced fresh opposition after the House last week passed its version of the legislation, which critics said would extend the reach of FISA to also include smaller companies and telecom providers not previously subject to the surveillance law.

Communications providers largely opposed the House’s expanded definition of an “electronic communications service provider,” which they said would unintentionally include companies beyond the big tech companies and telecom providers who are already compelled to hand over users’ data.

An amendment, introduced by Sen. Ron Wyden, to remove the expanded measure from the bill failed to pass in a vote.

Wyden, a Democratic privacy hawk and member of the Senate Intelligence Committee, accused senators of waiting “until the 11th hour to ram through renewal of warrantless surveillance in the dead of night.”

“Time after time anti-reformers pledge that their band-aid changes to the law will curb abuses, and yet every time, the public learns about fresh abuses by officials who face little meaningful oversight,” said Wyden in a statement.

In the end, the bill passed soon after midnight.

Despite the last-minute rush to pass the bill, a key provision in FISA prevents the government’s programs under Section 702 from suddenly shutting down in the event of lapsed legal powers. FISA requires the government to seek an annual certification from the secretive FISA Court, which oversees and approves the government’s surveillance programs. The FISA Court last certified the government’s surveillance program under Section 702 in early April, allowing the government to use its lapsed authority until at least April 2025.

FISA will now expire at the end of 2026, setting up a similar legislative showdown midway through the next U.S. administration.


US government urges Sisense customers to reset credentials after hack | TechCrunch

U.S. cybersecurity agency CISA is warning Sisense customers to reset their credentials and secrets after the data analytics company reported a security incident.

In a brief statement on Thursday, CISA said it was responding to a “recent compromise” at Sisense, which provides business intelligence and data analytics to companies around the world.

CISA urged Sisense customers to “reset credentials and secrets potentially exposed to, or used to access, Sisense services,” and report to the agency any suspicious activity involving the use of compromised credentials.

The exact nature of the cybersecurity incident is not clear yet.

Founded in 2004, Sisense develops business intelligence and data analytics software for big companies, including telcos, airlines and tech giants. Sisense’s technology allows organizations to collect, analyze and visualize large amounts of their corporate data by tapping directly into their existing technologies and cloud systems.

Companies like Sisense rely on using credentials, such as passwords and private keys, to access a customer’s various stores of data for analysis. With access to these credentials, an attacker could potentially also access a customer’s data.

CISA said it is “taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations.”

Sisense counts Air Canada, PagerDuty, Philips Healthcare, Skullcandy and Verizon as its customers, as well as thousands of other organizations globally.

News of the incident first emerged on Wednesday after cybersecurity journalist Brian Krebs published a note sent by Sisense Chief Information Security Officer Sangram Dash urging customers to “rotate any credentials that you use within your Sisense application.”

Neither Dash nor a spokesperson for Sisense responded to an email seeking comment.

Israeli media reported in January that Sisense had laid off about half of its employees since 2022. It is unclear if the layoffs impacted the company’s security posture. Sisense has taken in close to $300 million in funding from investors, which include Insight Partners, Bessemer Ventures Partners and Battery Ventures.

Do you know more about the Sisense breach? To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.


Hackers stole 340,000 Social Security numbers from government consulting firm | TechCrunch

U.S. consulting firm Greylock McKinnon Associates (GMA) disclosed a data breach in which hackers stole as many as 341,650 Social Security numbers.

The data breach was disclosed on Friday on Maine’s government website, where the state posts data breach notifications.

In its data breach notice sent by mail to affected victims, GMA said it was hit by an unspecified cyberattack in May 2023 and “promptly took steps to mitigate the incident.”

GMA provides economic and litigation support to companies and to U.S. government agencies, including the U.S. Department of Justice, in bringing civil litigation. According to its data breach notice, GMA told affected individuals that their personal information “was obtained by the U.S. Department of Justice (“DOJ”) as part of a civil litigation matter” supported by GMA.

The reasons and target of the DOJ’s civil litigation are not known. A spokesperson for the Justice Department did not respond to a request for comment.

GMA said that individuals notified of the data breach are “not the subject of this investigation or the associated litigation matters,” and that the cyberattack “does not impact your current Medicare benefits or coverage.”

“We consulted with third-party cybersecurity specialists to assist with our response to the incident, and we notified law enforcement and the DOJ. We received confirmation of which individuals’ information was affected and obtained their contact addresses on February 7, 2024,” the firm wrote.

GMA told victims that “your personal and Medicare information was likely affected in this incident,” which includes names, dates of birth, home address, some medical information and health insurance information, and Medicare claim numbers, which included Social Security numbers.

It’s unclear why it took GMA nine months to determine the extent of the breach and notify victims.

GMA, and the firm’s outside legal counsel, Linn Freedman of Robinson & Cole LLP, did not immediately respond to a request for comment.


GovDash aims to help businesses use AI to land government contracts | TechCrunch

Tim Goltser and Curtis Mason have been building things together since high school, when the two were the co-captains of their school’s robotics team. In college, Goltser and Mason teamed up to create an app — Hang, for scheduling hangouts with friends — with Sean Doherty, whom Mason had met while an undergrad at Boston University.

Fast forward to 2022, and Goltser and Mason — along with Doherty — felt the entrepreneurial itch strike again. After considering a few ideas, they decided to go after what they saw as a largely unaddressed market: Tools to help small businesses secure U.S. government contracts.

“The federal contracting community has seen a shrinking of the small business industrial base for much of the past decade,” Doherty told TechCrunch. “It’s hard for these companies to compete against giants like Lockheed Martin or Northrop Grumman. It’s also expensive for them to bid on contracts — if they don’t win, they may run out of cash.”

As a result of labyrinthine systems and mountains of paperwork, finding and bidding for U.S. federal contracts is a laborious process. It takes weeks at a minimum to complete, according to Doherty — and often the best-resourced companies are the most successful.

In a 2023 survey from Setscale, a purchase order financing startup, small business owners cited insufficient cash flow and working capital — and a lack of time and resources — as their top roadblocks to securing government contracts.

To attempt to give these small businesses a boost, Goltser, Mason and Doherty founded GovDash, a platform that provides workflows to support government contract capture, proposal, development and management processes. GovDash was accepted to Y Combinator in 2022; Goltser dropped out of college to help spearhead it.

GovDash is essentially a contract proposal generator. The platform automatically finds contracts possibly relevant to a business, reads through the requests for proposals and — leveraging generative AI — writes proposals.

GovDash can trawl through solicitation documents to identify requirements, requested formats, evaluation factors and submission schedules for contracts, Doherty says. It can also identify contracts a business might be qualified for based on their past performance, sending alerts to the inbox of a customer’s choosing, according to Doherty.

“When a contractor wants to respond to a government solicitation, they can run that through GovDash to produce a proposal in a fraction of the time,” Doherty said.

Now, generative AI makes mistakes. It’s a well-established fact. So why should businesses expect GovDash to be any different?

Two reasons, argues Doherty.

One, GovDash built a system that cross-checks a business’s info to see just how relevant the business is to a given federal contract. If the relevancy — as judged by the system — isn’t obvious, GovDash prompts the business to template out sections of the contract proposal with more information.

GovDash’s platform tries to automate many of the more tedious aspects of going after — and securing — U.S. federal contracts.

Two, GovDash involves heavy human review. At each stage of the proposal-generating process, the platform checks in with a human reviewer to get their seal of approval.

These steps — cross-checking and human review — aren’t infallible, Doherty admits. But he claims they’re better than what a lot of the competition’s doing.

“Companies now have one place where their business development data flows seamlessly, with an AI agent at its core to automate tedious workflows,” Doherty said. “This is a huge win for the C-suite as they can get out more proposals, at a higher quality level, in a fraction of the time, and put all the associated workflows on autopilot.”

GovDash’s competition is growing — and quickly.

GovDash competes with Govly, whose platform lets companies assess, search and analyze government contracting requirements across disparate sources. A more recent rival, Hazel, aims to use AI to automate government contracting discovery, drafting and compliance. Both — like GovDash — are Y Combinator-backed, interestingly.

But Doherty claims that GovDash is positioned well for expansion.

Having raised $12 million from investors including Northzone and Y Combinator, inclusive of a $10 million Series A funding tranche this month, GovDash plans to grow its engineering team, hire additional federal proposal managers to guide its product efforts and add new capabilities to its existing platform.

New York-based, six-employee GovDash currently works with around 30 federal contractors across the U.S., Doherty said, and is “nearly” cash-flow positive.

“We’re building for the long term for our customer base,” Doherty said. “[We’re] well-capitalized for eventual market tailwinds.”


Hoping to stall a ban, TikTok says it generated $14.7B for US small businesses last year | TechCrunch

As U.S. lawmakers weigh a possible TikTok ban, the ByteDance-owned short-form video app released an economic impact report on Thursday. In it, the company touts that the platform generated $14.7 billion for small- to mid-size businesses (SMBs) last year, and a further $24.2 billion in total economic activity, supported through small businesses’ use of TikTok.

In addition, it says that over 7 million U.S. businesses rely on TikTok and that 224,000 jobs were supported by small business activity on the platform in 2023. Of those, 98,000 jobs were supported directly within SMBs on TikTok. The states with the largest impacts included California, Texas, Florida, New York and Illinois.

The study was performed by the economics forecasting group, Oxford Economics. It measured SMB activity on TikTok, along with ad spend and ROI, and leveraged census data and other measurements to come to its conclusions.

While a report of this size and scope couldn’t be thrown together overnight, the timing of its release is likely not coincidental.

In March, a bill that could ban TikTok passed in the House of Representatives. President Biden said he would sign it into law if it also passes in the Senate. Of concern to TikTok is that the bill gained bipartisan support, passing the House with a 362-65 vote, despite former President Trump’s change of position on the matter. The Trump administration had previously sought to ban TikTok, calling it a national security risk, but Trump now opposes a ban, saying that Meta would benefit.

Meta is clearly preparing for a possible future where TikTok could be banned, if not spun out from ByteDance. On Wednesday, Facebook was updated to support a new video player across its social network; it will recommend Reels, long-form and Live videos, but default to showing them in vertical format, as on TikTok.

YouTube and other short-form video platforms could also gain increased exposure if TikTok were to be banned, and a ban could pave the way for startups competing in the space, as well.

TikTok’s economic report is a clear attempt to make a case for why the app should be allowed to continue to operate, noting that $5.3 billion in tax revenue last year was supported by small business activity on TikTok, including as a marketing and advertising platform.

The company also presented a variety of case studies where business owners claim that TikTok helped to drive sales, website traffic, and other forms of additional revenue.

Tying the ban to the app’s economic impact is a solid PR strategy — especially since a group of TikTok creators got a judge to successfully block Trump’s TikTok ban in 2020 by saying it would affect their professional opportunities, like brand sponsorships, and ability to make an income.

Though TikTok has been urging users via in-app messages to call Congress to protest a ban, the bill still faces a more difficult path to pass in the Senate — and more so now that the Republican party’s leader has reversed his position on the ban.


Government spyware is another reason to use an ad blocker | TechCrunch

Ad blockers might seem like an unlikely defense in the fight against spyware, but new reporting casts fresh light on how spyware makers are weaponizing online ads to allow governments to conduct surveillance.

Spyware makers are reportedly capable of locating and stealthily infecting specific targets with spyware using banner ads.

One of the startups that worked on an ad-based spyware infection system is Intellexa, a European company that develops the Predator spyware. Predator is able to access the full contents of a target’s phone in real time.

According to documents seen by Israeli news outlet Haaretz, Intellexa presented a proof-of-concept system in 2022 called Aladdin that enabled the planting of phone spyware through online ads. The documents included a demo of the Aladdin system with technical explanations on how the spyware infects its targets and examples of malicious ads: by “seemingly targeting graphic designers and activists with job offers, through which the spyware will be introduced to their device,” Haaretz reported.

It’s unclear if Aladdin was fully developed or was sold to government customers.

Another private Israeli company called Insanet succeeded in developing an ad-based infection system capable of locating an individual within an advertising network, Haaretz revealed last year.

Online ads help website owners, including this one, generate revenue. But online ad exchanges can be abused to push malicious code to a target’s device.

Delivering malware through malicious ads, often referred to as malvertising, works by injecting malicious code into the ads displayed on websites in computer and phone browsers. Many of these attacks rely on some interaction with the victim, such as tapping a link or opening a malicious file.

But the global ubiquity of online advertising vastly increases the reach that government customers have to target individuals — including their critics — with stealthy spyware.

While no phone or computer can ever be completely unhackable, ad blockers can be effective in stopping malvertising and ad-based malware before it ever hits the browser.

Ad blockers — as the name suggests — prevent ads from displaying in web browsers. Ad blockers don’t just hide the ads, but rather block the underlying website from loading the ads to begin with. That’s also good for privacy, since it means ad exchanges cannot use tracking code to see which sites users visit as they browse the web. Ad-blocking software is available for phones, as well.

Security experts have long advised using an ad blocker to prevent malvertising attacks. In 2022, the FBI said in a public service announcement to use an ad blocker as an online safety precaution.

“Everyone should block ads,” tweeted John Scott-Railton, a Citizen Lab senior researcher who has investigated government spyware, in response to the Haaretz report. “It’s a matter of safety.”


US offers $10M to help catch Change Healthcare hackers | TechCrunch

The U.S. government said it is extending its reward for information on key leadership of the ALPHV/BlackCat cybercrime gang to its affiliate members, one of which last month took credit for a massive ransomware attack on a U.S. health tech giant.

In a statement Wednesday, the U.S. Department of State said it is offering a reward of up to $10 million for information that identifies or locates any person associated with ALPHV/BlackCat, including “their affiliates, activities, or links to a foreign government.”

The Russia-based ALPHV/BlackCat is a ransomware-as-a-service operation, which recruits affiliates — effectively contractors who earn a commission for launching ransomware attacks — and takes a cut of whatever ransom demand the victim pays. Although security researchers have not yet drawn a connection between ALPHV/BlackCat and a foreign government, the State Department implied in its statement that the gang may be “acting at the direction or under the control of a foreign government,” such as Russia.

The State Department blamed the prolific ransomware group for targeting U.S. critical infrastructure, including healthcare services.

Last month, an affiliate group of the ALPHV/BlackCat gang took credit for a cyberattack and weekslong outage at U.S. health tech giant Change Healthcare, which processes around one in three U.S. patient medical records. The cyberattack knocked out much of the U.S. healthcare system’s access to patient records and billing information, causing massive outages and delays in fulfilling medications and prescriptions and surgical authorizations for weeks.

The affiliate group went public after accusing the main ALPHV/BlackCat gang of swindling the contract hackers out of $22 million in ransom that Change Healthcare allegedly paid to prevent the mass leak of patient records.

The group said ALPHV/BlackCat carried out an “exit scam,” where the hackers run off with their fortune to avoid paying their affiliates and keep the stolen funds for themselves.

Despite having lost their cut of the ransom demand, the affiliate group claimed to still have access to a huge amount of stolen sensitive patient data.

Change Healthcare has since said that it ejected the hackers from its network and restored many of its systems. U.S. health insurance giant UnitedHealth Group, the parent company of Change Healthcare, has not yet confirmed whether any patient data was stolen.
