CybersecurityUpdate https://www.webpronews.com/technology/cybersecurityupdate/ Breaking News in Tech, Search, Social, & Business Mon, 05 Aug 2024 19:05:15 +0000

CrowdStrike Fires Back At Delta, Says Airline To Blame https://www.webpronews.com/crowdstrike-fires-back-at-delta-says-airline-to-blame/ Mon, 05 Aug 2024 19:05:09 +0000

CrowdStrike has fired back in the wake of Delta Air Lines’ threat of a lawsuit, saying the airline is to blame for its lengthy recovery from the outage.

CrowdStrike pushed a faulty update to its cybersecurity software in mid-July. Because CrowdStrike’s software runs at the kernel level in Windows—the lowest-level part of the operating system—the update had devastating consequences, crippling millions of Windows PCs around the world. The airline industry was hit hard, with Delta among the worst affected.

Delta CEO Ed Bastian said the company may take legal action against CrowdStrike in response.

“We have no choice,” Bastian said in an interview. “Over five days, between lost revenue and the tens of millions of dollars per day in compensation and hotels, we did everything we could to take care of our customers. We have to protect our shareholders, our customers, and our employees from the damage.”

According to The Wall Street Journal, CrowdStrike is accusing Delta of creating a “misleading narrative,” and points to the airline’s response to the outage as the true culprit.

“Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions—swiftly, transparently, and constructively—while Delta did not,” wrote Michael Carlinsky, an attorney at the Quinn Emanuel Urquhart & Sullivan law firm.

The letter goes on to say that CrowdStrike tried to assist Delta in its recovery, but was ultimately told its help was not needed. Interestingly, Bastian alluded to the offer in his interview, but seemed to indicate that any such offer held very little real-world value.

“Do you really want to know what they offered us? Nothing. Free consulting advice to help us. Exactly,” he said. “We have to ensure that this doesn’t happen again and that our stakeholders are compensated for the losses.”

Delta’s long recovery has been a big question mark in the aftermath of the incident, especially since other airlines were back up and running days sooner. Bastian says the blame lies with CrowdStrike and Microsoft, painting Delta as being caught between two competing companies that don’t always work well together.

“People wonder how this could happen if we have redundancies. We built hundreds of millions of dollars in redundancies. The issue is with Microsoft and CrowdStrike, and we are heavily invested in both,” he explained. “We got hit the hardest in terms of recovery capability.”

“Microsoft and CrowdStrike are the top two competitors in cybersecurity. They don’t necessarily partner at the level we need them to,” Bastian added. “This is a call to the industry. Everyone talks about making sure big tech is responsible. Well, guys, this cost us half a billion dollars.”

There’s no doubt that CrowdStrike is ultimately to blame for the outage. The company admittedly pushed a faulty update that bricked millions of computers, in many cases requiring physical access to the machines to fix them.

Only time will tell if Delta was also negligent in their response to the incident, or if they are just caught between two companies, a victim of their heavy reliance on both.

Proton VPN Passes Third Consecutive No-Logs Audit https://www.webpronews.com/proton-vpn-passes-third-consecutive-no-logs-audit/ Tue, 30 Jul 2024 15:31:06 +0000

Good news for Proton VPN users: the company has announced it passed its third consecutive no-logs audit by an independent party.

The top VPN options in the world guarantee a no-logs policy, meaning they do not log user activity. As founder Andy Yen points out, the company’s no-logs claim was tested in 2019. The company was ordered by Swiss authorities to turn over logs to help identify a user. The company could not comply because there were no logs to turn over.

Despite that endorsement, the company has had security firm Securitum perform regular audits on the company’s software, including Proton VPN, to make sure an accidental misconfiguration couldn’t leak user data.

According to Yen, the most recent audit “uncovered no significant security issues,” and he says the company’s security is aided by Proton apps’ code being open source and benefiting from the company’s bug bounty program.

“During the audit, it was confirmed that the Proton VPN product complies with the No-Log policy and offers the highest standards of security and privacy,” reads the Securitum report. “No traces of user logs were detected, and user privacy is protected through both technical and organizational measures. All changes and additional features are developed based on the fundamental principle of maximizing user security and privacy”.

The full report can be read here. In the meantime, however, Securitum’s report confirms that Proton VPN is one of the top VPNs.

Apple Fixes iCloud Private Relay Outage https://www.webpronews.com/apple-fixes-icloud-private-relay-outage/ Mon, 29 Jul 2024 17:55:41 +0000

Apple has fixed an issue that led to an iCloud Private Relay outage, one that caused the service to be slow or inaccessible to users.

According to the company’s System Status page, iCloud Private Relay was experiencing issues for more than 48 hours, from July 25 through July 27. The company has not provided any explanation regarding the cause of the issue, or why it took so long to resolve.

iCloud Private Relay is similar to a VPN, protecting a user’s privacy when they are browsing the web, as Apple explains in a support document:

Normally when you browse the web, information contained in your web traffic, such as your DNS records and IP address, can be seen by your network provider and the websites you visit. This information could be used to determine your identity and build a profile of your location and browsing history over time.

iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party — not even Apple — can see both who you are and what sites you’re visiting.

When Private Relay is enabled, your requests are sent through two separate, secure internet relays.

Hopefully Apple has been able to address the issue so that the service is more reliable moving forward.

Microsoft Wants To Restrict Kernel Access After CrowdStrike https://www.webpronews.com/microsoft-wants-to-restrict-kernel-access-after-crowdstrike/ Fri, 26 Jul 2024 18:08:44 +0000

Microsoft is going back to the security drawing boards in the wake of the CrowdStrike debacle, proposing changes that would restrict kernel access.

The kernel is the core component of any operating system: the lowest-level part, which controls the hardware, communicates with software, and manages processes, file systems, drivers, and more. Because the kernel is one of the first elements loaded in the boot process, protecting it is a critical component of good security practice.

CrowdStrike’s cybersecurity software is designed to operate at the kernel level, which is why the results were disastrous when the company pushed a faulty update earlier this month. The update bricked millions of Windows PCs and brought multiple industries to a grinding halt.

In the aftermath of the incident, Microsoft is reevaluating best practices for Windows security, including the option to restrict kernel access, as Microsoft VP John Cable outlines in a blog post:

This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience. These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem.

Examples of innovation include the recently announced VBS enclaves, which provide an isolated compute environment that does not require kernel mode drivers to be tamper resistant, and the Microsoft Azure Attestation service, which can help determine boot path security posture. These examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access. We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.

Cable’s comments about encouraging “development practices that do not rely on kernel access” are telling, since CrowdStrike’s kernel access directly led to the issue. In contrast, Apple does not allow developers access to the macOS kernel, implementing that change in 2020. As a result, macOS is largely immune to a CrowdStrike-type issue.


Unfortunately for Microsoft, the reason the company still allows access to the kernel is a 2009 agreement with the EU, designed to level the playing field by giving third-party companies the same access to the Windows kernel that Microsoft has.

Competition vs Security

The issue underscores potential problems with the EU’s current regulatory path. The bloc is hell-bent on cracking open every platform and making the playing field as level as possible. Apple has become a popular target, with the EU seemingly intent on making iOS function like—and be as open as—Android.

Unfortunately, while such goals are laudable, the reality is that breaking open legacy platforms often has unforeseen consequences, with the CrowdStrike incident being a case in point. Because the EU wanted third-party developers to have full access to the kernel that Microsoft developed and owns, the stage was set for one of the worst outages in computer history.

The reality is that some systems are simply not designed to be cracked open in such a way that anyone and everyone can have access, and doing so opens the door to serious issues.

What About Open-Source?

Critics will point to the open nature of open-source software as proof that prying open existing platforms is viable. Unfortunately, this is comparing apples to oranges.

In the case of true open-source software, all the various components are open and accessible, meaning the software’s entire stack can be inspected and audited. This helps ensure that flaws like the CrowdStrike flaw don’t make it into production systems.

In contrast, prying open a closed-source platform to allow third-parties to have access doesn’t mean that the entire stack is now open and auditable. Nor does it mean that any third-party software that hooks into the pried-open platform is open for inspection and audit.

As a result, the type of “openness” the EU forced on Microsoft is the worst of both worlds, not the best. It essentially reduces the security of closed-source Windows by prying it open so other closed-source applications can hook into it in ways that cannot easily be inspected, tested, or verified before something bad happens.

The Future

Hopefully, companies, organizations, and lawmakers learn from the CrowdStrike debacle and recognize that changes need to be made:

  • Companies need to get behind the kind of Zero Trust methods Cable outlined and stop relying on kernel access.
  • Microsoft should renegotiate its agreement with the EU to eliminate outside access to the Windows kernel.
  • Lawmakers need to recognize that “openness” for the sake of openness sometimes creates more problems than it solves. Any such regulatory efforts need to be made with a greater understanding of the industry and potential issues of decisions that are made.

Until the above steps are universally taken, CrowdStrike-type incidents will keep happening.

CrowdStrike Sends, Then Cancels, $10 Apology Gift Cards https://www.webpronews.com/crowdstrike-sends-then-cancels-10-apology-gift-cards/ Wed, 24 Jul 2024 18:50:26 +0000

In what may be the lamest apology attempt to date, CrowdStrike sent users impacted by its debacle $10 gift cards, only to cancel them before they could be used.

First spotted by TechCrunch, CrowdStrike has been sending out $10 Uber Eats gift cards to apologize to those impacted when it sent out a faulty update that bricked millions of Windows PCs. A number of users took to X to post about receiving the gift card.

As if a mere $10 to apologize for an outage that crippled the world wasn’t already insulting enough, TechCrunch reports that the gift cards aren’t working when users try to redeem them. When the outlet reached out to Uber Eats, it was told the card “has been canceled by the issuing party and is no longer valid.”

CrowdStrike has been in the news for all the wrong reasons since the outage it caused. With moves like this, it’s safe to say its days of being in the news for all the wrong reasons are far from over.

Microsoft: Blame The EU For CrowdStrike Debacle https://www.webpronews.com/microsoft-blame-the-eu-for-crowdstrike-debacle/ Mon, 22 Jul 2024 14:09:17 +0000

Microsoft is blaming a 2009 agreement with the EU for the recent CrowdStrike outage that brought the world to its knees.

CrowdStrike’s cybersecurity software runs at the lowest level of the operating system, the kernel, giving it access that goes far beyond ordinary software. Ideally, the kernel is well-protected against software wreaking havoc—either maliciously or through ineptness, as in the case of CrowdStrike.

Unfortunately for Microsoft, the company is not able to lock down the kernel and protect it as it should be. According to The Wall Street Journal, a Microsoft spokesperson said the issue stems from a 2009 agreement Microsoft made with the EU in response to a complaint. The agreement stipulates that Microsoft will give third-party developers the same low-level access to the kernel that Microsoft has.

In contrast, Apple announced in 2020 that it would no longer allow developers to access the kernel, meaning macOS is inherently immune from CrowdStrike-like incidents. Put even more bluntly, it means that Microsoft Windows will never be as secure as macOS thanks to the deal it struck with the EU.

Microsoft’s predicament underscores growing concern about the EU’s regulatory efforts. The bloc has been aggressively cracking down on Big Tech, with the Digital Markets Act aimed at fostering a level playing field. Gatekeeper companies—companies that control an entire platform and meet user and income thresholds—have been especially targeted, with the EU trying to force them to open their platforms to third-party companies.

As Microsoft’s example shows, however, ripping platforms open so everyone and anyone can have unfettered access doesn’t always benefit users as much as lawmakers think it will. Instead, it can lead to disasters like CrowdStrike.

Airports, banks, hospitals, you name it: “It’s like the internet just broke” https://www.webpronews.com/airports-banks-hospitals-you-name-it-its-like-the-internet-just-broke/ Fri, 19 Jul 2024 15:10:15 +0000

A massive IT outage caused by an untested update from cybersecurity firm CrowdStrike has thrown a wrench into the operations of airlines, banks, hospitals, and many other businesses worldwide. The update led to millions of computers displaying the infamous “blue screen of death,” rendering them inoperable and causing widespread disruption. Described as potentially the biggest IT outage in history, the incident has sparked intense criticism and raised questions about the reliability of modern cybersecurity measures.

Impact and Fallout

The scale of the disruption has been unprecedented. Airports around the world have been shut down, with many airlines grounding their flights. In some cases, airlines have resorted to issuing handwritten boarding passes. Hospitals have faced critical operational failures, with trains in the United States and the United Kingdom coming to a halt. Entire companies have found themselves unable to operate as employees struggle to log into their systems.

“You wake up, and everything’s down,” said Sasha Yanshin, a YouTuber and IT expert who has been covering the outage extensively. “Airports, banks, hospitals, you name it. It’s like the internet just broke.”

CrowdStrike’s CEO George Kurtz addressed the issue in a public statement, acknowledging the severity of the situation. “We deeply apologize for the impact this has caused,” Kurtz said. “This is not a security incident or cyberattack. It was a content update issue that affected Windows hosts. We are working tirelessly to resolve it.”

Despite the apology, CrowdStrike has faced significant backlash for its handling of the situation. Critics have accused the company of gaslighting and failing to provide adequate support to affected customers. “CrowdStrike is busy mitigating risks and gaslighting instead of helping people fix the issue,” Yanshin commented. “How did a global security company send out an update that immediately disables millions of computers worldwide?”

Criticism and Response

The fallout has prompted questions about the testing and deployment processes at CrowdStrike. “If this is the level of attention they pay to updates, what about the actual security they provide?” Yanshin asked. “This incident highlights a major vulnerability in our reliance on third-party security solutions.”

Yanshin did not hold back in his critique of CrowdStrike’s response. “CrowdStrike CEO George Kurtz did a bit of gaslighting on Twitter, saying this is not a security incident or cyberattack. But breaking people’s computers, making companies unable to operate, and grounding airlines – many would argue these are indeed severe security incidents,” Yanshin remarked. “How did this happen? How did a global security company send out an update that immediately disables millions of computers worldwide? It’s mind-boggling.”

Government and Corporate Reactions

The Department of Homeland Security (DHS) and the National Security Council (NSC) have been actively involved in assessing the situation. “We are working closely with CrowdStrike and Microsoft to understand the full scope of the outages and mitigate any potential risks,” a DHS spokesperson said. President Biden has also been briefed on the incident, underscoring its significance at the highest levels of government.

Microsoft, whose Windows operating systems were directly affected, placed the blame squarely on CrowdStrike. “The CrowdStrike update forced Windows devices into a reboot loop, causing widespread disruptions,” Microsoft stated on its support page.

Yanshin offered his perspective on the broader implications: “This incident exposes a critical flaw in how interconnected our digital infrastructure has become. One untested update from a single cybersecurity firm can cause a ripple effect that paralyzes essential services worldwide.”

Economic Impact

The financial markets have reacted sharply to the news. Shares of cybersecurity firms like Palo Alto Networks and SentinelOne have risen as investors anticipate increased demand for robust cybersecurity solutions. Conversely, CrowdStrike’s shares plummeted by approximately 10%, reflecting investor concerns over the company’s role in the incident and potential liabilities.

The economic impact extends beyond the stock market. Businesses worldwide are grappling with significant losses as a result of the outage. “Every minute of downtime translates to millions in lost revenue,” said Dom Chu, a financial analyst. “This incident will likely have long-term repercussions for CrowdStrike and its customers.”

Yanshin pointed out the scale of the economic fallout: “Imagine the level of losses being reported across the world right now. In India, we are seeing the impact largely on flights, but globally, it’s extremely overwhelming to see what’s playing out right now.”

Ongoing Recovery Efforts

Recovery efforts are underway, but the process is labor-intensive and time-consuming. “Our IT workers are tirelessly working to manually reboot systems and restore normal operations,” reported Steve Kovach from the CNBC newsroom. CrowdStrike has provided a detailed workaround for affected users, but the solution requires technical expertise that many users lack.

“Boot Windows into safe mode or the Windows Recovery Environment, navigate to the CrowdStrike directory, and delete a specific file,” Kurtz explained. “We understand this is not an easy task for everyone, and we are providing as much support as possible.”

Yanshin criticized the complexity of the proposed solution: “How many regular everyday non-tech people know how to boot into recovery mode and would actually feel comfortable doing it by themselves? The level of gaslighting by CrowdStrike is incredible because this is significantly worse than they are making out.”

Lessons Learned and Future Implications

The incident has sparked a broader debate about the resilience of critical infrastructure and the need for improved oversight and contingency planning. “This outage serves as a wake-up call for industries worldwide to strengthen their defenses and ensure continuity in the face of unexpected failures,” said Katherine Manstead, a cybersecurity expert.

As businesses and governments work to restore normalcy, the lessons learned from this incident will likely drive significant changes in how cybersecurity is approached and managed globally. The collaborative efforts between corporate IT teams and national security agencies highlight the critical nature of cybersecurity in safeguarding not just business operations but national infrastructure.

The global IT outage caused by a CrowdStrike update has had far-reaching impacts, disrupting services across multiple sectors and highlighting vulnerabilities in digital infrastructure. While recovery efforts continue, the incident underscores the need for robust cybersecurity measures and contingency planning to mitigate the effects of such disruptions in the future. As the world grapples with the fallout, the focus remains on restoring full functionality and preventing similar incidents from occurring again.

15 Million Trello Account Emails For Sale Online https://www.webpronews.com/15-million-trello-account-emails-for-sale-online/ Thu, 18 Jul 2024 15:26:29 +0000

A hacker is selling 15 million Trello account emails and profiles online, after collecting them using an unsecured API.

First spotted by BleepingComputer, a hacker going by the name ‘emo’ began selling 15 million Trello profiles in January. The hacker told the outlet that the data “was collected using an unsecured REST API that allowed developers to query for public information about a profile based on users’ Trello ID, username, or email address.”

Although Trello parent Atlassian failed to provide comment in January, the company acknowledged to BleepingComputer this week how the data was exfiltrated.

“Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address. However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request information that is publicly available on another user’s profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions.”

Atlassian

Most of the information in the profiles is publicly available, but the information does contain non-public email addresses.

All in all, the Trello incident is not one of the most devastating cybersecurity breaches, but it does continue to demonstrate the risks associated with unsecured APIs.
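The lookup behaviour the Atlassian statement describes, modelled as an added example (constructed code, not Trello’s or Atlassian’s): the pre-fix handler answers email queries for anyone, while the hardened handler gates the email key behind authentication and keeps ID and username lookups of public data open. Profiles, field names and status codes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Profile:
    user_id: str
    username: str
    full_name: str   # shown on the public profile page
    email: str       # never shown publicly

# Constructed sample directory standing in for the real user table.
PROFILES = (
    Profile("5f1a2b", "alice", "Alice Example", "alice@example.test"),
    Profile("9c2b3d", "bob", "Bob Example", "bob@example.test"),
)

def public_view(p: Profile) -> dict:
    """Fields already visible on the public profile; the email is excluded."""
    return {"id": p.user_id, "username": p.username, "fullName": p.full_name}

def _find(key: str, value: str) -> Optional[Profile]:
    """Resolve a profile by one of the three lookup keys the API accepts."""
    field = {"id": "user_id", "username": "username", "email": "email"}[key]
    return next((p for p in PROFILES if getattr(p, field) == value), None)

def lookup_weak(key: str, value: str) -> Tuple[int, Optional[dict]]:
    """Pre-fix behaviour: any caller, authenticated or not, may query by id,
    username or email. An email query links a non-public address to a public
    profile, and the 200-versus-404 difference confirms whether an address has
    an account at all, which is what made bulk collection possible."""
    p = _find(key, value)
    return (200, public_view(p)) if p else (404, None)

def lookup_hardened(key: str, value: str, authenticated: bool) -> Tuple[int, Optional[dict]]:
    """Post-fix behaviour as described by Atlassian: email lookups require an
    authenticated caller, while id/username lookups of public data stay open so
    the 'invite to a public board by email' flow keeps working for signed-in users."""
    if key == "email" and not authenticated:
        # Reject before consulting the directory, so the response is identical
        # whether or not the address exists (no membership oracle).
        return (401, None)
    p = _find(key, value)
    return (200, public_view(p)) if p else (404, None)
```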

Rite Aid Data Breach Exposes 2.2 Million Customers’ Sensitive Information https://www.webpronews.com/rite-aid-data-breach-exposes-2-2-million-customers-sensitive-information/ Wed, 17 Jul 2024 19:40:32 +0000

Rite Aid is the latest company to suffer a massive data breach and is notifying some 2.2 million customers that their sensitive information was stolen.

In a letter to customers that was filed with the Massachusetts attorney general, Rite Aid says bad actors gained access to the company’s systems by impersonating an employee and “compromise their business credentials.” The company says it detected the issue within 12 hours and immediately investigated to understand the scope of the breach.

According to the company, data that includes “purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018,” was stolen by the hackers. Rite Aid said no Social Security numbers, financial information, or patient information was compromised.

Rite Aid is working with federal and state regulators, as well as law enforcement, in the wake of the breach. The company has also secured the services of Kroll to provide customers with identity monitoring services at no cost.

Interestingly, Ars Technica reports that RansomHub—the group responsible—claimed to be in advanced negotiations with Rite Aid officials over the stolen data when the company suddenly broke off communications and went radio silent.

It’s unclear if Rite Aid stopped communicating with the ransomware group over the price being demanded, or in response to law enforcement involvement, since law enforcement usually advocates against paying the ransom.

Apache HugeGraph Vulnerability Being Actively Exploited https://www.webpronews.com/apache-hugegraph-vulnerability-being-actively-exploited/ Wed, 17 Jul 2024 17:13:23 +0000

Security experts are warning that a “critical severity” Apache HugeGraph vulnerability is being actively exploited, requiring that users upgrade immediately.

The Apache Software Foundation revealed in April that a remote command execution vulnerability impacts all versions of Apache HugeGraph-Server prior to 1.3.0.

Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

As noted by The Hacker News, cybersecurity firm SecureLayer7 provided details on the exploit, including how dangerous it is.

CVE-2024-27348 is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server. This CVE scored 9.8 on the CVSS base scale.

During this analysis, we learned how the vulnerability allows attackers to bypass sandbox restrictions and achieve RCE via Gremlin by exploiting missing reflection filtering in the SecurityManager. This allowed us to access and manipulate various methods, ultimately enabling us to change the task/thread name to bypass all security checks. It was patched by filtering critical system classes and adding new security checks in HugeSecurityManager.

The Shadowserver Foundation, a nonprofit cybersecurity organization, said on its Mastodon account that it is observing active attempts to exploit the HugeGraph vulnerability.

We are observing Apache HugeGraph-Server CVE-2024-27348 RCE “POST /gremlin” exploitation attempts from multiple sources. PoC code is public since early June. If you run HugeGraph, make sure to update: https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2

The Shadowserver Foundation (@shadowserver@infosec.exchange) | July 16, 2024

Needless to say, users and organizations should update immediately to protect themselves against this exploit.

FBI Cracks Phone of Trump Shooter https://www.webpronews.com/fbi-cracks-phone-of-trump-shooter/ Tue, 16 Jul 2024 00:42:31 +0000

The Federal Bureau of Investigation has updated the status of its investigation into Thomas Matthew Crooks, the man who shot former President Donald Trump.

Initial reports indicated agents in Pennsylvania were unable to access the phone’s contents, necessitating it be sent to FBI headquarters in Quantico. The FBI has updated its status, saying it was able to successfully crack the phone’s security and access its content.

FBI technical specialists successfully gained access to Thomas Matthew Crooks’ phone, and they continue to analyze his electronic devices.

There is still no word on what kind of phone Crooks had, or what methods were used to crack it.

FBI Trying to Unlock the Phone of Trump’s Shooter In Search For Answers https://www.webpronews.com/fbi-trying-unlock-the-phone-of-trumps-shooter-in-search-for-answers/ Mon, 15 Jul 2024 18:45:06 +0000

The Federal Bureau of Investigation says it has acquired the phone of Thomas Matthew Crooks, the man who shot former President Donald Trump at a rally.

Crooks is something of a mystery to law enforcement, an individual who was not on any agency’s radar and whose motives remain unknown. According to an update provided by the FBI, the agency is now in possession of Crooks’ phone.

While the investigation to date indicates the shooter acted alone, the FBI continues to conduct logical investigative activity to determine if there were any co-conspirators associated with this attack. At this time, there are no current public safety concerns.

The FBI has not identified a motive for the shooter’s actions, but we are working to determine the sequence of events and the shooter’s movements prior to the shooting, collecting and reviewing evidence, conducting interviews, and following up on all leads. We have also obtained the shooter’s telephone for examination.

There has been no word on what kind of phone Crooks used, although The New York Times reported that officials said agents in Pennsylvania had been unable to unlock the device, necessitating it being sent to FBI headquarters.

AT&T Reportedly Paid Small Fortune for Hacker to Delete Stolen Data https://www.webpronews.com/att-reportedly-paid-small-fortune-for-hacker-to-delete-stolen-data/ Mon, 15 Jul 2024 11:00:00 +0000

AT&T has reportedly paid a hacker roughly $370,000 to ensure the deletion of stolen data involving “phone call and text message records of nearly all of AT&T cellular customers.”

AT&T revealed in mid-July that it had suffered a breach impacting the “phone call and text message records of nearly all of AT&T cellular customers” from May 1, 2022 to October 31, 2022, along with January 2, 2023. The company said call and text content was not compromised, nor were personal details, such as Social Security numbers and other personally identifiable information. Nonetheless, it’s a relatively easy matter to conduct a reverse lookup on the phone numbers in the data and see who AT&T customers are contacting.

According to Wired, negotiations between the hacker—part of the ShinyHunters group—and AT&T were facilitated by a security researcher going by the handle Reddington, no doubt a nod to Raymond Reddington from The Blacklist TV show. Reddington was paid a fee by AT&T for his assistance negotiating the deal that saw the hacker drop his demand from $1 million to $370,000.

In exchange for the payment, the hacker provided video proving he deleted the data in question. Wired reports that Reddington has brokered a number of deals for victims of the Snowflake account breaches. Based on that experience, Reddington believes the Ticketmaster breach occurred first, showing the hackers how to then go after AT&T.

“Analysis of the data samples [the hackers] provided from other victims indicated that the hack of Ticketmaster occurred first,” he told the outlet. “From there, it seems the actors figured out they could target ‘snowflakecomputing.com’ domains by looking for stolen credentials. It did not take them long to compile a list and write a script to hit all of the Snowflake victims simultaneously.”

While it certainly would have been better for the breach to have never occurred, AT&T is to be commended for being willing to do what was necessary to ensure the data’s destruction and keep it from falling into the hands of yet other bad actors.

Fujitsu Details Non-Ransomware Cyberattack
https://www.webpronews.com/fujitsu-details-non-ransomware-cyberattack/ (Fri, 12 Jul 2024 16:47:55 +0000)

Fujitsu has provided additional details on a cyberattack it initially disclosed in March, clarifying the incident was not a ransomware attack.

Ransomware attacks may be the most popular, and lucrative, form of cyberattack that many organizations deal with, but the Fujitsu incident was something entirely different. According to the company’s latest advisory, malware infiltrated one of the company’s business PCs before spreading onto other machines.

The investigation confirmed that the malware was initially stored on one of Fujitsu’s business PCs and then spread to other business PCs. This malware was particularly difficult to detect as it used sophisticated techniques to evade detection, unlike ransomware.

The company says 49 machines were infected in total, although there is no evidence customer services were impacted.

Following a comprehensive investigation, it was confirmed that the number of infected business PCs and the number of other devices where the copy instruction command was executed, and information was transferred, was no other than the 49 PCs initially detected. These devices were all used within Fujitsu’s internal network in Japan, and the investigation has not detected any impact on business PCs connected to network environments outside of Japan.

The affected computers were not managed through the cloud services provided by Fujitsu. Additionally, no trace of access to the services provided by Fujitsu to customers was found. The investigation concluded that the damage did not spread outside of the company’s business computers, including to customer’s network environments.

The malware did manage to exfiltrate some data.

The investigation into various logs (communication logs and operation logs) held by Fujitsu confirmed that some files could have been fraudulently taken out due to the malware’s behavior, and commands for replication instructions were executed. These files contained personal or business-related information about certain customers, who have been informed separately and necessary actions taken. At present, Fujitsu has not received any reports of misuse of personal or information related to customer’s business.

The attack is interesting in that it is reminiscent of traditional computer worms, which are designed to compromise a system and then continue replicating onto new systems. Unlike ransomware, which announces its presence, a worm is designed to disguise itself and evade detection while it accomplishes its goals—in this case data exfiltration.

Apple Launches Fresh Round of Spyware Threat Notifications
https://www.webpronews.com/apple-launches-fresh-round-of-spyware-threat-notifications/ (Fri, 12 Jul 2024 15:28:40 +0000)

Apple is sending out a fresh round of mercenary spyware notifications to users, informing them they have been targeted.

Apple sent a similar notice in April 2024, informing users in 92 countries that they had been targeted. According to TechCrunch, Apple is now notifying users in 98 countries that they may have been targeted.

Apple’s threat notifications are designed to “inform and assist users who may have been individually targeted by mercenary spyware attacks.” The company goes on to explain that these kinds of attacks are far more complex and dangerous than basic cybercriminal or malware attacks, but that the vast majority of users will never be the target of this type of attack.

Individuals who are usually targeted by the kind of attacks covered by threat notifications are activists, diplomats, journalists, and politicians.

Mercenary spyware attacks are exceptionally well funded and they evolve over time. Apple relies solely on internal threat-intelligence information and investigations to detect such attacks. Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack and should be taken very seriously. We are unable to provide information about what causes us to issue threat notifications, as that may help mercenary spyware attackers adapt their behaviour to evade detection in the future.

Apple outlines what users should do if they have received a threat notification.

We strongly suggest that you enlist expert help, such as the rapid-response emergency security assistance provided by the Digital Security Helpline at the non-profit Access Now. Apple threat notification recipients can contact the Digital Security Helpline 24 hours a day, 7 days a week through their website. Outside organisations do not have any information about what caused Apple to send a threat notification, but they can assist targeted users with tailored security advice.

In total, Apple has notified users in 150 countries since it began sending threat notifications in 2021.

AT&T Breach Impacts ‘Nearly All’ Customers’ Call and Text Records
https://www.webpronews.com/att-breach-impacts-nearly-all-customers-call-and-text-records/ (Fri, 12 Jul 2024 14:59:43 +0000)

AT&T disclosed that it has suffered another major breach, this one impacting “phone call and text message records of nearly all of AT&T cellular customers.”

According to the company, bad actors accessed company data via a third-party cloud platform workspace. The downloaded records were from May 1, 2022 to October 31, 2022, as well as January 2, 2023.

The downloaded data includes the following:

The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers. It also included counts of those calls or texts and total call durations for specific days or months.

The following data was not compromised:

The downloaded data doesn’t include the content of any calls or texts. It doesn’t have the time stamps for the calls or texts. It also doesn’t have any details such as Social Security numbers, dates of birth, or other personally identifiable information.

While the data doesn’t include customer names, there are often ways to find a name associated with a phone number using publicly available online tools.

The company is notifying impacted customers, both current and former.

Google to Provide Dark Web Reporting to All Consumer Accounts
https://www.webpronews.com/google-to-provide-dark-web-reporting-to-all-consumer-accounts/ (Tue, 09 Jul 2024 18:54:03 +0000)

Google has announced it will provide dark web reporting to all consumer Google accounts, expanding a service that originally was reserved for Google One subscribers.

Google announced in April that it was killing off its Google One VPN service, but at least one of its best features will live on, and serve more customers than it originally did.

The company announced the change in a support article:

Dark web report will become available to all users with a consumer Google Account. Dark web report is integrated with Results about you as a combined solution to help users protect their online presence.

Results about you is a feature that helps you find out if your personal contact info, like your home address, phone number, or email address shows up in search results.

The company specified what users can expect from the service:

What’s the difference?

  • Both dark web report and Results about you are features that help you understand and protect your online presence.
  • Dark web report is a feature that helps you monitor if your personal information, such as your name, address, phone number, and email, is found among data breaches discovered on the dark web.
  • Results about you is a feature that enables you to find and remove results that contain your personal contact info from search results.

Eligibility

  • Dark web report is available to users signed into their consumer Google Accounts.
  • Dark web report is available across 46 countries.
Microsoft Requires Staff In China Use iPhones, Not Android
https://www.webpronews.com/microsoft-requires-staff-in-china-use-iphones-not-android/ (Mon, 08 Jul 2024 14:57:09 +0000)

Microsoft has instituted a new policy, requiring staff in China to use iPhones instead of Android over security concerns.

The iPhone vs Android debate is one of the hottest in tech, with security being one of the biggest points of contention. Apple and its supporters maintain that the iPhone is more secure, thanks not only to its architecture but also to Apple’s walled garden approach. It’s a stance that many security experts agree with, and apparently Microsoft does too.

According to Bloomberg, as part of its initiative to improve its security, Microsoft has told staff in China that they cannot use Android phones in the workplace and must use iPhones instead, especially for verifying their identity when logging in.

Microsoft has been under fire—deservedly so—for egregious security breaches that have seen individuals, companies, organizations, and government agencies compromised. In response, CEO Satya Nadella said the company would pivot to security above all else, even tying executives’ compensation to the company’s security performance.

Given the company’s new direction, it’s not surprising that Microsoft is throwing its weight behind the iPhone over Android. It is certainly possible to run a very secure Android phone, especially when using a security-hardened Android ROM. For example, GrapheneOS is an Android ROM based on the Android Open Source Project that is considered to be even more secure than an iPhone. It’s a popular option among journalists and even Edward Snowden.

For the average user running the standard Android OS, Apple’s iPhone and iOS offer a superior degree of security. Apple locks down features that are standard on Android, minimizing possible attack vectors. In addition, outside of a couple of jurisdictions, Apple still maintains tight control over its walled garden, eliminating the ability to side-load apps from sources outside the App Store. Side-loading is an option on Android, and represents one of the biggest risks to security.

Microsoft and Apple may compete on many fronts, and have a long history of doing so, but Microsoft’s embrace of the iPhone and its security is a major feather in Apple’s cap.

US Agencies Request the Most User Data From Big Tech, Apple Complies the Most
https://www.webpronews.com/us-agencies-request-the-most-user-data-from-big-tech-apple-complies-the-most-2/ (Thu, 04 Jul 2024 17:07:05 +0000)

Americans concerned about their user data falling into the hands of foreign governments may want to look closer to home.

According to new research by VPN provider Surfshark, the US government makes more requests for user data from Big Tech companies than any other jurisdiction in the world. The company analyzed data requests to Apple, Google, Meta, and Microsoft by “government agencies of 177 countries between 2013 and 2021.”

The US came in first with 2,451,077 account requests, more than four times the number from Germany, the number two country on the list. In fact, the US made more requests than all of Europe, including the UK, which collectively came in under 2 million.

While the US and EU were responsible for a combined total of 60% of all data requests, the US “made 8 times more requests than the global average (87.9/100k).”

The number of accounts being accessed is also growing, with a fivefold increase in requests from 2013 to 2021. The US alone saw a 348% increase during the time frame, and the scope and purpose of the requests are expanding.

“Besides requesting data from technology companies, authorities are now exploring more ways to monitor and tackle crime through online services. For instance, the EU is considering a regulation that would require internet service providers to detect, report, and remove abuse-related content,” says Gabriele Kaveckyte, Privacy Counsel at Surfshark. “On one hand, introducing such new measures could help solve serious criminal cases, but civil society organizations expressed their concerns of encouraging surveillance techniques which may later be used, for example, to track down political rivals.”

The report also sheds light on which companies comply the most versus which ones push back against requests. For all of its privacy-oriented marketing — “what happens on your iPhone stays on your iPhone” — Apple complies with data requests more than any other company, handing it over 82% of the time.

In contrast, Meta complies 72% of the time, and Google 71% of the time. Microsoft, on the other hand, pushes back the most among Big Tech companies, only handing data over 68% of the time.

The findings may also put a dent in US efforts to ban TikTok and other foreign apps under the guise of protecting user privacy and data.

Chinese Hacker Group Targeting Cisco NX-OS Vulnerability
https://www.webpronews.com/chinese-hacker-group-targeting-cisco-nx-os-vulnerability/ (Wed, 03 Jul 2024 15:50:27 +0000)

Cisco is warning of a zero-day exploit in NX-OS that is being actively targeted by Chinese state-sponsored group Velvet Ant.

According to BleepingComputer, the issue was first reported to Cisco by cybersecurity firm Sygnia. The Velvet Ant group is actively targeting the vulnerability, which is what first tipped Sygnia off to the issue.

“Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant,” Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.

“The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code.”

Cisco described the vulnerability in more detail:

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.

Cisco says the following devices are vulnerable:

  • MDS 9000 Series Multilayer Switches (CSCwj97007)
  • Nexus 3000 Series Switches (CSCwj97009)
  • Nexus 5500 Platform Switches (CSCwj97011)
  • Nexus 5600 Platform Switches (CSCwj97011)
  • Nexus 6000 Series Switches (CSCwj97011)
  • Nexus 7000 Series Switches (CSCwj94682)
  • Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)

The company has released software updates for the impacted NX-OS devices and all customers are advised to update immediately.
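The advisory text above describes a general class of bug: a configuration command hands an argument to the underlying operating system without validating it. The following Python example is added here to illustrate that class and its fix; it is not Cisco’s code, it does not describe NX-OS internals, and the argument names, allowlist patterns and `/usr/local/bin/set-*` helper paths are all hypothetical. It contrasts the weak pattern (interpolating an unchecked argument into a shell command string) with the hardened one (allowlist validation followed by an argv list that no shell parses), and adds a detection-side check so that rejected arguments containing shell metacharacters can be logged as suspicious rather than as typos.

```python
import re
import subprocess
import sys

# Hypothetical allowlist of argument shapes, one per configuration command.
# Constructed for this example; it is not Cisco's code and says nothing about NX-OS.
ARG_PATTERNS = {
    "hostname": re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}"),
    "description": re.compile(r"[A-Za-z0-9 ._-]{1,64}"),
}

# Characters that let a string-built shell command be turned into several commands.
SHELL_META = set(";&|`$<>\n\\\"'()")


class InvalidArgument(ValueError):
    """Raised when a CLI argument does not match its allowlisted shape."""


def validate_argument(name: str, value: str) -> str:
    """Return value unchanged if it matches the allowlist for this argument, else raise."""
    pattern = ARG_PATTERNS.get(name)
    if pattern is None:
        raise InvalidArgument(f"unknown argument {name!r}")
    if not pattern.fullmatch(value):
        raise InvalidArgument(f"argument {name!r} has a disallowed shape")
    return value


def is_valid_argument(name: str, value: str) -> bool:
    """Boolean wrapper around validate_argument for callers that only need yes/no."""
    try:
        validate_argument(name, value)
    except InvalidArgument:
        return False
    return True


def looks_like_injection(value: str) -> bool:
    """Detection-side check: does a rejected value carry shell metacharacters?
    Lets the CLI log such rejections as suspicious rather than as ordinary typos."""
    return any(ch in SHELL_META for ch in value)


def build_weak_command(name: str, value: str) -> str:
    """The weak pattern: an unvalidated argument interpolated into a shell string.
    If this string were handed to a shell running as root, any metacharacters in
    the argument would be interpreted as part of the command line."""
    return f"/usr/local/bin/set-{name} {value}"  # hypothetical helper path


def build_safe_argv(name: str, value: str) -> list:
    """The hardened pattern: validate first, then keep the argument as a single
    argv element so that no shell ever parses it."""
    return ["/usr/local/bin/set-" + name, validate_argument(name, value)]


def argv_passes_literally(value: str) -> bool:
    """Show that an argv element reaches the child process byte-for-byte.
    The Python interpreter stands in for the privileged helper program."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n") == value


if __name__ == "__main__":
    for value in ["core-sw1", "sw1; extra"]:  # constructed sample inputs
        ok = is_valid_argument("hostname", value)
        note = " (shell metacharacters, log as suspicious)" if not ok and looks_like_injection(value) else ""
        print(f"{value!r}: weak={build_weak_command('hostname', value)!r} accepted={ok}{note}")
```

The allowlist is deliberately narrow: a hostname that does not match the pattern is rejected outright, and the rejection is what gets logged. Passing the argument through `subprocess.run` as a list (never `shell=True`) is the second, independent layer, so even an argument that slipped past validation would reach the helper as a literal string rather than as shell syntax.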
