Group items tagged

"Ransomware right now, this is a business model," Lior Div, CEO of the security firm Cybereason told CNN's Richard Quest. "They are in it for the money and they are trying to generate as much revenue as possible for themselves. So as long as people are going to pay, they're going to keep operating in order to generate this massive amount of revenue that they are generating every year."

Cyber hygiene is necessary. Every US company and organization needs to protect itself, said Eric Goldstein, the current assistant director at CISA, in a statement.

The hack of the world's largest meat producer, JBS, a Brazilian company whose subsidiaries control a quarter of US beef processing and a large portion of pork processing, was disclosed Tuesday by the White House, which promised to re-focus on the issue and to raise it with Russia, the government thought to be harboring hackers.

You figure if nine meat plants hadn't gone dark in Arizona, Texas, Nebraska, Colorado, Wisconsin, Utah, Michigan and Pennsylvania, it seems very plausible we likely would never have heard. The US JBS headquarters is based in Greeley, Colorado, and it employs more than 66,000 people. Read about the fallout for them, from CNN's Brian Fung.

It's not clear, of course, if the company is paying the ransom. If they're getting back online this quickly, you've certainly got to assume they could have.

"We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable," the FBI said in a statement. "A cyber attack on one is an attack on us all."

Ireland's national health service has completely shut its IT system and refuses to pay the ransom, which it said in May has disrupted everything from its Covid vaccine rollout to community health services.

In 2000, he became the first Anglophone to win a permanent position at the Collège de France, where he held the chair in the philosophy and history of scientific concepts until he retired in 2006.

His work in the philosophy of science was groundbreaking: He departed from the preoccupation with questions that had long concerned philosophers. Arguing that science was just as much about intervention as it was about representation, be helped bring experimentation to center stage.

Hacking often argued that as the human sciences have evolved, they have created categories of people, and that people have subsequently defined themselves as falling into those categories. Thus does human reality become socially constructed.

His book “The Emergence of Probability” (1975), which is said to have inspired hundreds of books by other scholars, examined how concepts of statistical probability have evolved over time, shaping the way we understand not just arcane fields like quantum physics but also everyday life.

“I was trying to understand what happened a few hundred years ago that made it possible for our world to be dominated by probabilities,” he said in a 2012 interview with the journal Public Culture. “We now live in a universe of chance, and everything we do — health, sports, sex, molecules, the climate — takes place within a discourse of probabilities.”

Whatever the subject, whatever the audience, one idea that pervades all his work is that “science is a human enterprise,” Ragnar Fjelland and Roger Strand of the University of Bergen in Norway wrote when Professor Hacking won the Holberg Prize. “It is always created in a historical situation, and to understand why present science is as it is, it is not sufficient to know that it is ‘true,’ or confirmed. We have to know the historical context of its emergence.”

Regarding one such question — whether unseen phenomena like quarks and electrons were real or merely the theoretical constructs of physicists — he argued for reality in the case of phenomena that figured in experiments, citing as an example an experiment at Stanford that involved spraying electrons and positrons into a ball of niobium to detect electric charges. “So far as I am concerned,” he wrote, “if you can spray them, they’re real.”

“I have long been interested in classifications of people, in how they affect the people classified, and how the effects on the people in turn change the classifications,” he wrote in “Making Up People

“I call this the ‘looping effect,’” he added. “Sometimes, our sciences create kinds of people that in a certain sense did not exist before.”

In “Why Race Still Matters,” a 2005 article in the journal Daedalus, he explored how anthropologists developed racial categories by extrapolating from superficial physical characteristics, with lasting effects — including racial oppression. “Classification and judgment are seldom separable,” he wrote. “Racial classification is evaluation.”

Similarly, he once wrote, in the field of mental health the word “normal” “uses a power as old as Aristotle to bridge the fact/value distinction, whispering in your ear that what is normal is also right.”

In his influential writings about autism, Professor Hacking charted the evolution of the diagnosis and its profound effects on those diagnosed, which in turn broadened the definition to include a greater number of people.

Encouraging children with autism to think of themselves that way “can separate the child from ‘normalcy’ in a way that is not appropriate,” he told Public Culture. “By all means encourage the oddities. By no means criticize the oddities.”

His emphasis on historical context also illuminated what he called transient mental illnesses, which appear to be so confined 0cto their time 0c 0cthat they can vanish when times change.

“hysterical fugue” was a short-lived epidemic of compulsive wandering that emerged in Europe in the 1880s, largely among middle-class men who had become transfixed by stories of exotic locales and the lure of trave

His intellectual tendencies were unmistakable from an early age. “When he was 3 or 4 years old, he would sit and read the dictionary,” Jane Hacking said. “His parents were completely baffled.”

He wondered aloud, the interviewer noted, if the whole universe was governed by nonlocality — if “everything in the universe is aware of everything else.”“That’s what you should be writing about,” he said. “Not me. I’m a dilettante. My governing word is ‘curiosity.’”

The report could put President-elect Donald Trump, who has consistently denied Russia’s involvement, in the position of having to respond to yet another review of the hacks by the intelligence agencies that he will eventually direct.

After the 2014 hack of Sony Pictures Entertainment, FBI Director James Comey publicly detailed technical evidence tying the intrusions to North Korea, in order to refute some experts who doubted the link.

Analogous to the panel that investigated the Sept. 11, 2001, terrorist attacks, it would be composed of outside experts and would have the power to interview witnesses and issue subpoenas and hear public testimony.

Sen. Lindsey Graham (R., S.C.) said this week he would head up a review of the Russian operation. Mr. Graham has previously called on Congress to look into the Russian hacks. He said Friday that his probe would look beyond Russia’s malicious cyberactivity.

Top Russian officials have shifted away from denying a role in the hack of the Democratic National Committee. Mr. Putin has said it is irrelevant who stole the computer records, and the foreign minister said the U.S. hasn’t proven anything so far.

Because of Putin’s highly conspirological mindset, he apparently blamed Goldman Sachs and Hillary Clinton for the release of the embarrassing information, Soldatov and Borogan reported.

An October report from the Russian business media outlet RBC explained in great detail how the St. Petersburg-based Internet Research Agency, also known as the “troll factory,” operated during the 2016 election. The report, authored by two Russian journalists, detailed the funding, budget, operating methods, and tactics, of the 100 trolls who spent 2016 populating American social media sites with divisive commentary and imitating civil rights groups. The report showed how the Agency was financed through its owner, Putin’s court caterer Yevgeny Prigozhin. It also detailed the reach of various politically inflammatory posts. It showed, for example, how the Agency produced over 20 Facebook posts that gathered over a million unique views each.

That same month, TVRain, Russia’s last independent television network, interviewed “Maxim,” a man who had worked as a troll at this factory. He revealed that the factory was largely staffed by college students from the prestigious St. Petersburg State University, Russia’s #2 university; their majors included international relations, linguistics, and journalism. They were, in other words, young, educated, worldly, and urban—the very cohort Americans imagine would rise up against someone like Putin. Instead, they worked in the factory, making nearly double the average Russian’s salary, sowing discord on Twitter, Facebook, and in the comments sections of various websites. They were instructed not to mention Russia, but instead to focus on issues that divided Americans, like guns and race.

ozlovsky told the journalists how he had been entrapped and blackmailed into working for the FSB, the main Russian security agency, nearly a decade ago. He said that when he hacked into the servers of the DNC, he purposely left behind a calling card: a data file with the number of his visa to the Caribbean Island of St. Martin, as well as his passport number. Kozlovsky also said that he was arrested now because the FSB wanted “to hide the digital traces” of what he did. (It’s worth noting that many of these claims are unverified.)

This had previously been the exclusive domain of the FSB—once run by Putin—and the GRU was trying to muscle in on the FSB’s territory and money. A side effect of this internal rivalry, Reiter concluded, was how the Americans discovered the hack.

Why has there been so little reporting on Russian election interference coming out of the place that perpetrated it? For one thing, the Russian security services and the Kremlin do not leak, at least not nearly as much as their American counterparts, and they are suspicious of Western journalists, of whom there are fewer and fewer these days. Russian government officials also “don’t like talking to independent journalists, but they’re still better to talk to than to American journalists,” said Liza Osetinskaya, a legendary Russian editor who now runs The Bell.

The problem is that independent journalism in Russia has been decimated.

Facing this kind of political and economic pressure, many of Russia’s journalists—many of them among the country’s best—either left home or abandoned the profession altogether.* What we are witnessing “is the last phase of the death of independent Russian media,” Galina Timchenko said at last summer’s Aspen Ideas Festival. She is another well-known Russian editor forced out under Kremlin pressure. She now runs the independent Meduza from Latvia. It has a fraction of the reach of the outlet she ran for a decade, Lenta.ru.The squelching of press freedom and the shuttering of independent media abroad is, in other words, not an academic matter. As 2017 has shown, when these voices are silenced, we know far less than we need about vital national security interests. If the violation of an abstract principle doesn’t bother you, its very concrete repercussions should.

SolarWinds has some 300,000 customers but says "fewer than 18,000" installed the version of its Orion products earlier this year that now appears to have been compromised.

The intruders were careful to cover their tracks, Gerstell said. "You couldn't tell that they came in, you couldn't tell that they left the back door open. You couldn't even tell necessarily when they came in, took a look around and when they left."

Many U.S. national security agencies made major efforts to prevent Russia from interfering in this year's election. But those same agencies seem to have been blindsided by news that hackers — suspected to be Russia's foreign intelligence service, the SVR — were digging around inside U.S. government systems, possibly since the spring.

Microsoft has now taken control of the domain name that hackers used to communicate with systems that were compromised by the Orion update, according to security expert Brian Krebs. The company's analysis, he added, should help reveal the scope of the affected companies and agencies.

"We believe this is nation-state activity at significant scale, aimed at both the government and private sector," the company said as it shared some details about what it called "the threat activity we've uncovered over the past weeks."

So far, some U.S. government departments and agencies have acknowledged they are investigating the breaches but have provided few details. The White House has been silent about the suspected Russian hack.

"This SolarWinds hack is very problematic, very troublesome, because it's not at all clear exactly how we should respond," Gerstell said. Part of the problem, he added, is that it's not clear what the hackers did after gaining access.

The intrusion could simply be a case of espionage, he said, of one government trying to understand what its adversary is doing.

The company said, "We have been advised that this incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker."

The cybersecurity firm announced last week that a "highly sophisticated state-sponsored adversary" stole its "red team" tools, which are used to test security vulnerabilities in its customers' computer networks. FireEye's clients include government agencies.

The incident is the latest in what has become a long list of suspected Russian electronic incursions into other nations – particularly the U.S. – under President Vladimir Putin.

The agency said Sunday that it "is aware of active exploitation of SolarWinds Orion Platform software" that was released between March and June. The agency is urging any affected organizations to take steps to detect intrusions and to take countermeasures.

“the United States and its allies are actually saying ‘no’ to key elements of these texts,” referring to two draft treaties on security issues that Russia had proposed to NATO and the United States.

“Ukrainians! All your personal data was uploaded to the internet,” the message read. “All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst.”

The attack came within hours of the conclusion of talks between Russia and the United States and NATO that were intended to find a diplomatic resolution after Russia massed tens of thousands of troops near the border with Ukraine.

On Friday, the Biden administration also accused Moscow of sending saboteurs into eastern Ukraine to stage an incident that could provide Russia with a pretext for invasion.

Moscow has demanded sweeping security concessions, including a promise not to accept Ukraine into the NATO alliance. But the cyberattack Friday led to immediate pledges of support and closer cooperation with Ukraine from NATO and the European Union, exactly the opposite of what Russian diplomats had said they were seeking.

On Thursday, Russian officials said the talks had not yielded results, and one senior diplomat said they were approaching “a dead end.”

A Russian military spyware strain called X-Agent, or Sofacy, that Ukrainian cyber experts say was used to hack Ukraine’s Central Election Commission during a 2014 presidential election, for example, was later found in the server of the Democratic National Committee in the United States after the electoral hacking attacks in 2016.

Ukrainian government websites began crashing a few hours later, according to the Ukrainian Foreign Ministry, which said the cyberattack occurred overnight from Thursday to Friday.

“We have not seen such a significant attack on government organizations in some time,” it said. “We suggest the current attack is tied to the recent failure of Russian negotiations on Ukraine’s future in NATO,” it added, referring to Moscow’s talks with the West.

The websites of the president and the defense ministry remained online. Ukrainian officials said the attack targeted 70 government websites.

the hacking activity targeting state bodies could be a part of this psychological attack on Ukrainians.”

“I strongly condemn the cyberattacks on the Ukrainian Government,” Mr. Stoltenberg said in a statement, adding, “NATO & Ukraine will step up cyber cooperation & we will continue our strong political & practical support.”

Sophisticated cybertools have turned up in standoffs between Israel and Iran, and the United States blamed Russia for using hacking to influence the 2016 election in the United States to benefit Donald J. Trump.

The U.S. government has traced some of the most drastic cyberattacks of the past decade to Russian actions in Ukraine.

By morning, the hack had crippled much of the government’s public-facing digital infrastructure, including the most widely used site for handling government services online, Diia. The smartphone app version of the program was still operating, the Ukrainska Pravda newspaper reported. Diia also has a role in Ukraine’s coronavirus response and in encouraging vaccination.

The malware, known as NotPetya, had targeted a type of Ukrainian tax preparation software but apparently spun out of control, according to experts.

It coincided with the assassination of a Ukrainian military intelligence officer in a car bombing in Kyiv and the start of an E.U. policy granting Ukrainians visa-free travel, an example of the type of integration with the West that Russia has opposed.

But NotPetya spread around the world, with devastating results, illustrating the risks of collateral damage from military cyberattacks for people and businesses whose lives are increasingly conducted online, even if they live far from conflict zones

The total global cost is thought to be far higher

Because you say that to your friends, you confide in your friends, and who knows what's in there of your personal life and your professional life."

The Clinton campaign has refused to confirm or deny the authenticity of any of the emails

The website has faced criticism in the past for its tendency not to screen releases for personally identifiable information or security sensitivities,

Podesta emails -- which go back to the 2008 race -- have contained personal email addresses and even cellphone numbers for a wide range of DC personalities,

including personal security and financial fraud.

information introduces these peripheral individuals to a range of risks.

sensitive financial information was contained in the emails published online.

the possibility that they may be targeted by phishing or scams to try to lure them into further traps.

the dangers can increase to identity theft and the risk extended to family, friends and professional contacts.

I've got all kinds of new security provisions, new computers, and I'm changing how I use email.

"I hired a cybersecurity firm and I'm not rich," he added. "I've spent for me what's an enormous amount of money."

I figured out that a new batch of hacked emails from Hillary Clinton's campaign chairman, John Podesta, had been released, including a note I wrote to Podesta with my cell number.

all the contents of your emails for 10 years dumped out into public, think about how that feels.

saying the First Amendment freedom trumps personal privac

'It's like somebody robbed a bank and as they're running away the money is spilling out of the backpack and instead of catching the criminal everyone is stopping to chase the money.'

U.S. intelligence officials told NBC News they now believe with "a high level of confidence" that Putin became personally involved in the covert Russian campaign

Ultimately, the CIA has assessed, the Russian government wanted to elect Donald Trump. The FBI and other agencies don't fully endorse that view, but few officials would dispute that the Russian operation was intended to harm Clinton's candidacy by leaking embarrassing emails about Democrats.

Now the U.S has solid information tying Putin to the operation, the intelligence officials say. Their use of the term "high confidence" implies that the intelligence is nearly incontrovertible.

The alert also ramped up the urgency of government warnings. After playing the incident down — President Trump has said nothing and Secretary of State Mike Pompeo deflected the hacking as one of the many daily attacks on the federal government,

“Security and privacy have long been top companywide priorities at Twitter,” said Twitter spokeswoman Rebecca Hahn. She said that Zatko’s allegations appeared to be “riddled with inaccuracies” and that Zatko “now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.” Hahn said that Twitter fired Zatko after 15 months “for poor performance and leadership.” Attorneys for Zatko confirmed he was fired but denied it was for performance or leadership.

the whistleblower document alleges the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam.

Chief executive Parag Agrawal was “lying” when he tweeted in May that the company was “strongly incentivized to detect and remove as much spam as we possibly can,” the complaint alleges.

Zatko described his decision to go public as an extension of his previous work exposing flaws in specific pieces of software and broader systemic failings in cybersecurity. He was hired at Twitter by former CEO Jack Dorsey in late 2020 after a major hack of the company’s systems.

“I felt ethically bound. This is not a light step to take,” said Zatko, who was fired by Agrawal in January. He declined to discuss what happened at Twitter, except to stand by the formal complaint. Under SEC whistleblower rules, he is entitled to legal protection against retaliation, as well as potential monetary rewards.

A person familiar with Zatko’s tenure said the company investigated Zatko’s security claims during his time there and concluded they were sensationalistic and without merit. Four people familiar with Twitter’s efforts to fight spam said the company deploys extensive manual and automated tools to both measure the extent of spam across the service and reduce it.

In 1998, Zatko had testified to Congress that the internet was so fragile that he and others could take it down with a half-hour of concentrated effort. He later served as the head of cyber grants at the Defense Advanced Research Projects Agency, the Pentagon innovation unit that had backed the internet’s invention.

Overall, Zatko wrote in a February analysis for the company attached as an exhibit to the SEC complaint, “Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”

Zatko’s complaint says strong security should have been much more important to Twitter, which holds vast amounts of sensitive personal data about users. Twitter has the email addresses and phone numbers of many public figures, as well as dissidents who communicate over the service at great personal risk.

This month, an ex-Twitter employee was convicted of using his position at the company to spy on Saudi dissidents and government critics, passing their information to a close aide of Crown Prince Mohammed bin Salman in exchange for cash and gifts.

Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.

“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Charles E. Grassley (R-Iowa), the top Republican on the Senate Judiciary Committee,

Many government leaders and other trusted voices use Twitter to spread important messages quickly, so a hijacked account could drive panic or violence. In 2013, a captured Associated Press handle falsely tweeted about explosions at the White House, sending the Dow Jones industrial average briefly plunging more than 140 points.

After a teenager managed to hijack the verified accounts of Obama, then-candidate Joe Biden, Musk and others in 2020, Twitter’s chief executive at the time, Jack Dorsey, asked Zatko to join him, saying that he could help the world by fixing Twitter’s security and improving the public conversation, Zatko asserts in the complaint.

The complaint — filed last month with the Securities and Exchange Commission and the Department of Justice, as well as the FTC — says thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.

But at Twitter Zatko encountered problems more widespread than he realized and leadership that didn’t act on his concerns, according to the complaint.

Twitter’s difficulties with weak security stretches back more than a decade before Zatko’s arrival at the company in November 2020. In a pair of 2009 incidents, hackers gained administrative control of the social network, allowing them to reset passwords and access user data. In the first, beginning around January of that year, hackers sent tweets from the accounts of high-profile users, including Fox News and Obama.

Several months later, a hacker was able to guess an employee’s administrative password after gaining access to similar passwords in their personal email account. That hacker was able to reset at least one user’s password and obtain private information about any Twitter user.

Twitter continued to suffer high-profile hacks and security violations, including in 2017, when a contract worker briefly took over Trump’s account, and in the 2020 hack, in which a Florida teen tricked Twitter employees and won access to verified accounts. Twitter then said it put additional safeguards in place.

This year, the Justice Department accused Twitter of asking users for their phone numbers in the name of increased security, then using the numbers for marketing. Twitter agreed to pay a $150 million fine for allegedly breaking the 2011 order, which barred the company from making misrepresentations about the security of personal data.

After Zatko joined the company, he found it had made little progress since the 2011 settlement, the complaint says. The complaint alleges that he was able to reduce the backlog of safety cases, including harassment and threats, from 1 million to 200,000, add staff and push to measure results.

But Zatko saw major gaps in what the company was doing to satisfy its obligations to the FTC, according to the complaint. In Zatko’s interpretation, according to the complaint, the 2011 order required Twitter to implement a Software Development Life Cycle program, a standard process for making sure new code is free of dangerous bugs. The complaint alleges that other employees had been telling the board and the FTC that they were making progress in rolling out that program to Twitter’s systems. But Zatko alleges that he discovered that it had been sent to only a tenth of the company’s projects, and even then treated as optional.

“If all of that is true, I don’t think there’s any doubt that there are order violations,” Vladeck, who is now a Georgetown Law professor, said in an interview. “It is possible that the kinds of problems that Twitter faced eleven years ago are still running through the company.”

“Agrawal’s Tweets and Twitter’s previous blog posts misleadingly imply that Twitter employs proactive, sophisticated systems to measure and block spam bots,” the complaint says. “The reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams.”

One current and one former employee recalled that incident, when failures at two Twitter data centers drove concerns that the service could have collapsed for an extended period. “I wondered if the company would exist in a few days,” one of them said.

The current and former employees also agreed with the complaint’s assertion that past reports to various privacy regulators were “misleading at best.”

For example, they said the company implied that it had destroyed all data on users who asked, but the material had spread so widely inside Twitter’s networks, it was impossible to know for sure

As the head of security, Zatko says he also was in charge of a division that investigated users’ complaints about accounts, which meant that he oversaw the removal of some bots, according to the complaint. Spam bots — computer programs that tweet automatically — have long vexed Twitter. Unlike its social media counterparts, Twitter allows users to program bots to be used on its service: For example, the Twitter account @big_ben_clock is programmed to tweet “Bong Bong Bong” every hour in time with Big Ben in London. Twitter also allows people to create accounts without using their real identities, making it harder for the company to distinguish between authentic, duplicate and automated accounts.

In the complaint, Zatko alleges he could not get a straight answer when he sought what he viewed as an important data point: the prevalence of spam and bots across all of Twitter, not just among monetizable users.

Zatko cites a “sensitive source” who said Twitter was afraid to determine that number because it “would harm the image and valuation of the company.” He says the company’s tools for detecting spam are far less robust than implied in various statements.

The complaint also alleges that Zatko warned the board early in his tenure that overlapping outages in the company’s data centers could leave it unable to correctly restart its servers. That could have left the service down for months, or even have caused all of its data to be lost. That came close to happening in 2021, when an “impending catastrophic” crisis threatened the platform’s survival before engineers were able to save the day, the complaint says, without providing further details.

The four people familiar with Twitter’s spam and bot efforts said the engineering and integrity teams run software that samples thousands of tweets per day, and 100 accounts are sampled manually.

Some employees charged with executing the fight agreed that they had been short of staff. One said top executives showed “apathy” toward the issue.

Zatko’s complaint likewise depicts leadership dysfunction, starting with the CEO. Dorsey was largely absent during the pandemic, which made it hard for Zatko to get rulings on who should be in charge of what in areas of overlap and easier for rival executives to avoid collaborating, three current and former employees said.

For example, Zatko would encounter disinformation as part of his mandate to handle complaints, according to the complaint. To that end, he commissioned an outside report that found one of the disinformation teams had unfilled positions, yawning language deficiencies, and a lack of technical tools or the engineers to craft them. The authors said Twitter had no effective means of dealing with consistent spreaders of falsehoods.

Dorsey made little effort to integrate Zatko at the company, according to the three employees as well as two others familiar with the process who spoke on the condition of anonymity to describe sensitive dynamics. In 12 months, Zatko could manage only six one-on-one calls, all less than 30 minutes, with his direct boss Dorsey, who also served as CEO of payments company Square, now known as Block, according to the complaint. Zatko allegedly did almost all of the talking, and Dorsey said perhaps 50 words in the entire year to him. “A couple dozen text messages” rounded out their electronic communication, the complaint alleges.

Faced with such inertia, Zatko asserts that he was unable to solve some of the most serious issues, according to the complaint.

Some 30 percent of company laptops blocked automatic software updates carrying security fixes, and thousands of laptops had complete copies of Twitter’s source code, making them a rich target for hackers, it alleges.

A successful hacker takeover of one of those machines would have been able to sabotage the product with relative ease, because the engineers pushed out changes without being forced to test them first in a simulated environment, current and former employees said.

“It’s near-incredible that for something of that scale there would not be a development test environment separate from production and there would not be a more controlled source-code management process,” said Tony Sager, former chief operating officer at the cyberdefense wing of the National Security Agency, the Information Assurance divisio

Sager is currently senior vice president at the nonprofit Center for Internet Security, where he leads a consensus effort to establish best security practices.

The complaint says that about half of Twitter’s roughly 7,000 full-time employees had wide access to the company’s internal software and that access was not closely monitored, giving them the ability to tap into sensitive data and alter how the service worked. Three current and former employees agreed that these were issues.

“A best practice is that you should only be authorized to see and access what you need to do your job, and nothing else,” said former U.S. chief information security officer Gregory Touhill. “If half the company has access to and can make configuration changes to the production environment, that exposes the company and its customers to significant risk.”

The complaint says Dorsey never encouraged anyone to mislead the board about the shortcomings, but that others deliberately left out bad news.

When Dorsey left in November 2021, a difficult situation worsened under Agrawal, who had been responsible for security decisions as chief technology officer before Zatko’s hiring, the complaint says.

An unnamed executive had prepared a presentation for the new CEO’s first full board meeting, according to the complaint. Zatko’s complaint calls the presentation deeply misleading.

The presentation showed that 92 percent of employee computers had security software installed — without mentioning that those installations determined that a third of the machines were insecure, according to the complaint.

Another graphic implied a downward trend in the number of people with overly broad access, based on the small subset of people who had access to the highest administrative powers, known internally as “God mode.” That number was in the hundreds. But the number of people with broad access to core systems, which Zatko had called out as a big problem after joining, had actually grown slightly and remained in the thousands.

The presentation included only a subset of serious intrusions or other security incidents, from a total Zatko estimated as one per week, and it said that the uncontrolled internal access to core systems was responsible for just 7 percent of incidents, when Zatko calculated the real proportion as 60 percent.

Zatko stopped the material from being presented at the Dec. 9, 2021 meeting, the complaint said. But over his continued objections, Agrawal let it go to the board’s smaller Risk Committee a week later.

Agrawal didn’t respond to requests for comment. In an email to employees after publication of this article, obtained by The Post, he said that privacy and security continues to be a top priority for the company, and he added that the narrative is “riddled with inconsistences” and “presented without important context.”

On Jan. 4, Zatko reported internally that the Risk Committee meeting might have been fraudulent, which triggered an Audit Committee investigation.

Agarwal fired him two weeks later. But Zatko complied with the company’s request to spell out his concerns in writing, even without access to his work email and documents, according to the complaint.

Since Zatko’s departure, Twitter has plunged further into chaos with Musk’s takeover, which the two parties agreed to in May. The stock price has fallen, many employees have quit, and Agrawal has dismissed executives and frozen big projects.

Zatko said he hoped that by bringing new scrutiny and accountability, he could improve the company from the outside.

“I still believe that this is a tremendous platform, and there is huge value and huge risk, and I hope that looking back at this, the world will be a better place, in part because of this.”

The two men were murdered two days after a university teacher was hacked to death by suspected Islamist militants.

So-called Islamic State (IS) claimed responsibility - but the Bangladeshi government insists there is no IS presence in the country.

"I am devastated by the brutal murder of Xulhaz Mannan and another young Bangladeshi," said US Ambassador Marcia Bernicat."We abhor this senseless act of violence and urge the government of Bangladesh in the strongest terms to apprehend the criminals behind these murders," she added.

Another person was also injured when the attackers entered a Dhaka flat.

"Tonoy" and named in Bangladeshi media as Tanay Mojumdar, said they and other friends had set up Roopbaan with the aim of spreading tolerance.

Homosexuality is technically illegal in Bangladesh and remains a highly sensitive issue in society.

"Both were extremely gentle, non-violent and aware that being openly gay and active in their work was a personal danger," the photographer said.

"Until a year ago the only threat to coming out was shame of the family and having to start a new life elsewhere in Bangladesh. Now it's one of danger," he said.

Imran Sarker, who led major protests by secular activists in 2013 against Islamist leaders, said he had received a phone call warning that he would be killed "very soon".

Last year, four prominent secular bloggers were also killed with machetes.The four bloggers had all appeared on a list of 84 "atheist bloggers" drawn up by Islamic groups in 2013 and widely circulated.

The teenager was taken into custody Monday afternoon, and the police were searching his residence as part of a criminal investigation, according to a statement from the Metropolitan Police. On Tuesday, the police said the boy had been released on bail.

TalkTalk’s efforts to play down the impact of the data breach have not stopped British authorities from criticizing the company and the failure of its online security systems

Shares of TalkTalk are down 8 percent since the hacking attack was confirmed on Friday.

Malware that was created for the explicit purpose of prying into private online communications, also known as spyware, has become a $1 billion industry.

smaller companies also sell simpler versions of the software for as little as $10, allowing people to snoop on their spouses or children.

The May 2018 message that contained the innocuous-seeming video file, with a tiny 14-byte chunk of malicious code, came out of the blue, according to the report and additional notes obtained by The New York Times. In the 24 hours after it was sent, Mr. Bezos’ iPhone began sending large amounts of data, which increased approximately 29,000 percent over his normal data usage

The FTI report was not definitive about the hack, but said it had “medium to high confidence” that the message from the prince’s WhatsApp account was the culprit. In notes to the report, FTI said it was still attempting a more thorough analysis of the iPhone, including by jailbreaking it, or bypassing Apple’s control system on the phone.

the episode was “a wake-up call to the international community as a whole that we are facing a technology that is very difficult to track, extremely powerful and effective, and that is completely unregulated.”

She said Mr. Bezos’ experience should sound alarms because even with his wealth and resources, it took months of investigation by specialists to figure out what had happened — a luxury few others have.“It basically means that we are all extremely vulnerable,”

But the administration is not "taking any options off the table" in response to the incident, press secretary Jen Psaki said at a press briefing earlier Wednesday, adding that there's an internal policy review process to consider any actions.

In April, the Biden administration announced a series of actions, including sanctions, against Russia for its interference in the 2020 US election, its ongoing actions in Crimea and the SolarWinds cyber attack. The attack on the software developer was one of the worst data breaches to ever hit the US government.

The JBS attack comes after a string of cyber breaches and ransomware attacks tied to nation state actors.

"I'm not going to give any further analysis on that. Other than to tell you that our view is that when there are criminal entities within a country, they certainly have a responsibility and it is a role that the government can play," she responded.

Microsoft also recently said that hackers who are part of the same Russian group behind the SolarWinds hack have struck again in the US and other countries, launching a new cyberattack on more than 150 government agencies, think tanks and other organizations.

The hackers used "phishing" emails that are designed to steal usernames and passwords, the California-based security firm said.

The Burisma hack "really is starting to parallel with what we saw in 2016", Area 1 co-founder Oren Falkowitz told Reuters.

The victims include government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East, according to the security firm FireEye, which helped raise the alarm about the breach.

After studying the malware, FireEye said it believes the breaches were carefully targeted: "These compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."

Hackers exploited the way software companies distribute updates, adding malware to the legitimate package. Security analysts said the malicious code gave hackers a "backdoor" — a foothold in their targets' computer networks — which they then used to gain elevated credentials. SolarWinds traced the "supply chain" attack to updates for its Orion network products between March and June.

FireEye is calling the "Trojanized" SolarWinds software Sunburst. It named another piece of malware – which it said had never been seen before — TEARDROP.

olarWinds said it is cooperating with the FBI, the U.S. intelligence community and other investigating agencies to learn more about the malware and its effects. The company and security firms also said any affected agencies or customers should update to the latest software to lessen their exposure to the vulnerability. Microsoft has now taken control of the domain name that hackers used to communicate with systems that were compromised by the Orion update, according to security expert Brian Krebs. That access can help reveal the scope of the hack, he said.

For the U.S. government, Mandia says, there are bigger questions to be addressed — including a doctrine on what the U.S. expects nations' rules of engagement to be, and what the response will be to those who violate that doctrine.

supply-chain attack

According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.

The magnitude of this ongoing attack is hard to overstate.

The Russians have had access to a considerable number of important and sensitive networks for six to nine months.

While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them.

The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated

The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services.

hat should be done?On Dec. 13, the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security — itself a victim — issued an emergency directive ordering federal civilian agencies to remove SolarWinds software from their networks.

It also is impractical. In 2017, the federal government was ordered to remove from its networks software from a Russian company, Kaspersky Lab, that was deemed too risky. It took over a year to get it off the networks.

The remediation effort alone will be staggering

Cyber threat hunters that are stealthier than the Russians must be unleashed on these networks to look for the hidden, persistent access controls.

The National Defense Authorization Act, which each year provides the Defense Department and other agencies the authority to perform its work, is caught up in partisan wrangling. Among other important provisions, the act would authorize the Department of Homeland Security to perform network hunting in federal networks.

The response must be broader than patching networks. While all indicators point to the Russian government, the United States, and ideally its allies, must publicly and formally attribute responsibility for these hacks. If it is Russia, President Trump must make it clear to Vladimir Putin that these actions are unacceptable. The U.S. military and intelligence community must be placed on increased alert; all elements of national power must be placed on the table.

President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government. He must use whatever leverage he can muster to protect the United States and severely punish the Russians.President-elect Joe Biden must begin his planning to take charge of this crisis. He has to assume that communications about this matter are being read by Russia, and assume that any government data or email could be falsified.