OpenAI shuts down election influence operation that used ChatGPT

OpenAI has banned a cluster of ChatGPT accounts linked to an Iranian influence operation that was generating content about the U.S. presidential election, according to a blog post on Friday. The company says the operation created AI-generated articles and social media posts, though it doesn’t seem that it reached much of an audience.

This is not the first time OpenAI has banned accounts linked to state-affiliated actors using ChatGPT maliciously. In May the company disrupted five campaigns using ChatGPT to manipulate public opinion.

These episodes are reminiscent of state actors using social media platforms like Facebook and Twitter to attempt to influence previous election cycles. Now similar groups (or perhaps the same ones) are using generative AI to flood social channels with misinformation. Similar to social media companies, OpenAI seems to be adopting a whack-a-mole approach, banning accounts associated with these efforts as they come up.

OpenAI says its investigation of this cluster of accounts benefited from a Microsoft Threat Intelligence report published last week, which identified the group (which it calls Storm-2035) as part of a broader campaign to influence U.S. elections operating since 2020.

Microsoft said Storm-2035 is an Iranian network with multiple sites imitating news outlets and “actively engaging US voter groups on opposing ends of the political spectrum with polarizing messaging on issues such as the US presidential candidates, LGBTQ rights, and the Israel-Hamas conflict.” The playbook, as it has proven to be in other operations, is not necessarily to promote one policy or another but to sow dissent and conflict.

OpenAI identified five website fronts for Storm-2035, presenting as both progressive and conservative news outlets with convincing domain names like “evenpolitics.com.” The group used ChatGPT to draft several long-form articles, including one alleging that “X censors Trump’s tweets,” which Elon Musk’s platform certainly has not done (if anything, Musk is encouraging former president Donald Trump to engage more on X).

An example of a fake news outlet running ChatGPT-generated content. (Image credit: OpenAI)

On social media, OpenAI identified a dozen X accounts and one Instagram account controlled by this operation. The company says ChatGPT was used to rewrite various political comments, which were then posted on these platforms. One of these tweets falsely, and confusingly, alleged that Kamala Harris attributes “increased immigration costs” to climate change, followed by “#DumpKamala.”

OpenAI says it did not see evidence that Storm-2035’s articles were shared widely and noted a majority of its social media posts received few to no likes, shares, or comments. This is often the case with these operations, which are quick and cheap to spin up using AI tools like ChatGPT. Expect to see many more notices like this as the election approaches and partisan bickering online intensifies.


Trump campaign hack-and-leak appears like a rerun of 2016. This time, media outlets are responding differently

This weekend, Politico dropped a news bombshell: A person who only goes by “Robert” had shared with the news organization documents allegedly stolen from the Donald Trump presidential campaign. 

Since then, we have learned that The New York Times and The Washington Post have also heard from the same person and received some stolen documents. The document dump has the hallmarks of a hack-and-leak operation, which typically involves malicious hackers stealing sensitive information and strategically leaking it with the goal of hurting the target of the hack. The FBI has said it is investigating the hack. Trump himself has accused the Iranian government of the breach. Longtime Trump confidante Roger Stone said his email account was compromised, which is likely where the whole operation began, according to anonymous people who spoke to The Washington Post.

If this all sounds familiar, it’s because a near-identical hack-and-leak operation ahead of a U.S. election has happened before and will inevitably happen again. It’s worth going back in time to a previous hack-and-leak operation to highlight what we learned then, and how those lessons apply now.

In the summer of 2016, a hacker who identified themselves by the moniker Guccifer 2.0 and described themselves as a Romanian “hacker, manager, philosopher [and] women lover,” claimed to be behind the hack of the Democratic National Committee. This came as a surprise because cybersecurity firm CrowdStrike had accused a Russian intelligence agency of being behind the hack. In what is now an ironic twist, Roger Stone at the time publicly revealed he was in touch with Guccifer 2.0 and piggybacked on the hacker’s claims to attack the Democrats. 

But as it turned out, once I started asking Guccifer 2.0 some pointed questions back in 2016, their mask quickly started to fall off. Two years later, the FBI confirmed that Guccifer 2.0 was indeed no lone Romanian hacker, but a persona controlled by two agents working for Russia’s military intelligence unit, the Main Intelligence Directorate or GRU. While I pat myself on the back, I also want to be clear that, in a way, it was easy for me to focus on Guccifer 2.0 and their identity and motivations rather than the documents they were leaking, simply because I was (and still am) a cybersecurity reporter, not a political reporter. 

At this point and in this recent case, it’s unclear who “Robert” really is. But early signs point to a repeat of the Guccifer 2.0 situation.

Just a day before Politico’s report on the Trump hack, Microsoft revealed that an Iranian government-backed hacking group “sent a spear phishing email in June to a high-ranking official on a presidential campaign from the compromised email account of a former senior advisor.” Microsoft did not say which campaign it was, nor did it name the “former senior advisor” who was targeted, but sources have since told The Washington Post and Politico that the FBI has been investigating the Trump campaign hack since June. 

In a new report out Wednesday, Google’s Threat Analysis Group, which investigates government-backed hackers and threats, concurred with much of Microsoft’s assessment. Google said it has evidence that Iran-backed hackers were behind the targeting of personal email accounts of about a dozen individuals affiliated with President Biden and former President Trump as early as May.

To recap: It looks like Iranian government hackers may have compromised Stone, used his email account to then target and infiltrate the Trump campaign, stole some documents (for now we only know of files related to the vetting process of Republican vice presidential candidate J.D. Vance) and, finally, used a persona — Robert — to contact journalists, hoping they would cover the leaked documents. 


What is different from what happened in 2016 is how the media is covering this whole story. 

At the time, countless media outlets took the Guccifer 2.0 documents — and later those stolen from Hillary Clinton’s then-campaign chairman John Podesta — and ran stories that essentially amplified the message that the Russian government wanted the American public to focus on, namely claims of corruption and malfeasance. Kathleen Hall Jamieson, a University of Pennsylvania professor who wrote a book about the 2016 hacking campaigns, told the Associated Press this week that in 2016 the media misrepresented some of the leaked material in a way that was more damaging to Clinton than it should have been. 

This time, the early coverage of the Trump campaign hack-and-leak has focused on the hack-and-leak operation itself, and not so much on what was leaked, something that disinformation experts have praised.

“Politico and [its journalist] Alex Isenstadt deserve significant credit for turning this story into a story about a (poor, it appears) foreign disinformation attempt, instead of covering the leaked Trump campaign documents as such,” said Thomas Rid, a professor at Johns Hopkins and someone who closely followed the 2016 Russian hacking and disinformation campaign. 

It’s important to note that this all might change, perhaps if or when “Robert” decides to leak something that the media considers more newsworthy. It’s also important to remember that, as my former colleague Joseph Cox wrote a few years ago, there have been many cases of hackers leaking information that was in the public interest. The data in those hacks and leaks deserved to be covered and reported on. That may still prove to be the case this time, too. 

Regardless, it’s important that journalists give the whole context behind hack-and-leak operations, no matter if they are launched by hackers working for governments trying to undermine elections or certain presidential candidates, or hacktivists with good intentions.  

When Politico asked the hacker about how they got the documents, Robert reportedly said: “I suggest you don’t be curious about where I got them from. Any answer to this question, will compromise me and also legally restricts you from publishing them.”

Perhaps Robert himself knows that, this time, journalists have learned the lessons.


Kiteworks captures $456M at a $1B+ valuation to help secure sensitive data

Mark up another unicorn and large funding round for the cybersecurity industry: Kiteworks, which builds tools to secure email communications, file sharing and situations where people work with sensitive data, has raised $456 million from Insight Partners and Sixth Street Growth. The investment values the company at over $1 billion.

It’s a notable development for the San Mateo-based startup, which was formerly known as Accellion and suffered a major data breach in 2021. That incident, related to legacy services, impacted at least 300 organizations, including Morgan Stanley, the University of California, Kroger and Shell. 

Today, Kiteworks is going strong: It has been profitable for the past two years, and its tools serve 100 million end users and more than 3,650 global enterprises and government agencies.

This investment comes at a time when IT breaches continue to plague users and organizations. But the funding environment overall for startups remains challenging. 

That has resulted in well-performing cybersecurity companies shaping up as consolidators. Wiz earlier this year raised $1 billion to scoop up smaller players, and Kiteworks has similar plans.

Kiteworks said it will be using the money in part to make acquisitions. 

“We have a pretty aggressive M&A strategy that we started about a year-and-a-half ago to two years ago,” chief strategy officer Tim Freestone said in an interview. “This will help fund the continuation of that strategy into the next four years.”

Since 2022, Kiteworks has acquired four smaller enterprise startups. It will also be using funds for hiring, R&D and business development, he added.

The cybersecurity industry has been marked by a rapid profusion of startups, partly because the threats being addressed constantly evolve, and enterprising technologists want to pursue those opportunities. Arguably, Kiteworks represents the other side of the cybersecurity story.

The company has been around as a privately held operation for more than 20 years, so it’s not quite a “startup” in the classic sense. 

And while a lot of the attention in recent years has been around areas like cloud, network/infrastructure and application security, Kiteworks’ focus has been on data, specifically how to secure sensitive data, regardless of whether it is on-premises, in a cloud, or somewhere else entirely — like a line of information entered in a form on the web. 

“We’re finally at the data layer as an industry, and so that’s helped us,” said Freestone.

One of Kiteworks’ unique selling points has been its specific approach to handling sensitive data as part of what it calls a private content network, or PCN (not to be confused with the other PCN in infosecurity, which stands for process control network). Government organizations, or those that want to supply those organizations, need to adhere to a strong layer of data protection compliance.

Kiteworks claims it is the “only security platform authorized by FedRAMP” in the U.S. providing support for activities like file sharing, file transfer and email communications to meet those compliance requirements. Some of its solutions are creative: a DRM tool that makes a document appear like the “real” one to a recipient, but is in fact a facsimile — this ensures that most data never leaves the firewall of the sender.

“This investment reinforces Kiteworks’ role in tackling the challenge of managing sensitive data,” said Jonathan Yaron, CEO and chairman of Kiteworks (pictured below). “We’re eager to accelerate our growth and continue innovating to meet our customers’ evolving needs.”


Insight Partners and Sixth Street Growth’s co-investment is coming as a mix of primary and secondary shares in the company. The company is not disclosing the proportions of primary to secondary, but PitchBook data from early July notes that the first tranche of the total sum, designated as growth capital, was $228 million.

Insight, which has put more than $4.5 billion into cybersecurity investments (including in Wiz), believes now is the moment for Kiteworks to double down. 

“With the rise in third-party cybersecurity threats and stringent regulatory requirements, Kiteworks has a large market opportunity in front of them for both organic and inorganic growth,” said Eoin Duane, managing director of Insight, in an email to TechCrunch. “Customers love the Kiteworks PCN—there’s strong growth within the existing customer base, and as data security continues to become more important, the company is well-positioned to attract new customers.”


US appeals court rules geofence warrants are unconstitutional

A federal appeals court has ruled that geofence warrants are unconstitutional, a decision that will limit the use of the controversial search warrants across several U.S. states.

The Friday ruling from the U.S. Court of Appeals for the Fifth Circuit, which covers Louisiana, Mississippi, and Texas, found that geofence warrants are “categorically prohibited by the Fourth Amendment,” which protects against unwarranted searches and seizures. 

Civil liberties and privacy advocates applauded the ruling, which effectively makes the use of geofence warrants unlawful across the three U.S. states for now.

Geofence warrants, also known as “reverse” search warrants, allow police to draw a shape on a map, such as over a crime scene, and demand that Google (or any other company that collects user locations) search its entire banks of location data for any phone or device that was in that area at a specific point in time. 

But critics have long argued that geofence warrants are unconstitutional because they can be overbroad and include information on entirely innocent people. 

The court case centers on an armed robbery of a U.S. Postal Service worker in Mississippi in February 2018, in which police used a geofence warrant to identify the individuals suspected of the robbery. 

The Fifth Circuit’s opinion comes to a different conclusion than a similar case heard last month in the Fourth Circuit, which covers North Carolina, Virginia and West Virginia. That ruling found that accessing Google’s stores of location data does not count as a search and upheld the legality of geofence warrants across those states. 

In its case, the Fifth Circuit disagreed and found that police seeking data from Google’s vast stores of location data for a criminal suspect does in fact constitute a search. But because the bank of data is so big, and because the entire database has to be scanned, the court ruled that there is no legal authority capable of authorizing a search, per a blog post by law professor Orin Kerr analyzing the ruling.

The court said in its ruling, its emphasis included: “This search is occurring while law enforcement officials have no idea who they are looking for, or whether the search will even turn up a result. Indeed, the quintessential problem with these warrants is that they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search. That is constitutionally insufficient.”

While the Fifth Circuit ruled that geofence warrants are unconstitutional, the court concluded that the police department had acted in good faith when seeking the warrant for the location data held by Google, and upheld the defendant’s conviction. The court said that, in part because the use of geofence warrants was novel at the time and the department asked other agencies for legal guidance prior to submitting the warrant, the evidence should not be suppressed in this case.

Kerr, in his analysis, said the ruling “raises questions of whether any digital warrants for online contents are constitutional.” 

Because tech companies like Google, Uber, Snap and others collect and store huge amounts of their users’ location data and histories on their servers, this data can be obtained by law enforcement; if the data didn’t exist, the problem would be moot. The use of geofence warrants has rocketed in recent years, at one point amounting to about one-quarter of all U.S. legal demands Google received.

Google said late last year that it would begin storing users’ location data on their devices, making geofence warrants less useful for law enforcement.


The biggest data breaches in 2024: 1 billion stolen records and rising

We’re over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do.

From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks.

Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped.

AT&T’s data breaches affect “nearly all” of its customers, and many more non-customers

For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate data breaches just months apart.

In July, AT&T said cybercriminals had stolen a cache of data that contained phone numbers and call records of “nearly all” of its customers, or around 110 million people, over a six-month period in 2022 and in some cases longer. The data wasn’t stolen directly from AT&T’s systems, but from an account it had with data giant Snowflake (more on that later).

Although the stolen AT&T data isn’t public (and one report suggests AT&T paid a ransom for the hackers to delete the stolen data) and the data itself does not contain the contents of calls or text messages, the “metadata” still reveals who called who and when, and in some cases the data can be used to infer approximate locations. Worse, the data includes phone numbers of non-customers who were called by AT&T customers during that time. That data becoming public could be dangerous for higher-risk individuals, such as domestic abuse survivors.

That was AT&T’s second data breach this year. Earlier in March, a data breach broker dumped online a full cache of 73 million customer records to a known cybercrime forum for anyone to see, some three years after a much smaller sample was teased online.

The published data included customers’ personal information, including names, phone numbers and postal addresses, with some customers confirming their data was accurate. 

But it wasn’t until a security researcher discovered that the exposed data contained encrypted passcodes used for accessing a customer’s AT&T account that the telecoms giant took action. The security researcher told TechCrunch at the time that the encrypted passcodes could be easily unscrambled, putting some 7.6 million existing AT&T customer accounts at risk of hijacks. AT&T force-reset its customers’ account passcodes after TechCrunch alerted the company to the researcher’s findings. 

One big mystery remains: AT&T still doesn’t know how the data leaked or where it came from. 

Change Healthcare hackers stole medical data on “substantial proportion” of people in America

In 2022, the U.S. Justice Department sued health insurance giant UnitedHealth Group to block its attempted acquisition of health tech giant Change Healthcare, fearing that the deal would give the healthcare conglomerate broad access to about “half of all Americans’ health insurance claims” each year. The bid to block the deal ultimately failed. Then, two years later, something far worse happened: Change Healthcare was hacked by a prolific ransomware gang; its almighty banks of sensitive health data were stolen because one of the company’s critical systems was not protected with multi-factor authentication.

The lengthy downtime caused by the cyberattack dragged on for weeks, causing widespread outages at hospitals, pharmacies and healthcare practices across the United States. The full aftermath of the data breach has yet to be realized, though the consequences for those affected are likely to be irreversible. UnitedHealth says the stolen data, a copy of which it paid the hackers to obtain, includes the personal, medical and billing information of a “substantial proportion” of people in the United States.

UnitedHealth has yet to attach a number to how many individuals were affected by the breach. The health giant’s chief executive, Andrew Witty, told lawmakers that the breach may affect around one-third of Americans, and potentially more. For now, it’s a question of just how many hundreds of millions of people in the U.S. are affected. 

Synnovis ransomware attack sparked widespread outages at hospitals across London 

A June cyberattack on U.K. pathology lab Synnovis — a blood and tissue testing lab for hospitals and health services across the U.K. capital — caused ongoing widespread disruption to patient services for weeks. The local National Health Service trusts that rely on the lab postponed thousands of operations and procedures following the hack, prompting the declaration of a critical incident across the U.K. health sector.

A Russia-based ransomware gang was blamed for the cyberattack, which saw the theft of data related to some 300 million patient interactions dating back a “significant number” of years. Much like the data breach at Change Healthcare, the ramifications for those affected are likely to be significant and life-lasting. 

Some of the data was already published online in an effort to extort the lab into paying a ransom. Synnovis reportedly refused to pay the hackers’ $50 million ransom, preventing the gang from profiting from the hack but leaving the U.K. government scrambling for a plan in case the hackers posted millions of health records online. 

One of the NHS trusts that runs five hospitals across London affected by the outages reportedly failed to meet the data security standards as required by the U.K. health service in the years that ran up to the June cyberattack on Synnovis.

Ticketmaster had an alleged 560 million records stolen in the Snowflake hack

A series of data thefts from cloud data giant Snowflake quickly snowballed into one of the biggest breaches of the year, thanks to the vast amounts of data stolen from its corporate customers. 

Cybercriminals swiped hundreds of millions of customer records from some of the world’s biggest companies — including an alleged 560 million records from Ticketmaster, 79 million records from Advance Auto Parts and some 30 million records from TEG — by using stolen credentials of data engineers with access to their employer’s Snowflake environments. For its part, Snowflake does not require (or enforce) its customers to use multi-factor authentication, the security feature that protects against intrusions relying on stolen or reused passwords.

Incident response firm Mandiant said around 165 Snowflake customers had data stolen from their accounts, in some cases a “significant volume of customer data.” Only a handful of the 165 companies have so far confirmed their environments were compromised; the stolen data also includes tens of thousands of employee records from Neiman Marcus and Santander Bank, and millions of records of students at Los Angeles Unified School District. Expect many more Snowflake customers to come forward.

(Dis)honorable mentions

Cencora notifies over a million and counting that it lost their data:

U.S. pharma giant Cencora disclosed a February data breach involving the compromise of patients’ health data, information that Cencora obtained through its partnerships with drug makers. Cencora has steadfastly refused to say how many people are affected, but a count by TechCrunch shows well over a million people have been notified so far. Cencora says it’s served more than 18 million patients to date. 

MediSecure data breach affects half of Australia:

Close to 13 million people in Australia — roughly half of the country’s population — had personal and health data stolen in a ransomware attack on prescriptions provider MediSecure in April. MediSecure, which distributed prescriptions for most Australians until late 2023, declared insolvency soon after the mass theft of customer data.

Kaiser shared health data on millions of patients with advertisers:

U.S. health insurance giant Kaiser disclosed a data breach in April after inadvertently sharing the private health information of 13.4 million patients, specifically website search terms about diagnoses and medications, with tech companies and advertisers. Kaiser said it had used those companies’ tracking code for website analytics. The health insurance provider disclosed the incident in the wake of several other telehealth startups, like Cerebral, Monument and Tempest, admitting they too shared data with advertisers.

USPS shared postal addresses with tech giants, too:

Then it was the turn of the U.S. Postal Service, which was caught sharing the postal addresses of logged-in users with advertisers like Meta, LinkedIn and Snap, using similar tracking code provided by those companies. USPS removed the tracking code from its website after TechCrunch notified the postal service in July of the improper data sharing, but the agency wouldn’t say how many individuals had data collected. USPS had over 62 million Informed Delivery users as of March 2024.

Evolve Bank data breach affected fintech and startup customers:

A ransomware attack targeting Evolve Bank saw the personal information of more than 7.6 million people stolen by cybercriminals in July. Evolve is a banking-as-a-service giant serving mostly fintech companies and startups, like Affirm and Mercury. As a result, many of the individuals notified of the data breach had never heard of Evolve Bank, let alone had a relationship with the firm, prior to its cyberattack.


Open source tools to boost your productivity

For every yin, there’s a yang; for every action, a reaction; and for every piece of proprietary software, there’s an open source alternative. Or something like that.

The issue of “openness” in technology has rarely been so front and center in the public consciousness as it has these past couple of years. Twitter’s steady demise has drawn millions to explore alternatives, many of which are open source. And the OpenAI power struggle last year also shone a spotlight on what “open source” might actually mean in the context of the burgeoning AI revolution.

The consumer software world has long offered “open” alternatives to the established incumbents, be that LibreOffice instead of Microsoft Office; GIMP over Photoshop; or Thunderbird in place of Outlook. There might be any number of reasons why an individual or business might prefer to journey down the open source route: Maybe it’s the added transparency and security compared to the proprietary players or the customizability it offers. Or some might just like to support a software development ethos that favors freedom and collaboration over walled gardens and vendor lock-in.

There are potential downsides to open source software, such as a lack of formal customer support, limited features, or technical hurdles around deployment. But it’s still good to know your options if you’re looking to bring a little more openness to your app stack — without compromising too much on your productivity.

With that in mind, TechCrunch has pulled together some open source alternatives to popular productivity apps. These might appeal to prosumers, freelancers, or small businesses looking to escape the clutches of the usual Big Tech players.

Penpot: Design and prototyping

Penpot in action. (Image credit: Penpot)

Penpot is an open source web-based design tool, offering a range of plans targeting everyone from individuals to enterprises.

Although regulatory headwinds ultimately put an end to Adobe’s $20 billion bid for Figma last year, Penpot saw signups surge when news of the plans first emerged — and the startup went on to raise $8 million off the back of this.

Excalidraw is also a neat open source whiteboarding tool with collaborative features built in; it’s also worth checking out.

Cal.com: Scheduling

Cal.com in action. (Image credit: Cal.com)

Everyone loves Calendly, the scheduling platform (worth $3 billion) that helps people organize meetings without having to engage in multiple back-and-forth emails, messages and phone calls.

There’s also an open source challenger called Cal.com, touted as “scheduling infrastructure for absolutely everyone.” Cal.com can be self-hosted or hosted by the company itself as part of a SaaS offering, with multiple plans on offer. The company also raised a fairly chunky $25 million Series A round of investment in 2022.

Screenity: Screen recording

Screenity. (Image credit: Screenity)

Loom emerged as one of the beneficiaries of the rapid transition to remote work, enabling asynchronous video communication through myriad screencasting, recording and sharing features. As with many startups, Loom struggled as the world returned to some semblance of normality, and the company exited to Atlassian last year for just shy of $1 billion.

Still, remote work isn’t going away, and anyone looking for an open source Loom alternative that doesn’t sit under the auspices of a billion-dollar corporation could do worse than checking out Screenity. However, it is limited to the Chrome browser for now.

Jitsi: Video conferencing

Jitsi in action. (Image credit: under a Jitsi license)

Zoom was one of the big winners of the rapid shift to remote work, but that doesn’t mean there isn’t room for a fully self-hostable and configurable video-conferencing alternative. That’s exactly what’s offered by Jitsi, an open source community-driven project started by founder Emil Ivov way back in 2003.

Users can head to meet.jitsi.com and instantly start a meeting. And while Jitsi is open source and free for anyone to deploy as they please, its parent company, 8×8, offers a paid service with additional features. It’s worth noting that 8×8 acquired Jitsi from Atlassian in 2018.

Nextcloud: Cloud storage

Nextcloud. Image Credits: Nextcloud

Nextcloud is both a client-side and server-side solution for file storage. Other cloud storage providers, such as Shadow Drive, use Nextcloud’s infrastructure under the hood.

Users can self-host their Nextcloud instances or use a third-party provider suggested by Nextcloud, which helps users manage the setup and maintenance process.

Nextcloud can be used by hobbyists or enterprises looking to sidestep industry incumbents such as Dropbox, with a strong emphasis on privacy, security and data sovereignty.

Ghost: Publishing

Ghost dashboard. Image Credits: Ghost

Substack has built a business around providing tools for writers to create newsletters and similar content. However, Substack is a closed ecosystem, much like Medium.

Ghost is an open source publishing platform developed by former WordPress engineer John O’Nolan in 2013. While WordPress is also an open source solution, Ghost offers a cheaper alternative with a managed hosting instance and doesn’t take any fees from publishers on subscriptions.

Ghost raised $300,000 through crowdfunding during the project’s initial phase in 2013, with notable backers like Seth Godin, Leo Babauta and Microsoft.

TabbyML: Coding copilot

GitHub Copilot has emerged as the poster child of the AI-powered pair-programming space, though Google and Amazon have introduced similar smarts.

Regardless, none of these incumbents’ coding assistants is open source and they can’t be self-hosted — something TabbyML hopes to address. Founded by two former Googlers last year, TabbyML raised $3.2 million in seed funding for an early iteration of what it calls an open source GitHub Copilot alternative, one that can be entirely self-hosted.

Chatwoot: Customer support

Chatwoot. Image Credits: Chatwoot

As one of the major players in the customer relationship space, Zendesk needs little introduction. But the private equity-owned facet of Zendesk might not be to everyone’s fancy. Plus Zendesk is, well, entirely proprietary.

Chatwoot, on the other hand, touts its open source chops that allow businesses to self-host the customer engagement platform, thus keeping all their data in-house.

PhotoPrism: Photo management

PhotoPrism. Image Credits: PhotoPrism

In 2020, Google Photos ended its free unlimited tier. The same year, a Berlin-based team operating under the name PhotoPrism emerged as an alternative of sorts, with the ability to run a self-hosted server on your desktop (Windows, Mac, or Linux) along with DigitalOcean, Raspberry Pi, FreeBSD, and many network-attached storage (NAS) devices.

PhotoPrism includes support for backing up photos, as well as tools for converting files, detecting duplicates, and recognizing friend-and-family faces in photos. The company offers a range of plans designed for individuals and organizations alike, with self-hosted and hosted options available.

Bitwarden: Password management

Bitwarden. Image Credits: Bitwarden

From LastPass to Dashlane and 1Password, there is no shortage of password-management tools out there that generate hard-to-guess passwords and store them in a secure digital vault. But Bitwarden has set itself apart by operating largely under an open source model, raising a chunky $100 million in funding in the process.

Bitwarden’s core components are open source, allowing anyone to view, modify and distribute the code. However, certain features are only available under a proprietary “source available” license, which still offers transparency, albeit with greater restrictions on what the end user can do with it.

AppFlowy: Task management

AppFlowy. Image Credits: AppFlowy

AppFlowy is an open source alternative to Notion, the $10 billion workplace productivity and collaboration tool.

Founded in 2021, AppFlowy pitches a self-hostable solution replete with tools for managing projects, taking notes, creating documents, and tracking the status of individual project items and deadlines. The company raised $6.4 million in funding last year from a who’s who of investors, including the founders of Automattic and YouTube.

Dub.co: Link management

Dub.co. Image Credits: Dub

For link shortening and management, Spectrum Equity-owned Bitly is one of the popular tools, while Google recently put a final nail in its URL shortening service’s coffin. If you are looking for an open source alternative, Dub.co could be your answer.

Former Vercel employee Steven Tey started this as a side project in 2022, transforming it into a company two years later. While Dub.co provides a lot of its own URL management services, including time-series data, personalization and a way to use branded links, it also allows you to self-host its solution.


CSC ServiceWorks reveals 2023 data breach affecting thousands of people

Laundry giant CSC ServiceWorks says tens of thousands of people had their personal information stolen from its systems after recently disclosing a cyberattack from 2023.

The New York-based laundry giant provides over a million internet-connected laundry machines to residential buildings, hotels, and university campuses around North America and Europe. CSC also employs more than 3,200 team members, according to its website.

In a data breach notification filed late on Friday, CSC confirmed that the data breach affected at least 35,340 individuals, including over a hundred people in Maine. 

News of the data breach is the latest security issue to beset CSC over the past year, after multiple security researchers said they found simple but critical vulnerabilities in its laundry platform that could cost the company revenue.

In its data breach notice, CSC said an intruder broke into its systems on September 23, 2023, and had access to its network for five months until February 4, 2024, when the company discovered the intruder. It’s not known why it took the company several months to detect the breach. CSC said it took until June to identify what data was stolen.

The stolen data includes names; dates of birth; contact information; government identity documents, such as Social Security and driver’s license numbers; financial information, such as bank account numbers; and health insurance information, including some limited medical information.

Given that the types of data involved typically relate to the information that companies hold on their employees, such as for business records and workplace benefits, it’s plausible that the data breach affects current and former CSC employees, as customers are not typically asked for this information.

For its part, CSC would not clarify either way.

CSC spokesperson Stephen Gilbert declined to answer TechCrunch’s specific questions about the incident, including whether the breach affects employees, customers, or both. The company would not describe the nature of the cyberattack, or whether the company has received any communication from the threat actor, such as a ransom demand.

CSC made headlines earlier this year after ignoring a simple bug discovered by two student security researchers that allowed anyone to run free laundry cycles. The company belatedly patched the vulnerability and apologized to the researchers, who spent weeks trying to alert the company to the flaw.

The findings prompted the company to set up a vulnerability disclosure program, allowing future security researchers to contact the company directly to privately report bugs or vulnerabilities. 

Last month, details of a new vulnerability found in CSC-powered laundry machines allowing anyone to also get free laundry were made public. Michael Orlitzky said in a blog post that the hardware-level vulnerability, which involves short circuiting two wires inside a CSC-powered laundry machine, bypasses the need to enter coins to operate the machine. Orlitzky is due to present his findings at the Def Con security conference in Las Vegas on Saturday.


Student raised security concerns in Mobile Guardian MDM weeks before cyberattack

A person claiming to be a student in Singapore publicly posted documentation showing lax security in a widely popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company resulted in the mass-wiping of student devices and widespread disruption.

In an email with TechCrunch, the student — who declined to provide his name citing fear of legal retaliation — said he reported the bug to the Singaporean government by email in late May but could not be sure that the bug was ever fixed. The Singaporean government told TechCrunch that the bug was fixed prior to Mobile Guardian’s cyberattack on August 4, but the student said that the bug was so easy to find and trivial for an unsophisticated attacker to exploit, that he fears there are more vulnerabilities of similar exploitability.

The U.K.-based Mobile Guardian, which provides student device management software in thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block the malicious access, but not before the intruder used their access to remotely wipe thousands of student devices.

A day later, the student published details of the vulnerability he had previously sent to the Singaporean Ministry of Education, a major customer of Mobile Guardian since 2020.

In a Reddit post, the student said the security bug he found in Mobile Guardian granted any signed-in user “super admin” access to the company’s user management system. With that access, the student said, a malicious person could perform actions that are reserved for school administrators, including the ability to “reset every person’s personal learning device.”

The student wrote that he reported the issue to the Singaporean education ministry on May 30. Three weeks later, the ministry responded to the student saying the flaw is “no longer a concern,” but declined to share any further details with him, citing “commercial sensitivity,” according to the email seen by TechCrunch. 

When reached by TechCrunch, the ministry confirmed it had received word of the bug from the security researcher, and that “the vulnerability had been picked up as part of an earlier security screening, and had already been patched,” as per spokesperson Christopher Lee.

“We also confirmed that the disclosed exploit was no longer workable after the patch. In June, an independent certified penetration tester conducted a further assessment, and no such vulnerability was detected,” said the spokesperson.

“Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered,” the spokesperson said, adding that the ministry “regards such vulnerability disclosures seriously and will investigate them thoroughly.”

Bug exploitable in anyone’s browser

The student described the bug to TechCrunch as a client-side privilege escalation vulnerability, which allowed anyone on the internet to create a new Mobile Guardian user account with an extremely high level of system access using only the tools in their web browser. This was because Mobile Guardian’s servers were allegedly not performing the proper authorization checks and instead trusted values sent by the user’s browser.

The bug meant that the server could be tricked into accepting the higher level of system access for a user’s account by modifying the network traffic in the browser.

TechCrunch was provided a video — recorded on May 30, the day of disclosure — demonstrating how the bug works. The video shows the user creating a “super admin” account using only the browser’s in-built tools to modify the network traffic containing the user’s role to elevate that account’s access from “admin” to “super admin.”

The video showed the server accepting the modified network request and, once logged in as that newly created “super admin” account, the user was granted access to a dashboard displaying lists of Mobile Guardian enrolled schools.
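The pattern the student describes, a server that accepts whatever role value the browser sends, is a form of client-controlled authorization. The following is an added illustration, not Mobile Guardian’s code: the handler names, the role names, the e-mail addresses and the in-memory user store are all constructed for the example. It places a vulnerable user-creation handler beside a hardened one that decides the role server-side, refuses to grant anything above the caller’s own privilege level, and records escalation attempts for detection.

```javascript
// Added example (not Mobile Guardian's code). Two versions of a "create user"
// handler for a hypothetical device-management console. Names are constructed.

const ROLE_RANK = { teacher: 1, admin: 2, super_admin: 3 };

// In-memory stand-in for the real user database and audit log (constructed).
function makeStore() {
  return { users: new Map(), audit: [] };
}

function addUser(store, email, role) {
  store.users.set(email, { id: email, email, role });
}

// VULNERABLE: copies the role straight out of the request body. Any signed-in
// caller who edits the outgoing request in browser dev tools chooses their
// own role, which is the class of bug described above.
function createUserVulnerable(store, session, body) {
  if (!session || !session.userId) return { status: 401 };
  const user = { id: body.email, email: body.email, role: body.role };
  store.users.set(user.id, user);
  return { status: 201, user };
}

// HARDENED: the client may *request* a role, but the server decides.
//  - the caller must exist server-side, not just present a session,
//  - unknown roles are rejected (hasOwnProperty avoids prototype keys),
//  - super_admin is never grantable through this endpoint,
//  - a caller cannot grant a role ranked above their own,
//  - every refused escalation is written to the audit log for detection.
function createUserHardened(store, session, body) {
  if (!session || !session.userId) return { status: 401 };
  const caller = store.users.get(session.userId);
  if (!caller) return { status: 401 };

  const requested = body.role;
  if (!Object.prototype.hasOwnProperty.call(ROLE_RANK, requested)) {
    return { status: 400, error: 'unknown role' };
  }
  if (requested === 'super_admin' || ROLE_RANK[requested] > ROLE_RANK[caller.role]) {
    store.audit.push({ event: 'role_escalation_attempt', by: caller.id, requested });
    return { status: 403, error: 'role not grantable by this caller' };
  }
  const user = { id: body.email, email: body.email, role: requested };
  store.users.set(user.id, user);
  return { status: 201, user };
}

// Demo: an ordinary "admin" tampers with the request body to ask for super_admin.
// Each handler gets its own fresh store so the results are independent.
function demo() {
  const session = { userId: 'alice@school.example' };
  const tampered = { email: 'mallory@school.example', role: 'super_admin' };

  const s1 = makeStore();
  addUser(s1, 'alice@school.example', 'admin');
  const v = createUserVulnerable(s1, session, tampered);

  const s2 = makeStore();
  addUser(s2, 'alice@school.example', 'admin');
  const h = createUserHardened(s2, session, tampered);

  return {
    vulnerableRole: v.user.role,      // 'super_admin': the tampered value was accepted
    hardenedStatus: h.status,         // 403: the server decided, not the browser
    auditEvents: s2.audit.length,     // 1: the attempt is visible to defenders
  };
}

console.log(demo());
```

The detection side matters as much as the fix: a 403 on a role field that the legitimate front end never sends is a high-signal event, so the hardened handler logs it rather than silently downgrading the request.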

Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment prior to publication, including questions about the student’s vulnerability report and whether the company fixed the bug.

After we contacted Lawson, the company updated its statement as follows: “Internal and third party investigations into previous vulnerabilities of the Mobile Guardian Platform are confirmed to have been resolved and no longer pose a risk.” The statement did not say when the previous flaws were resolved nor did the statement explicitly rule out a link between the previous flaws and its August cyberattack. 

This is the second security incident to beset Mobile Guardian this year. In April, the Singaporean education ministry confirmed the company’s management portal had been hacked and the personal information of parents and school staff from hundreds of schools across Singapore compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, rather than a vulnerability in its systems.

Do you know more about the Mobile Guardian cyberattack? Are you affected? Get in touch. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can send files and documents via SecureDrop.


Ecovacs home robots can be hacked to spy on their owners, researchers say

Malicious hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones, new research has found.

Security researchers Dennis Giese and Braelynn are due to speak at the Def Con hacking conference on Saturday detailing their research into Ecovacs robots. When they analyzed several Ecovacs products, the two researchers found a number of issues that can be abused to hack the robots via Bluetooth and surreptitiously switch on microphones and cameras remotely. 

“Their security was really, really, really, really bad,” Giese told TechCrunch in an interview ahead of the talk.

The researchers said they reached out to Ecovacs to report the vulnerabilities but never heard back from the company, and believe the vulnerabilities are still not fixed and could be exploited by hackers. 

Ecovacs did not respond to requests for comment from TechCrunch. 

The main issue, according to the researchers, is that there is a vulnerability that allows anyone using a phone to connect to and take over an Ecovacs robot via Bluetooth from as far away as 450 feet (around 130 meters). And once the hackers take control of the device, they can connect to it remotely because the robots themselves are connected via Wi-Fi to the internet.

“You send a payload that takes a second, and then it connects back to our machine. So this can, for example, connect back to a server on the internet. And from there, we can control the robot remotely,” said Giese. “We can read out to Wi-Fi credentials, we can read out all the [saved room] maps. We can, because we’re sitting on the operation of the robot’s Linux operating system. We can access cameras, microphones, whatever.” 

A dog seen through a hacked Ecovacs device. Image Credits: Dennis Giese and Braelynn

Giese said that the lawn mower robots have Bluetooth active at all times, while the vacuum robots have Bluetooth enabled for 20 minutes when they switch on, and once a day when they do their automatic reboot, which makes them a bit harder to hack.

Because most of the newer Ecovacs robots are equipped with at least one camera and a microphone, once the hackers have control of a compromised robot, the robots can be turned into spies. The robots have no hardware light or any other indicator that warns people nearby that their cameras and microphones are on, according to the researchers. 

On some models there is, in theory, an audio file that gets played every five minutes saying the camera is on but hackers could easily delete the file and stay stealthy, Giese said. 

“You can basically just delete or overwrite the file with the empty one. So the warnings are not playing anymore if you access the camera remotely,” said Giese.

Apart from the risk of hacking, Giese and Braelynn said they found other problems with Ecovacs devices.

Among the issues, they said: The data stored on the robots remains on Ecovacs’ cloud servers even after deleting the user’s account; the authentication token also remains on the cloud, allowing someone to access a robot vacuum after deleting their account and potentially allowing them to spy on the person who may have purchased the robot secondhand. Also, the lawn mower robots have an anti-theft mechanism that forces someone to enter a PIN if they pick up the robot, but the PIN is stored in plaintext inside the lawn mower so a hacker could easily find it and use it.  

The researchers said that once an Ecovacs robot is compromised, if the device is in range of other Ecovacs robots, those devices can be hacked, too. 

Giese and Braelynn said they analyzed the following devices: Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, Ecovacs Deebot N10/T10, Ecovacs Deebot X1, Ecovacs Deebot T20, Ecovacs Deebot X2, Ecovacs Goat G1, Ecovacs Spybot Airbot Z1, Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.


How a cybersecurity researcher befriended, then doxed, the leader of LockBit ransomware gang

Earlier this year, an international coalition of law enforcement agencies took control of the dark web site of the notorious ransomware gang LockBit, replacing its content with the now-familiar message from the authorities: “This site is now under the control of law enforcement.” The operation didn’t disrupt the group’s operation for too long, with the gang launching a new site shortly after the takedown.

But then, on May 6, the authorities updated LockBit’s old site page and announced that they would be revealing the identity of LockBit’s administrator. “Who is LockBitSupp?” read a box on the site, which also included a 24-hour countdown. 

When cybersecurity researcher Jon DiMaggio saw the announcement, he immediately wondered: Do the cops have the same guy I have identified?  

A screenshot of the seized LockBit darknet website. Image Credits: TechCrunch (screenshot)

For the last couple of years, DiMaggio, who is a researcher at the cybersecurity firm Analyst1, had developed a relationship with LockBitSupp — first pretending to be a budding cybercriminal interested in joining the gang, then as himself. And, in the end, DiMaggio was able to figure out LockBitSupp’s real identity before it was publicly revealed by the authorities. 

On Friday, in a talk at the hacking conference Def Con in Las Vegas, DiMaggio told the whole story of his relationship with LockBitSupp, detailing how he gained his trust using a made-up persona, and then kept the relationship going even after DiMaggio publicly revealed that he had infiltrated the gang and tricked LockBitSupp into giving up details of the operation to him.

“Our relationship had a bunch of ups and downs,” DiMaggio said during a preview of his presentation, which he gave to TechCrunch ahead of the conference.

At first, DiMaggio explained that he created a series of sockpuppet accounts to approach people who appeared to have direct relationships with LockBitSupp, as well as observe their interactions. The goal during this phase was to create a cybercriminal persona that had some sort of history and connections in the underground, which would make it easier to appear credible when reaching out directly to LockBit and its administrator. 

“The important part of this was monitoring those conversations that appeared irrelevant. The ones where they had their guard down, where they were just talking s—t with other hackers. It allowed me to see the things they liked and the things they disliked. It gave me some context into their political views,” said DiMaggio. “All those things that I needed to build before I could engage because if I just went into this, and I started asking questions related to attacks and their operation, it’d be pretty obvious that I was a researcher.”

DiMaggio said his initial attempt to join the gang was rejected, but he kept talking to LockBitSupp, with whom he started to have a direct and friendly relationship. From then on, DiMaggio said he focused on LockBitSupp, cracking jokes with him, casually posing questions about details of his operation, such as questions on different elements and types of attacks, how to choose among them, how to negotiate with victims, and how to establish what’s the right ransom demand depending on the victim company.

Then, in January 2023, DiMaggio wrote a long report about his findings during his undercover research, and essentially burned all his fake cybercriminal personas. DiMaggio said he thought this would be the end of his relationship with LockBitSupp. Instead, the criminal ringleader appeared to have taken it lightly, posting in forums that he wished DiMaggio had shown him on yachts with women, enjoying his life as a high-flying cybercriminal. That, itself, was interesting to DiMaggio.

“The person that I know, while he certainly is motivated by money, he is not a flashy person, he’s not the type of person I would expect to be obsessed with material items,” said DiMaggio. “So there was a vast contrast in his demeanor and persona that he presented on these forums versus the person that I talked to one on one.”

Then, DiMaggio said that LockBitSupp started using his LinkedIn photo as their avatar in hacking forums as a way to poke fun at DiMaggio. “This was very much a cat-and-mouse game, and honestly LockBit loved playing this game with me as much as I loved playing it with them,” said DiMaggio. 

At one point in early August of last year, DiMaggio decided to troll LockBitSupp in public. As a joke, he posted on X claiming he was going to release new research into the ransomware group, and that if LockBitSupp wanted to stop him, he could pay him $10 million. He made it seem like he was trying to extort the extortionists. Surprisingly, it seemed like some cybercriminals believed him, and were worried they would be exposed. 

“It just goes to show from a psychological aspect, you can really f—k with these guys,” said DiMaggio. “The mental aspect of this operation went much further than anything else that I did.”

Meanwhile, DiMaggio said that LockBitSupp went offline for around 12 days. When LockBitSupp came back, he seemed upset, but didn’t stop communicating with DiMaggio. Around the same time, LockBit claimed responsibility for a cyberattack against a community hospital that treats children in Chicago, the second attack on a hospital after the one that hit Toronto’s SickKids hospital, another facility for children.

These attacks, DiMaggio said, “really, really pissed me off.” And they almost convinced him to send an angry message to LockBitSupp, telling them to “f—k off,” and that he was coming for them. Eventually, DiMaggio said he decided against sending it, because “you cannot become emotionally invested with your target.”

Security researcher Jon DiMaggio. Image Credits: supplied / Bryce Durbin / TechCrunch

Then, law enforcement took down LockBit’s website, and at least temporarily disrupted the gang’s operation. DiMaggio said he decided to focus all his efforts on identifying LockBitSupp, putting the word out in the cybercrime underground, and with other researchers, that he was going after the gang’s leader.

“At this point, LockBit knew it, the hunt was on,” said DiMaggio. 

And that hunt was facilitated by an anonymous tip that someone sent DiMaggio. The tipster, DiMaggio said, gave him a Yandex email address allegedly owned by LockBitSupp. With that as a starting point, DiMaggio said he was able to unravel the mystery of LockBitSupp’s identity, leading him to someone named Dmitry Khoroshev. But as tantalizing as that finding was, DiMaggio couldn’t be completely sure.

But then, something happened that not even he expected. The authorities updated the seized LockBit website with the intention of revealing LockBitSupp’s identity. DiMaggio said that at this point he reached out to the FBI, with whom he’s had a relationship as a private industry partner, and told them he had identified Khoroshev as LockBit’s administrator, and he planned to write a report revealing that. The goal, DiMaggio said, was to ask the FBI whether he should wait to publish his report or not.

“If they told me to wait, then there was a pretty good chance I had the right guy. If they told me to do whatever I wanted, then I probably would have still waited because that might have been because I had the wrong guy,” said DiMaggio, who added that the FBI told him to wait.

DiMaggio was on his way to the RSA cybersecurity conference in San Francisco, so “I packed my stuff, flew out to San Francisco, landed, I got to the hotel, and I spent the entire day, the entire night working and writing,” said DiMaggio. “I was writing everything I had on Dmitry. And I was going to wait for this timer to tick down. And when they published it, if we had the same guy, I was going to publish my report.”

When the 24-hour countdown struck zero, as promised, the U.S. Department of Justice accused Dmitry Khoroshev of being LockBit’s mastermind and administrator. At that point, DiMaggio could go live with his own report doxing Khoroshev.

“This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous,” said DiMaggio. “And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn’t.”

DiMaggio even published a message for Khoroshev, as a way to say goodbye and to tell him that he had to dox him before others did.

“LockBitSupp, you are a smart guy. You said it’s not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend,” DiMaggio wrote.

“You have always been real with me, and I want to be real with you. Take your money and go enjoy your life before you end up in a situation where you can’t. Much like REvil, you have pushed things too far. It’s time to move on. I don’t hate you; I hate what you do, and I did not enjoy putting you on blast today because we have known one another for a long time. The truth is if I didn’t do this today, someone else would. I have too much respect for you as an adversary to watch you get picked apart by some clown with an OSINT handbook, which is all it would take now that your identity is known. With our history, it needed to come from me. It’s time to move on,” he wrote.

Since then, DiMaggio said, he hasn’t heard back from Khoroshev. 

In talking openly about his operation, DiMaggio said he hopes to show how researchers can find out information about cybercriminals by infiltrating their groups, and not just by collecting data from hacks or lurking on forums. But DiMaggio also said that he wants researchers to know that doing what he did could carry consequences, even though, for now, he has heard only rumors that Khoroshev would like to get retribution, and nothing has happened.

“Nobody gets out of this unscathed,” said DiMaggio, “when you go f—k with criminals like this.”
