The post Proton Mail’s paid users will now get alerts if their info has been posted on the dark web appeared first on Best News.
Dark Web Monitoring is intended to be a proactive security measure. If you’ve used your Proton Mail email address to sign up for a third-party service, like a social media site, and then hackers steal user data from that service, it would let you know in a timely manner if your credentials have been compromised so you can take action (hopefully) before any harm is done. It seems a fitting move for the service, which already offers end-to-end encryption and has made privacy its main stance since the beginning. Dark Web Monitoring won’t be available to free users, though.
“While data breaches of third-party sites leading to the leak of personal information (such as your email address) can never be entirely avoided, automated early warning can help users stay vigilant and mitigate worse side effects such as identity theft,” said Eamonn Maguire, Head of Anti-Abuse and Account Security at Proton.
The post Budget doorbell camera manufacturer fixes security issues that left users vulnerable to spying appeared first on Best News.
Devices from those brands should now reflect a firmware version of 2.4.1 or higher, which would indicate they’ve received the update. Consumer Reports says its own samples got the update automatically, but it can’t hurt to double check in your settings considering the risks (that is, if you haven’t tossed the cameras out already). The publication says it’s confirmed that the update fixes the security problems. Eken also told Consumer Reports that the two doorbell cams it had rated with the “Don’t Buy” label — the Eken Smart Video Doorbell and Tuck Sharkpop Doorbell Camera — have been discontinued.
These doorbell cameras, which were sold on popular ecommerce platforms including Amazon, Walmart and Temu but since appear to have been pulled, also lacked the proper labeling required by the FCC. The company told Consumer Reports it will add these IDs to new products moving forward. Following its tests of the update, Consumer Reports has removed the warning labels from its scorecards.
The post 23andMe hackers accessed ancestry information on millions of customers using a feature that matches relatives appeared first on Best News.
DNAR Profiles contain sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.”
According to the new filing, the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” All of this was obtained through a credential-stuffing attack, in which hackers used login information from other, previously compromised websites to access those users’ accounts on other sites. In doing this, the filing says, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.”
Following the discovery of the breach, 23andMe instructed affected users to change their passwords and later rolled out two-factor authentication for all of its customers. In another update on Friday, 23andMe said it had completed the investigation and is notifying everyone who was affected. The company also wrote in the filing that it “believes that the threat actor activity is contained,” and is working to have the publicly-posted information taken down.
Update, December 2 2023, 7:03PM ET: This story has been updated to include information provided by a 23andMe spokesperson on the scope of the breach and the number of DNA Relative participants affected.
The post The US electrical grid is in desperate need of upgrades, watchdog warns appeared first on Best News.
In a new report, SAFE points to events like the deadly 2021 power crisis in Texas, when millions of people were left without electricity during a winter storm, and a 2022 shooting at a North Carolina substation that led to outages for more than 40,000 people. While instances like these may once have been considered rare events, they’re unfortunately becoming par for the course. The report also highlights sophisticated cyberattacks abroad, like the historic hack into Ukraine’s power grid in 2015, as examples of what the US grid could find itself up against.
“Extreme weather events, cyber espionage and domestic terror attacks, combined with increasing demand on aging infrastructure have turned the occasional power failure into alarmingly common events in cities across the United States,” said Thomas Coleman, executive director of SAFE’s Grid Security Project, in a statement published alongside the report.
The rapid transition away from fossil fuels will only add to the strain. Electric vehicles, which draw directly from the grid, have seen exponential adoption in recent years, and the system is still limited in its capacity to deliver energy from renewable sources like wind and solar to populated areas. The current infrastructure won’t be able to reliably keep up with greater energy generation and transmission needs.
According to SAFE, “the progeny of the infrastructure on which our great-grandparents once relied is increasingly inadequate to serve as the foundation of today’s modern economy.” In other words, the grid needs updating, and fast.
The post The NSA has a new security center specifically for guarding against AI appeared first on Best News.
The NSA’s recent move toward AI security was announced Thursday by outgoing director General Paul Nakasone. He says that the division will operate underneath the umbrella of the pre-existing Cybersecurity Collaboration Center. This entity works with private industry and international partners to protect the US from cyberattacks stemming from China, Russia and other countries with active malware and hacking campaigns.
For instance, the agency issued an advisory this week suggesting that Chinese hackers have been targeting government, industrial and telecommunications outfits via hacked router firmware. There’s also the specter of election interference, though Nakasone says he’s yet to see any evidence of Russia or China trying to influence the 2024 US presidential election. Still, this has been a big problem in the past, and that was before the rapid proliferation of AI algorithms like the CIA’s recently-announced chatbot.
As artificial intelligence threatens to boost the abilities of these bad actors, the US government will look to this new security division to keep up. The NSA decided on establishing the unit after conducting a study that suggested poorly-secured AI models pose a significant national security challenge. This has only been compounded by the increase of generative AI technologies that the NSA points out can be used for both good and bad purposes.
Nakasone says the organization will become “NSA’s focal point for leveraging foreign intelligence insights, contributing to the development of best practices guidelines, principles, evaluation, methodology and risk frameworks” for both AI security and for the goal of secure development and adoption of artificial intelligence within “our national security systems and our defense industrial base.” To that end, the group will work hand-in-hand with industry leaders, science labs, academic institutions, international partners and, of course, the Department of Defense.
Nakasone is on his way out of the NSA and the US Cyber Command and he’ll be succeeded by his current deputy, Air Force Lt. Gen. Timothy Haugh. Nakasone has been at his post since 2018 and, by all accounts, has had quite a successful run of it.
The post The EPA won't force water utilities to inspect their cyber defenses appeared first on Best News.
Republican state attorneys who were against the newly proposed policies said that the call for new inspections could overwhelm state regulators. The attorneys general of Arkansas, Iowa and Missouri all sued the EPA, claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being temporarily blocked back in June. While it's unclear if any cybersecurity regulations will be put in motion to protect the public moving forward, the EPA said it plans to continue working with the industry to “lower cybersecurity risks to clean and safe water.” It encourages all states to “voluntarily review” the cybersecurity of their water systems, noting that any proactive actions might curb the potential public health impacts if a hack were to take place.
Ever since the highly publicized SolarWinds hack in 2020 that exposed government records and the 2021 Colonial Pipeline ransomware attack that temporarily shut down operations for the oil pipeline system, it's been abundantly clear that government entities and public agencies are hackable and prime targets for bad actors. The Biden administration has initiated a national strategy focused on public-private alliances to shift the burden of cybersecurity onto the organizations that are “best-positioned to reduce risks for all of us.”
The post Ace Hardware's online ordering and other systems are still down due to a suspected cyberattack appeared first on Best News.
The cyber incident impacted warehouse management, invoice and other delivery systems, according to Venhuizen's memo. "The impact of this incident is resulting in disruptions to your shipments," Venhuizen wrote. An update issued on Monday urged stores to stay open, and confirmed there were no known impacts to its in-store payment and service systems.
Out of the company's 1,400 servers and 3,500 networked devices, 1,202 were impacted by the attack, according to a notice obtained by Bleeping Computer. About half had been restored as of early Thursday morning. "This frustration and all of this effort is the direct result of a malicious cyber attack on Ace," the update said. "This was perpetuated by criminals. Though they are hiding in this shadows, they are no different than thugs who break into your store attempting to steal your stuff." The details of the attack, such as who is responsible and how they accessed the systems, haven't been confirmed yet.
Ace Hardware also warned retailers to be aware of cybercriminals trying to take advantage of the chaos by spoofing email updates or trying to remotely access in-store systems. Ace Hardware operates on a retailer-owned model, in which store owners form the cooperative of shareholders behind the retail giant. The retailer operates more than 5,800 stores.
The post Discord is switching to expiring links for files shared off-platform appeared first on Best News.
While the stated intention of the move is to crack down on malware, it’ll also curb the wider use of Discord as an unofficial file hosting service. It’s not uncommon for users to upload images and other content to their own servers and then post those links elsewhere. You won’t be able to do that as smoothly anymore once it makes the move away from permanent file links, because the links will go dead after a day. Nothing will change for content posted and shared within Discord itself.
Switching to temporary file links “will help our safety team restrict access to flagged content, and generally reduce the amount of malware distributed using our CDN [content delivery network],” a spokesperson for Discord told BleepingComputer. Discord also noted, “If users are using Discord to host files, we’d recommend they find a more suitable service.”
The post Hackers use a new SEC rule to snitch on the company they infiltrated appeared first on Best News.
DataBreaches.net initially reported on the incident, which was conducted by ALPHV / BlackCat, a group known for breaching entities as diverse as MGM Resorts and Reddit. The hackers reportedly infiltrated the servers of fintech company MeridianLink on November 7, stealing company data without encrypting it. However, when the business neglected to negotiate directly, the hackers increased the pressure by filing a report with the SEC.
They did so citing a new rule the SEC passed this summer, which requires companies falling victim to “material cybersecurity incidents” to report them to the agency within four business days.
However, the four-day requirement may not have taken effect yet. At least one official form claims the rule kicked in 90 days after the date of publication in the Federal Register (they appear to have been published on August 4, making that alleged effective date November 2) or December 18. But the Federal Register document says, “With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8–K and in Form 6–K [the part referring to the four-day requirement], all registrants other than smaller reporting companies must begin complying on December 18, 2023.” Adding to the confusion, Reuters reported in October that the rule takes effect on December 15.
Engadget reached out to the SEC to clarify whether the rule is active yet. We’ll update this article if we hear back.
MeridianLink told BleepingComputer that it quickly worked to contain the threat. “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the company wrote. The company says it’s still trying to determine if any consumer personal information was breached, promising to notify affected parties if it was.
Whether the SEC has any teeth (or desire) to do anything about MeridianLink’s failure to report the incident in four business days, the rule could, ironically, serve as a new tool for cyber attackers. Rather than contacting customers or making calls to tighten the grip and pressure companies to comply with their demands, perhaps they can now simply rat them out to Uncle Sam.
The post Here’s everything you should do to up your security before next year appeared first on Best News.
So, now you’re probably spending a few days sleeping in your childhood bed, and wondering when Uncle Dave will stop talking to you about buying gold stocks. There’s never been a better time to take care of the less-than-riveting admin work of locking down your digital life. Here’s a quick holiday checklist you and your loved ones (including Dave) can spend an hour doing during your holiday downtime to set up for a more secure year.
For the most current patches and options, you’ll need to start this security check up by updating all your devices and apps. The companies behind the tech have already done a lot of the work to keep you safe, but it’s your job to make sure that you’re taking full advantage of those updates. I’d recommend starting with operating system updates then apps second because there’s usually some new features reliant on the latest OS within other software. While you’re there, set up automatic updates so that you don’t have to worry about doing this manually in the future.
Strong passwords are your first line of defense to keep your accounts safe, but they’re almost impossible to memorize and keep track of. Download a password manager to store this information for you, so that your passwords can be unguessable gibberish that you’ll actually use. Long term, it’s important to change these passwords every 90 days or so, and never to repeat across accounts. A password manager will help remind you of that, and even generate new password ideas for you. Unique and regularly-changing passwords help prevent attacks like credential stuffing, as we’ve seen make headlines in the recent 23andMe data breach.
Strong passwords are important, but it’s well-known that they aren’t enough to keep unauthorized actors out of your account. Most people are familiar with using a text message code to grant access to an account. If you’re taking time out of your day to set this up, however, I would recommend using a third-party authenticator app or a hardware key for more secure options. Or, for companies that have switched to allowing passkeys at login, that’s usually your best bet.
This will be one of the more tedious parts of the checklist, so if you can’t sit down and knock out your major logins now, at least push yourself to make these changes each time you log into a website over the next couple of weeks. Being stuck with family for the holiday might not be your preferred opportunity to make this change, but there’s sure to be an upcoming major snowstorm or bout of seasonal depression just screaming to be harnessed for your technological well-being.
A strong VPN will keep your web browsing private. Whether it’s free or paid for, defaulting to using a VPN adds an extra layer of security to the work you’re doing online. Most have options to use it across different devices, or to run automatically on startup so that you can set it up once and forget about it. I would also recommend switching over to a secure browser like Tor that runs on a privacy-first platform for more sensitive online matters. Of course there’s a catch: VPNs and Tor can both slow down your browsing, or break certain website features. Updates to the services have helped over time, but even if you use it for just a portion of web browsing, some protection is better than none.
Keeping up with security news will help you determine what accounts need special attention versus where you can go on autopilot. Once you know whether a breach may have occurred or a password has been leaked, you can quickly make changes to accommodate. Websites already exist to see if you’ve been in a data breach, and most companies have an obligation to tell you if they’ve been impacted. When you also stay up to date on the latest scams and attacks, you know what red flags to look out for in your own inbox to stay proactive.
It’s surprisingly easy to stop companies from trading your privacy for cash. On top of getting in the habit of not sharing your cookies or granting location data, you can opt out of working with the top three major data brokers. Acxiom, Oracle and Epsilon all have slightly different variations of the same form to fill out so that information like your home address and relatives’ names isn’t being sold for profit. This is a good start to getting your online privacy back; however, it can be more of a headache than just one opt-out form.
You have to do this frequently to make sure your information hasn’t been re-added to any of the broker sites, and if your information has already been sold to marketing companies, it’s too late to undo it. There are subscription service sites that can help track and continuously delete whatever information pops up for you, but starting with just Acxiom, Oracle and Epsilon will still be a free, worthwhile step toward more privacy.
Get an external hard drive or connect to the cloud and keep all of your data backed up. Do this regularly, so that even if your device quits or gets ransomed by an attacker, you aren’t completely screwed. I’d recommend opting for something that can be set up automatically, so that you don’t have to keep constant track of it. That could look like spending the 99 cents per month on extra iCloud storage (or Google Drive or another in-house cloud tool) so that your phone gets backed up each night while you’re asleep. Windows and Mac also both do auto updates to an external drive on desktop, so you can set it and forget it.
Alternatively, you could install backup software onto a device so that it’s taken care of by a third party, but that may be less intuitive to set up. Just don’t forget to clean up your data storage every once in a while, too, so that you’re not holding onto useless screenshots or pictures of your ex from years ago that are taking up valuable space.
It’s overwhelming to play catch up. Going through a list like this can seem intimidating if you haven’t worried about it before. If you set up automatic updates and backups, it’ll take some of those repeat tasks off your plate. But since you’ll already, hopefully, be setting new passwords once a quarter, you can do a quick check up on your other security measures too. See if you’ve been a victim of a breach or identity theft, keep telling data brokers to get their hands off your information and find out if new VPNs or other software has been released that could make your security setup more seamless. Making it a part of the routine is much easier than annual sprees, and can help you catch a cybersecurity problem before it becomes unmanageable.