Change Healthcare has hidden its data breach notification webpage from search engines using "noindex" code, TechCrunch found, making it difficult for affected individuals to find information about the massive healthcare data breach that compromised over 100 million people's medical records last year.

The UnitedHealth subsidiary said Tuesday it had "substantially" completed notifying victims of the February 2024 ransomware attack. The cyberattack caused months of healthcare disruptions and marked the largest known U.S. medical data theft.

An anonymous reader shares a report: U.S. school districts affected by the recent cyberattack on edtech giant PowerSchool have told TechCrunch that hackers accessed "all" of their historical student and teacher data stored in their student information systems. PowerSchool, whose school records software is used to support more than 50 million students across the United States, was hit by an intrusion in December that compromised the company's customer support portal with stolen credentials, allowing access to reams of personal data belonging to students and teachers in K-12 schools.

The attack has not yet been publicly attributed to a specific hacker or group. PowerSchool hasn't said how many of its school customers are affected. However, two sources at affected school districts -- who asked not to be named -- told TechCrunch that the hackers accessed troves of personal data belonging to both current and former students and teachers. Further reading: Lawsuit Accuses PowerSchool of Selling Student Data To 3rd Parties.

Microsoft will stop supporting its Microsoft 365 (formerly known as Office 365) desktop applications on Windows 10 after October 14, the day the company is retiring the old operating system, it said.

The U.S. Justice Department said on Tuesday that it has deleted malware planted on more than 4,200 computers by a group of criminal hackers who were backed by the People's Republic of China. From a report: The malware, known as "PlugX," affected thousands of computers around the globe and was used to infect and steal information, the department said. Investigators said the malware was installed by a band of hackers who are known by the names "Mustang Panda" and "Twill Typhoon."

A Google engineer has warned that a major shift in web browser caching is upending long-standing performance optimization practices. Browsers have overhauled their caching systems that forces websites to maintain separate copies of shared resources instead of reusing them across domains.

The new "double-keyed caching" system, implemented to enhance privacy, is ending the era of shared public content delivery networks, writes Google engineer Addy Osmani. According to Chrome's data, the change has led to a 3.6% increase in cache misses and 4% rise in network bandwidth usage.

Programmers have found ways to run the 1993 first-person shooter Doom on an array of unexpected platforms, and now a PDF file joins that list.

Developer ading2210's DoomPDF project shows the game operating within a document format primarily designed for static content display. The creator says he drew inspiration from pdftris, another PDF-based game port by Thomas Rinsma.

U.K. public sector and critical infrastructure organizations could be banned from making ransom payments under new proposals from the U.K. government. From a report: The U.K.'s Home Office launched a consultation on Tuesday that proposes a "targeted ban" on ransomware payments. Under the proposal, public sector bodies -- including local councils, schools, and NHS trusts -- would be banned from making payments to ransomware hackers, which the government says would "strike at the heart of the cybercriminal business model."

This government proposal comes after a wave of cyberattacks targeting the U.K. public sector. The NHS last year declared a "critical" incident following a cyberattack on pathology lab provider Synnovis, which led to a massive data breach of sensitive patient data and months of disruption, including canceled operations and the diversion of emergency patients. According to new data seen by Bloomberg, the cyberattack on Synnovis resulted in harm to dozens of patients, leading to long-term or permanent damage to their health in at least two cases.

A Snyk security researcher has published malicious NPM packages targeting Cursor, an AI coding startup, in what appears to be a dependency confusion attack. The packages, which collect and transmit system data to an attacker-controlled server, were published under a verified Snyk email address, according to security researcher Paul McCarty.

The OpenSSF package analysis scanner flagged three packages as malicious, generating advisories MAL-2025-27, MAL-2025-28 and MAL-2025-29. The researcher deployed the packages "cursor-retrieval," "cursor-always-local" and "cursor-shadow-workspace," likely attempting to exploit Cursor's private NPM packages of the same names.

A new ransomware group called Codefinger targets AWS S3 buckets by exploiting compromised or publicly exposed AWS keys to encrypt victims' data using AWS's own SSE-C encryption, rendering it inaccessible without the attacker-generated AES-256 keys. While other security researchers have documented techniques for encrypting S3 buckets, "this is the first instance we know of leveraging AWS's native secure encryption infrastructure via SSE-C in the wild," Tim West, VP of services with the Halcyon RISE Team, told The Register. "Historically AWS Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data," he warned. From the report: ... in addition to encrypting the data, Codefinder marks the compromised files for deletion within seven days using the S3 Object Lifecycle Management API â" the criminals themselves do not threaten to leak or sell the data, we're told. "This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand," West said. "Data destruction represents an additional risk to targeted organizations."

Codefinger also leaves a ransom note in each affected directory that includes the attacker's Bitcoin address and a client ID associated with the encrypted data. "The note warns that changes to account permissions or files will end negotiations," the Halcyon researchers said in a report about S3 bucket attacks shared with The Register. While West declined to name or provide any additional details about the two Codefinger victims -- including if they paid the ransom demands -- he suggests that AWS customers restrict the use of SSE-C.

"This can be achieved by leveraging the Condition element in IAM policies to prevent unauthorized applications of SSE-C on S3 buckets, ensuring that only approved data and users can utilize this feature," he explained. Plus, it's important to monitor and regularly audit AWS keys, as these make very attractive targets for all types of criminals looking to break into companies' cloud environments and steal data. "Permissions should be reviewed frequently to confirm they align with the principle of least privilege, while unused keys should be disabled, and active ones rotated regularly to minimize exposure," West said. An AWS spokesperson said it notifies affected customers of exposed keys and "quickly takes any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment."

They also directed users to this post about what to do upon noticing unauthorized activity.

The USB Implementers Forum has simplified its labeling system for USB docking stations and cables, dropping technical terms like "USB4v2" in favor of straightforward speed ratings such as "USB 80Gbps" or "USB 40Gbps."

The move follows criticism of previous complex naming conventions like "USB 3.2 Gen 2." The new logos will also display power transmission capabilities for cables, addressing consumer confusion over USB standards.

Microsoft is raising Microsoft 365 subscription prices by up to 46% across six Asian markets to fund AI features. In Australia, annual Microsoft 365 Family subscriptions will increase to AU$179 ($110) from AU$139, while Personal subscriptions will jump to AU$159 ($98) from AU$109. The price hikes also affect New Zealand, Malaysia, Singapore, Taiwan and Thailand customers.

SC Media reports on a new jailbreak method for large language models (LLMs) that "takes advantage of models' ability to identify and score harmful content in order to trick the models into generating content related to malware, illegal activity, harassment and more.

"The 'Bad Likert Judge' multi-step jailbreak technique was developed and tested by Palo Alto Networks Unit 42, and was found to increase the success rate of jailbreak attempts by more than 60% when compared with direct single-turn attack attempts..." For the LLM jailbreak experiments, the researchers asked the LLMs to use a Likert-like scale to score the degree to which certain content contained in the prompt was harmful. In one example, they asked the LLMs to give a score of 1 if a prompt didn't contain any malware-related information and a score of 2 if it contained very detailed information about how to create malware, or actual malware code. After the model scored the provided content on the scale, the researchers would then ask the model in a second step to provide examples of content that would score a 1 and a 2, adding that the second example should contain thorough step-by-step information. This would typically result in the LLM generating harmful content as part of the second example meant to demonstrate the model's understanding of the evaluation scale.

An additional one or two steps after the second step could be used to produce even more harmful information, the researchers found, by asking the LLM to further expand on and add more details to their harmful example. Overall, when tested across 1,440 cases using six different "state-of-the-art" models, the Bad Likert Judge jailbreak method had about a 71.6% average attack success rate across models.
Thanks to Slashdot reader spatwei for sharing the news.

"JPMorgan Chase shut down comments on an internal webpage announcing the bank's return-to-office policy," reports the Wall Street Journal, "after dozens of them criticized the move and at least one suggested that affected employees should unionize, according to people familiar with the matter." The bank's senior executives announced in an internal memo Friday that JPMorgan Chase would require all of its roughly 300,000 employees to work full time from the office starting in March, with only a limited number of exceptions. More than half of the bank's full-time workers, including senior managers and those with client-facing roles such as branch workers, have already been working full time from offices. The move primarily impacts back-office roles such as call-center workers who had still been able to work remotely two days a week...

Many employees shared concerns such as increased commuting costs, child-care challenges and the impact on work-life balance. One person suggested that they should consider unionizing to fight for a hybrid-work schedule, the people familiar with the matter said. Soon after, the bank disabled comments on the article...

The bank's executives said when announcing the move that affected employees would receive a 30-day notice before they are expected to return to the office full time. They also said there will be a limited number of teams that can work remotely or on a hybrid basis if their "work can be easily and clearly measured."
The bank's executives said yesterday a limited number of teams can still work remotely (full or part-time) — but only if their work "can be easily and clearly measured," according to the article. But they also announced how they'd implement the new policy.

Affected employees will receive a 30-day notice before being expected to return to the office full time.

Thanks to long-time Slashdot reader AsylumWraith for sharing the news.

While CES wraps up this week, "Not all innovation is good innovation," warns Elizabeth Chamberlain, iFixit's Director of Sustainability (heading their Right to Repair advocacy team). So this year the group held its fourth annual "anti-awards ceremony" to call out CES's "least repairable, least private, and least sustainable products..." (iFixit co-founder Kyle Wiens mocked a $2,200 "smart ring" with a battery that only lasts for 500 charges. "Wanna open it up and change the battery? Well you can't! Trying to open it will completely destroy this device...") There's also a category for the worst in security — plus a special award titled "Who asked for this?" — and then a final inglorious prize declaring "the Overall Worst in Show..."

Thursday their "panel of dystopia experts" livestreamed to iFixit's feed of over 1 million subscribers on YouTube, with the video's description warning about manufacturers "hoping to convince us that they have invented the future. But will their vision make our lives better, or lead humanity down a dark and twisted path?" The video "is a fun and rollicking romp that tries to forestall a future clogged with power-hungry AI and data-collecting sensors," writes The New Stack — though noting one final irony.

"While the ceremony criticized these products, YouTube was displaying ads for them..."

UPDATE: Slashdot reached out to iFixit co-founder Kyle Wiens, who says this teaches us all a lesson. "The gadget industry is insidious and has their tentacles everywhere."

"Of course they injected ads into our video. The beast can't stop feeding, and will keep growing until we knife it in the heart."

Long-time Slashdot reader destinyland summarizes the article: "We're seeing more and more of these things that have basically surveillance technology built into them," iFixit's Chamberlain told The Associated Press... Proving this point was EFF executive director Cindy Cohn, who gave a truly impassioned takedown for "smart" infant products that "end up traumatizing new parents with false reports that their baby has stopped breathing." But worst for privacy was the $1,200 "Revol" baby bassinet — equipped with a camera, a microphone, and a radar sensor. The video also mocks Samsung's "AI Home" initiative which let you answer phone calls with your washing machine, oven, or refrigerator. (And LG's overpowered "smart" refrigerator won the "Overall Worst in Show" award.)

One of the scariest presentations came from Paul Roberts, founder of SecuRepairs, a group advocating both cybersecurity and the right to repair. Roberts notes that about 65% of the routers sold in the U.S. are from a Chinese company named TP-Link — both wifi routers and the wifi/ethernet routers sold for homes and small offices.Roberts reminded viewers that in October, Microsoft reported "thousands" of compromised routers — most of them manufactured by TP-Link — were found working together in a malicious network trying to crack passwords and penetrate "think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others" in North America and in Europe. The U.S. Justice Department soon launched an investigation (as did the U.S. Commerce Department) into TP-Link's ties to China's government and military, according to a SecuRepairs blog post.

The reason? "As a China-based company, TP-Link is required by law to disclose flaws it discovers in its software to China's Ministry of Industry and Information Technology before making them public." Inevitably, this creates a window "to exploit the publicly undisclosed flaw... That fact, and the coincidence of TP-Link devices playing a role in state-sponsored hacking campaigns, raises the prospects of the U.S. government declaring a ban on the sale of TP-Link technology at some point in the next year."

TP-Link won the award for the worst in security.

An anonymous reader quotes a report from TechCrunch: On Saturday, Triplegangers CEO Oleksandr Tomchuk was alerted that his company's e-commerce site was down. It looked to be some kind of distributed denial-of-service attack. He soon discovered the culprit was a bot from OpenAI that was relentlessly attempting to scrape his entire, enormous site. "We have over 65,000 products, each product has a page," Tomchuk told TechCrunch. "Each page has at least three photos." OpenAI was sending "tens of thousands" of server requests trying to download all of it, hundreds of thousands of photos, along with their detailed descriptions. "OpenAI used 600 IPs to scrape data, and we are still analyzing logs from last week, perhaps it's way more," he said of the IP addresses the bot used to attempt to consume his site. "Their crawlers were crushing our site," he said "It was basically a DDoS attack."

Triplegangers' website is its business. The seven-employee company has spent over a decade assembling what it calls the largest database of "human digital doubles" on the web, meaning 3D image files scanned from actual human models. It sells the 3D object files, as well as photos -- everything from hands to hair, skin, and full bodies -- to 3D artists, video game makers, anyone who needs to digitally recreate authentic human characteristics. [...] To add insult to injury, not only was Triplegangers knocked offline by OpenAI's bot during U.S. business hours, but Tomchuk expects a jacked-up AWS bill thanks to all of the CPU and downloading activity from the bot. Triplegangers initially lacked a properly configured robots.txt file, which allowed the bot to freely scrape its site since the system interprets the absence of such a file as permission. It's not an opt-in system.

Once the file was updated with specific tags to block OpenAI's bot, along with additional defenses like Cloudflare, the scraping stopped. However, robots.txt is not foolproof since compliance by AI companies is voluntary, leaving the burden on website owners to monitor and block unauthorized access proactively. "[Tomchuk] wants other small online business to know that the only way to discover if an AI bot is taking a website's copyrighted belongings is to actively look," reports TechCrunch.

Microsoft kicks off the new year with more job cuts, as fewer than 1% of employees reportedly face the axe. From a report: As first reported by Business Insider, Microsoft is trimming its workforce again, including roles in its security division, with the cuts targeting underperforming employees. A Microsoft spokesperson confirmed the layoffs with BI but declined to specify how many staffers are affected, stating, "At Microsoft, we focus on high-performance talent."

"We are always working on helping people learn and grow. When people are not performing, we take the appropriate action," the spokesperson told The Register.

U.S. software giant Ivanti has warned that a zero-day vulnerability in its widely-used enterprise VPN appliance has been exploited to compromise the networks of its corporate customers. From a report: Ivanti said on Wednesday that the critical-rated vulnerability, tracked as CVE-2025-0282, can be exploited without any authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure, and ZTA Gateways products. Ivanti says its Connect Secure remote-access VPN solution is "the most widely adopted SSL VPN by organizations of every size, across every major industry."

This is the latest exploited security vulnerability to target Ivanti's products in recent years. Last year, the technology maker pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers. The company said it became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.

Telegram's Transparency Report reveals a sharp increase in U.S. government data requests, with 900 fulfilled requests affecting 2,253 users. "The news shows a massive spike in the number of data requests fulfilled by Telegram after French authorities arrested Telegram CEO Pavel Durov in August, in part because of the company's unwillingness to provide user data in a child abuse investigation," notes 404 Media. From the report: Between January 1 and September 30, 2024, Telegram fulfilled 14 requests "for IP addresses and/or phone numbers" from the United States, which affected a total of 108 users, according to Telegram's Transparency Reports bot. But for the entire year of 2024, it fulfilled 900 requests from the U.S. affecting a total of 2,253 users, meaning that the number of fulfilled requests skyrocketed between October and December, according to the newly released data. "Fulfilled requests from the United States of America for IP address and/or phone number: 900," Telegram's Transparency Reports bot said when prompted for the latest report by 404 Media. "Affected users: 2253," it added.

A month after Durov's arrest in August, Telegram updated its privacy policy to say that the company will provide user data, including IP addresses and phone numbers, to law enforcement agencies in response to valid legal orders. Up until then, the privacy policy only mentioned it would do so when concerning terror cases, and said that such a disclosure had never happened anyway. Even though the data technically covers the entire of 2024, the jump from a total of 108 affected users in October to 2253 as of now, indicates that the vast majority of fulfilled data requests were in the last quarter of 2024, showing a huge increase in the number of law enforcement requests that Telegram completed. You can access the platform's transparency reports here.

The Register's Connor Jones reports: Marc Rogers, DEF CON's head of security, faces tens of thousands of dollars in medical bills following an accident that left him with a broken neck and temporary quadriplegia. The prominent industry figure, whose work has spanned roles at tech companies such as Vodafone and Okta, including ensuring the story lines on Mr Robot and The Real Hustle were factually sound, is recovering in hospital. [...] Rogers said it will be around four to six weeks before he returns to basic independence and is able to travel, but a full recovery will take up to six months. He begins a course of physical therapy today, but his insurance will only cover the first of three required weeks, prompting friends to set up a fundraiser to cover the difference.

Rogers has an impressive cyber CV. Beginning life in cybersecurity back in the '80s when he went by the handle Cjunky, he has gone on to assume various high profile roles in the industry. In addition to the decade leading Vodafone UK's cybersecurity and being the VP of cybersecurity strategy at Okta, as already mentioned, Rogers has also worked as head of security at Cloudflare and founded Vectra, among other experiences. Now he heads up security at DEF CON, is a member of the Ransomware Taskforce, and is the co-founder and CTO at AI observability startup nbhd.ai.

If you hadn't heard of him from any of these roles, or from his work in the entertainment biz, he's also known for his famous research into Apple's Touch ID sensor, which he was able to compromise on both the iPhone 5S and 6 during his time as principal researcher at Lookout. Other consumer-grade kit to get the Rogers treatment include the short-lived Google Glass devices, also while he was at Lookout, and the Tesla Model S back in 2015. "It's a sad fact that in the US GoFundMe has become the de facto standard for covering insurance shortfalls," Rogers said. "I will be forever grateful to my friends who stood it up for me and those who donated to it so that I can resume making bad guys cry as soon as feasibly possible."

The cybersecurity community has rallied together to support Rogers' fundraiser, which has accrued over $83,000 in donations. The goal is $100,000.

Microsoft will begin enforcing storage limits on unlicensed OneDrive accounts from January 27, 2025, ending a loophole that allowed organizations to retain departed employees' data without cost.

Data from accounts unlicensed for over 93 days will move to recycle bins for another 93 days before permanent deletion, unless under retention policies. Archived data retrieval will cost $0.60 per gigabyte plus $0.05 monthly per gigabyte. Organizations must either retrieve data, add licenses, or risk losing access, Microsoft has warned.