Google Chrome uses AI to analyze pages in new scam detection feature


Google is using artificial intelligence to power a new Chrome scam protection feature that analyzes brands and the intent of pages as you browse the web.

As spotted by Leo on X, a new flag in Chrome Canary enables a feature called “Client Side Detection Brand and Intent for Scam Detection” that uses an LLM, or Large Language Model, to analyze web pages on your device.

“Enables on device LLM output on pages to inquire for brand and intent of the page,” reads the Google Chrome flag’s description.

Chrome’s AI-powered scam detection feature (Source: BleepingComputer)

This feature is believed to help the scam detection service detect the brand and purpose (intent) of a webpage, making it easier to identify potential scams. It works on Mac, Windows, and Linux.

It’s unclear how the feature works, but it could issue warnings when you visit an obvious scam website.

For example, if you visit a fake Microsoft tech support page claiming your computer is infected and urging you to call a number, Chrome’s AI could analyze the promoted brand or language used on the page. If it detects scam tactics like fake urgency or suspicious domains, it could display a warning alerting you to avoid interacting with the page or sharing personal information.

This new tool is being tested in Chrome Canary and could be related to Chrome’s built-in Enhanced Protection feature, which now also uses artificial intelligence.

Chrome’s Enhanced Protection is now powered by AI.

Google says the updated Enhanced Protection feature uses AI to provide real-time protection against dangerous sites, downloads, and extensions.

Before October, Enhanced Protection didn’t use AI. It was described as “proactive protection,” but it has since been updated to “AI-powered protection.”

Google is likely using pre-trained data to understand web content and warn users about scams or dangerous sites.

The company is still testing these AI-powered security and privacy features in Chrome, and it’s unclear when more details will be shared.


LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages


A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024.

Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a statement. Based on fund transfers to a cryptocurrency wallet owned by Panev, he allegedly earned approximately $230,000 between June 2022 and February 2024.

“Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit co-conspirators to wreak havoc and cause billions of dollars in damage around the world,” U.S. Attorney Philip R. Sellinger said.

LockBit, which was one of the most prolific ransomware groups, had its infrastructure seized in February 2024 as part of an international law enforcement operation called Cronos. It gained notoriety for targeting more than 2,500 entities in at least 120 countries around the world, including 1,800 in the U.S. alone.

Victims of LockBit’s attacks ranged from individuals and small businesses to multinational corporations, and included hospitals, schools, nonprofit organizations, critical infrastructure, government, and law enforcement agencies. The RaaS is believed to have netted the group at least $500 million in illicit profits.

Court documents show that Panev’s computer, analyzed following his arrest, held administrator credentials for an online repository hosted on the dark web that contained source code for multiple versions of the LockBit builder, which affiliates used to create custom builds of the ransomware.

Also discovered were access credentials for the LockBit control panel and a tool called StealBit, which allowed the affiliate actors to exfiltrate sensitive data from compromised hosts prior to initiating the encryption process.


Panev, besides writing and maintaining the LockBit malware code as well as offering technical guidance to the e-crime group, is also accused of exchanging direct messages with Dmitry Yuryevich Khoroshev, the primary administrator who also went by online alias LockBitSupp, discussing development work related to the builder and control panel.

“In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work,” the DoJ said.

“Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network.”

With the latest arrest, a total of seven LockBit members – Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, Mikhail Pavlovich Matveev – have been charged in the U.S.

Despite these operational setbacks, the LockBit operators appear to be plotting a comeback, with a new version, LockBit 4.0, scheduled for release in February 2025. However, it remains to be seen whether the extortion gang can successfully stage a return in light of the ongoing wave of takedowns and charges.

Second Netwalker Ransomware Affiliate Gets 20 Years in Prison

The development comes as Daniel Christian Hulea, a 30-year-old Romanian affiliate of the NetWalker ransomware operation, was sentenced to 20 years in prison and ordered to forfeit $21,500,000 and his interests in an Indonesian company and a luxury resort property that was financed with ill-gotten proceeds from the attacks.

Hulea previously pleaded guilty in the U.S. to charges of computer fraud conspiracy and wire fraud conspiracy back in June 2024. He was arrested in Romania on July 11, 2023, and subsequently extradited to the U.S.

“As part of his plea agreement, Hulea admitted to using NetWalker to obtain approximately 1,595 bitcoin in ransom payments for himself and a co-conspirator, valued at approximately $21,500,000 at the time of the payments,” the DoJ said.

The NetWalker ransomware operation particularly singled out the healthcare sector during the height of the COVID-19 pandemic. It was dismantled online in January 2021 when U.S. and Bulgarian authorities seized the dark web sites used by the group. In October 2022, a Canadian affiliate, Sebastien Vachon-Desjardins, was sentenced to 20 years in prison.

Raccoon Stealer Developer Sentenced to 5 Years in Prison

In related law enforcement news, the DoJ also announced the sentencing of Mark Sokolovsky, a Ukrainian national accused of being the primary developer of the Raccoon Stealer malware, to 60 months in federal prison for one count of conspiracy to commit computer intrusion.

The 28-year-old conspired to offer the Raccoon infostealer as a malware-as-a-service (MaaS) to other criminal actors for $200 a month, who then deployed the malware on victims’ systems using various ruses such as email phishing in order to steal sensitive data. The harvested information was used to commit financial crimes or sold to others on underground forums.

Sokolovsky, who was extradited from the Netherlands in February 2024, pleaded guilty to the crime in early October and agreed to forfeit $23,975 and pay at least $910,844.61 in restitution.

“Mark Sokolovsky was a key player in an international criminal conspiracy that victimized countless individuals by administering malware which made it cheaper and easier for even amateurs to commit complex cybercrimes,” said U.S. Attorney Jaime Esparza for the Western District of Texas.


The U.S. Federal Bureau of Investigation (FBI) has set up a website where users can check whether their email address shows up in the data stolen by the Raccoon stealer malware. The MaaS operation was taken offline in March 2022 concurrent with Sokolovsky’s arrest by Dutch authorities.

NYC Man Gets Nearly 6 Years in Prison for Credit Card Trafficking and Money Laundering

The latest actions also follow the sentencing of a 32-year-old New York City man, Vitalii Antonenko, to time served plus days for his involvement in a criminal scheme that infiltrated systems with SQL injection attacks in order to steal credit card and personal information and offer the data for sale on online criminal marketplaces.

“Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control,” the DoJ noted in May 2020. “The conspiracy’s victims included a hospitality business and non-profit scientific research institution, both located in eastern Massachusetts.”

Antonenko was arrested in March 2019 on his return to the U.S. from Ukraine carrying “computers and other digital media that held hundreds of thousands of stolen payment card numbers.”

In September 2024, he pleaded guilty to one count of conspiracy to gain unauthorized access to computer networks and to traffic in unauthorized access devices, and one count of money laundering conspiracy.



Apple urged to stop AI headline summaries after false claims • The Register


Press freedom advocates are urging Apple to ditch an “immature” generative AI system that incorrectly summarized a BBC news notification, falsely stating that suspected UnitedHealthcare CEO shooter Luigi Mangione had killed himself.

Reporters Without Borders (RSF) said this week that Apple’s AI kerfuffle, which generated a false summary as “Luigi Mangione shoots himself,” is further evidence that artificial intelligence cannot reliably produce information for the public. Apple Intelligence, which launched in the UK on December 11, needed less than 48 hours to make the very public mistake. 

“This accident highlights the inability of AI systems to systematically publish quality information, even when it is based on journalistic sources,” RSF said. “The probabilistic way in which AI systems operate automatically disqualifies them as a reliable technology for news media that can be used in solutions aimed at the general public.”

Because it isn’t reliably accurate, RSF said AI shouldn’t be allowed to be used for such purposes, and asked Apple to pull the feature from its operating systems. 

“Facts can’t be decided by a roll of the dice,” said Vincent Berthier, head of RSF’s tech and journalism desk. “RSF calls on Apple to act responsibly by removing this feature.

“The automated production of false information attributed to a media outlet is a blow to the outlet’s credibility and a danger to the public’s right to reliable information on current affairs,” Berthier added.

It’s unknown if or how Apple plans to address the issue. The BBC has filed its own complaint, but Apple declined to comment to the British broadcaster publicly on the matter. 

According to the BBC, this doesn’t even appear to be the first time Apple’s AI summaries have falsely reported news. The Beeb pointed to an Apple AI summary from November shared by a ProPublica reporter that attributed news of Israeli prime minister Benjamin Netanyahu’s arrest (which hasn’t happened) to the New York Times, suggesting Apple Intelligence might be a serial misreader of the daily headlines.

Google’s AI search results have also been tricked into surfacing scam links, and have also urged users to glue cheese to pizza and eat rocks.  

Berthier stated, “The European AI Act – despite being the most advanced legislation in the world in this area – did not classify information-generating AIs as high-risk systems, leaving a critical legal vacuum. This gap must be filled immediately.”

The Register has reached out to Apple to learn about what it might do to address the problem of its AI jumping to conclusions about the news, and RSF to see if it’s heard from Apple, but we haven’t heard back from either. ®


Justice Department unveils charges against alleged LockBit developer


The U.S. Department of Justice revealed charges Friday against Rostislav Panev, a dual Russian and Israeli national, for his alleged role as a developer in the notorious LockBit ransomware group. Panev was arrested in Israel following a U.S. provisional arrest request and is currently awaiting extradition.

Authorities allege that Panev has been an instrumental figure in LockBit’s operations since its inception in 2019. As a developer, Panev is accused of designing malware code and maintaining the infrastructure used by the gang’s members and affiliates to conduct attacks. LockBit has been tied to over 2,500 attacks in 120 countries, extracting more than $500 million in ransom payments and causing billions in losses to victims, including businesses, hospitals, and government agencies.

The arrest is part of a broader campaign by international law enforcement agencies to dismantle LockBit. In February, a coordinated operation led by the U.K.’s National Crime Agency in cooperation with the FBI and the U.S. Justice Department disrupted LockBit’s infrastructure, seizing websites and servers critical to its operations. These efforts significantly curtailed the group’s ability to launch further attacks and extort victims.

Panev is one of several individuals charged in connection with LockBit. Alongside him, other key figures have been indicted, including Dmitry Khoroshev, alleged to be “LockBitSupp,” the group’s primary creator and administrator. Khoroshev, still at large, is accused of developing the ransomware and coordinating attacks on an international scale. The State Department has offered a reward of up to $10 million for his capture.

Meanwhile, numerous members linked to LockBit remain fugitives, such as Russian nationals Artur Sungatov and Ivan Kondratyev, each facing charges for deploying ransomware against multiple industries globally. Mikhail Matveev, another alleged LockBit affiliate, is also at large, with a $10 million reward for his capture. Matveev was recently charged with computer crimes in Russia. 

“As alleged by the complaint, Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit coconspirators to wreak havoc and cause billions of dollars in damage around the world,” said Philip Sellinger, the U.S. Attorney for the District of New Jersey. “But just like the six other LockBit members previously identified and charged by this office and our FBI and Criminal Division partners, Panev could not remain anonymous and avoid justice indefinitely. He must now answer for his crimes. Today’s announcement represents another blow struck by the United States and our international partners against the LockBit organization, and our efforts will continue relentlessly until the group is fully dismantled and its members brought to justice.”

Panev’s lawyer, Sharon Nahari, told Israeli news outlet Ynet earlier this week that Panev was neither aware of nor complicit in the alleged schemes. An extradition hearing for Panev will be held in Israel next month. 

You can read the full criminal complaint against Panev here.


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


Engineering Workstations Fresh Malware Barrage


NEWS BRIEF

Operational technology (OT) and industrial control systems (ICS) are increasingly exposed to compromise through engineering workstations. A new malware strain developed to kill workstations running Siemens systems joins a growing list of botnets and worms working to infiltrate industrial networks through these on-premises, Internet-connected attack vectors.

Forescout researchers reported the discovery of the Siemens malware, which they called “Chaya_003.” But that’s hardly an isolated case. The researchers also found two Mitsubishi engineering workstations compromised by the Ramnit worm, they explained in a new report.

“Malware in OT/ICS is more common than you think — and engineering workstations connected to the Internet are targets,” the Forescout team warned.

Researchers from SANS said engineering workstation compromise accounts for more than 20% of OT cybersecurity incidents, the report noted. Botnets targeting OT systems, which the report said includes Aisuru, Kaiten, and Gafgyt, rely on Internet-connected devices to infiltrate networks.

Engineering workstations make excellent targets for cyberattack because they are on-premises stations running traditional operating systems as well as specialized vendor software tools such as the Siemens TIA Portal or Mitsubishi GX Works, the Forescout team wrote.

To defend against these campaigns, OT/ICS network operators should ensure engineering workstations are protected and that there is adequate network segmentation, and implement an ongoing threat monitoring program.

The report acknowledges malware developed specifically for OT environments is relatively rare compared with efforts put behind enterprise compromises, “but there’s little room to sleep easily if you’re a security operator in OT or manage industrial control system security,” the researchers added.


Massive live sports piracy ring with 812 million yearly visits taken offline


The Alliance for Creativity and Entertainment (ACE) has taken down one of the world’s largest live sports streaming piracy rings, with over 821 million visits last year.

ACE says the Markkystreams Vietnam-based operation was the largest illegal sports streaming service it has shut down to date. 

The piracy ring primarily targeted audiences across the United States and Canada, streaming sports events daily from all the U.S. sports leagues and global leagues of every category. ACE says this operation affected all its members, including sports tier members DAZN, beIN Sports, and Canal+.

“The shutdown of this globally notorious live sports piracy ring is a huge victory in our campaign against the piracy of live sports programs and follows other recent successful actions by ACE and law enforcement in Vietnam,” said Larissa Knapp, Executive Vice President at the Motion Picture Association (MPA), on Thursday.

“ACE’s live sports members face a unique threat when it comes to digital piracy, as live sports broadcasts lose substantial commercial value once the game ends. The takedown serves as a warning to piracy operators everywhere – including operators in live sports piracy – that ACE will identify and shut down their illegal operations.”

The anti-piracy group says the ring’s Hanoi-based operators handed over control to 138 domains, including the bestsolaris[dot]com, streameast[dot]to, markkystreams[dot]com, crackstreams[dot]dev, and weakspell[dot]to domains.

“This website is no longer available due to copyright infringement. Do not put yourself at risk by using or subscribing to illegal streaming services,” a banner displayed on the seized websites reads.

ACE seizure banner (BleepingComputer)

ACE is a coalition of over 50 media and entertainment companies, including the world’s largest film studios and television networks, focused on shuttering illegal streaming services since June 2017.

Its governing board includes Amazon, Apple TV+, Universal Studios, The Walt Disney Studios, Netflix, Paramount Global, Sony Pictures, and Warner Bros. Discovery.

Since its launch, ACE has taken down a long list of piracy platforms, including the Openload and Streamango streaming providers in October 2019, the pirate IPTV service Beast IPTV in December 2020, the 123movies.la streaming site in May 2021, and the world’s largest anime pirate site Zoro.to in July 2023.

ACE also works with law enforcement organizations like the U.S. Department of Justice, Europol, and Interpol in operations targeting large-scale illegal streaming rings.

Since the start of the year, it helped shutter a pirate TV streaming network that made millions of dollars since its launch in 2015, convict five men linked to the Jetflicks illegal streaming service, and, most recently, dismantle a pirate streaming service with over 22 million users worldwide that was making over €250 million ($263M) each month.


Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack


Dec 20, 2024 | Ravie Lakshmanan | Malware / Supply Chain Attack

The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware.

Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8.

“They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts,” software supply chain security firm Socket said in an analysis.


Rspack is billed as an alternative to webpack, offering a “high performance JavaScript bundler written in Rust.” Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others.

The npm packages in question, @rspack/core and @rspack/cli, attract weekly downloads of over 300,000 and 145,000, respectively, indicative of their popularity.

An analysis of the rogue versions of the two libraries has revealed that they incorporate code to make calls to a remote server (“80.78.28[.]72”) in order to transmit sensitive configuration details such as cloud service credentials, while also collecting IP address and location details by making an HTTP GET request to “ipinfo[.]io/json.”

In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

The end goal of the attacks is to trigger the download and execution of an XMRig cryptocurrency miner on compromised Linux hosts upon installation of the packages by means of a postinstall script specified in the “package.json” file.

“The malware is executed via the postinstall script, which runs automatically when the package is installed,” Socket said. “This ensures the malicious payload is executed without any user action, embedding itself into the target environment.”


Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities. An investigation into the root cause of the token theft is underway.

“This attack highlights the need for package managers to adopt stricter safeguards to protect developers, like enforcing attestation checks, to prevent updating to unverified versions,” Socket said. “But it’s not totally bullet-proof.”

“As seen in the recent Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with attestation by compromising GitHub Actions through cache poisoning.”


Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm – Krebs on Security


Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.

Araneida Scanner.

Cyber threat analysts at Silent Push said they recently received reports from a partner organization that identified an aggressive scanning effort against their website using an Internet address previously associated with a campaign by FIN7, a notorious Russia-based hacking group.

But on closer inspection they discovered the address contained an HTML title of “Araneida Customer Panel,” and found they could search on that text string to find dozens of unique addresses hosting the same service.

It soon became apparent that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.

Silent Push also learned Araneida bundles its service with a robust proxy offering, so that customer scans appear to come from Internet addresses that are randomly selected from a large pool of available traffic relays.

The makers of Acunetix, Texas-based application security vendor Invicti Security, confirmed Silent Push’s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key.

“We have been playing cat and mouse for a while with these guys,” said Matt Sciberras, chief information security officer at Invicti.

Silent Push said Araneida is being advertised by an eponymous user on multiple cybercrime forums. The service’s Telegram channel boasts nearly 500 subscribers and explains how to use the tool for malicious purposes.

In a “Fun Facts” list posted to the channel in late September, Araneida said their service was used to take over more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with the payment card data (“dumps”) they sold.

Araneida Scanner’s Telegram channel bragging about how customers are using the service for cybercrime.

“They are constantly bragging with their community about the crimes that are being committed, how it’s making criminals money,” said Zach Edwards, a senior threat researcher at Silent Push. “They are also selling bulk data and dumps which appear to have been acquired with this tool or due to vulnerabilities found with the tool.”

Silent Push also found a cracked version of Acunetix was powering at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin speakers, but they were unable to find any apparently related sales threads about them on the dark web.

Rumors of a cracked version of Acunetix being used by attackers surfaced in June 2023 on Twitter/X, when researchers first posited a connection between observed scanning activity and Araneida.

According to an August 2023 report (PDF) from the U.S. Department of Health and Human Services (HHS), Acunetix (presumably a cracked version) is among several tools used by APT 41, a prolific Chinese state-sponsored hacking group.

THE TURKISH CONNECTION

Silent Push notes that the website where Araneida is being sold — araneida[.]co — first came online in February 2023. But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018.

A search in the threat intelligence platform Intel 471 shows a user by the name Araneida promoted the scanner on two cybercrime forums since 2022, including Breached and Nulled. In 2022, Araneida told fellow Breached members they could be reached on Discord at the username “Ornie#9811.”

According to Intel 471, this same Discord account was advertised in 2019 by a person on the cybercrime forum Cracked who used the monikers “ORN” and “ori0n.” The user “ori0n” mentioned in several posts that they could be reached on Telegram at the username “@sirorny.”

Orn advertising Araneida Scanner in Feb. 2023 on the forum Cracked. Image: Ke-la.com.

The Sirorny Telegram identity also was referenced as a point of contact for a current user on the cybercrime forum Nulled who is selling website development services, and who references araneida[.]co as one of their projects. That user, “Exorn,” has posts dating back to August 2018.

In early 2020, Exorn promoted a website called “orndorks[.]com,” which they described as a service for automating the scanning for web-based vulnerabilities. A passive DNS lookup on this domain at DomainTools.com shows that its email records pointed to the address ori0nbusiness@protonmail.com.

Constella Intelligence, a company that tracks information exposed in data breaches, finds this email address was used to register an account at Breachforums in July 2024 under the nickname “Ornie.” Constella also finds the same email registered at the website netguard[.]codes in 2021 using the password “ceza2003” [full disclosure: Constella is currently an advertiser on KrebsOnSecurity].

A search on the password ceza2003 in Constella finds roughly a dozen email addresses that used it in an exposed data breach, most of them featuring some variation on the name “altugsara,” including altugsara321@gmail.com. Constella further finds altugsara321@gmail.com was used to create an account at the cybercrime community RaidForums under the username “ori0n,” from an Internet address in Istanbul.

According to DomainTools, altugsara321@gmail.com was used in 2020 to register the domain name altugsara[.]com. Archive.org’s history for that domain shows that in 2021 it featured a website for a then 18-year-old Altuğ Şara from Ankara, Turkey.

Archive.org’s recollection of what altugsara dot com looked like in 2021.

LinkedIn finds this same altugsara[.]com domain listed in the “contact info” section of a profile for an Altug Sara from Ankara, who says he has worked the past two years as a senior software developer for a Turkish IT firm called Bilitro Yazilim.

Neither Altug Sara nor Bilitro Yazilim responded to requests for comment.

Invicti’s website states that it has offices in Ankara, but the company’s CEO said none of their employees recognized either name.

“We do have a small team in Ankara, but as far as I know we have no connection to the individual other than the fact that they are also in Ankara,” Invicti CEO Neil Roseman told KrebsOnSecurity.

Researchers at Silent Push say despite Araneida using a seemingly endless supply of proxies to mask the true location of its users, it is a fairly “noisy” scanner that will kick off a large volume of requests to various API endpoints, and make requests to random URLs associated with different content management systems.

What’s more, the cracked version of Acunetix being resold to cybercriminals invokes legacy Acunetix SSL certificates on active control panels, which Silent Push says provides a solid pivot for finding some of this infrastructure, particularly from the Chinese threat actors.

Further reading: Silent Push’s research on Araneida Scanner.


Techie fluked a fix and his abusive boss embraced him for it • The Register


On Call Digital technology remains frighteningly finickity, which is why good tech support people are always in demand – and also the reason The Register never tires of telling your support stories each Friday in On Call, the column your generosity makes possible.

This week, meet a reader we’ll Regomize as “Boris” who years ago worked for a business providing services to what he described as “a large international automotive company” that ran its production planning application on an old school mainframe – proper supervillain lair kit, with big tape drives whirring away all day.

The IT director at this client had a temper.

“He was known and feared as someone who ate systems support people for breakfast.”

Boris was therefore far from thrilled when he was called in to address a problem his colleagues had been unable to address.

“The planning application would sometimes suddenly hang at random points without any obvious reason,” Boris told On Call. “This was very upsetting as delays in the availability of manufacturing schedules interfered with plant operations, which cost serious money.”

Hardware experts were put on trans-Atlantic flights so they could pore over the mainframe’s innards. Software engineers who had hand-coded the machine’s OS were sent to find faults.

None could determine the cause of the hangs. Indeed, all reported the machine was working as intended. All systems nominal.

Those investigations consumed months – and did not make the client happier.

Indeed, the irate IT director began making serious noises about seeking compensation and junking the mainframe.

In desperation, Boris was asked to examine the situation.

Boris wasn’t thrilled about that, as his skill set – engineering and scientific matters – was not obviously applicable to the situation. And he knew nothing about scheduling assembly lines.

He nonetheless visited the client’s office, and was quickly “shouted at and threatened by the IT director.”

Boris managed to retain sufficient composure to ask for the application’s source code.

“Fortuitously it was in Fortran – one of the programming languages I was very familiar with,” Boris told On Call. It also contained an obvious error that he spotted after about ten minutes.

“The code assumed that all the tapes were at their start point. Whether or not the program would run successfully depended on the state of the tapes left by any previously executed application. Sometimes it would run, and sometimes not.”

The fix seemed simple: a Rewind All; statement in the code – one at the start and one at the end – would surely ensure the tape was always at the start point when the application ran.

Boris recompiled the software, ran it, and relaxed as the problem went away.

Which is where his troubles began – because the abusive IT director took a shine to him.

“Forever after I was his ‘go to’ person for advice on almost everything from hardware selection decisions to application development and I was treated with reverence and the appropriate level of respect by all.”

But Boris knew this couldn’t last – because his Fortran fix was fortuitous. He therefore lived in fear of being found out and ending up on the wrong side of the abusive IT director’s wrath.

“Fortunately, I was moved overseas on a different project before my limitations could be tested,” he told On Call.

Phew!

Have you ever found a fix despite not being an expert in the troubled tech you were asked to tend? If so, click here to send On Call an email so we can feature your story after the festive season.

On Call wishes readers all the best for their end-of-year celebrations, and thanks you all for the weekly gift of your stories. ®




Study finds ‘significant uptick’ in cybersecurity disclosures to SEC


The introduction of new cybersecurity disclosure rules by the U.S. Securities and Exchange Commission has led to a significant uptick in the number of reported cybersecurity incidents from public companies, according to a leading U.S. law firm that specializes in finance and M&A activity.

Analysis by Paul Hastings LLP found that since the disclosure law went into effect in 2023, there has been a 60% increase in disclosures of cybersecurity incidents, and 78% of disclosures were made within eight days of discovery of the incident.

The regulations require public companies to disclose material cybersecurity incidents within four business days of determining their materiality, aiming to provide investors with timely and relevant information that could impact investment decisions.

Despite the increase in disclosures, less than 10% of disclosures detailed the material impacts of these incidents, revealing potential hesitancy or difficulty in assessing comprehensive impacts swiftly. Companies are often faced with the challenge of balancing detailed reporting with the protection of sensitive operation details, as the rules do not mandate disclosing specific technical details that could hinder remediation efforts.

Michelle Reed, co-chair of Paul Hastings’ data privacy and cybersecurity practice, said the hesitancy is likely because companies are disclosing very quickly, so as to not be penalized by the SEC for delayed disclosure.

“The coming year will be an interesting testing ground on how materiality in the cyber world ultimately shakes out,” Reed told CyberScoop.

The materiality clause has led to inconsistent outcomes among companies that have publicly disclosed a cybersecurity incident. For instance, the ransomware attack on automotive software provider CDK Global in June resulted in varying degrees of materiality disclosures. CDK’s parent company, Brookfield Business Partners, said in their July disclosure they did not “expect this incident to have a material impact” on their business despite paying a $25 million ransom.

Some other car dealerships also filed disclosures saying the attack on CDK negatively impacted their company, but stopped short of saying the incident caused a “material impact.”

Reed told CyberScoop these cases illuminate the ambiguity companies face in determining the depth of information necessary for reporting, while avoiding the disclosure of sensitive security measures that could exacerbate vulnerabilities and lead to lawsuits.

“Materiality is a sliding scale, weighing risk and likelihood of impact,” she said. “The exact same breach could happen to two different companies, and based on size of the company and effectiveness of their incident response, one may have to disclose and the other may not.”

An additional concern covered in the report is the prevalence of third-party breaches, which account for 1 in 4 incidents. The report points out that this kind of cybersecurity incident creates a further dilemma for companies over whether to disclose third-party breaches, particularly when other companies may already have disclosed an incident related to the same breach.

You can read the full report on Paul Hastings’ website.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


