Ransomware has long been plaguing American municipalities. It appeared to be another typical ransomware attack that impacted the city of Columbus, Ohio, this past July. The city’s response to the hack, however, was not, and it has cybersecurity and legal experts across the country questioning its motives.

Connor Goodwolf (legal name is David Leroy Ross) is an IT consultant who plumbs the dark web as part of his job. “I track dark web-type crimes, criminal organizations, and stuff like what the Telegram CEO has been arrested for,” Goodwolf said.

So when word got out that the city of Columbus, his hometown, had been breached, Goodwolf did what he does: he poked around online. It didn’t take him long to discover what the hackers had in their possession.

“It wasn’t the biggest, but it was one of the most impactful breaches I have seen,” Goodwolf said.

In some ways, he described it as a routine breach, with personally identifiable information, protected health information, Social Security numbers and driver’s license photos exposed. However, because multiple databases were breached, it was more encompassing than other attacks. According to Goodwolf, the hackers had breached multiple databases from the city, the police, and the prosecutor’s office. There were arrest records and sensitive information about minors and domestic violence victims. Some of the breached databases, he says, went back to 1999.

Goodwolf found over three terabytes of data that took over 8 hours to download.

“The first thing I see is the prosecutor’s database, and I’m like ‘holy sh-t’ these are domestic violence victims. When it comes to domestic violence victims, we need to protect them the most because they have already been victimized once, and now they are again by having their information exposed,” he said.

Goodwolf’s first action was to contact the city to let them know how serious the breach was, because what he saw contradicted official statements. At a press conference on August 13, Columbus Mayor Andrew Ginther said: “The personal data that the threat actor published to the dark web was either encrypted or corrupted, so the majority of the data came by the threat actor is unusable.”

But what Goodwolf was finding didn’t support that view. “I tried to reach out to the city multiple times to multiple departments and was blown off,” he said.

Google-owned Mandiant and many other top cybersecurity firms have been tracking a continued increase in ransomware attacks, in both prevalence and severity, along with the rise of the Rhysida Group, the gang behind the Columbus hack, which has come into prominence within the last year.

The Rhysida Group claimed responsibility for the hack. While not much is known about the cyber gang, Goodwolf and other security experts say they appear to be state-sponsored and based in Eastern Europe, possibly linked to Russia. Goodwolf says these ransomware gangs are “professional operations” with a staff, paid vacation, and PR people.

“They have ramped up the attacks and targets since last autumn,” he said.

The U.S. government’s Cybersecurity and Infrastructure Security Agency issued a bulletin about Rhysida last November.

Goodwolf said that because no one from the city responded to him he went to the local media and shared data with journalists to get the word out about the seriousness of the breach. And that is when he heard from the city of Columbus, in the form of a lawsuit and a temporary restraining order preventing him from disseminating additional information. 

The city defended its response in a statement to CNBC:

“The City initially moved to obtain this order, which was granted by the Court, to prevent the dissemination of sensitive and confidential information, potentially including the identities of undercover police officers, that threatens public safety and criminal investigations.”

The city’s temporary 14-day restraining order against Goodwolf has since expired, and now it has a preliminary injunction and an agreement with Goodwolf not to release more data.

“It should be noted that the Court order does not prohibit the defendant from discussing the data breach or even describing what kind of data was exposed,” the city’s statement added. “It simply prohibits the individual from disseminating the stolen data posted on the dark web. The City remains engaged with federal authorities and cyber security experts to respond to this cyber intrusion.”

Meanwhile, the mayor did have to perform a mea culpa at a subsequent press conference, saying his initial statements were based on the information he had at the time. “It was the best information we had at the time. Clearly, we discovered that that was inaccurate information and I have to accept responsibility for that.”

Realizing the exposure to residents was greater than first thought, the city is offering two years of free credit monitoring from Experian. This includes anyone who has had contact with the city of Columbus via an arrest or other business. Columbus is also working with Legal Aid to see what additional protections are needed for domestic violence victims who may have been compromised or need help with civil protection orders.

To date, the city has not paid the hackers, who were demanding $2 million in ransom.   

‘He’s Not Edward Snowden’

Those who study cybersecurity law and work within the realm expressed surprise at Columbus filing a civil lawsuit against the researcher.

“Lawsuits against data security researchers are rare,” said Raymond Ku, professor of law at Case Western Reserve University. On the rare occasion they do happen, he said, it is usually when the researcher is alleged to have disclosed how a flaw was or can be exploited, which would then allow others to take advantage of the flaw as well.

“He wasn’t Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity company Huntress, who described himself as troubled by the city of Columbus’s response and what it could mean for future breaches. Snowden was a government contract employee who leaked classified information and faced criminal charges, but considered himself a whistleblower. Goodwolf, Hanslovan says, is a Good Samaritan who independently found the breached data.

“In this case, it appears we have just silenced someone who, as far as I can tell, appears to be a security researcher who did the bare minimum and confirmed the official statements made were not true. This can’t possibly be an appropriate use of the courts,” Hanslovan said, predicting the case will be quickly overturned.

Columbus City Attorney Zach Klein said during a September press conference that the case was “not about freedom of speech or whistleblowing. This is about downloading and disclosure of stolen criminal investigatory records.”

Hanslovan worries about the ripple effect where cybersecurity consultants and researchers are afraid to do their jobs for fear of being sued. “The bigger story here is are we seeing the emergence of a new playbook” for hacking response in which individuals are silenced, and that should not be welcomed, he said. “Silencing any opinion, even for 14 days, could be enough to prevent something credible from coming to light, and that terrifies me,” Hanslovan said. “That voice needs to be heard. As we see bigger cybersecurity incidents come up, I am worried that folks will be more concerned bringing them to light.”

Scott Dylan, founder of United Kingdom-based venture capital firm NexaTech Ventures, also thinks the actions of the city of Columbus could induce a chilling effect on the field of cybersecurity.

“As the field of cyberlaw continues to mature, this case is likely to be referenced in future discussions about the role of researchers in the aftermath of data breaches,” Dylan said.

He says legal frameworks must evolve to keep pace with the sophistication of both cyberattacks and the ethical dilemmas they generate, and the approach taken by Columbus is a mistake.

Meanwhile, the legal process will grind on for Goodwolf. Despite Columbus and Goodwolf reaching an agreement last week on the dissemination of information, the city is still suing him for damages in a civil suit that could reach $25,000 or higher. Goodwolf is representing himself in his talks with the city, though he says he has a lawyer on standby if needed.

Some residents have filed a class-action lawsuit against the city. Goodwolf says that 55% of the information breached has been sold on the dark web, while 45% is available for anyone with the skills to access it.

Dylan thinks the city is taking a big risk, even if its actions may be legally defensible, by creating the appearance of an attempt to silence discourse rather than encourage transparency. “It’s a strategy that could backfire, both in terms of public trust and future litigation,” he said.

“I am hoping the city realizes the mistake of filing a civil suit and the implications not just on security,” Goodwolf said, noting that Intel is building a $1 billion facility in a Columbus suburb. In recent years, the city has been positioning itself as a new tech hub in the Midwest, and attacking white hats and cybersecurity researchers, he said, could cause some in the tech sector to rethink it as a location.

Amazon cashierless tech competitor Grabango shutters after failing to secure funding

Grabango, a venture-backed startup that was vying to take on Amazon in cashierless checkout technology, is shutting down after it was unable to raise enough money to stay afloat.

“Although the company established itself as a leader in checkout-free technology, it was not able to secure the funding it needed to continue providing service to its clients,” a spokesperson said in a statement to CNBC on Wednesday. “The company would like to thank its employees, investors, and clients for all their hard work and dedication.”

Food tech publication The Spoon reported earlier on Grabango’s closure.

Launched in 2016, Grabango was developing checkout-free technology that uses computer vision and machine learning to track and tally up items as shoppers grab them from store shelves. Will Glaser, Grabango’s founder and CEO, is a longtime Bay Area technologist who cofounded music streaming service Pandora.

The company employed roughly 100 employees, according to LinkedIn and Pitchbook.

Grabango raised just over $73 million, Pitchbook data shows, with its most sizable financing round coming in 2021, before the market turned. In June of that year, Grabango raised $39 million in a round led by Commerce Ventures, with participation from Peter Thiel’s Founders Fund as well as the venture arms of Unilever and Honeywell.

In February of this year, Glaser told Axios the company had plans to go public “in a couple of years at a $10 billion to $15 billion market cap.”

The IPO market has dried up since early 2022, with just three notable venture-backed companies debuting in the U.S. this year. The lack of liquidity has hammered the venture industry, making it harder for firms to launch new funds and for startups, outside of a select few AI companies, to raise capital.

Based in Berkeley, California, Grabango was seen as one of the primary rivals to Amazon’s cashierless checkout offering, called Just Walk Out. Other startups in the space include AiFi and Trigo.

Grabango had inked deals with grocers including Aldi and Giant Eagle, along with convenience store chains 7-Eleven and Circle K. Amazon has targeted its Just Walk Out service to convenience stores and retailers in airports, stadiums and hospitals, among other venues.

Amazon in April pulled its cashierless checkout technology from its U.S. Fresh stores and Whole Foods supermarkets. In a blog post following that decision, Glaser said Amazon’s reliance on shelf sensor technology in its JWO system had “proven to be its Achilles’ heel.” Glaser said Grabango eschewed shelf sensors in favor of computer vision, which put it on a path for “widespread adoption.”

“This is a classic Tortoise and Hare parable, but with the players taking on surprising roles,” Glaser wrote. “The much larger Amazon leapt to an early lead, but was unable to turn it into a sustained success. The more nimble Grabango, ironically, took the more difficult technical path, and is now reaping the benefits of its patience with a fundamentally more capable system.”

— CNBC’s Ari Levy contributed to this report.

Amazon tests adding robot warehouses to Whole Foods so shoppers can pick up other orders at checkout

Amazon said Wednesday it’s testing adding mini warehouses to Whole Foods supermarkets as part of a bid to attract more shoppers to its stores and away from other grocery competitors.

The company is building a micro fulfillment center attached to a Whole Foods location in the Philadelphia suburb of Plymouth Meeting, Pennsylvania. Once the facility is operational within the next year, shoppers can order items from Amazon’s website and its online grocery service, Amazon Fresh, while browsing Whole Foods and pick them up in store as they’re checking out.

At a press event held near an Amazon warehouse in Nashville, Anand Varadarajan, who leads the product and technology teams for Amazon’s worldwide grocery business, showed a mockup of what the completed facility will look like. A small automated warehouse would be bolted onto a Whole Foods store, where robots fetch and ferry items like socks, soda bottles or tennis rackets and place them into bags for pickup by the shopper.

The arrangement would allow shoppers to buy staple goods from brands that aren’t carried at Whole Foods markets like Pepsi soda and Kellogg’s cereal, and tap into Amazon’s vast online catalog of items.

Amazon said it’s looking to “eliminate those extra trips” made by shoppers to other grocery stores. The average American shops at two different grocery stores per week, whether to maximize their cost savings, shop from a broader range of products, or take advantage of different promotions at each store, according to an April study from market research firm Drive Research.

“Customers shopping at Whole Foods Market today are looking for natural and organic products,” Varadarajan said during a presentation on Wednesday. “However, our data shows that many of them also visit additional stores to complete their regular grocery shopping needs. With our micro fulfillment center, we can reduce the need for our customers to visit different stores or make multiple online orders.”

Amazon has for years angled to gobble up a bigger share of the grocery market. It’s a category where Americans frequently spend money, more than other verticals like clothes or electronics. But Amazon also faces stiff competition from entrenched players like Walmart, Kroger and Albertsons, along with regional grocers.

In 2017, it spent $13.7 billion to acquire Whole Foods, a price tag more than 10 times higher than Amazon had paid in any prior deal. It’s also launched a growing stable of grocery offerings, including a grocery delivery service and its own supermarket chain, Amazon Fresh, aimed at the mass market.

Amazon CEO Andy Jassy has also said the company has a growing business selling “everyday essentials” like paper towels, dish soap and other items.

OpenAI says bad actors are using its platform to disrupt elections, but with little ‘viral engagement’

OpenAI is increasingly becoming a platform of choice for cyber actors looking to influence democratic elections across the globe.

In a 54-page report published Wednesday, the ChatGPT creator said that it’s disrupted “more than 20 operations and deceptive networks from around the world that attempted to use our models.” The threats ranged from AI-generated website articles to social media posts by fake accounts.

The company said its update on “influence and cyber operations” was intended to provide a “snapshot” of what it’s seeing and to identify “an initial set of trends that we believe can inform debate on how AI fits into the broader threat landscape.”

OpenAI’s report lands less than a month before the U.S. presidential election. Beyond the U.S., it’s a significant year for elections worldwide, with contests taking place that affect upward of 4 billion people in more than 40 countries. The rise of AI-generated content has led to serious election-related misinformation concerns, with the number of deepfakes that have been created increasing 900% year over year, according to data from Clarity, a machine learning firm.

Misinformation in elections is not a new phenomenon. It’s been a major problem dating back to the 2016 U.S. presidential campaign, when Russian actors found cheap and easy ways to spread false content across social platforms. In 2020, social networks were inundated with misinformation on Covid vaccines and election fraud.

Lawmakers’ concerns today are more focused on the rise in generative AI, which took off in late 2022 with the launch of ChatGPT and is now being adopted by companies of all sizes.

OpenAI wrote in its report that election-related uses of AI “ranged in complexity from simple requests for content generation, to complex, multi-stage efforts to analyze and reply to social media posts.” The social media content related mostly to elections in the U.S. and Rwanda, and to a lesser extent, elections in India and the EU, OpenAI said.

In late August, an Iranian operation used OpenAI’s products to generate “long-form articles” and social media comments about the U.S. election, as well as other topics, but the company said the majority of identified posts received few or no likes, shares and comments. In July, the company banned ChatGPT accounts in Rwanda that were posting election-related comments on X. And in May, an Israeli company used ChatGPT to generate social media comments about elections in India. OpenAI wrote that it was able to address the case within less than 24 hours.

In June, OpenAI addressed a covert operation that used its products to generate comments about the European Parliament elections in France, and politics in the U.S., Germany, Italy and Poland. The company said that while most social media posts it identified received few likes or shares, some real people did reply to the AI-generated posts.

None of the election-related operations were able to attract “viral engagement” or build “sustained audiences” via the use of ChatGPT and OpenAI’s other tools, the company wrote.
