Beer

BrewDog Exposes Data of 200,000 Customers and Shareholders (techradar.com)

An anonymous reader quotes a report from TechRadar: BrewDog, one of the world's largest craft beer brewers, has exposed personally identifiable information (PII) belonging to more than 200,000 of its shareholders and customers, according to cybersecurity researchers. Cybersecurity consulting firm PenTest Partners discovered that a flaw in the official BrewDog app, which persisted for more than 18 months, made it easy for anyone to access the PII of other users. In its detailed report, PenTest Partners notes that the mobile app doled out the same hard-coded API Bearer Token to every user, which effectively rendered request authorization useless. The researchers say that, because of the flaw, any user could append the customerID of another user to the API endpoint URL to extract their PII and other details. In addition to being damaging to the user, the flaw could've also been used to adversely affect the company, since the leaked details could've been used to generate QR codes to get discounted and even free beers. BrewDog started using hard-coded tokens with v2.5.5 of its app, launched in March 2020, before finally patching the flaw in the v2.5.13 release in September 2021.
Facebook

Facebook Says Some of Its Services Are Having Issues Again (theverge.com) 12

Instagram has been experiencing issues for many of us here at The Verge, but it turns out that the problem might be broader than that, according to a statement from Facebook. From a report: "We're aware that some people are having trouble accessing our apps and products," Facebook said in a tweet. "We're working to get things back to normal as quickly as possible and we apologize for any inconvenience."
The Almighty Buck

Anyone Seen Tether's Billions? (bloomberg.com) 27

A wild search for the U.S. dollars supposedly backing the stablecoin at the center of the global cryptocurrency trade -- and in the crosshairs of U.S. regulators and prosecutors. From a report: In July, Treasury Secretary Janet Yellen summoned the chair of the Federal Reserve, the head of the Securities and Exchange Commission, and six other top officials for a meeting to discuss Tether. The absurdity of the situation couldn't have been lost on them: Inflation was spiking, a Covid surge threatened the economic recovery, and Yellen wanted to talk about a digital currency dreamed up by the former child actor who'd missed a penalty shot in The Mighty Ducks. But Tether had gotten so large that it threatened to put the U.S. financial system at risk. It was as if a playground snowball fight had escalated so wildly that the Joint Chiefs of Staff were being called in to avert a nuclear war.

Tether is what's come to be known in financial circles as a stablecoin -- stable because one Tether is supposed to be backed by one dollar. But it's actually more like a bank. The company that issues the currency, Tether Holdings Ltd., takes in dollars from people who want to trade crypto and credits their digital wallets with an equal amount of Tethers in return. Once they have Tethers, people can send them to cryptocurrency exchanges and use them to bet on the price of Bitcoin, Ether, or any of the thousands of other coins. And at least in theory, Tether Holdings holds on to the dollars so it can return them to anyone who wants to send in their tokens and get their money back. The convoluted mechanism became popular because real banks didn't want to do business with crypto companies, especially foreign ones.

Exactly how Tether is backed, or if it's truly backed at all, has always been a mystery. For years a persistent group of critics has argued that, despite the company's assurances, Tether Holdings doesn't have enough assets to maintain the 1-to-1 exchange rate, meaning its coin is essentially a fraud. But in the crypto world, where joke coins with pictures of dogs can be worth billions of dollars and scammers periodically make fortunes with preposterous-sounding schemes, Tether seemed like just another curiosity. Then, this year, Tether Holdings started putting out a huge amount of digital coins. There are now 69 billion Tethers in circulation, 48 billion of them issued this year. That means the company supposedly holds a corresponding $69 billion in real money to back the coins -- an amount that would make it one of the 50 largest banks in the U.S., if it were a U.S. bank and not an unregulated offshore company.

News

The Ship That Became a Bomb (newyorker.com) 17

Stranded in Yemen's war zone, a decaying supertanker has more than a million barrels of oil aboard. If -- or when -- it explodes or sinks, thousands may die. From a report: Soon, a vast, decrepit oil tanker in the Red Sea will likely sink, catch fire, or explode. The vessel, the F.S.O. Safer -- pronounced "Saffer" -- is named for a patch of desert near the city of Marib, in central Yemen, where the country's first reserves of crude oil were discovered. In 1987, the Safer was redesigned as a floating storage-and-off-loading facility, or F.S.O., becoming the terminus of a pipeline that began at the Marib oil fields and proceeded westward, across mountains and five miles of seafloor. The ship has been moored there ever since, and recently it has degraded to the verge of collapse. More than a million barrels of oil are currently stored in its tanks. The Exxon Valdez spilled about a quarter of that volume when it ran aground in Alaska, in 1989.

The Safer's problems are manifold and intertwined. It is forty-five years old -- ancient for an oil tanker. Its age would not matter so much were it being maintained properly, but it is not. In 2014, members of one of Yemen's powerful clans, the Houthis, launched a successful coup, presaging a brutal conflict that continues to this day. Before the war, the Yemeni state-run firm that owns the ship -- the Safer Exploration & Production Operations Company, or SEPOC -- spent some twenty million dollars a year taking care of the vessel. Now the company can afford to make only the most rudimentary emergency repairs. More than fifty people worked on the Safer before the war; seven remain. This skeleton crew, which operates with scant provisions and no air-conditioning or ventilation below deck -- interior temperatures on the ship frequently surpass a hundred and twenty degrees -- is monitored by soldiers from the Houthi militia, which now occupies the territory where the Safer is situated. The Houthi leadership has obstructed efforts by foreign entities to inspect the ship or to siphon its oil. The risk of a disaster increases every day.

A vessel without power is known as a dead ship. The Safer died in 2017, when its steam boilers ran out of fuel. A boiler is a tanker's heart, because it generates the power and the steam needed to run vital systems. Two diesel generators on deck now provide electricity for basic needs, such as laptop charging. But crucial processes driven by the boiler system have ceased -- most notably, "inerting," in which inert gases are pumped into the tanks where the crude is stored, to neutralize flammable hydrocarbons that rise off the oil. Before inerting became a commonplace safety measure, in the nineteen-seventies, tankers blew up surprisingly often, and with lethal consequences: in December, 1969, three of them exploded within seventeen days, killing four men. Since the boilers on the Safer stopped working, the ship has been a tinderbox, vulnerable to a static-electric spark, a discharged weapon, a tossed cigarette butt. [...] The Safer is not sinking. It is not on fire. It has not exploded. It is not leaking oil. Yet the crew of the ship, and every informed observer, expects disaster to occur soon. But how soon? A year? Six months? Two weeks? Tomorrow? In May, Ahmed Kulaib, the former executive at SEPOC, told me that "it could be after five minutes."

Iphone

Google Exec Calls on Apple To Adopt Better, More Secure Text Messaging (cultofmac.com) 34

Google executive Hiroshi Lockheimer has called on Apple to adopt the Rich Communication Services (RCS) protocol that would enable improved and more secure messaging between iPhone and Android devices. From a report: RCS brings a number of modern features -- including support for audio messages, group chats, typing indicators and read receipts -- and end-to-end encryption to traditional text messaging. But it's unlikely Apple will play ball.

[...] Lockheimer, senior vice president for Android, has encouraged the company to change its mind. In response to a tweet about how group chats are incompatible between iPhone and Android devices, Lockheimer said, "group chats don't need to break this way. There exists a Really Clear Solution." "Here's an open invitation to the folks who can make this right: we are here to help." Lockheimer doesn't mention Apple specifically, but it's clear that the "folks" he is referring to are those in Cupertino, who have been against RCS.

Facebook

Facebook Bans Developer Behind Unfollow Everything Tool (theverge.com) 56

A developer who made a tool that let people automatically unfollow friends and groups on Facebook says he's been banned permanently from the social networking site. From a report: Louis Barclay was the creator of "Unfollow Everything," a browser extension that allowed Facebook users to essentially delete their News Feed by unfollowing all their connections at once. Facebook allows users to individually unfollow friends, groups, and pages, which removes their content from the News Feed, the algorithmically-controlled heart of Facebook. Barclay's tool automated this process, instantly wiping users' News Feed.

[...] In response, Facebook sent Barclay a cease-and-desist letter earlier this year, saying he'd violated the site's terms of service by creating software that automated user interactions. Barclay says the company then "permanently disabled my Facebook and Instagram accounts" and "demanded that I agree to never again create tools that interact with Facebook or its other services."

Microsoft

EU Questions Microsoft Rivals Over Teams Integration in Office (reuters.com) 21

EU antitrust regulators are following up on a complaint by Slack by asking Microsoft's rivals whether its Teams app, integrated with its Office product, gives it greater clout, in a sign that they could open an investigation. From a report: In a questionnaire sent to rivals and seen by Reuters, the European Commission is focusing on the period 2016 to 2021. Microsoft introduced Teams in early 2017 to compete with Slack and others in the fast-growing workplace collaboration market. Slack, bought by business software maker Salesforce.com in July, took its grievance over Microsoft's Teams software to the Commission last year. Microsoft, which was handed 2.2 billion euros ($2.6 billion) in EU fines for cases involving so-called tying and other practices in the previous decade, declined to comment.
Google

Google To Give Security Keys To 'High Risk' Users Targeted by Government Hackers (techcrunch.com) 14

Google has said it will provide 10,000 "high-risk" users with free hardware security keys, days after the company warned thousands of Gmail users that they were targeted by state-sponsored hackers. From a report: The warning, sent by Google's Threat Analysis Group (TAG), alerted more than 14,000 Gmail users that they had been targeted in a state-sponsored phishing campaign from APT28, also known as Fancy Bear, said to be made up of operatives of Russia's GRU intelligence agency. Fancy Bear has been active for more than a decade but it's widely known for hacking into the Democratic National Committee and its disinformation and election influencing campaign in the run-up to the 2016 U.S. presidential election. "These warnings indicate targeting not compromise. If we are warning you there's a very high chance we blocked," Google's TAG director Shane Huntley wrote in a Twitter thread on Thursday. "The increased numbers this month come from a small number of widely targeted campaigns which were blocked."
Security

Twitch Defaced With Pictures of Jeff Bezos (theverge.com) 17

Hackers have managed to deface Twitch for a few hours this morning, replacing a number of background game images with photos of Amazon CEO Jeff Bezos. From a report: Users reported seeing images of Bezos in the listings for GTA V, Dota 2, Smite, Minecraft, Apex Legends, and many more on the Amazon-owned service. It's not clear how the background images were changed or whether this latest incident was aided by a huge security breach at Twitch earlier this week. Hackers were able to exploit a server misconfiguration and steal hundreds of gigabytes of information. Twitch is still investigating the breach, and so far a wealth of information pertaining to the website's source code, unreleased projects, and even how much the top streamers make has been released.
Apple

Epic Games CEO Tim Sweeney Calls Out Apple for Promoting Its Services in the iPhone Settings Screen (techcrunch.com) 47

Epic Games CEO Tim Sweeney, whose high-profile antitrust lawsuit against Apple is now under appeal, is today calling out the iPhone maker for giving itself access to an advertising slot its competitors don't have: the iPhone's Settings screen. From a report: Some iOS 15 users noticed Apple is now advertising its own services at the top of their Settings, just below their Apple ID. The services being suggested appear to be personalized to the device owner, based on which ones they already subscribe to. For example, those without an Apple Music subscription may see an ad offering a free six-month trial. However, current Apple Music subscribers may instead see a prompt to add on a service they don't yet have, like AppleCare coverage for their devices.

Sweeney suggests this sort of first-party advertising is an anticompetitive risk for Apple, as some of the services it's pushing here are those that directly compete with third-party apps published on its App Store. But those third-party apps can't gain access to the iPhone's Settings screen, of course -- they can only bid for ad slots within the App Store itself. Writes Sweeney: "New from the guys who banned Fortnite: settings-screen ads for their own music service, which come before the actual settings, and which aren't available to other advertisers like Spotify or Sound Cloud."

Microsoft

Microsoft Has Committed To Right To Repair (vice.com) 38

Microsoft just promised it's going to make it easier for its customers to repair the products it sells in the near future. As first reported by Grist, the company will study the environmental impact of right-to-repair and act on its findings by the end of next year. From a report: The initiative is a reaction to a shareholder resolution filed in June 2021 that demanded the company seriously consider the environmental impact of making its products easier to repair, which itself was fueled by the broader right to repair movement, which has been gaining momentum for years. The shareholders partnered with As You Sow, a non-profit specializing in shareholder advocacy, to help them put pressure on Microsoft. It seems to have worked.
Crime

Car Thieves Arrested After Using $27,000 Game Boy Device (bbc.com) 83

An anonymous reader quotes a report from the BBC: A gang of car thieves used a handheld device disguised as a Nintendo Game Boy to steal vehicles worth $245,000. Dylan Armer, Christopher Bowes and Thomas Poulson stole five Mitsubishi Outlanders by using the gadget to bypass the cars' security systems. West Yorkshire Police said the device, worth $27,000, could unlock and start a car "in a matter of seconds." The trio, all from Yorkshire, were jailed at Leeds Crown Court after pleading guilty to conspiracy to steal. CCTV footage of the theft showed them unplug the car from its charging point before using the device to unlock and start it. When officers stopped the three men they found the Game Boy-style gadget hidden in a secret compartment of their car. Police said footage recovered from Poulson's phone showed him demonstrating "how quickly and easily the gadget gave them full access to the vehicles, accompanied by a commentary in mocking tones." The force added that the "significant investment required to buy one of the sophisticated devices suggested the thefts were planned and orchestrated crimes."
Government

US Department of Justice Creates Cryptocurrency Enforcement Unit (theverge.com) 53

The US Department of Justice has created a team to investigate cryptocurrency-related crime. The Verge reports: The National Cryptocurrency Enforcement Team (NCET) will handle investigations of "crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors," the agency said in a news release. Mixing and tumbling services can obscure the source of a cryptocurrency transaction by mixing it with other funds. Cryptocurrency is "used in a wide variety of criminal activity," including ransomware demand payments, money laundering, and the illegal sale of drugs, weapons, and malware, the agency noted. Several high-profile ransomware cases have involved demands in cryptocurrency, including the Colonial Pipeline attack in May, where the company reportedly paid a $5 million ransom to DarkSide.

The DOJ says the NCET, which will provide expertise in blockchain and cryptocurrency transactions for the Justice Department and other US government agencies, will draw team members from the DOJ's money laundering, intellectual property, and computer crimes divisions, as well as from US attorneys' offices across the country. The team will be under the supervision of Assistant Attorney General Kenneth Polite Jr. to start, but the Justice Department is seeking to hire someone who has "experience with complex criminal investigations and prosecutions, as well as the technology underpinning cryptocurrencies and the blockchain," on a more permanent basis.

Medicine

WSU Will Lead $125 Million Global Project To Find, Analyze Animal Viruses (geekwire.com) 29

Washington State University this week launched a new $125 million program to collect and analyze animal viruses with the aim of preventing the next pandemic. GeekWire reports: The program is funded with an award from the U.S. Agency for International Development and includes researchers at the University of Washington and the Seattle-based nonprofit PATH. The project will partner with up to 12 countries in Africa, Asia and Latin America to build up lab capacity for surveillance of animal viruses that have the potential to "spillover" into humans and cause disease. The project will survey wildlife and domesticated animals for three families of viruses -- coronaviruses, filoviruses (which include Ebola), and paramyxoviruses (which are in the same family as the measles and Nipah viruses). Researchers will not be working in the lab with the live viruses and will kill them as part of the collection process.

The team aims to collect more than 800,000 samples in the five years of the project, called Discovery & Exploration of Emerging Pathogens -- Viral Zoonoses, or DEEP VZN. The project is expected to yield 8,000 to 12,000 novel, previously unknown, viruses for analysis. The program has parallels with another USAID-funded program, STOP Spillover, which assesses risk factors for animal-to-human disease transmission and implements interventions to stop it. DEEP VZN will select partner sites outside the U.S. based on factors such as commitment to data sharing and whether there are lots of interactions between humans and animals in the region. Other partners for the project include Washington University in St. Louis and the nonprofit FHI 360.

Security

Hackers of SolarWinds Stole Data On US Sanctions Policy, Intelligence Probes (reuters.com) 12

An anonymous reader writes: The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country's response to COVID-19, people involved in the investigation told Reuters. The hacks were widely publicized after their discovery late last year, and American officials have blamed Russia's SVR foreign intelligence service, which denies the activity. But little has been disclosed about the spies' aims and successes. [...] It has been previously reported that the hackers breached unclassified Justice Department networks and read emails at the departments of treasury, commerce and homeland security. Nine federal agencies were breached. The hackers also stole digital certificates used to convince computers that software is authorized to run on them and source code from Microsoft (MSFT.O) and other tech companies. One of the people involved said that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.

In an annual threat-review paper released on Thursday, Microsoft said the Russian spies were ultimately looking for government material on sanctions and other Russia-related policies, along with U.S. methods for catching Russian hackers. Cristin Goodwin, general manager of Microsoft's Digital Security Unit, said the company drew its conclusions from the types of customers and accounts it saw being targeted. In such cases, she told Reuters, "You can infer the operational aims from that." Others who worked on the government's investigation went further, saying they could see the terms that the Russians used in their searches of U.S. digital files, including "sanctions."

Chris Krebs, the former head of U.S. cyber-defense agency CISA and now an adviser to SolarWinds and other companies, said the combined descriptions of the attackers' goals were logical. "If I'm a threat actor in an environment, I've got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense," Krebs said. The second thing is to learn how the target responds to attacks, or "counter-incident response," he said: "I want to know what they know about me so I can improve my tradecraft and avoid detection."
