Robert Grupe's AppSecNewsBits & AI 2024-10-26
Lame List: UnitedHealthcare, Landmark insurance, LinkedIn, hard coded credentials, verified email addresses, legal actions and penalties, ...
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
UnitedHealth says Change Healthcare hack affects over 100 million, the largest-ever US healthcare data breach
Portions of Change Healthcare’s network remain offline as the company continues to recover from the February cyberattack.
This is the first time that UnitedHealth Group (UHG), the U.S. health insurance provider that owns the health tech company, has put a number on the individuals affected by the data breach, after previously saying it anticipated the breach to include data on a “substantial proportion of people in America.”
The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, and one of the biggest data breaches in living history. The ramifications for the millions of Americans whose private medical information was irretrievably stolen are likely to be lifelong.
By gaining access to a critical internal system using only a stolen password, the ransomware gang was able to reach other parts of Change Healthcare’s network and deploy ransomware.
[rG: While the initial intrusion was a failing of weak access management, preventable defense-in-depth failings in lateral movement and data protection led to the ultimate sensitive-data exfiltration and exposure attack chain.]
Ransomware's ripple effect felt across ERs as patient care suffers
Ransomware infected 389 US healthcare organizations this fiscal year, putting patients' lives at risk and costing facilities up to $900,000 a day in downtime alone.
The average admitted ransom payment is now up to $4.4 million. The harm reaches hospitals hit by a ransomware attack as well as those nearby:
Stroke code activation at hospitals close to one suffering from a ransomware infection jumped from 59 to 103, while confirmed strokes skyrocketed 113.6 percent, from 22 to 47 cases, according to a 2023 study.
It also found reported cardiac arrests at a nearby hospital dealing with an infected hospital's overflow of patients increased 81 percent, from 21 cases to 38.
Meanwhile, survival rates for out-of-hospital cardiac arrests with favorable neurological outcomes plummeted, from 40 percent pre-ransomware infection to 4.5 percent during the incident.
In addition to the Russians and Iranians, Chinese crews are also getting in on the healthcare ransomware game and using it as a cover for their government-backed espionage activity.
Insurance admin Landmark says data breach impacts 800,000 people
Landmark Admin is a third-party administrator for insurance companies, offering back-office services like new business processing and claims administration for large insurance carriers.
Landmark says it detected suspicious activity on May 13th, 2024, causing the company to shut down IT systems and remote access to its network to prevent the spread of the attack.
Landmark engaged with a third-party cybersecurity company to remediate the incident and investigate whether data was stolen in the attack.
During this investigation, Landmark says it found evidence that the threat actor accessed some files during the attack that contained the personal information of 806,519 people.
Landmark says the investigation is ongoing. It is unknown if it was ransomware or a data theft attack.
[rG: Failure of logging, monitoring, and response – so far.]
Millions of Android and iOS users at risk from hardcoded creds in popular apps
The problem stems from lazy coding. Leaving creds in code means anyone with access to the app's binary or source code could gain access to backend infrastructure and potentially exfiltrate user data.
Symantec recommends users install a third-party security system to block any of the consequences of these coding errors, and – surprise, surprise – it has one for the purpose. Users should also be very wary of whatever permissions their apps ask for and only install apps from trusted sources.
Or developers could just write better code and use services like AWS Secrets Manager or Azure Key Vault that are designed to keep sensitive information in a safe place. Symantec's researchers also recommend encrypting everything and conducting regular code reviews and security scanning.
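The defect Symantec describes is the kind of thing a build-time check can catch. As an added example (not from Symantec's research or the article), here is a minimal scanner that pulls printable strings out of an app binary the way the `strings` utility does and matches them against a few well-known credential shapes; the patterns, the placeholder heuristic and the sample binary are all constructed for this illustration, and the AWS values are the publicly documented example credentials.

```python
"""Added example: find embedded credentials in an app binary or source file.
Not from the article; patterns and sample input are constructed for the demo."""
import re
from typing import Iterator, List, Tuple

# Printable ASCII runs, the same extraction the `strings` utility performs.
MIN_STRING_LEN = 8
STRINGS_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Illustrative credential shapes. Production scanners (gitleaks, trufflehog,
# semgrep secret rules) carry hundreds of these; the shapes below are public.
PATTERNS = {
    # AWS access key IDs: 4-char prefix + 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?P<value>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # Google API keys: 'AIza' + 35 URL-safe characters.
    "google_api_key": re.compile(r"\b(?P<value>AIza[0-9A-Za-z_-]{35})\b"),
    # PEM private key header of any key type.
    "private_key_block": re.compile(r"(?P<value>-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
    # Generic name=value where the name smells like a secret.
    "generic_assignment": re.compile(
        r"(?i)[\w-]*(?:secret|passw(?:or)?d|api[_-]?key|token)[\w-]*\s*[:=]\s*"
        r"['\"]?(?P<value>[^\s'\";]{8,})"),
}

# Values that reference a vault or the environment rather than embed a secret:
# ${VAR}, {{ template }}, <placeholder>, %(name)s.
PLACEHOLDER_RE = re.compile(r"^\$\{|^\{\{|^<[^>]*>$|^%\(")


def extract_strings(blob: bytes) -> Iterator[str]:
    """Yield printable runs of at least MIN_STRING_LEN bytes."""
    for m in STRINGS_RE.finditer(blob):
        yield m.group().decode("ascii")


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER_RE.search(value) is not None


def find_secrets(blob: bytes) -> List[Tuple[str, str]]:
    """Return (pattern_name, matched_value) pairs, deduplicated, in file order."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for s in extract_strings(blob):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(s):
                value = m.group("value")
                if is_placeholder(value) or (name, value) in seen:
                    continue
                seen.add((name, value))
                findings.append((name, value))
    return findings


# Constructed stand-in for an app binary: an ELF-like header, then strings a
# careless build might leave in the data section. The AWS values are the
# documented example credentials, not live keys.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\x00"
    + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"db_password=${DB_PASSWORD}\x00"          # vault reference, not a secret
    + b"https://api.example.com/v1/login\x00"
)

if __name__ == "__main__":
    for name, value in find_secrets(SAMPLE_BINARY):
        print(f"{name}: {value}")
```

Run it over the unpacked APK/IPA contents in CI and fail the build on any finding; the placeholder check keeps references such as `${DB_PASSWORD}` out of the report.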
'Satanic' data thief claims to have slipped into 350M Hot Topic shoppers info
A data thief calling themselves Satanic is asking for $20,000 for the database, which is very low but understandable given the paucity of actionable information stolen - the wages of sin are scarce at this level. Satanic also offered Hot Topic the chance to pay $100,000 to remove the sale listing.
The leak appears to have come from an employee at Robling, a retail analytics business. The data most likely came from a staffer who picked up a malware infection in September, and the shoplifted data contained 240 credentials. Satanic first claimed that the breach originated from an infostealer log, and provided a username matching the one found on the computer researchers were investigating.
FortiGate admins report active exploitation 0-day. Vendor isn’t talking
Fortinet, a maker of network security software, has kept a critical vulnerability under wraps for more than a week amid reports that attackers are using it to execute malicious code on servers.
Fortinet representatives have yet to release any sort of public advisory detailing the vulnerability or the specific software that’s affected.
People are quite openly posting what is happening on Reddit now: threat actors are registering rogue FortiGates into FortiManager with hostnames like 'localhost' and using them to get remote code execution.
The vulnerability likely resides in the FortiGate to FortiManager protocol. FGFM is the protocol that allows FortiGate firewall devices to communicate with the manager over port 541. The Shodan search engine shows more than 60,000 such connections exposed to the Internet.
Update
Mandiant began working with Fortinet earlier this month to investigate the digital break-ins, and determined the exploitation began around June 27. A new threat cluster, UNC5820, is behind the attacks.
UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords.
While the criminals could have abused this access to move laterally to the managed devices, and from there jump into enterprise systems, "at this stage of our investigations there is no evidence" that UNC5820 did compromise any additional environments in these attacks.
How WatchTowr Explored the Complexity of a Vulnerability in the Fortinet FortiGate SSLVPN appliance
It's a Format String vulnerability [that] quickly leads to Remote Code Execution via one of many well-studied mechanisms.
Tech firms to pay millions in SEC penalties for misleading SolarWinds disclosures
Avaya, Check Point, and Mimecast have agreed to fork over $1 million, $995,000, and $990,000, respectively, for "making materially misleading disclosures regarding cybersecurity risks and intrusions.” Unisys also faced charges of disclosure control and procedures violations, bringing its penalty to $4 million.
Avaya allegedly (none of the companies admitted or denied the allegations in their settlements) told shareholders that the compromise only led to a few emails being stolen while knowing that "at least 145 files in its cloud file sharing environment" had been accessed as well, while Mimecast appears to have failed to disclose the nature of what code was stolen or the number of encrypted credentials purloined from the firm.
Check Point supposedly knew what happened but only described the matter "in generic terms."
Meanwhile, Unisys "described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data."
In the meantime, let this be a reminder to any publicly-held company considering underreporting that cybersecurity incident: Someone might come looking to audit your report, even years later, so don't leave anything out.
Sync's vulnerabilities include unauthenticated key material, allowing attackers to inject their own encryption keys and compromise data. The lack of public key authentication in file sharing further enables attackers to decrypt shared files. Shared links expose passwords to the server, breaking confidentiality. Additionally, attackers can rename or move files undetected and even inject folders into user storage, making them appear as if the user uploaded them.
pCloud's main issues stem from unauthenticated key material, allowing attackers to overwrite private keys and force encryption with attacker-controlled keys. Public keys are also unauthenticated, giving attackers access to encrypted files. Additionally, attackers can inject files, manipulate metadata like file size, and reorder or remove chunks due to the lack of authentication in the chunking process.
Icedrive's use of unauthenticated CBC encryption makes it vulnerable to file tampering, allowing attackers to modify file contents. File names can also be truncated or altered. The chunking process lacks authentication, meaning attackers can reorder or remove file chunks, compromising file integrity.
Seafile is vulnerable to protocol downgrades, making password brute-forcing easier. Its use of unauthenticated CBC encryption allows file tampering, and unauthenticated chunking lets attackers manipulate file chunks. File names and locations are also unsecured, and the server can inject files or folders into user storage.
Tresorit's public key authentication relies on server-controlled certificates, which attackers can replace to access shared files. Metadata is also vulnerable to tampering, allowing attackers to alter file creation details and mislead users.
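Several of the findings above come down to one missing property: a chunk's tag never says which file and which position it belongs to, so a server can reorder, drop or splice chunks without breaking any check. The following added example (not from the research summarized above or from any provider's code) shows the weak per-chunk form beside a positional form that binds (file_id, index, total) into an HMAC; the ciphertext chunks are random stand-ins for already-encrypted data, and the key and file ids are constructed for the demo.

```python
"""Added example: why chunk integrity needs file identity and position bound
into the tag. Keys, file ids and ciphertext chunks are constructed stand-ins."""
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, List, Tuple

Chunk = Tuple[int, bytes, bytes]  # (index as stored by the server, ciphertext, tag)


class IntegrityError(Exception):
    pass


def _tag(mac_key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()


# --- Weak form: each chunk authenticated in isolation (kept for contrast) ---

def naive_protect(mac_key: bytes, chunks: List[bytes]) -> List[Chunk]:
    return [(i, c, _tag(mac_key, b"", c)) for i, c in enumerate(chunks)]


def naive_verify(mac_key: bytes, stored: List[Chunk]) -> bytes:
    # Catches bit-flips inside a chunk, but any permutation of valid chunks passes.
    for _i, c, t in stored:
        if not hmac.compare_digest(t, _tag(mac_key, b"", c)):
            raise IntegrityError("chunk content tampered")
    return b"".join(c for _i, c, _t in stored)


# --- Positional form: tag covers (file_id, index, total) plus the ciphertext ---

def _header(file_id: bytes, index: int, total: int) -> bytes:
    # Fixed-width fields: no delimiter ambiguity between file id and counters.
    return file_id + struct.pack(">II", index, total)


def protect(mac_key: bytes, file_id: bytes, chunks: List[bytes]) -> List[Chunk]:
    total = len(chunks)
    return [(i, c, _tag(mac_key, _header(file_id, i, total), c))
            for i, c in enumerate(chunks)]


def verify(mac_key: bytes, file_id: bytes, stored: List[Chunk]) -> bytes:
    """Recompute every tag from the slot the server actually returned it in.
    The server-supplied index is untrusted metadata; only the position counts."""
    total = len(stored)
    out = []
    for position, (_index, c, t) in enumerate(stored):
        expected = _tag(mac_key, _header(file_id, position, total), c)
        if not hmac.compare_digest(t, expected):
            raise IntegrityError(f"position {position}: not chunk {position} of this file")
        out.append(c)
    return b"".join(out)


# --- Manipulations available to a malicious or compromised server ---

def swap_first_two(stored: List[Chunk]) -> List[Chunk]:
    s = list(stored)
    s[0], s[1] = s[1], s[0]
    # The server also rewrites the stored indices so its metadata looks consistent.
    return [(pos, c, t) for pos, (_i, c, t) in enumerate(s)]


def flip_byte(stored: List[Chunk], position: int = 1) -> List[Chunk]:
    s = list(stored)
    i, c, t = s[position]
    s[position] = (i, bytes([c[0] ^ 0x01]) + c[1:], t)
    return s


def _detects(check: Callable[[], bytes]) -> bool:
    try:
        check()
    except IntegrityError:
        return True
    return False


def demo() -> Dict[str, bool]:
    mac_key = os.urandom(32)                                    # constructed demo key
    file_a = hashlib.sha256(b"demo/report.pdf").digest()[:16]   # constructed file ids
    file_b = hashlib.sha256(b"demo/other.pdf").digest()[:16]
    chunks = [os.urandom(64) for _ in range(3)]                 # stand-in ciphertexts
    protected = protect(mac_key, file_a, chunks)
    other = protect(mac_key, file_b, chunks)                    # same key, other file
    return {
        "roundtrip_ok": verify(mac_key, file_a, protected) == b"".join(chunks),
        # Content-only tags cannot tell that chunks 0 and 1 changed places.
        "naive_reorder_detected": _detects(
            lambda: naive_verify(mac_key, swap_first_two(naive_protect(mac_key, chunks)))),
        "reorder_detected": _detects(lambda: verify(mac_key, file_a, swap_first_two(protected))),
        "drop_detected": _detects(lambda: verify(mac_key, file_a, protected[:-1])),
        "tamper_detected": _detects(lambda: verify(mac_key, file_a, flip_byte(protected))),
        "splice_detected": _detects(
            lambda: verify(mac_key, file_a, protected[:1] + other[1:])),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In a real design the same header would go into the AEAD associated data (for example AES-GCM with the chunk header as AAD) rather than a separate HMAC; the binding of identity and position is the point, not the primitive.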
HACKING
Over 6,000 WordPress sites hacked to install plugins pushing infostealers
These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users. Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware.
In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.
If you find unknown plugins, you should also immediately reset the passwords for any admin users to a unique password only used at your site.
Pixel perfect Ghostpulse malware loader hides inside PNG image files
Previous versions of Ghostpulse were also difficult to detect and used sneaky methods such as hiding payloads in a PNG file's IDAT chunk. However, it now parses the image's pixels, embedding the malicious data within the structure. "The malware constructs a byte array by extracting each pixel's red, green, and blue (RGB) values sequentially using standard Windows APIs from the GdiPlus (GDI+) library," Bitam said. "Once the byte array is built, the malware searches for the start of a structure that contains the encrypted Ghostpulse configuration, including the XOR key needed for decryption."
Anthropic's latest Claude model can interact with computers – what could go wrong?
The latest iteration of Claude 3.5 Sonnet expands response options by allowing the model to "reason" about the state of the computer, and to take actions like invoking applications or services. There's also a file system editor tool for viewing, creating, and editing files. And there's a tool that allows the model to run bash commands, among others. Per Anthropic's own guidance: "In some circumstances, Claude will follow commands found in content even if it conflicts with the user's instructions. For example, instructions on webpages or contained in images may override instructions or cause Claude to make mistakes. We suggest taking precautions to isolate Claude from sensitive data and actions to avoid risks related to prompt injection."
Voice-enabled AI agents can automate everything, even your phone scams
The Realtime API, released earlier this month, provides a more or less equivalent capability to third-party developers. It allows developers to pass text or audio to OpenAI's GPT-4o model and have it respond with text, audio, or both.
The scamming agents consisted of OpenAI's GPT-4o model, a browser automation tool called Playwright, associated code, and fraud instructions for the model. They utilized browser action functions based on Playwright like get_html, navigate, click_element, fill_element, and evaluate_javascript, to interact with websites in conjunction with a standard jailbreaking prompt template to bypass GPT-4o safety controls.
The average cost of a successful scam is about $0.75.
Perfctl malware strikes again as crypto-crooks target Docker Remote API server
In the newer attack, the criminals also gained initial access via these internet-connected servers and then created a container from the ubuntu:mantic-20240405 base image. It uses specific settings to run in privileged mode with PID mode set to host, so that the container shares the Process ID (PID) namespace of the host system: the container's processes can see and interact with every process on the host as if they were running directly on it. The miscreants then execute a two-part payload using the Docker Exec API. The first part uses the nsenter command to escape the container. This command runs as root and allows the attacker to execute programs in different namespaces – such as the target's mount, UTS, IPC, network, and PID – and this gives it "similar capabilities as if it were running in the host system."
The second part of the payload contains a Base64-encoded shell script that checks for and prevents duplicate processes and creates a bash script. Once that is installed, it creates a custom __curl function that can be used when curl or wget is not present in the system, self-terminates if the architecture is not x86-64, checks for and confirms the presence of a malicious process, and looks for active TCP connections using ports 44870 or 63582.
To avoid becoming perfctl's next victim, the team at Trend recommends implementing strong access controls and authentication, and monitoring Docker Remote API servers for any unusual behavior.
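The container settings Trend Micro describes are visible in `docker inspect` output and can be checked mechanically. As an added example (not Trend Micro's or Docker's code), here is a small auditor that flags privileged mode, host PID namespace sharing and a few related host-escape enablers; the two inspect records are constructed to mirror the real field layout, one matching the attack pattern above and one benign.

```python
"""Added example: audit `docker inspect` output for host-escape enablers.
The two records in SAMPLE_INSPECT are constructed to mimic the real JSON shape."""
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, explanation)

# Bind-mounting these host paths is equivalent to handing over the host.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/proc", "/sys", "/etc", "/root", "/dev")
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def _under_sensitive_path(src: str) -> bool:
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(record: Dict) -> List[Finding]:
    """Return findings for one element of the `docker inspect` array."""
    host = record.get("HostConfig") or {}
    findings: List[Finding] = []
    if host.get("Privileged"):
        findings.append(("privileged",
                         "all capabilities and host devices, seccomp/AppArmor confinement off"))
    if host.get("PidMode") == "host":
        findings.append(("pid_host",
                         "shares the host PID namespace (what lets nsenter leave the container)"))
    if host.get("NetworkMode") == "host":
        findings.append(("network_host", "shares the host network namespace"))
    for cap in host.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in RISKY_CAPS:
            findings.append(("cap_add", f"{cap} allows namespace or kernel manipulation"))
    for opt in host.get("SecurityOpt") or []:
        if "unconfined" in opt:
            findings.append(("security_opt", f"{opt} disables a confinement layer"))
    for mount in record.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and _under_sensitive_path(src):
            findings.append(("bind_mount", f"{src} -> {mount.get('Destination')}"))
    return findings


def audit_all(records: List[Dict]) -> Dict[str, List[Finding]]:
    """Map container name (or id) to its findings; empty list means clean."""
    return {r.get("Name") or r.get("Id", "?"): audit_container(r) for r in records}


# Constructed inspect records: the first mirrors the container described above.
SAMPLE_INSPECT = json.loads(r"""
[
  {
    "Id": "0123456789ab",
    "Name": "/suspicious_miner",
    "Config": {"Image": "ubuntu:mantic-20240405", "Cmd": ["sleep", "infinity"]},
    "HostConfig": {"Privileged": true, "PidMode": "host", "NetworkMode": "default",
                   "CapAdd": null, "SecurityOpt": null},
    "Mounts": []
  },
  {
    "Id": "fedcba987654",
    "Name": "/web",
    "Config": {"Image": "nginx:stable", "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "bridge",
                   "CapAdd": null, "SecurityOpt": null},
    "Mounts": [{"Type": "bind", "Source": "/srv/www",
                "Destination": "/usr/share/nginx/html"}]
  }
]
""")

if __name__ == "__main__":
    import sys
    # Usage: docker inspect $(docker ps -q) > containers.json; python3 audit.py containers.json
    records = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSPECT
    print(json.dumps(audit_all(records), indent=2))
```

Run it on a schedule against every host whose Docker API is reachable over the network; a new container that trips `privileged` and `pid_host` together is the shape of the perfctl foothold.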
White Hat Hackers Earn $500,000 on First Day of Pwn2Own Ireland 2024
The highest single reward, $100,000, was earned by Sina Kheirkhah of Summoning Team, who chained a total of nine vulnerabilities for an attack that went from a QNAP QHora-322 router to a TrueNAS Mini X storage device.
Google Scholar has a 'verified email' for Sir Isaac Newton
According to Google Scholar, Isaac Newton is a "Professor of Physics, MIT" with a "Verified email at mit[.]edu."
Albert Einstein has yet to verify his email. He probably prefers letters.
"Verified" social media profiles have traditionally been associated with the likes of elite, famous, or notable public figures, and as such, these are generally checked for authenticity by a team behind the scenes. The same goes for accounts that pay for a blue tick—ultimately, there is a team of humans (paired with technology) running some basic checks to ensure that the person on social media is who they claim to be. A Google Scholar profile, on the other hand, makes no claims of Google verifying the identity of the profile owner. Instead, profiles state that their email address has been verified and hosted at the said institution.
APPSEC, DEVSECOPS, DEV
CHAI: Look for healthcare AI model 'nutrition labels' soon
The Coalition for Health AI this past Friday unveiled new plans for how it would certify independent artificial intelligence assurance labs. The draft frameworks come as the group – comprising health system heavy-hitters such as Mayo Clinic, Penn Medicine and Stanford, along with Amazon, Google, Microsoft and other Big Tech giants – set a timeline for its aim to standardize the output of testing labs by grading AI and ML models with so-called CHAI Model Cards – which the group likens to ingredient and nutrition labels on food products.
Created with the ANSI National Accreditation Board and several emerging quality assurance labs using ISO 17025 – it's the predominant standard for testing and calibration laboratories worldwide – the draft CHAI certification program framework requires, among other things, mandatory disclosure of conflicts of interest between assurance labs and model developers, and the protection of data and intellectual property. (That standard was also used for ONC's Electronic Health Record certification program.)
The new model cards were designed to comply with the HTI-1 requirements promulgated by ONC earlier this year, meant to be an easily legible starting point for organizations reviewing AI models during the procurement process, and for EHR vendors seeking to comply with the Health IT Certification Program.
Linus Torvalds Growing Frustrated By Buggy Hardware & Theoretical CPU Attacks
“Honestly, I'm pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.
So I think this time we push back on the hardware people and tell them it's THEIR damn problem, and if they can't even be bothered to say yay-or-nay, we just sit tight.
Because dammit, let's put the onus on where the blame lies, and not just take any random shit from bad hardware and say "oh, but it might be a problem".”
CISA proposes new security requirements to protect govt, personal data
Pursuant to Exec. Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.
VENDORS & PLATFORMS
OWASP’s Dependency-Check tool update: Key changes — and limitations
The Open Web Application Security Project (OWASP) has released a new version of its dependency-check tool, which can identify known vulnerabilities in third-party software components, measure and enforce policy compliance, respond to identified vulnerabilities, prioritize vulnerability mitigation, triage findings and policy violations, and produce a CycloneDX-based software bill of materials (SBOM).
While the dependency-check SCA tool is a great starting point for any organization pursuing software supply chain security (SSCS), it still leaves a lot to be desired when compared to many of the tools currently on the market.
Factal: Disaster Response Intelligence Service
Factal is a breaking news technology company that helps the world's largest organizations protect people, avoid disruptions and expedite disaster relief when global events put them at immediate risk.
Sales Qualification Agent "frees up time for the seller to spend on higher value activities by researching and prioritizing leads in the pipe and developing personalized sales emails to initiate a sales conversation."
Sales Order Agent "automates the order intake process from entry to confirmation by interacting with customers, capturing their preferences."
Supplier Communications Agent "autonomously manages collaboration with suppliers to confirm order delivery, while preempting potential delays."
Financial Reconciliation Agent "helps teams prepare and cleanse data sets to simplify and reduce time spent on the most labor-intensive part of the financial period close process that leads to financial reporting."
Account Reconciliation Agent "automates the matching and clearing of transactions between subledgers and the general ledger."
Time and Expense Agent "autonomously manages time entry, expense tracking and approval workflows."
Customer Intent Agent "continuously discovers new intents from past and current customer conversations across all channels, mapping issues and corresponding resolutions maintained by the agent in a library."
Customer Knowledge Management Agent "analyzes case notes, transcripts, summaries and other artifacts from human-assisted cases to uncover insights."
Case Management Agent "automates key tasks throughout the case lifecycle -- creation, resolution, follow up, closure -- to reduce handle time and alleviate the burden on service representatives."
Scheduling Operations Agent "helps optimize schedules […] accounting for issues such as traffic delays, double bookings, or last-minute cancellations that often result in conflicts or gaps."
[rG: Integration capabilities that may have potential uses for InfoSec GRC.]
Linus Torvalds affirms expulsion of Russian maintainers
Linux kernel developer Greg Kroah-Hartman published a message to the Linux kernel mailing list showing that a handful of Linux developers in the MAINTAINERS file had been removed. His explanation was vague. "Remove some entries due to various compliance requirements," Kroah-Hartman wrote. "They can come back in the future if sufficient documentation is provided." Mailing list participants pushed back, asking for further explanation about the removed names, all of which appear to be Russian and most of which are associated with a Russian (.ru) email address. Russia is currently subject to US government sanctions related to its February 2022 invasion of Ukraine and other concerns.
Torvalds responded to the mailing list challenges in the style for which he's become famous by attributing the blowback to Russian trolls. “If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news", I don't mean Russian state-sponsored spam. As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be supporting Russian aggression? Apparently it's not just lack of real news, it's lack of history knowledge too.”
[rG: Another era of technology collaboration ended by human self-inflicted Tower of Babel syndrome.]
Can We Turn Off AI Tools From Google, Microsoft, Apple, and Meta? Sometimes...
Google, Apple, Microsoft and Meta have all unleashed tech that they describe as artificial intelligence. Soon, the companies say, we’ll all be using artificial intelligence to write emails, generate images and summarize articles. Google will produce an AI-generated summary of the answer on top of the search results. And whenever you use the search tool inside Instagram, you may now be interacting with Meta’s chatbot, Meta AI. In addition, when Apple’s suite of AI tools, Apple Intelligence, arrives on iPhones and other Apple products through software updates this month, the tech will appear inside the buttons we use to edit text and photos.
It helps to know how to opt out. After I contacted Microsoft, Meta, Apple and Google, they offered steps to turn off their AI tools or data collection, where possible. I'll walk you through the steps.
The empire of C++ strikes back with Safe C++ blueprint
Rewriting a project in a different programming language is costly, so the aim here is to make memory safety more accessible by providing the same soundness guarantees as Rust at a lower cost.
Rust lacks function overloading, templates, inheritance and exceptions. C++ lacks traits, relocation and borrow checking. These discrepancies are responsible for an impedance mismatch when interfacing the two languages. Most code generators for inter-language bindings aren’t able to represent features of one language in terms of the features of another. Though DARPA is trying to develop better automated C++ to Rust conversion tools, telling veteran C++ developers to learn Rust isn't an answer. The foreignness of Rust for career C++ developers combined with the friction of interop tools makes hardening C++ applications by rewriting critical sections in Rust difficult.
LEGAL & REGULATORY
Russia sentences REvil ransomware members to over 4 years in prison
LinkedIn Fined More Than $300 Million in Ireland Over Personal Data Processing
Irish officials said LinkedIn wasn’t sufficiently informing users when seeking their consent to process third-party data for behavioral analysis and targeted advertising and ordered the platform to bring its processing into compliance.
The Global Surveillance Free-for-All in Mobile Ad Data
Babel Street’s LocateX platform also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices. Babel Street also bundles people-search services with its platform, to make it easier for customers to zero in on a specific device.
Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers, and from people-search services online. Backed by millions of dollars in litigation financing, Atlas so far this year has sued 151 consumer data brokers on behalf of a class that includes more than 20,000 New Jersey law enforcement officers who are signed up for Atlas services. Atlas alleges all of these data brokers have ignored repeated warnings that they are violating Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers.
An Atlas investigator showed how they isolated mobile devices seen in a New Jersey courtroom parking lot that was reserved for jurors, and then tracked one likely juror’s phone to their home address over several days. Using its trial account at Babel Street, the Atlas investigator was also able to track devices belonging to several plaintiffs named or referenced in the lawsuit. They did so by drawing a digital polygon around the home address or workplace of each person in Babel Street’s platform, which focused exclusively on the devices that passed through those addresses each day.
Location tracking of phones is out of control. Here’s how to fight back.
Android by accessing Settings > Location > App location permissions and, on iOS, Settings > Privacy & Security > Location Services.
iPhone users can do this by accessing Settings > Privacy & Security > Tracking.
Both operating systems will display a list of apps and whether they are permitted access always, never, only while the app is in use, or to prompt for permission each time. Both also allow users to choose whether the app sees precise locations down to a few feet or only a coarse-grained location.
Penn State pays DoJ $1.25M to settle cybersecurity compliance case
The DoJ contends in its settlement agreement that Penn State failed to comply with NIST SP 800-171, which outlines requirements for how non-government entities have to store controlled unclassified information (CUI). Fifteen contracts between Penn State, the DoD, and NASA involved "collection, development, receipt, transmission, use or storing" of such info for the agencies, necessitating compliance with the NIST regulation. Penn State told the government in late 2020 that it hadn't implemented all the requirements, but it never took steps to resolve the matter. In addition, Penn State abandoned its contract with government-compliant cloud host Box in favor of OneDrive, which doesn't meet NIST's CUI security requirements, to save money.
US lawmakers push DoJ to prosecute tax prep firms for leaking taxpayer data to big tech
The technology that leaks customer info is the tracking pixel. Those tiny, invisible images log everything website visitors do, and share the data with whoever is responsible for creating the tracking snippet – like Google, Meta, or even TikTok. Gathering and sharing that data, as personal and private as it may be, isn't explicitly illegal when service providers properly disclose what data is being collected, why they collect it, and who it's going to be shared with. Unfortunately for the tax time helpers examined by TIGTA, they don't appear to have made those disclosures. Improper disclosures contravene Treasury Department regulations on disclosure of tax return information, which the letter writers noted carries a penalty of $1,000 and up to a year in prison per violation.
FTC's rule banning fake online reviews goes into effect
A new Federal Trade Commission rule banning the sale or purchase of online reviews is now in effect. The rule bans reviews and testimonials attributed to people who don’t exist or are generated by artificial intelligence, people who don’t have experience with the business or product/services, or misrepresent their experience. It also bans businesses from creating or selling reviews or testimonials. Businesses that knowingly buy fake reviews, procure them from company insiders or disseminate fake reviews will be penalized. It also prohibits businesses from using “unfounded or groundless legal threats, physical threats, intimidation, or certain false public accusations.”
FTC Report Fraud website
Cable companies ask 5th Circuit to block FTC’s click-to-cancel rule
Lawsuits were filed about a week after the Federal Trade Commission approved a rule that "requires sellers to provide consumers with simple cancellation mechanisms to immediately halt all recurring charges."
In addition to the click-to-cancel provision, the FTC set out other requirements for "negative option" features in which a consumer's silence or failure to take action to reject or cancel an agreement is interpreted by the seller as acceptance of an offer.
The NCTA cable lobby group, which represents companies like Comcast and Charter, has complained about the rule's impact on their ability to talk customers out of canceling. NCTA CEO Michael Powell claimed during a January 2024 hearing that "a consumer may easily misunderstand the consequences of canceling and it may be imperative that they learn about better options" and that the rule's disclosure and consent requirements raise "First Amendment issues."
The Interactive Advertising Bureau argued at the same hearing that the rule would "restrict innovation without any corresponding benefit" and "constrain companies from being able to adapt their offerings to the needs of their customers."
San Francisco billboards call out tech firms for not paying for open source
The signs are the work of the Open Source Pledge – a group that launched earlier this month. It asks businesses that make use of open source code to pledge $2,000 per developer to support projects that develop the code. So far, 25 companies have signed up – but project co-founder Chad Whitacre wants bigger firms to pay their dues, too.
The issue of paying FOSS developers is neatly illustrated by Randall Munroe's classic xkcd 2347 comic titled Dependency that highlights how key software can often be maintained by a single individual – who is worthy of support, given the extent of reliance on their work.
Some businesses – such as US retailer Target – have started financing open source development along the same lines as the pledge program, and the Indian online exchange Zerodha has pledged $1 million a year to support open source programs.
Norway to increase minimum age limit on social media to 15 to protect children
The Scandinavian country already has a minimum age limit of 13 in place. Despite this, more than half of nine-year-olds, 58% of 10-year-olds and 72% of 11-year-olds are on social media.
The government has pledged to introduce more safeguards to prevent children from getting around the age restrictions – including amending the Personal Data Act so that social media users must be 15 years old to agree that the platform can handle their personal data, and developing an age verification barrier for social media.