An anonymous reader quotes a report from MIT Technology Review: Almost all keyboard apps used by Chinese people around the world share a security loophole that makes it possible to spy on what users are typing. The vulnerability, which allows the keystroke data that these apps send to the cloud to be intercepted, has existed for years and could have been exploited by cybercriminals and state surveillance groups, according to researchers at the Citizen Lab, a technology and security research lab affiliated with the University of Toronto.

These apps help users type Chinese characters more efficiently and are ubiquitous on devices used by Chinese people. The four most popular apps -- built by major internet companies like Baidu, Tencent, and iFlytek -- basically account for all the typing methods that Chinese people use. Researchers also looked into the keyboard apps that come preinstalled on Android phones sold in China. What they discovered was shocking. Almost every third-party app and every Android phone with preinstalled keyboards failed to protect users by properly encrypting the content they typed. A smartphone made by Huawei was the only device where no such security vulnerability was found.

In August 2023, the same researchers found that Sogou, one of the most popular keyboard apps, did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server for better typing predictions. Without TLS, a widely adopted international cryptographic protocol that protects users from a known encryption loophole, keystrokes can be collected and then decrypted by third parties. Even though Sogou fixed the issue after it was made public last year, some Sogou keyboards preinstalled on phones are not updated to the latest version, so they are still subject to eavesdropping. [...] After the researchers got in contact with companies that developed these keyboard apps, the majority of the loopholes were fixed. But a few companies have been unresponsive, and the vulnerability still exists in some apps and phones, including QQ Pinyin and Baidu, as well as in any keyboard app that hasn't been updated to the latest version.

An anonymous reader quotes a report from Wired: Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world. On Wednesday, Cisco warned that its so-called Adaptive Security Appliances -- devices that integrate a firewall and VPN with other security features -- had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored. "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," a blog post from Cisco's Talos researchers reads. Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. "The investigation that followed identified additional victims, all of which involved government networks globally," the company's report reads. In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances. Cisco advises that customers apply its new software updates to patch both vulnerabilities.

A separate advisory (PDF) from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. "A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself," the advisory reads.

Lenovo's latest ThinkPad P1 Gen 7 laptop is set to be the first to use the new LPCAMM2 memory form factor, the successor to SODIMM sticks. From a report: While Lenovo has largely focused on the AI performance of its new laptop, which is equipped with an Intel Core Ultra CPU and Nvidia RTX 3000 Ada GPU, the company also noted that its device was the first in the world to use the LPCAMM2 memory standard. LPCAMM2 uses 64 percent less space than SODIMM and 61 percent less active power, according to Lenovo. This is thanks to it being based on LPDDR5X memory instead of regular DDR5.

Designed specifically for laptops, the LPCAMM2 standard actually has its origins in tech developed by Dell. Simply termed CAMM (Compression Attached Memory Module), it first debuted as a proprietary type of memory in Dell's Precision 7670 in 2022. However, in 2023 the PC giant donated its intellectual property to JEDEC, the organization that standardizes memory technologies. CAMM became LPCAMM2 (Low-Power Compression Attached Memory Module) in September 2023 when JEDEC finally confirmed its specifications. Samsung promptly announced plans to produce LPCAMM2 sticks, and claimed they would have 50 percent more performance and 70 percent more efficiency than their SODIMM-based predecessors. Plus, LPCAMM2 can offer dual-channel memory without requiring a second module.

Today, Framework is the modular repairable laptop company. Tomorrow, it wants to be a consumer electronics company, period. From a report: That's one of the biggest reasons it just raised another $18 million in funding -- it wants to expand beyond the laptop into "additional product categories." Framework CEO Nirav Patel tells me that has always been the plan. The company originally had other viable ideas beyond laptops, too. "We chose to take on the notebook space first," he says, partly because Framework knew it could bootstrap its ambitions by catering to the PC builders and tinkerers and Linux enthusiasts left behind by big OEMs -- and partly because it wanted to go big or go home.

If Framework could succeed in laptops, he thought, it would be able to build almost anything. After five years building laptops, what might Framework add to the portfolio? Patel won't say -- I only get the barest hints, no matter how many different ways I ask. He won't even say if they'll make less or more of a splash than laptops. Framework might choose an "equally difficult" category or might instead try something "a bit smaller and simpler to execute, streamlined now that we have all this infrastructure."

An anonymous reader shares a report: Qualcomm is cheating on the Snapdragon X Plus/Elite benchmarks given to OEMs and the press. SemiAccurate doesn't use these words lightly but there is no denying what multiple sources are telling us. [...] Then there were the actual 'briefings' for the X Pro SoC. To call them pathetic is giving them more than their due. The deck was 11 slides, three of which were empty/fluff, five 'benchmark' slides with woefully inadequate disclosure, and two infographic summary slides. The last was the slide below with the 'deep technical' stats [screenshots in the linked article], much of which we told you about last week. And more.

The rest of the 'disclosure' for Snapdragon X Pro was a list of features that all fall under the guise of exactly what you would expect. The rest was filled with deep 'details' like the GPU capabilities of 3.8TFLOPS. That's it. No specs, no capabilities, no nothing. It was truly pathetic. But wait there is more, or less really, with statements like it having AV1 encode and decode. Trivialities like frame rates and resolutions were seemingly not needed for such technical briefs. See what we mean by pathetic? Those 10 cores are arranged how again? That 42MB of cache is what level? Shall I go on about the bare minimum basics or do you get the point now? SemiAccurate was planning to ask Qualcomm about their cheating on benchmarks at the promised briefing but, well, they lied to us and cut us out of the pathetic bits they did brief on. We honestly would have liked to know why they were cheating but we kind of think they will do their usual response to bad news and pretend it never happened like last time. If they actually do explain things we will of course update this article as we always do.

Andy Greenberg reports via Wired: More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data. In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would "cover a substantial proportion of people in America."

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack -- and the profit AlphV extracted from it -- will lead ransomware gangs to further target health care companies. "It 100 percent encourages other actors to target health care organizations," Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. "And it's one of the industries we don't want ransomware actors to target -- especially when it affects hospitals." Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.

A lawsuit is alleging Amazon was so desperate to keep up with the competition in generative AI it was willing to breach its own copyright rules. From a report: The allegation emerges from a complaint accusing the tech and retail mega-corp of demoting, and then dismissing, a former high-flying AI scientist after it discovered she was pregnant. The lawsuit was filed last week in a Los Angeles state court by Dr Viviane Ghaderi, an AI researcher who says she worked successfully in Amazon's Alexa and LLM teams, and achieved a string of promotions, but claims she was later suddenly demoted and fired following her return to work after giving birth. She is alleging discrimination, retaliation, harassment and wrongful termination, among other claims.

An anonymous reader shares a report: For years, people who have found Google search frustrating have been adding "Reddit" to the end of their search queries. This practice is so common that Google even acknowledged the phenomenon in a post announcing that it will be scraping Reddit posts to train its AI. And so, naturally, there are now services that will poison Reddit threads with AI-generated posts designed to promote products.

A service called ReplyGuy advertises itself as "the AI that plugs your product on Reddit" and which automatically "mentions your product in conversations naturally." Examples on the site show two different Redditors being controlled by AI posting plugs for a text-to-voice product called "AnySpeech" and a bot writing a long comment about a debt consolidation program called Debt Freedom Now. A video demo shows a dashboard where a user adds the name of their company and URL they want to direct users to. It then auto-suggests keywords that "help the bot know what types of subreddits and tweets to look for and when to respond."

Moments later, the dashboard shows how Reply Guy is "already in the responses" of the comments section of different Reddit posts. "Many of our responses will get lots of upvotes and will be well-liked." The creator of the company, Alexander Belogubov, has also posted screenshots of other bot-controlled accounts responding all over Reddit. Begolubov has another startup called "Stealth Marketing" that also seeks to manipulate the platform by promising to "turn Reddit into a steady stream of customers for your startup."

Yet another international cop shop has come out swinging against end-to-end encryption - this time it's Europol which is urging an end to implementation of the tech for fear police investigations will be hampered by protected DMs. The Register: In a joint declaration of European police chiefs published over the weekend, Europol said it needs lawful access to private messages, and said tech companies need to be able to scan them (ostensibly impossible with E2EE implemented) to protect users. Without such access, cops fear they won't be able to prevent "the most heinous of crimes" like terrorism, human trafficking, child sexual abuse material (CSAM), murder, drug smuggling and other crimes.

"Our societies have not previously tolerated spaces that are beyond the reach of law enforcement, where criminals can communicate safely and child abuse can flourish," the declaration said. "They should not now." The joint statement, which was agreed to in cooperation with the UK's National Crime Agency, isn't exactly making a novel claim. It's nearly the same line of reasoning that the Virtual Global Taskforce, an international law enforcement group founded in 2003 to combat CSAM online, made last year when Meta first first started talking about implementing E2EE on Messenger and Instagram.

North Korean animators have been secretly working on major international TV shows, including an Amazon superhero series and an upcoming HBO Max children's anime, according to a report by cybersecurity researchers. The findings, detailed in a report by the Stimson Center think tank's 38 North Project and Google-owned security firm Mandiant, provide a glimpse into how North Korea can use skilled IT workers to raise funds for its heavily sanctioned regime.

Researcher Nick Roy discovered a misconfigured cloud server on a North Korean IP address in December, containing thousands of animation files, including cells, videos, and notes discussing ongoing projects. Some images appeared to be from Amazon's "Invincible" and HBO Max's "Iyanu: Child of Wonder." The server, which mysteriously stopped being used at the end of February, likely allowed work to be sent to and from North Korean animators, according to Martyn Williams, a senior fellow on the 38 North Project. U.S. sanctions prohibit companies from working with North Korean entities, but the researchers say it is unlikely that the companies involved were aware of the animators' origins. The report suggests the contracting arrangement was several steps removed from the major producers.

Long-time Slashdot reader tippen shared this report from the Register: AI agents, which combine large language models with automation software, can successfully exploit real world security vulnerabilities by reading security advisories, academics have claimed.

In a newly released paper, four University of Illinois Urbana-Champaign (UIUC) computer scientists — Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang — report that OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing the flaw. "To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description," the US-based authors explain in their paper. "When given the CVE description, GPT-4 is capable of exploiting 87 percent of these vulnerabilities compared to 0 percent for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit)...."

The researchers' work builds upon prior findings that LLMs can be used to automate attacks on websites in a sandboxed environment. GPT-4, said Daniel Kang, assistant professor at UIUC, in an email to The Register, "can actually autonomously carry out the steps to perform certain exploits that open-source vulnerability scanners cannot find (at the time of writing)."
The researchers wrote that "Our vulnerabilities span website vulnerabilities, container vulnerabilities, and vulnerable Python packages. Over half are categorized as 'high' or 'critical' severity by the CVE description...."

"Kang and his colleagues computed the cost to conduct a successful LLM agent attack and came up with a figure of $8.80 per exploit"

SiliconANGLE reports that to help organizations detect vulnerabilities earlier, Red Hat has "announced updates to its Trusted Software Supply Chain that enable organizations to shift security 'left' in the software supply chain." Red Hat announced Trusted Software Supply Chain in May 2023, pitching it as a way to address the rising threat of software supply chain attacks. The service secures software pipelines by verifying software origins, automating security processes and providing a secure catalog of verified open-source software packages. [Thursday's updates] are aimed at advancing the ability for customers to embed security into the software development life cycle, thereby increasing software integrity earlier in the supply chain while also adhering to industry regulations and compliance standards.

They start with a new tool called Red Hat Trust Artifact Signer. Based on the open-source Sigstore project [founded at Red Hat and now part of the Open Source Security Foundation], Trust Artifact Signer allows developers to sign and verify software artifacts cryptographically without managing centralized keys, to enhance trust in the software supply chain. The second new release, Red Hat Trusted Profile Analyzer, provides a central source for security documentation such as Software Bill of Materials and Vulnerability Exploitability Exchange. The tool simplifies vulnerability management by enabling proactive identification and minimization of security threats.

The final new release, Red Hat Trusted Application Pipeline, combines the capabilities of the Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's internal developer platform to provide integrated security-focused development templates. The feature aims to standardize and accelerate the adoption of secure development practices within organizations.
Specifically, Red Hat's announcement says organizations can use their new Trust Application Pipeline feature "to verify pipeline compliance and provide traceability and auditability in the CI/CD process with an automated chain of trust that validates artifact signatures, and offers provenance and attestations."

An anonymous reader shares a report: iPerf is a fairly popular cross-platform tool that is used by many to measure network performance and diagnose any potential issues in this area. The open-source utility is maintained by an organization called Energy Sciences Network (ESnet) and officially supports Linux, Unix, and Windows. However, Microsoft has now published a detailed blog post explaining why you should not use the latest version, iPerf3, on Windows installations.

Microsoft has highlighted three key reasons to discourage the use of iPerf3 on Windows. The first is that ESnet does not support this version on Windows, and recommends iPerf2 instead. On its website, ESnet has emphasized that CentOS 7 Linux, FreeBSD 11, and macOS 10.12 are the only supported platforms. Another very important reason not to use iPerf3 on Windows is that it does not make native OS calls. Instead, it leverages Cygwin as an emulation layer, which obviously comes with a performance penalty. This alone means that iPerf3 on Windows isn't really an ideal candidate for benchmarking your network. While Microsoft has praised the maintainers who are trying to get iPerf3 to run on Windows via emulation, another flaw with this approach is that some advanced networking options simply aren't available on Windows or may behave in unexpected ways.

Microsoft is getting ready to annoy its faithful Windows 10 user base with yet another prompt. From a report: This time, Microsoft wants Windows 10 users to switch from using a local account to their online Microsoft account. As first noticed by the outlet Windows Latest, the most recent Windows 10 update Release Preview includes some information about new notifications added to the operating system intended to make users switch from their local account to their Microsoft account. "New! This update starts the [roll out] of account-related notifications for Microsoft accounts in Settings > Home," reads the update, originally from the official Windows blog, which then lays out its case for using a Microsoft account.

U.S. telecom provider Frontier Communications shut down its systems after a cybercrime group breached some of its IT systems in a recent cyberattack. BleepingComputer reports: Frontier is a leading U.S. communications provider that provides gigabit Internet speeds over a fiber-optic network to millions of consumers and businesses across 25 states. After discovering the incident, the company was forced to partially shut down some systems to prevent the threat actors from laterally moving through the network, which also led to some operational disruptions. Despite this, Frontier says the attackers could access some PII data, although it didn't disclose if it belonged to customers, employees, or both.

"On April 14, 2024, Frontier Communications Parent, Inc. [..] detected that a third party had gained unauthorized access to portions of its information technology environment," the company revealed in a filing with the U.S. Securities and Exchange Commission on Thursday. "Based on the Company's investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information." Frontier now believes that it has contained the breach, has since restored its core IT systems affected during the incident, and is working on restoring normal business operations.

An anonymous reader shares a report: A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime. The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.

World-Check is a screening database used for "know your customer" checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions.The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm. A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.

An anonymous reader quotes a report from Futurism: In a new blog post from LastPass, the password management firm used by countless personal and corporate clients to help protect their login information, the company explains that someone used AI voice-cloning tech to spoof the voice of its CEO in an attempt to trick one of its employees. As the company writes in the post, one of its employees earlier this week received several WhatsApp communications -- including calls, texts, and a voice message -- from someone claiming to be its CEO, Karim Toubba. Luckily, the LastPass worker didn't fall for it because the whole thing set off so many red flags. "As the attempted communication was outside of normal business communication channels and due to the employee's suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency)," the post reads, "our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally."

While this LastPass scam attempt failed, those who follow these sorts of things may recall that the company has been subject to successful hacks before. In August 2022, as a timeline of the event compiled by the Cybersecurity Dive blog detailed, a hacker compromised a LastPass engineer's laptop and used it to steal source code and company secrets, eventually getting access to its customer database -- including encrypted passwords and unencrypted user data like email addresses. According to that timeline, the clearly-resourceful bad actor remained active in the company's servers for months, and it took more than two months for LastPass to admit that it had been breached. More than six months after the initial breach, Toubba, the CEO, provided a blow-by-blow timeline of the months-long attack and said he took "full responsibility" for the way things went down in a February 2023 blog post.

404 Media: An online service is scraping Discord servers en masse, archiving and tracking users' messages and activity across servers including what voice channels they join, and then selling access to that data for as little as $5. Called Spy Pet, the service's creator says it scrapes more than ten thousand Discord servers, and besides selling access to anyone with cryptocurrency, is also offering the data for training AI models or to assist law enforcement agencies, according to its website.

The news is not only a brazen abuse of Discord's platform, but also highlights that Discord messages may be more susceptible to monitoring than ordinary users assume. Typically, a Discord user's activity is spread across disparate servers, with no one entity, except Discord itself, able to see what messages someone has sent across the platform more broadly. With Spy Pet, third-parties including stalkers or potentially police can look up specific users and see what messages they've posted on various servers at once. "Have you ever wondered where your friend hangs out on Discord? Tired of basic search tools like Discord.id? Look no further!" Spy Pet's website reads. It claims to be tracking more than 14,000 servers, 600 million users, and includes a database of more than 3 billion messages.

Cloudflare, in a blog post: Key insights from the first quarter of 2024 include:
1. 2024 started with a bang. Cloudflare's defense systems automatically mitigated 4.5 million DDoS attacks during the first quarter -- representing a 50% year-over-year (YoY) increase.
2. DNS-based DDoS attacks increased by 80% YoY and remain the most prominent attack vector.
3. DDoS attacks on Sweden surged by 466% after its acceptance to the NATO alliance, mirroring the pattern observed during Finland's NATO accession in 2023.

We've just wrapped up the first quarter of 2024, and, already, our automated defenses have mitigated 4.5 million DDoS attacks -- an amount equivalent to 32% of all the DDoS attacks we mitigated in 2023. Breaking it down to attack types, HTTP DDoS attacks increased by 93% YoY and 51% quarter-over-quarter (QoQ). Network-layer DDoS attacks, also known as L3/4 DDoS attacks, increased by 28% YoY and 5% QoQ. When comparing the combined number of HTTP DDoS attacks and L3/4 DDoS attacks, we can see that, overall, in the first quarter of 2024, the count increased by 50% YoY and 18% QoQ. In total, our systems mitigated 10.5 trillion HTTP DDoS attack requests in Q1. Our systems also mitigated over 59 petabytes of DDoS attack traffic -- just on the network-layer.

A crypto wallet maker claimed this week that hackers may be targeting people with an iMessage "zero-day" exploit -- but all signs point to an exaggerated threat, if not a downright scam. From a report: Trust Wallet's official X (previously Twitter) account wrote that "we have credible intel regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any link. High-value targets are likely. Each use raises detection risk." The wallet maker recommended iPhone users to turn off iMessage completely "until Apple patches this," even though no evidence shows that "this" exists at all. The tweet went viral, and has been viewed over 3.6 million times as of our publication. Because of the attention the post received, Trust Wallet hours later wrote a follow-up post. The wallet maker doubled down on its decision to go public, saying that it "actively communicates any potential threats and risks to the community."