Deutsche Lufthansa has grounded all of its flights because of company computer issues. From a report: A Lufthansa spokesman said Wednesday the company is urgently investigating the matter. It wasn't immediately clear whether Lufthansa flights that were already airborne were instructed to land. Lufthansa's stable of airlines includes its namesake brand and the national flag-carriers Austrian Airlines, Brussels Airlines and Swiss. The company also operates low-cost carrier Eurowings as well as other smaller airlines. In total, the group operates around 700 aircraft, making it Europe's largest airline by fleet size.

An anonymous reader quotes a report from The Verge: Hyundai and Kia are offering free software updates for millions of their cars in response to a rash of car thefts inspired by a viral social media challenge on TikTok. The so-called "Kia Challenge" on the social media platform has led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as "the Kia Boyz" would post instructional videos about how to bypass the vehicles' security system using tools as simple as a USB cable.

The thefts are reportedly easy to pull off because many 2015-2019 Hyundai and Kia vehicles lack electronic immobilizers that prevent thieves from simply breaking in and bypassing the ignition. The feature is standard equipment on nearly all vehicles from the same period made by other manufacturers. Hyundai and its subsidiary Kia are offering to update the "theft alarm software logic" to extend the length of the alarm sound from 30 seconds to one minute. The vehicles will also be updated to require a key in the ignition switch to turn the vehicle on. The software upgrade modifies certain vehicle control modules on Hyundai vehicles equipped with standard "turn-key-to-start" ignition systems. As a result, locking the doors with the key fob will set the factory alarm and activate an "ignition kill" feature so the vehicles cannot be started when subjected to the popularized theft mode. Customers must use the key fob to unlock their vehicles to deactivate the "ignition kill" feature.

There hasn't been a nationwide accounting of how many Hyundai and Kia vehicles have been stolen, but stats from individual cities provide some sense of how viral the trend has become. In Milwaukee, for example, police report that 469 Kias and 426 Hyundais were stolen in 2020. Those numbers spiked the following year to 3,557 Kias and 3,406 Hyundais, according to NPR. Approximately 3.8 million Hyundais and 4.5 million Kias are eligible for the software update free of charge, for a total of 8.3 million cars. Vehicle owners are instructed to take their cars to a local dealership, where technicians will install the upgrades in less than an hour. The upgraded vehicles will also get a window decal indicating they've been equipped with anti-theft technology.

A new bill advancing through the Arkansas legislature aims to make it harder for people to access porn sites. From a report: Senate Bill 66, the Protection of Minors from Distribution of Harmful Material Act, would require anyone in Arkansas to provide a "digitized identification card" before viewing a site that contains more than 33.33 percent of "harmful material." That arbitrarily-defined number, and the language of the bill itself, is a copycat of a recently-enacted law in Louisiana that blocks people from seeing porn if they don't hand over official identification. SB66 was filed in the Arkansas Senate in January, and passed to the House on February 1.

Microsoft has confirmed that it's finally killing off Yammer, the enterprise social network it procured more than a decade ago for $1.2 billion. From a report: Yammer was initially created out of San Francisco back in 2008, with cofounder David Sacks formally launching the startup at a TechCrunch startup event. The company went on to raise north of $140 million in funding before Microsoft swooped in with its billion-dollar bid four years after its launch. In many ways, it's surprising that the Yammer brand has lasted this long.

Despite Microsoft's best efforts to bring Yammer to the masses by integrating it into its core Office suite of products, Microsoft has set about developing tangential communication tools such as Microsoft Teams, which the company integrated with Yammer in 2019. And then two years ago, Microsoft launched Viva, pitched as an "employee experience platform" that was something akin to the corporate intranet of yore. In the intervening months, Microsoft has been turbo-charging Viva, and last year it launched Viva Engage, which it said at the time was an "evolution of the Yammer Communities app."

Security camera company Arlo is reversing course on its controversial decision to apply a retroactive end-of-life policy to many of its popular home security cameras. The Verge reports: On Friday, Arlo CEO Matthew McRae posted a thread on Twitter, announcing that the company will not remove free storage of videos for existing customers and that it is extending the EOL dates for older cameras a further year to 2025. He also committed to sending security updates to these cameras until 2026. The end-of-life policy was due to go into effect January 1st, 2023, and removed a big selling point -- seven-day free cloud storage -- for many Arlo cams. McRae now says all users with the seven-day storage service will "continue to receive that service uninterrupted." But he did note that "any future migrations will be handled in a seamless manner," indicating there are changes coming still.

The thread did not provide details on specific models other than using the Arlo Pro 2 as an example of a camera that will now EOL in 2025 instead of 2024, as previously announced, with security updates continuing until 2026. There was also no update on the plans to remove other features, such as email notifications and E911 emergency calling, or whether "legacy video storage" will remain. The EOL policy applied to the following devices: Arlo Gen 3, Arlo Pro, Arlo Baby, Arlo Pro 2, Arlo Q, Arlo Q Plus, Arlo Lights, and Arlo Audio Doorbell.

An anonymous reader quotes a report from BleepingComputer: Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients' personal information and cryptocurrency wallets. The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails. After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue.

Namecheap published a statement Sunday night stating that their systems were not breached but rather it was an issue at an upstream system that they use for email. "We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you," reads a statement issued by Namecheap. "We would like to assure you that Namecheap's own systems were not breached, and your products, accounts, and personal information remain secure." After the phishing incident, Namecheap says they stopped all emails, including two-factor authentication code delivery, trusted devices' verification, and password reset emails, and began investigating the attack with their upstream provider. Services were restored later that night at 7:08 PM EST.

While Namecheap did not state the name of this upstream system, the CEO of Namecheap previously tweeted that they were using SendGrid, which is also confirmed in the phishing emails' mail headers. However, Twilio SendGrid told BleepingComputer that Namecheap's incident was not the result of a hack or compromise of the email service provider's systems, adding more confusion as to what happened: "Twilio SendGrid takes fraud and abuse very seriously and invests heavily in technology and people focused on combating fraudulent and illegal communications. We are aware of the situation regarding the use of our platform to launch phishing email and our fraud, compliance and cyber security teams are engaged in the matter. This situation is not the result of a hack or compromise of Twilio's network. We encourage all end users and entities to take a multi-pronged approach to combat phishing attacks, deploying security precautions such as two factor authentication, IP access management, and using domain-based messaging. We are still investigating the situation and have no additional information to provide at this time."

"The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away," notes Security Week.

But "The arrival of cryptanalytically-relevant quantum computers that will herald the cryptopocalypse will be much sooner — possibly less than a decade." It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.... [T]his is not a threat for the future — the threat exists today. Adversaries are known to be stealing and storing encrypted data with the knowledge that within a few years they will be able to access the raw data. This is known as the 'harvest now, decrypt later' threat. Intellectual property and commercial plans — not to mention military secrets — will still be valuable to adversaries when the cryptopocalypse happens.

The one thing we can say with certainty is that it definitely won't happen in 2023 — probably. That probably comes from not knowing for certain what stage in the journey to quantum computing has been achieved by foreign nations or their intelligence agencies — and they're not likely to tell us. Nevertheless, it is assumed that nobody yet has a quantum computer powerful enough to run Shor's algorithm and crack PKI encryption in a meaningful timeframe. It is likely that such computers may become available as soon as three to five years. Most predictions suggest ten years.

Note that a specialized quantum computer designed specifically for Shor does not need to be as powerful as a general-purpose quantum computer — which is more likely to be 20 to 30 years away.... "Quantum computing is not, yet, to the point of rendering conventional encryption useless, at least that we know of, but it is heading that way," comments Mike Parkin, senior technical engineer at Vulcan Cyber. Skip Sanzeri, co-founder and COO at QuSecure, warns that the threat to current encryption is not limited to quantum decryption. "New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner," he said. "It is also believed that quantum advancements don't have to directly decrypt today's encryption. If they weaken it by suggesting or probabilistically finding some better seeds for a classical algorithm (like the sieve) and make that more efficient, that can result in a successful attack. And it's no stretch to predict, speaking of predictions, that people are going to find ways to hack our encryption that we don't even know about yet."

Steve Weston, co-founder and CTO at Incrypteon, offers a possible illustration. "Where is the threat in 2023 and beyond?" he asks. "Is it the threat from quantum computers, or is the bigger threat from AI? An analysis of cryptoanalysis and code breaking over the last 40 years shows how AI is used now, and will be more so in the future."
The article warns that "the coming cryptopocalypse requires organizations to transition from known quantum-vulnerable encryption (such as current PKI standards) to something that is at least quantum safe if not quantum secure." (The chief revenue officer at Quintessence Labs tells the site that symmetric encryption like AES-256 "is theorized to be quantum safe, but one can speculate that key sizes will soon double.")

"The only quantum secure cryptography known is the one-time pad."

Thanks to Slashdot reader wiredmikey for sharing the article.

Reddit has confirmed hackers accessed internal documents and source code following a "highly-targeted" phishing attack. From a report: A post by Reddit CTO Christopher Slowe, or KeyserSosa, explained that the company became aware of the "sophisticated" attack targeting Reddit employees on February 5. He says that an as-yet-unidentified attacker sent "plausible-sounding prompts," which redirected employees to a website masquerading as Reddit's intranet portal in an attempt to steal credentials and two-factor authentication tokens.

Slowe said that "similar phishing attempts" have been reported recently, without naming specific examples, but likened the breach to the recent Riot Games hack, which saw attackers use social engineering tactics to access source code for the company's legacy anti-cheat system. Reddit said that hackers successfully obtained an employee's credentials, allowing them to gain access to internal documents and source code, as well as some internal dashboards and business systems. Slowe said the company learned of the breach after the phished employee self-reported the incident to Reddit's security team. Reddit quickly cut off the infiltrators' access and began an internal investigation.

"Wherever you live, you should be paying attention to Utah Senate Bill 152 and the somewhat similar House Bill 311," writes tech journalist and long-time child safety advocate Larry Magid in an op-ed via the Mercury News. "Even though it's legislation for a single state, it could set a dangerous precedent and make it harder to pass and enforce sensible federal legislation that truly would protect children and other users of connected technology." From the report: SB 152 would require parents to provide their government-issued ID and physical address in order for their child or teenager to access social media. But even if you like those provisions, this bill would require everyone -- including adults -- to submit government-issued ID to sign up for a social media account, including not just sites like Facebook, Instagram, Snapchat and TikTok, but also video sharing sites like YouTube, which is commonly used by schools. The bill even bans minors from being online between 10:30 p.m. and 6:30 a.m., empowering the government to usurp the rights of parents to supervise and manage teens' screen time. Should it be illegal for teens to get up early to finish their homework (often requiring access to YouTube or other social media) or perhaps access information that would help them do early morning chores? Parents -- not the state -- should be making and enforcing their family's schedule.

I oppose these bills from my perch as a long-time child safety advocate (I wrote "Child Safety on the Information Highway" in 1994 for the National Center for Missing & Exploited Children and am currently CEO of ConnectSafely.org). However well-intentioned, they could increase risk and deny basic rights to children and adults. SB 152 would require companies to keep a "record of any submissions provided under the requirements," which means there would not only be databases of all social media users, but also of users under 18, which could be hacked by criminals or foreign governments seeking information on Utah children and adults. And, in case you think that's impossible, there was a breach in 2006 of a database of children that was mandated by the State of Utah to protect them from sites that displayed or promoted pornography, alcohol, tobacco and gambling. No one expects a data breach, but they happen on a regular basis. There is also the issue of privacy. Social media is both media and speech, and some social media are frequented by people who might not want employers, family members, law enforcement or the government to know what information they're consuming. Whatever their interests, people should have the right to at least anonymously consume information or express their opinions. This should apply to everyone, regardless of who they are, what they believe or what they're interested in. [...]

It's important to always look at the potential unintended consequences of legislation. I'm sure the lawmakers in Utah who are backing this bill have the best interests of children in mind. But this wouldn't be the first law designed to protect children that actually puts them at risk or violates adult rights in the name of child protection. I applaud any policymaker who wants to find ways to protect kids and hold technology companies accountable for doing their part to protect privacy and security as well as employing best-practices when it comes to the mental health and well being of children. But the legislation, whether coming from Utah, another state or Washington, D.C., must be sensible, workable, constitutional and balanced, so it at the very least, does more good than harm.

An anonymous reader quotes a report from KrebsOnSecurity: Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating "Trickbot," a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities. Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into "a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks," the Treasury Department said.

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," the sanctions notice continued. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly "Bentley" Kovalev. A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive "money mule" scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot. A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).

Microsoft-owned GitHub is laying off 10% of its staff. From a report: In a message to staff on Thursday, GitHub's CEO Thomas Dohmke said that due to "new budgetary realignments" the company must reduce the workforce "by up to 10% through the end of FY23." The company is also going fully remote, Dohmke wrote, telling staff they're "seeing very low utilization rates" in their offices. "We are not vacating offices immediately, but will move to close all of our offices as their leases end or as we are operationally able to do so," Dohmke wrote.

"We announced a number of difficult but necessary decisions and budgetary realignments to both protect the health of our business in the short term and grant us the capacity to invest in our long-term strategy moving forward," a GitHub spokesperson told Fortune in a written statement. The company declined to comment on whether these cuts are a part of Microsoft's layoffs that impacted 10,000 employees last month.

Thunderbird blog: Before we really dig in, let's start with the future. We believe it's a bright one! With this year's release of Thunderbird 115 "Supernova," we're doing much more than just another yearly release. It's a modernized overhaul of the software, both visually and technically. Thunderbird is undergoing a massive rework from the ground up to get rid of all the technical and interface debt accumulated over the past 10 years. This is not an easy task, but it's necessary to guarantee the sustainability of the project for the next 20 years. Simply "adding stuff on top" of a crumbling architecture is not sustainable, and we can't keep ignoring it. Throughout the next 3 years, the Thunderbird project is aiming at these primary objectives:

1. Make the code base leaner and more reliable, rewrite ancient code, remove technical debt.
2. Rebuild the interface from scratch to create a consistent design system, as well as developing and maintaining an adaptable and extremely customizable user interface.
3. Switch to a monthly release schedule.

Inside those objectives there are hundreds of very large steps that need to happen, and achieving everything will require a lot of time and resources.

The National Institute of Standards and Technology (NIST) announced that ASCON is the winning bid for the "lightweight cryptography" program to find the best algorithm to protect small IoT (Internet of Things) devices with limited hardware resources. BleepingComputer reports: ASCON was selected as the best of the 57 proposals submitted to NIST, several rounds of security analysis by leading cryptographers, implementation and benchmarking results, and feedback received during workshops. The whole program lasted for four years, having started in 2019. NIST says all ten finalists exhibited exceptional performance that surpassed the set standards without raising security concerns, making the final selection very hard.

ASCON was eventually picked as the winner for being flexible, encompassing seven families, energy efficient, speedy on weak hardware, and having low overhead for short messages. NIST also considered that the algorithm had withstood the test of time, having been developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University, and winning the CAESAR cryptographic competition's "lightweight encryption" category in 2019.

Two of ASCON's native features highlighted in NIST's announcement are AEAD (Authenticated Encryption with Associated Data) and hashing. AEAD is an encryption mode that provides confidentiality and authenticity for transmitted or stored data, combining symmetric encryption and MAC (message authentication code) to prevent unauthorized access or tampering. Hashing is a data integrity verification mechanism that creates a string of characters (hash) from unique inputs, allowing two data exchange points to validate that the encrypted message has not been tampered with. Despite ASCON's lightweight nature, NIST says the scheme is powerful enough to offer some resistance to attacks from powerful quantum computers at its standard 128-bit nonce. However, this is not the goal or purpose of this standard, and lightweight cryptography algorithms should only be used for protecting ephemeral secrets. For more details on ASCON, check the algorithm's website, or read the technical paper (PDF) submitted to NIST in May 2021.

An anonymous reader quotes a report from Motherboard: A section of the UK government has proposed making the sale or possession of bespoke encrypted phones for crime a criminal offense in its own right. The measure is intended to help the country's law enforcement agencies tackle organized crime and those who facilitate it, but civil liberties experts tell Motherboard the proposal is overbroad and poorly defined, meaning it could sweep up other forms of secure communication used by the wider population if not adjusted. "At the moment the government proposal appears to be vague and overly broad. While it states that the provisions 'will not apply to commercially available mobile phones nor the encrypted messaging apps available on them' it is difficult to see how it will not result in targeting devices used on a daily [basis] by human rights defenders, protesters and pretty much all of us who want to keep our data secure," Ioannis Kouvakas, senior legal officer and assistant general counsel at UK-based activism organization Privacy International, told Motherboard in an email.

The proposal is included in a document published by the Home Office (PDF). In that document, the Home Office proposes two legislative measures that it says could be used to improve law enforcement's response to serious and organized crime, and is seeking input from law enforcement, businesses, lawyers, civil liberties NGOs, and the wider public. [...] The first measure looks to create new criminal offenses on the "making, modifying, supply, offering to supply and possession of articles for use in serious crime." The document points to several specific items: vehicle concealments used to hide illicit goods; digital templates for 3D-printing firearms; pill presses used in the drug trade; and "sophisticated encrypted communication devices used to facilitate organized crime." In other words, this change would criminalize owning an encrypted phone, selling one, or making one for use in crime, a crime in itself. [...]

With encrypted phones, the Home Office writes that both the encryption itself and modifications made to the phones are creating "considerable barriers" to law enforcement. Typically, phones from this industry use end-to-end encryption, meaning that messages are encrypted before leaving the device, rendering any interception by law enforcement ineffective. (Multiple agencies have instead found misconfigurations in how companies' encryption works, or hacked into firms, to circumvent this protection). Encrypted phone companies sometimes physically remove the microphone, camera, and GPS functionality from handsets too. Often distributors sell these phones for thousands of dollars for yearly subscriptions. Given that price, the Home Office says it is "harder to foresee a need for anyone to use them for legitimate, legal reasons." The Home Office adds that under one option for legislation, laws could still criminalize people who did not suspect the technology would be used for serious crime, simply because the technology is so "closely associated with serious crime." Potential signs could include someone paying for a phone "through means which disguise the identity of the payer," the document reads. Often distributors sell phones for Bitcoin or cash, according to multiple encrypted phone sellers that spoke to Motherboard. The document says "the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them." But the Home Office does not yet have a settled definition of what encompasses "sophisticated encrypted communication devices," leaving open the question of what exactly the UK would be prepared to charge a person for possessing or selling.

Netflix is expanding its paid password sharing to subscribers in Canada, New Zealand, Portugal, and Spain starting Wednesday, the company announced in a blog post. From a report: The company had already started testing the change -- in a few different forms -- in some countries in Latin America. Now, Netflix is expanding its efforts ahead of a broader rollout in "the coming months." Last week, Netflix faced pushback after notes about when and how it might block devices used beyond your household popped up on support pages for the US and other countries where the new "paid sharing" setup hasn't rolled out yet.

Netflix said that was inadvertent, and now none of the support pages have any details about restrictions on streaming to devices that aren't on your home network. No matter what country you select, it only says, "A Netflix account is meant to be shared in one household (people who live in the same location as the account owner). People who are not in your household will need to sign up for their own account to watch Netflix."