Windows

Microsoft is Killing off Windows 11's Mail and Calendar Apps By the End of the Year (theverge.com) 81

Microsoft is planning to no longer support the Windows Mail, Calendar, and People apps later this year. The Verge: The software giant has been moving existing users of these apps over to the new Outlook for Windows app in recent months, and now it has set an end of support date for the Mail, Calendar, and People apps of December 31st.

Once the apps reach end of support later this year, Microsoft warns that users who haven't moved to the new Outlook app "will no longer be able to send and receive email using Windows Mail and Calendar."

Microsoft has been rolling out the new Outlook for Windows app for years, with it officially reaching the general availability stage in August. The new web-based Outlook is designed to eventually replace the full desktop version of Outlook too, and Microsoft plans to provide enterprise customers a 12-month notice before it starts to move people away from the desktop version of Outlook.

Security

D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices 87

D-Link confirmed no fix will be issued for the over 60,000 D-Link NAS devices that are vulnerable to a critical command injection flaw (CVE-2024-10914), allowing unauthenticated attackers to execute arbitrary commands through unsanitized HTTP requests. The networking company advises users to retire or isolate the affected devices from public internet access. BleepingComputer reports: The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses: DNS-320 Version 1.00; DNS-320LW Version 1.01.0914.2012; DNS-325 Version 1.01, Version 1.02; and DNS-340L Version 1.08. [...] A search that Netsecfish conducted on the FOFA platform returned 61,147 results at 41,097 unique IP addresses for D-Link devices vulnerable to CVE-2024-10914.

In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products. If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions. The same researcher discovered in April this year an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting mostly the same D-Link NAS models as the latest flaw.
Security

Amazon Confirms Employee Data Stolen After Hacker Claims MOVEit Breach (techcrunch.com) 5

Amazon has confirmed that employee data was compromised after a "security event" at a third-party vendor. From a report: In a statement given to TechCrunch on Monday, Amazon spokesperson Adam Montgomery confirmed that employee information had been involved in a data breach. "Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations," Montgomery said.

Amazon declined to say how many employees were impacted by the breach. It noted that the unnamed third-party vendor doesn't have access to sensitive data such as Social Security numbers or financial information and said the vendor had fixed the security vulnerability responsible for the data breach. The confirmation comes after a threat actor claimed to have published data stolen from Amazon on notorious hacking site BreachForums. The individual claims to have more than 2.8 million lines of data, which they say was stolen during last year's mass-exploitation of MOVEit Transfer.

Android

Android 15's Virtual Machine Mandate is Aimed at Improving Security (androidauthority.com) 52

Google will require all new mobile chipsets launching with Android 15 to support its Android Virtualization Framework (AVF), a significant shift in the operating system's security architecture. The mandate, reports AndroidAuthority, which got hold of Android's latest Vendor Software Requirements document, affects major chipmakers including Qualcomm, MediaTek, and Samsung's Exynos division. New processors like the Snapdragon 8 Elite and Dimensity 9400 must implement AVF support to receive Android certification.

AVF, introduced with Android 13, creates isolated environments for security-sensitive operations including code compilation and DRM applications. The framework also enables full operating system virtualization, with Google demonstrating Chrome OS running in a virtual machine on Android devices.
IT

Washington Post Employees Ordered Back To the Office (washingtonian.com) 153

Long-time Slashdot reader DesScorp writes: The Washingtonian magazine reports that yet another company is ending most remote work for its employees. The Post's previous policy from 2022 until now had been 3 days in office, 2 days remote. The employee union for the paper, the Washington Post Guild, will oppose the mandate.
The union sent members a defiant email, according to the article. "Guild leadership sees this for what it is: a change that stands to further disrupt our work than to improve our productivity or collaboration." Managers will have to return beginning February 3, 2025, and all other employees will be expected in the office beginning June 2 [according to a memo from publisher Will Lewis]. "I want that great office energy for us every day," Lewis writes. "I am reliably informed that is how it used to be here before Covid, and it's important we get this back."
Java

Java Proposals Would Boost Resistance to Quantum Computing Attacks (infoworld.com) 14

"Java application security would be enhanced through two proposals aimed at resisting quantum computing attacks," reports InfoWorld, "one plan involving digital signatures and the other key encapsulation." The two proposals reside in the OpenJDK JEP (JDK Enhancement Proposal) index.

The Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm proposal calls for enhancing the security of Java applications by providing an implementation of the quantum-resistant module-lattice-based digital signature algorithm (ML-DSA). ML-DSA would secure against future quantum computing attacks by using digital signatures to detect unauthorized modifications to data and to authenticate the identity of signatories. ML-DSA was standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 204.

The Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism proposal calls for enhancing application security by providing an implementation of the quantum-resistant module-lattice-based key encapsulation mechanism (ML-KEM). KEMs are used to secure symmetric keys over insecure communication channels using public key cryptography. ML-KEM is designed to be secure against future quantum computing attacks and was standardized by NIST in FIPS 203.

Government

Gig-Working Uber and Lyft Drivers Can Unionize, Say Massachusetts Voters (reuters.com) 53

On Tuesday Massachusetts voted to become the first state to allow gig-working drivers to join labor unions, reports WBUR: Since these gig workers are classified as independent contractors, federal law allowing employees the right to unionize does not apply to them. With the passage of this ballot initiative, Massachusetts is the first state to give ride-hailing drivers the ability to collectively bargain over working conditions.
Supporters have said the ballot measure "could provide a model for other states to let Uber and Lyft drivers unionize," reports Reuters, "and inspire efforts to organize them around the United States." Roxana Rivera, assistant to the president of 32BJ SEIU, an affiliate of the Service Employees International Union, that had spearheaded a campaign to pass the proposal, said its approval shows that Massachusetts voters want drivers to have a meaningful check against the growing power of app-based companies... The Massachusetts vote was the latest front in a years-long battle in the United States over whether ride-share drivers should be considered to be independent contractors or employees entitled to benefits and wage protections. Studies have shown that using contractors can cost companies as much as 30% less than employees.

Drivers for Uber and Lyft, including approximately 70,000 in Massachusetts, do not have the right to organize under the National Labor Relations Act... Under the Massachusetts measure, drivers can form a union after collecting signatures from at least 25% of active drivers in Massachusetts, and companies can form associations to allow them to jointly negotiate with the union during state-supervised talks.

But the Boston Globe points out that the measure "divided labor advocates in Massachusetts, some of whom worry it would in fact be a step backward in the lengthy fight to boost the rights of gig workers." Those concerns led the state's largest labor organization, the AFL-CIO, to remain neutral. But two unions backing the effort, the SEIU 32BJ and the International Association of Machinists, say allowing drivers to unionize, even if not as full employees, will help provide urgently needed worker protections and better pay and safety standards.

iPhone

Police Freak Out at iPhones Mysteriously Rebooting Themselves, Locking Cops Out (404media.co) 129

Law enforcement officers are warning other officials and forensic experts that iPhones which have been stored securely for forensic examination are somehow rebooting themselves, returning the devices to a state that makes them much harder to unlock, 404 Media is reporting, citing a law enforcement document it obtained. From the report: The exact reason for the reboots is unclear, but the document authors, who appear to be law enforcement officials in Detroit, Michigan, hypothesize that Apple may have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time. After being rebooted, iPhones are generally more secure against tools that aim to crack the password of and take data from the phone.

"The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network," the document reads. Apple did not provide a response on whether it introduced such an update in time for publication.

Privacy

Hackers Are Sending Fraudulent Police Data Requests To Tech Giants To Steal People's Private Information (gizmodo.com) 14

An anonymous reader quotes a report from TechCrunch: The FBI is warning that hackers are obtaining private user information — including emails and phone numbers — from U.S.-based tech companies by compromising government and police email addresses to submit "emergency" data requests. The FBI's public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone's life or property. The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an "uptick" around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness.

"Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes," reads the FBI's advisory. [...] The FBI said in its advisory that it had seen several public posts made by known cybercriminals over 2023 and 2024, claiming access to email addresses used by U.S. law enforcement and some foreign governments. The FBI says this access was ultimately used to send fraudulent subpoenas and other legal demands to U.S. companies seeking private user data stored on their systems. The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data. In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would "suffer greatly or die" unless the company in question returns the requested information.

The FBI said the compromised access to law enforcement accounts allowed the hackers to generate legitimate-looking subpoenas that resulted in companies turning over usernames, emails, phone numbers, and other private information about their users. But not all fraudulent attempts to file emergency data requests were successful, the FBI said. The FBI said in its advisory that law enforcement organizations should take steps to improve their cybersecurity posture to prevent intrusions, including stronger passwords and multi-factor authentication. The FBI said that private companies "should apply critical thinking to any emergency data requests received," given that cybercriminals "understand the need for exigency."

Software

Europe's Largest Local Authority Slammed For 'Poorest' ERP Rollout Ever (theregister.com) 71

UK government-appointed commissioners have labeled Birmingham City Council's Oracle Fusion rollout as "the poorest ERP deployment" they have seen. From a report: A report published by the UK council's Corporate Finance Overview and Scrutiny Committee found that 18 months after Fusion went live, the largest public authority in Europe "had not tactically stabilized the system or formulated clear plans to resolve the system issues and recover the operation."

The city council's cloud-based Oracle tech replaced the SAP system that it began using in 1999, but the disastrous project encountered a string of landmark failures. The council has failed to produce auditable accounts since Oracle was implemented in 2022, costs have ballooned from around 19 million pounds to a projected estimate of 131 million pounds and, because the council chose not to use system audit features, it cannot tell if fraud has taken place on its multibillion-pound spending budget for an 18-month period. In September last year, the council became effectively bankrupt due to outstanding equal pay claims and the Oracle implementation.

The report from "best value commissioners" appointed by central government to investigate struggling councils said that following the Oracle implementation, "a serious lack of trust had developed between members and officers driven by the failed implementation and subsequent lack of progress to resolve the situation."

United States

US Agency Warns Employees About Phone Use Amid Ongoing China Hack (msn.com) 8

A federal agency has issued a directive to employees to reduce the use of their phones for work matters due to China's recent hack of U.S. telecommunications infrastructure, WSJ reported on Thursday, citing people familiar with the matter. From the report: In an email to staff sent Thursday, the chief information officer at the Consumer Financial Protection Bureau warned that internal and external work-related meetings and conversations that involve nonpublic data should only be held on platforms like Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.

"Do NOT conduct CFPB work using mobile voice calls or text messages," the email said, while referencing a recent government statement acknowledging the telecommunications infrastructure attack. "While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised," said the email, which was sent to all CFPB employees and contractors. It wasn't clear if other federal agencies had taken similar measures or were planning to, but many U.S. officials have already curtailed their phone use due to the hack, according to a former official.

IT

Hacker Says They Banned 'Thousands' of Call of Duty Gamers By Abusing Anti-Cheat Flaw (techcrunch.com) 21

An anonymous reader shares a report: In October, video game giant Activision said it had fixed a bug in its anti-cheat system that affected "a small number of legitimate player accounts," who were getting banned because of the bug. In reality, according to the hacker who found the bug and was exploiting it, they were able to ban "thousands upon thousands" of Call of Duty players, who they essentially framed as cheaters. The hacker, who goes by Vizor, spoke to TechCrunch about the exploit, and told their side of the story.

"I could have done this for years and as long as I target random players and no one famous it would have gone without notice," said Vizor, who added that it was "funny to abuse the exploit." TechCrunch was introduced to Vizor by a cheat developer called Zebleer, who is familiar with the Call of Duty hacking scene. Zebleer said he had been in touch with Vizor for months, and as such had knowledge of the exploit, which he said he saw Vizor using.

Technology

Nvidia Sets 100-Hour Monthly Cap on Cloud Gaming Service (nvidia.com) 37

Nvidia will impose a 100-hour monthly limit on its GeForce Now cloud gaming service for new subscribers starting January 2025, with existing members facing the same restriction from 2026, the company said on Thursday.

The gaming giant aims to maintain current subscription prices by implementing the cap, which affects roughly 6% of users. Members can purchase additional 15-hour blocks for $2.99 on Performance tier or $5.99 for Ultimate tier once they exceed the limit.

The service, which allows users to stream games from remote servers, will also rebrand its Priority membership to Performance tier, adding 1440p streaming and ultrawide resolution support. Subscribers can carry over 15 unused hours monthly or switch to basic servers after reaching the cap, Nvidia said.
Security

DataBreach.com Emerges As Alternative To HaveIBeenPwned (pcmag.com) 21

An anonymous reader quotes a report from PCMag: Have I Been Pwned has long been one of the most useful ways to learn if your personal information was exposed in a hack. But a new site offers its own powerful tool to help you check if your data has been leaked to cybercriminals. DataBreach.com is the work of a New Jersey company called Atlas Privacy, which helps consumers remove their personal information from data brokers and people search websites. On Wednesday, the company told us it had launched DataBreach.com as an alternative to Have I Been Pwned, which is mainly searchable via the user's email address. DataBreach.com is designed to do that and more. In addition to your email address, the site features an advanced search function to see whether your full name, physical address, phone number, Social Security number, IP address, or username are in Atlas Privacy's extensive library of recorded breaches. More categories will also be added over time.

Atlas Privacy has been offering its paid services to customers, such as police officers and celebrities, to protect bad actors from learning their addresses or phone numbers. In doing so, the company has also amassed over 17.5 billion records from the numerous stolen databases circulating on the internet, including in cybercriminal forums. As a public service, Atlas is now using its growing repository of stolen records to create a breach notification site, free of charge. DataBreach.com builds off Atlas's effort in August to host a site notifying users whether their Social Security number and other personal information were leaked in the National Public Data hack. Importantly, Atlas designed DataBreach.com to prevent it from storing or collecting any sensitive user information typed into the site. Instead, the site will fetch a hash from Atlas' servers, or a fingerprint of the user's personal information -- whether it be an email address, name, or SSN -- and compare it to whatever the user is searching for. "The comparison will be done locally," meaning it'll occur on the user's PC or phone, rather than Atlas's internet server, de Saint Meloir said.

Security

Schneider Electric Ransomware Crew Demands $125k Paid in Baguettes (theregister.com) 25

Schneider Electric confirmed that it is investigating a breach as a ransomware group Hellcat claims to have stolen more than 40 GB of compressed data -- and demanded the French multinational energy management company pay $125,000 in baguettes or else see its sensitive customer and operational information leaked. The Register: And yes, you read that right: payment in baguettes. As in bread. Schneider Electric declined to answer The Register's specific questions about the intrusion, including if the attackers really want $125,000 in baguettes or if they would settle for cryptocurrency.

A spokesperson, however, emailed us the following statement: "Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment. Our Global Incident Response team has been immediately mobilized to respond to the incident. Schneider Electric's products and services remain unaffected."

Google

Google's Big Sleep LLM Agent Discovers Exploitable Bug In SQLite (scworld.com) 36

spatwei writes: Google has used a large language model (LLM) agent called "Big Sleep" to discover a previously unknown, exploitable memory flaw in a widely used software for the first time, the company announced Friday.

The stack buffer underflow vulnerability in a development version of the popular open-source database engine SQLite was found through variant analysis by Big Sleep, which is a collaboration between Google Project Zero and Google DeepMind.

Big Sleep is an evolution of Project Zero's Naptime project, which is a framework announced in June that enables LLMs to autonomously perform basic vulnerability research. The framework provides LLMs with tools to test software for potential flaws in a human-like workflow, including a code browser, debugger, reporter tool and sandbox environment for running Python scripts and recording outputs.

The researchers provided the Gemini 1.5 Pro-driven AI agent with the starting point of a previous SQLite vulnerability, providing context for Big Sleep to search for potential similar vulnerabilities in newer versions of the software. The agent was presented with recent commit messages and diff changes and asked to review the SQLite repository for unresolved issues.

Google's Big Sleep ultimately identified a flaw involving the function "seriesBestIndex" mishandling the use of the special sentinel value -1 in the iColumn field. Since this field would typically be non-negative, all code that interacts with this field must be designed to handle this unique case properly, which seriesBestIndex fails to do, leading to a stack buffer underflow.

Security

Inside the Massive Crime Industry That's Hacking Billion-Dollar Companies (wired.com) 47

Cybercriminals have breached dozens of major companies including AT&T, Ticketmaster and Hot Topic by exploiting "infostealer" malware that harvests login credentials from infected computers, an investigation has found. The malware, spread through pirated software and social media, has infected 250,000 new devices daily, according to cybersecurity firm Recorded Future. Russian developers create the malware while contractors distribute it globally, deliberately avoiding former Soviet states. Hot Topic suffered potentially the largest retail hack ever in October when attackers accessed 350 million customer records using stolen developer credentials. Google and Microsoft are racing to patch vulnerabilities, but malware makers quickly adapt to new security measures.
IT

What Happened After Remote Workers Were Offered $10,000 to Move to Tulsa? (seattletimes.com) 115

Five years ago remote workers were offered $10,000 to move to Tulsa, Oklahoma for at least a year. Since then roughly 3,300 have accepted the offer, according to the New York Times. But more importantly, now researchers are looking at the results: Their research, released this month, surveyed 1,248 people — including 411 who had participated in Tulsa Remote and others who were accepted but didn't move or weren't accepted but had applied to the program — and found that remote workers who moved to Tulsa saved an average of $25,000 more on annual housing costs than the group that was chosen but didn't move... Nearly three-quarters of participants who have completed the program are still living in Tulsa. The program brings them together for farm-to-table dinners, movie nights and local celebrity lectures to help build community, given that none have offices to commute to.
The article says every year the remote workers contribute $14.9 million in state income taxes and $5.8 million in sales taxes (more than offsetting the $33 million spent over the last five years). And additional benefits could be even greater. "We know that for every dollar we've spent on the incentive, there's been about a $13 return on that investment to the city," the program's managing director told Fortune — pointing out that the remote workers have an average salary of $100,000. (500 of the 3,300 even bought homes...)

The Tulsa-based George Kaiser Family Foundation — which provides the $10,000 awards — told the New York Times it will continue funding the program "so long as it demonstrates to be a community-enhancing opportunity." And with so much of the population now able to work remotely, the lead author on the latest study adds that "Every heartland mayor should pay attention to this..."
United States

Millions of U.S. Cellphones Could Be Vulnerable to Chinese Government Surveillance (washingtonpost.com) 73

Millions of U.S. cellphone users could be vulnerable to Chinese government surveillance, warns a Washington Post columnist, "on the networks of at least three major U.S. carriers."

They cite six current or former senior U.S. officials, all of whom were briefed about the attack by the U.S. intelligence community. The Chinese hackers, who the United States believes are linked to Beijing's Ministry of State Security, have burrowed inside the private wiretapping and surveillance system that American telecom companies built for the exclusive use of U.S. federal law enforcement agencies — and the U.S. government believes they likely continue to have access to the system.... The U.S. government and the telecom companies that are dealing with the breach have said very little publicly about it since it was first detected in August, leaving the public to rely on details trickling out through leaks...

The so-called lawful-access system breached by the Salt Typhoon hackers was established by telecom carriers after the terrorist attacks of Sept. 11, 2001, to allow federal law enforcement officials to execute legal warrants for records of Americans' phone activity or to wiretap them in real time, depending on the warrant. Many of these cases are authorized under the Foreign Intelligence Surveillance Act (FISA), which is used to investigate foreign spying that involves contact with U.S. citizens. The system is also used for legal wiretaps related to domestic crimes.

It is unknown whether hackers were able to access records about classified wiretapping operations, which could compromise federal criminal investigations and U.S. intelligence operations around the world, multiple officials told me. But they confirmed the previous reporting that hackers were able to both listen in on phone calls and monitor text messages. "Right now, China has the ability to listen to any phone call in the United States, whether you are the president or a regular Joe, it makes no difference," one of the hack victims briefed by the FBI told me. "This has compromised the entire telecommunications infrastructure of this country."

The Wall Street Journal first reported on Oct. 5 that China-based hackers had penetrated the networks of U.S. telecom providers and might have penetrated the system that telecom companies operate to allow lawful access to wiretapping capabilities by federal agencies... [After releasing a short statement], the FBI notified 40 victims of Salt Typhoon, according to multiple officials. The FBI informed one person who had been compromised that the initial group of identified targets included six affiliated with the Trump campaign, this person said, and that the hackers had been monitoring them as recently as last week... "They had live audio from the president, from JD, from Jared," the person told me. "There were no device compromises, these were all real-time interceptions...." [T]he duration of the surveillance is believed to date back to last year.

Several officials told the columnist that the cyberattack also targeted senior U.S. government officials and top business leaders — and that even more compromised targets are being discovered. At this point, "Multiple officials briefed by the investigators told me the U.S. government does not know how many people were targeted, how many were actively surveilled, how long the Chinese hackers have been in the system, or how to get them out."

But the article does include this quote from U.S. Senate Intelligence Committee chairman Mark Warner. "It is much more serious and much worse than even what you all presume at this point."

One U.S. representative suggested Americans rely more on encrypted apps. The U.S. is already investigating — but while researching the article, the columnist writes, "The National Security Council declined to comment, and the FBI did not respond to a request for comment..." They end with this recommendation.

"If millions of Americans are vulnerable to Chinese surveillance, they have a right to know now."
AI

AI Bug Bounty Program Finds 34 Flaws in Open-Source Tools (scworld.com) 23

Slashdot reader spatwei shared this report from SC World: Nearly three dozen flaws in open-source AI and machine learning (ML) tools were disclosed Tuesday as part of [AI-security platform] Protect AI's huntr bug bounty program.

The discoveries include three critical vulnerabilities: two in the Lunary AI developer toolkit [both with a CVSS score of 9.1] and one in a graphical user interface for ChatGPT called Chuanhu Chat. The October vulnerability report also includes 18 high-severity flaws ranging from denial-of-service to remote code execution... Protect AI's report also highlights vulnerabilities in LocalAI, a platform for running AI models locally on consumer-grade hardware, LoLLMs, a web UI for various AI systems, LangChain.js, a framework for developing language model applications, and more.

In the article, Protect AI's security researchers point out that these open-source tools are "downloaded thousands of times a month to build enterprise AI Systems."

The three critical vulnerabilities have already been addressed by their respective companies, according to the article.
