Security

Apple Sends Spyware Victims To Nonprofit Security Lab 'Access Now' (techcrunch.com) 14

Since 2021, Apple has been sending threat notifications to certain users, informing them that they may have been individually targeted by mercenary spyware attacks. When victims of spyware reach out to Apple for help, TechCrunch reports, "Apple doesn't tell the targets to get in touch with its own security engineers." Instead, Apple directs them to the nonprofit security lab Access Now, "which runs a digital helpline for people in civil society who suspect they have been targets of government spyware."

While some view this as Apple sidestepping responsibility, cybersecurity experts agree that Apple's approach -- alerting victims, directing them to specialized support, and recommending tools like Lockdown Mode -- has been a game changer in combating mercenary spyware threats. From the report: For people who investigate spyware, Apple sharing spyware notifications with victims represented a turning point. Before the notifications, "We were just like in the dark, not knowing who to check," according to Access Now's legal counsel Natalia Krapiva. "I think it's one of the greatest things that's happened in the sphere of this kind of forensic investigations and hunting of sophisticated spyware," Krapiva told TechCrunch.

Now, when someone or a group of people get a notification from Apple, they are warned that something potentially anomalous is happening with their device, that someone is targeting them, and that they need to get help. And Apple tells them exactly where to get it, according to Scott-Railton, who said Access Now's helpline is the right place to go because "the helpline is able to do good, systematic triage work and support." Krapiva said that the helpline is staffed by more than 30 people, supported by others who work in other departments of the nonprofit. So far in 2024, Krapiva said Access Now received 4,337 tickets through the helpline.

For anyone alerted by a notification, Apple tells those targets and victims of spyware to update their iOS software and all their apps. Apple also suggests the user switches on Lockdown Mode, an opt-in iOS security feature that has stopped spyware attacks in the past by limiting device features that are often exploited to plant spyware. Apple said last year that it is not aware of any successful spyware infection against someone who used Lockdown Mode.

Crime

Justice Department Unveils Charges Against Alleged LockBit Developer 4

The U.S. Department of Justice has charged Russian-Israeli national, Rostislav Panev, for his alleged role as a developer in the LockBit ransomware group, accused of designing malware and maintaining infrastructure for attacks that extorted over $500 million and caused billions in global damages. CyberScoop reports: The arrest is part of a broader campaign by international law enforcement agencies to dismantle LockBit. In February, a coordinated operation led by the U.K.'s National Crime Agency in cooperation with the FBI and the U.S. Justice Department disrupted LockBit's infrastructure, seizing websites and servers critical to its operations. These efforts significantly curtailed the group's ability to launch further attacks and extort victims.

Panev is one of several individuals charged in connection with LockBit. Alongside him, other key figures have been indicted, including Dmitry Khoroshev, alleged to be "LockBitSupp," the group's primary creator and administrator. Khoroshev, still at large, is accused of developing the ransomware and coordinating attacks on an international scale. The State Department has offered a reward of up to $10 million for his capture.

Meanwhile, numerous members linked to LockBit remain fugitives, such as Russian nationals Artur Sungatov and Ivan Kondratyev, each facing charges for deploying ransomware against multiple industries globally. Mikhail Matveev, another alleged LockBit affiliate, is also at large, with a $10 million reward for his capture. Matveev was recently charged with computer crimes in Russia.
You can read the full criminal complaint against Panev here (PDF).

IT

Japanese Firm's USB-C Cable Rotates 360 Degrees (tomshardware.com) 28

Japanese electronics manufacturer Sanwa Supply has launched a rotating USB-C cable capable of 240W power delivery but, sadly, only USB 2.0 transfer speeds, Tom's Hardware reports. The $16 cable features a 360-degree rotating connector and is available in 1-meter and 1.8-meter lengths, with both USB-C to USB-C and USB-A to USB-C options, the report adds.

Communications

Feds Warn SMS Authentication Is Unsafe (gizmodo.com) 88

An anonymous reader quotes a report from Gizmodo: Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of the unencrypted communications of a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive that they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a new warning (PDF) about text messages.

"Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets.
The telecommunications hack mentioned above has been called the "worst hack in our nation's history," according to Sen. Mark Warner (D-VA).

Microsoft

Microsoft Won't Let Customers Opt Out of Passkey Push (theregister.com) 203

Microsoft has lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success. From a report: The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations -- sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a blog post. The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

Security

Hackers Can Jailbreak Digital License Plates To Make Others Pay Their Tolls, Tickets (wired.com) 72

Longtime Slashdot reader sinij shares a report from Wired with the caption: "This story will be an ongoing payday for traffic ticket lawyers. I am ordering one now." From the report: Digital license plates, already legal to buy in a growing number of states and to drive with nationwide, offer a few perks over their sheet metal predecessors. You can change their display on the fly to frame your plate number with novelty messages, for instance, or to flag that your car has been stolen. Now one security researcher has shown how they can also be hacked to enable a less benign feature: changing a car's license plate number at will to avoid traffic tickets and tolls -- or even pin them on someone else.

Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to "jailbreak" digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he's able to rewrite a Reviver plate's firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image. That susceptibility to jailbreaking, Rodriguez points out, could let drivers with the license plates evade any system that depends on license plate numbers for enforcement or surveillance, from tolls to speeding and parking tickets to automatic license plate readers that police use to track criminal suspects. "You can put whatever you want on the screen, which users are not supposed to be able to do," says Rodriguez. "Imagine you are going through a speed camera or if you are a criminal and you don't want to get caught."

Worse still, Rodriguez points out that a jailbroken license plate can be changed not just to an arbitrary number but also to the number of another vehicle -- whose driver would then receive the malicious user's tickets and toll bills. "If you can change the license plate number whenever you want, you can cause some real problems," Rodriguez says. All traffic-related mischief aside, Rodriguez also notes that jailbreaking the plates could allow drivers to use the plates' features without paying Reviver's $29.99 monthly subscription fee. Because the vulnerability that allowed him to rewrite the plates' firmware exists at the hardware level -- in Reviver's chips themselves -- Rodriguez says there's no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display. That means the company's license plates are very likely to remain vulnerable despite Rodriguez's warning -- a fact, Rodriguez says, that transport policymakers and law enforcement should be aware of as digital license plates roll out across the country. "It's a big problem because now you have thousands of licensed plates with this issue, and you would need to change the hardware to fix it," he says.

Security

Tracker Firm Hapn Spilling Names of Thousands of GPS Tracking Customers (techcrunch.com) 14

An anonymous reader quotes a report from TechCrunch: GPS tracking firm Hapn is exposing the names of thousands of its customers due to a website bug, TechCrunch has learned. A security researcher alerted TechCrunch in late November to customer names and affiliations -- such as the name of their workplace -- spilling from one of Hapn's servers, which TechCrunch has seen.

Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. Spytec touts its GPS devices for tracking the locations of valuable possessions and "loved ones." According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.

The bug allows anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser. The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data does not include location data, but thousands of records contain the names and business affiliations of customers who own, or are tracked by, the GPS trackers.

Encryption

Australia Moves To Drop Some Cryptography By 2030 (theregister.com) 31

An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.

The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.

Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."

Security

Bluesky Has an Extortion Problem (tedium.co) 36

A cybersquatting scheme targeting prominent writers and entrepreneurs has exposed flaws in Bluesky's domain-based verification system, newsletter Tedium reports, citing users.

Bloomberg columnist Conor Sen reported receiving an extortion attempt this week when an anonymous user who had purchased his namesake domain demanded payment to transfer ownership. The episode has unraveled wider revelations of similar attacks targeting at least five other well-known users, including political blogger Matt Yglesias and The Hustle founder Sam Parr.

The platform's moderation team initially banned Parr's legitimate account while leaving the impersonator active, Sen told Tedium. The fake account was only removed after users escalated the issue to senior Bluesky staff.

AI

Microsoft Acquires Twice as Many Nvidia AI Chips as Tech Rivals (ft.com) 12

Microsoft bought twice as many of Nvidia's flagship chips as any of its largest rivals in the US and China this year, as OpenAI's biggest investor accelerated its investment in artificial intelligence infrastructure. From a report: Analysts at Omdia, a technology consultancy, estimate that Microsoft bought 485,000 of Nvidia's "Hopper" chips this year. That put Microsoft far ahead of Nvidia's next biggest US customer Meta, which bought 224,000 Hopper chips, as well as its cloud computing rivals Amazon and Google.

With demand outstripping supply of Nvidia's most advanced graphics processing units for much of the past two years, Microsoft's chip hoard has given it an edge in the race to build the next generation of AI systems. This year, Big Tech companies have spent tens of billions of dollars on data centres running Nvidia's latest chips, which have become the hottest commodity in Silicon Valley since the debut of ChatGPT two years ago kick-started an unprecedented surge of investment in AI.

China

Chinese Hacker Singlehandedly Responsible For Exploiting 81,000 Sophos Firewalls, DOJ Says (cybernews.com) 16

An anonymous reader shares a report: A Chinese hacker indicted earlier this month and the PRC-based cybersecurity company he worked for are both sanctioned by the US government for compromising "tens of thousands of firewalls" -- some protecting US critical infrastructure, putting human lives at risk.

In a series of coordinated actions, the US Treasury Department's Office of Foreign Assets Control (OFAC), the Department of Justice (DoJ), and the FBI said the massive cyber espionage campaign, which compromised at least 36 firewalls protecting US critical infrastructure, posed significant risks to national security.

A federal court in Indiana earlier this month unsealed an indictment charging 30-year-old Guan Tianfeng (Guan) with conspiracy to commit computer and wire fraud by hacking into firewall devices worldwide, including one "used by an agency of the United States." Guan, employed by the Chinese cybersecurity firm Sichuan Silence -- a known contractor for Beijing intelligence -- was alleged to have discovered a zero-day vulnerability in firewall products manufactured by UK cybersecurity firm Sophos.

Data Storage

Seagate's Breakthrough 32TB HAMR Hard Drives Are Finally Here (tomshardware.com) 79

Seagate has launched its first mass-produced hard drives using heat-assisted magnetic recording (HAMR) technology, introducing 32TB and 30TB models under the Exos M brand. The drives, based on Seagate's Mozaic 3+ platform, mark the company's commercial breakthrough in HAMR technology after 16 years of development. Compatible with existing systems, the 32TB model uses shingled magnetic recording, while the 30TB version employs conventional magnetic recording.

IT

Framework Unveils $39 Storage Expansion Module (theverge.com) 6

Framework has announced a $39 Dual M.2 Adapter for its Laptop 16, enabling users to add two additional M.2 slots to the laptop's expansion bay. The new component allows for up to 26TB of total storage when combined with the laptop's existing SSD slots, supporting various M.2 form factors with PCIe 4.0 connectivity.

The company also replaced the Laptop 16's liquid metal cooling system with Honeywell PTM7958 thermal paste to address performance concerns. Framework will provide the new thermal solution to existing customers upon request. The adapter marks Framework's first modular expansion component for the Laptop 16 since its launch, complementing the optional Radeon RX 7700S graphics card offering.

Privacy

Hackers Hit Rhode Island Benefits System In Major Cyberattack (apnews.com) 29

A cyberattack on Rhode Island's RIBridges system has exposed personal data of individuals involved in programs like Medicaid, SNAP, and others, with hackers demanding a ransom. The breach may include sensitive details like Social Security numbers and banking information. The Associated Press reports: Anyone who has been involved in Medicaid, the Supplemental Nutrition Assistance Program known as SNAP, Temporary Assistance for Needy Families, Childcare Assistance Program, Rhode Island Works, Long-term Services and Supports, the At HOME Cost Share Program and health insurance purchased through HealthSource RI may be impacted, McKee said Saturday.

The system known as RIBridges was taken offline on Friday, after the state was informed by its vendor, Deloitte, that there was a major security threat to the system. The vendor confirmed that "there is a high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges," the state said. The state has contracted with Experian to run a toll-free hotline for Rhode Islanders to call to get information about the breach and how they can protect their data.

IT

To Log Into WordPress, You Now Have To Agree Pineapple on Pizza Is Good (404media.co) 119

WordPress co-founder and CEO of Automattic Matt Mullenweg is trolling contributors and users of the WordPress open-source project by requiring them to check a box that says "Pineapple is delicious on pizza." From a report: The change was spotted by WordPress contributors late Sunday, and is still up as of Monday morning. Trying to log in or create a new account without checking the box returns a "please try again" error.

Last week, as part of the ongoing legal battle between WP Engine and Automattic, the company that owns WordPress.com, a judge ordered Mullenweg to remove a controversial login checkbox from WordPress.org that required users to pledge that they were not affiliated with WP Engine before logging in.

IT

Study Finds Most Fulfilling Jobs: Self-Employment, Government Work, Managing, and Social Service (seattletimes.com) 83

"Envy the lumberjacks, for they perform the happiest, most meaningful work on earth," the Washington Post wrote almost two years ago, after analyzing more than 13,000 journals from the U.S. Bureau of Labor Statistics' time-use survey. (For the first time the surveys asked how workers felt during the day.) And outdoor forestry jobs "look awesome by that metric, dangerous as they often are in the long run," the Post wrote in a recent follow-up.

But is that really the right metric? "Readers kept reminding us that there's more to a fulfilling job than how happy you are while doing it." What about those wanting jobs where they're meaningfully impacting the world? We didn't have a stellar way to measure other feelings about work, but we kept our eye on an often-overlooked federal data provider: AmeriCorps. The independent agency, which CEO Michael D. Smith described to us as "bite-sized" but "punching well above our weight," funds the Civic Engagement and Volunteering Supplement, part of the Census Bureau's Current Population Survey... In 2021 and again in 2023, the researchers behind the CEV asked if you agree or disagree with these four statements:

- I am proud to be working for my employer.
- My main satisfaction in life comes from work.
- My workplace contributes to the community.
- I contribute to the community through my work....
The workers most likely to say they're proud to be working for their employer and that they gain satisfaction from work are — surprise! — the self-employed. The self-employed who are incorporated — a group that often includes small-business owners — are almost twice as likely as private-sector, for-profit workers to strongly profess pride in their employer.

Government and nonprofit workers fall somewhere in the middle on those questions. But they rank at the very top on "My workplace contributes to the community" and "I contribute to the community through my work." Local government workers, who include teachers, take the top spot for strong agreement on both, followed by nonprofit workers. Private-sector, for-profit workers once again lag behind. The jobs that do worse on these measures tend to be in manufacturing or other blue-collar production and extraction jobs, or at the lower-paid end of the service sector. Folks in food services (e.g., bartenders and food prep), janitorial roles and landscaping, and personal services (e.g., barbershops, laundry and hotels) all struggle to find greater meaning in their work. Though some better-paid service jobs also struggle by some measures — think sales, engineering or software development.

On the questions regarding pride in your employer and life satisfaction, we see managers and our old friends in agriculture and forestry take the top spots. But right behind them — and actually in the lead in the other question — lurks the real standout, a set of jobs we'd classify as "care and social services." That includes, most notably, religious workers. Looking a bit deeper at about 100 occupations for which we have detailed data, we see clergy were most likely to strongly agree on every question.

Other observations from the article:
  • "As a rule, you feel better about your job as you get older. Presumably, it's some mix of people who love their work delaying retirement, people job-hopping until they find meaningful employment, and people learning to love whatever hand they've been dealt."
  • "Most measures of satisfaction also rise with education, often quite sharply. Someone with a graduate degree is twice as likely as a high school dropout to strongly agree their workplace contributes to the community."
  • But... "More-educated folks are actually a bit less likely to strongly agree that work is their main satisfaction in life."

Encryption

Let's Encrypt Announces New-Certificate-Every-6-Days Offering (letsencrypt.org) 60

The non-profit, free certificate authority Let's Encrypt shared some news from their executive director as they approach their 10th anniversary in 2025: Internally things have changed dramatically from what they looked like ten years ago, but outwardly our service hasn't changed much since launch. That's because the vision we had for how best to do our job remains as powerful today as it ever was: free 90-day TLS certificates via an automated API. Pretty much as many as you need. More than 500,000,000 websites benefit from this offering today, and the vast majority of the web is encrypted.

Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before — short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

Because we've done so much to encourage automation over the past decade, most of our subscribers aren't going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It's not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day. That sounds sort of nuts to me today, but issuing 5,000,000 certificates per day would have sounded crazy to me ten years ago... It was hard to build Let's Encrypt. It was difficult to scale it to serve half a billion websites...

Charitable contributions from people like you and organizations around the world make this stuff possible. Since 2015, tens of thousands of people have donated. They've made a case for corporate sponsorship, given through their Donor-Advised Funds, or set up recurring donations, sometimes to give $3 a month. That's all added up to millions of dollars that we've used to change the Internet for nearly everyone using it.

Thanks to long-time Slashdot reader rastos1 for sharing the news.

Encryption

Was the US Telecom Breach Inevitable, Proving Backdoors Can't Be Secure? (theintercept.com) 76

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecom breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.

Thanks to Slashdot reader mspohr for sharing the article.

Security

Yearlong Supply-Chain Attack Targeting Security Pros Steals 390,000 Credentials (arstechnica.com) 8

An anonymous reader quotes a report from Ars Technica: A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."

Privacy

UnitedHealthcare's Optum Left an AI Chatbot, Used By Employees To Ask Questions About Claims, Exposed To the Internet (techcrunch.com) 22

Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser. TechCrunch: The chatbot, which TechCrunch has seen, allowed employees to ask the company questions about how to handle patient health insurance claims and disputes for members in line with the company's standard operating procedures (SOPs).

While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealthcare, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors' medical decisions and deny patient claims.

Mossab Hussein, chief security officer and co-founder of cybersecurity firm spiderSilk, alerted TechCrunch to the publicly exposed internal Optum chatbot, dubbed "SOP Chatbot." Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.