United Kingdom

British Museum Forced To Partly Close After Alleged IT Attack By Former Employee (theguardian.com)

The British Museum was partly closed after a dismissed IT contractor trespassed, shutting down systems including its ticketing platform. The move disrupted operations and forced the closure of temporary exhibitions. The Guardian reports: While the museum will remain open this weekend, only a handful of ticket holders will be able to access its paid-for exhibitions, such as its Silk Roads show, because the IT system that manages bookings has been rendered unusable. The incident caused chaos in the middle of a busy Friday afternoon and is the latest security issue to blight the institution. A statement on the museum's website on Friday said that "due to an IT infrastructure issue some galleries have had to be closed. Please note that this means capacity will be limited, and priority will be given to members and pre-booked ticket holders. Currently our exhibitions remain closed."
Security

FBI: North Korean IT Workers Steal Source Code To Extort Employers (bleepingcomputer.com)

The FBI warned this week that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them. From a report: The security service alerted public and private sector organizations in the United States and worldwide that North Korea's IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers' networks. "North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code," the FBI said.

"North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities." To mitigate these risks, the FBI advised companies to apply the principle of least privilege by disabling local administrator accounts and limiting permissions for remote desktop applications. Organizations should also monitor for unusual network traffic, especially remote connections since North Korean IT personnel often log into the same account from various IP addresses over a short period of time.
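The monitoring advice above (one account authenticating from several IP addresses in a short period) can be turned into a simple detection rule. The code below is an added example, not from the FBI notice or the article; the log format and every log line in it are constructed for the demo, and the 30-minute window and three-address threshold are assumptions to tune per environment.

```python
"""Added example (not from the FBI advisory or the article): flag accounts that
authenticate successfully from several distinct source IPs inside a short
window, the pattern the FBI notice describes. All log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample in a generic "timestamp LOGIN user= src= result=" shape.
SAMPLE_LOG = """\
2025-01-23T09:00:12Z LOGIN user=jdoe src=203.0.113.10 result=success
2025-01-23T09:04:51Z LOGIN user=jdoe src=198.51.100.7 result=success
2025-01-23T09:09:30Z LOGIN user=jdoe src=192.0.2.200 result=success
2025-01-23T09:15:02Z LOGIN user=asmith src=203.0.113.44 result=success
2025-01-23T11:40:00Z LOGIN user=asmith src=203.0.113.44 result=success
2025-01-23T13:02:17Z LOGIN user=jdoe src=203.0.113.10 result=success
2025-01-23T13:05:59Z LOGIN user=jdoe src=198.51.100.7 result=failure
"""

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")


def parse_log(text):
    """Return (timestamp, user, ip) tuples for successful logins only;
    failures and unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "success":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_multi_ip_accounts(events, window=timedelta(minutes=30), min_ips=3):
    """Return {user: sorted IPs} for accounts that logged in from at least
    `min_ips` distinct addresses within any span no longer than `window`."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological order per account
        start = 0
        for end in range(len(logins)):
            # Shrink the window from the left until it fits inside `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    hits = find_multi_ip_accounts(parse_log(SAMPLE_LOG))
    for user, ips in hits.items():
        print(f"ALERT {user}: {len(ips)} source IPs within 30 min: {', '.join(ips)}")
```

In the constructed sample only `jdoe` trips the rule (three addresses in nine minutes); the later pair of `jdoe` logins does not, because one of them failed.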

Security

Backdoor Infecting VPNs Used 'Magic Packets' For Stealth and Security (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can't be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what's known in the business as a "magic packet." On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Networks' Junos OS has been doing just that. J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it relays a challenge to the device that sent it. The challenge comes in the form of a string of text that's encrypted using the public portion of an RSA key. The initiating party must then respond with the corresponding plaintext, proving it has access to the secret key.

The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumen Technologies' Black Lotus Labs to sit up and take notice. "While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years," the researchers wrote. "The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent makes this an interesting confluence of tradecraft worthy of further observation." The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don't know how the backdoor got installed.

China

DHS Terminates All Its Advisory Committees, Ending Its Investigation Into Chinese Telecom Hack (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The Department of Homeland Security has terminated all members of advisory committees, including one that has been investigating a major Chinese hack of large US telecom firms. "The Cyber Safety Review Board -- a Department of Homeland Security investigatory body stood up under a Biden-era cybersecurity executive order to probe major cybersecurity incidents -- has been cleared of non-government members as part of a DHS-wide push to cut costs under the Trump administration, according to three people familiar with the matter," NextGov/FCW reported yesterday.

A memo sent Monday by DHS Acting Secretary Benjamine Huffman said that in order to "eliminat[e] the misuse of resources and ensur[e] that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately. Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities." The memo said advisory board members terminated this week "are welcome to reapply." The Cyber Safety Review Board's list of members included security experts from the private sector and lead cybersecurity officials from multiple government agencies.
"The CSRB was 'less than halfway' done with its Salt Typhoon investigation, according to a now-former member," wrote freelance cybersecurity reporter Eric Geller, who quoted an anonymous source as saying the Cyber Safety Review Board's review of Salt Typhoon is "dead." The former member was also quoted as saying, "There are still professional staff for the CSRB and I hope they will continue some of the work in the interim."

The Cyber Safety Review Board operates under the DHS's Cybersecurity and Infrastructure Security Agency (CISA), notes Ars. The review board previously investigated a 2023 hack of Microsoft Exchange Online and more recently has been investigating how the Chinese hacking group called Salt Typhoon infiltrated major telecom providers such as Verizon and AT&T.
Security

Mastercard DNS Error Went Unnoticed for Years (krebsonsecurity.com)

A security researcher discovered and fixed a critical DNS misconfiguration in Mastercard's systems that persisted undetected for nearly five years, potentially exposing the credit card giant to traffic interception risks.

Philippe Caturegli, founder of security firm Seralys, found that one of Mastercard's five DNS servers incorrectly pointed to "akam.ne" instead of "akam.net" from June 2020 to January 2025. He spent $300 to register the domain through Niger's domain authority to prevent potential exploitation. Mastercard said the typo has been corrected, insisting there was "not a risk to our systems."
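A typo of this kind (one of several NS records under a look-alike parent domain) is easy to catch once a zone's NS set is compared against itself. The check below is an added example, not from the article or from Seralys; the name server hostnames are constructed to mirror the described "akam.ne" versus "akam.net" mix-up, and a live check would feed in the NS records returned by `dig NS <zone>`.

```python
"""Added example (not from the article or Seralys): flag NS hostnames whose
parent domain is a near-miss of a parent that is more common in the same
NS set, e.g. "akam.ne" beside four "akam.net" servers. Hostnames are constructed."""
from collections import Counter


def parent_domain(host):
    """Drop the leftmost label: 'a1-12.akam.net.' -> 'akam.net'."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else ".".join(labels)


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalike_ns(ns_hosts, max_distance=1):
    """Return (suspect_host, suspect_parent, majority_parent) triples for NS
    hostnames whose parent domain is within `max_distance` edits of a parent
    domain that appears more often in the same NS set."""
    parents = Counter(parent_domain(h) for h in ns_hosts)
    findings = []
    for host in ns_hosts:
        p = parent_domain(host)
        for other, count in parents.items():
            if other == p or count <= parents[p]:
                continue  # only compare against a *more* common parent
            if edit_distance(p, other) <= max_distance:
                findings.append((host, p, other))
    return findings


# Constructed NS set modelled on the described typo; hostnames are made up.
CONSTRUCTED_NS = [
    "a1-12.akam.net.",
    "a7-64.akam.net.",
    "a22-65.akam.net.",
    "a11-67.akam.ne.",
    "a9-66.akam.net.",
]

if __name__ == "__main__":
    for host, bad, good in find_lookalike_ns(CONSTRUCTED_NS):
        print(f"SUSPECT {host}: parent {bad!r} looks like {good!r}")
```

A parent domain that is unresolvable, or whose TLD differs from its siblings, is worth a second check even when the edit distance is larger than one.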
Security

DDoS Attacks Soar 53% To 21.3 Million, Cloudflare Reports

Cloudflare blocked 21.3 million DDoS attacks in 2024, including a record-breaking 5.6 terabit-per-second strike that targeted an Asian internet service provider last October. The yearly total marked a 53% increase from 2023.

The 80-second October attack, which originated from over 13,000 compromised Internet of Things devices running a Mirai malware variant, highlighted an alarming trend: hyper-volumetric attacks exceeding 1 terabit per second grew by 1,885% in the fourth quarter compared to the previous quarter. Ransom DDoS attacks, where criminals threatened organizations with service disruptions unless paid, rose 78% in the same period.
AI

Managing AI Agents As Employees Is the Challenge of 2025, Says Goldman Sachs CIO (zdnet.com)

An anonymous reader quotes a report from ZDNet: This year, artificial intelligence will be dominated by the maturation of AI code as corporate "workers" that can take over corporate processes and be managed just like employees, according to a year-outlook blog post disseminated by investment bank Goldman Sachs featuring its chief information officer, Marco Argenti. "The capabilities of AI models to plan and execute complex, long-running tasks on humans' behalf will begin to mature," writes Argenti. "This will create the conditions for companies to eventually 'employ' and train AI workers to be part of hybrid teams of humans and AIs working together."

"There's a great opportunity for capital to move towards the application layer, the toolset layer," says Goldman Sachs CIO Marco Argenti. "I think we will see that shift happening, most likely as early as next year." Argenti predicts that corporate HR offices will have to manage "human and machine resources," and there may even be AI "layoffs" as programs are replaced by more highly capable versions. [...]

Among other predictions offered by Argenti is that the most-capable AI models will be like PhD graduates -- so-called expert AI systems that have "industry-specific knowledge" for finance, medicine, etc. [...] "The intersection of LLMs and robotics will increasingly bring AI into, and enable it to experience, the physical world, which will help enable reasoning capabilities for AI," he writes. Argenti sees "responsible AI" increasing in importance as a board-room priority in 2025, and, in something of a repeat of last year's predictions, he expects that the largest generative AI models -- the "frontier" models of OpenAI and others -- will become the province of only a handful of institutions with budgets large enough to pursue their enormous training costs. That is the "Formula One" version of AI, where the "engines" of AI are made by a handful of powerful providers. Everyone else will work on smaller-model development, Argenti predicts.
Further reading: Nvidia's Huang Says That IT Will 'Become the HR of AI Agents'
IT

VMware Migrations Will Be Long, Expensive, and Risky, Warns Gartner (theregister.com)

Migrating from VMware's virtualization platform could take up to four years and cost organizations between $300 and $3,000 per virtual machine, Gartner has warned in a new report. Companies running 2,000 or more virtual machines will need up to 10 full-time staff for initial assessment and another six employees for a nine-month technical evaluation, according to Gartner.
Security

HPE Investigating Breach Claims After Hacker Offers To Sell Data (securityweek.com)

The notorious hacker IntelBroker claims to have stolen data from HPE systems, including source code, private repositories, digital certificates, and access to certain services. SecurityWeek reports: The compromised data allegedly includes source code for products such as Zerto and iLO, private GitHub repositories, digital certificates, Docker builds, and even some personal information that the hacker described as "old user PII for deliveries." IntelBroker is also offering access to some services used by HPE, including APIs, WePay, GitHub and GitLab. Contacted by SecurityWeek, HPE said it's aware of the breach claims and is conducting an investigation.

"HPE became aware on January 16 of claims being made by a group called IntelBroker that it was in possession of information belonging to HPE. HPE immediately activated our cyber response protocols, disabled related credentials, and launched an investigation to evaluate the validity of the claims," said HPE spokesperson Adam R. Bauer. "There is no operational impact to our business at this time, nor evidence that customer information is involved," Bauer added.

Security

Employees of Failed Startups Are at Special Risk of Stolen Personal Data Through Old Google Logins (techcrunch.com)

Hackers could steal sensitive personal data from former startup employees by exploiting abandoned company domains and Google login systems, security researcher Dylan Ayrey revealed at ShmooCon conference. The vulnerability particularly affects startups that relied on "Sign in with Google" features for their business software.

Ayrey, CEO of Truffle Security, demonstrated the flaw by purchasing one failed startup's domain and accessing ChatGPT, Slack, Notion, Zoom and an HR system containing Social Security numbers. His research found 116,000 website domains from failed tech startups currently available for sale. While Google offers preventive measures through its OAuth "sub-identifier" system, some providers avoid it due to reliability concerns - which Google disputes. The company initially dismissed Ayrey's finding as a fraud issue before reversing course and awarding him a $1,337 bounty. Google has since updated its documentation but hasn't implemented a technical fix, TechCrunch reports.
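The "sub-identifier" mitigation mentioned above comes down to which claim a relying party uses to look up an account. The code below is an added example, not from the talk, from Truffle Security or from Google; the token claims are constructed dicts, signature and issuer validation are assumed to have been done already by an OIDC library, and the scenario assumes that an account re-created under a re-registered domain receives a different `sub` than the original employee's account did.

```python
"""Added example (not from the talk or from Google): key accounts on the
stable OIDC `sub` claim rather than the email address, so a later owner of a
lapsed company domain who re-creates the same addresses does not inherit the
former employee's account. Claims are constructed; tokens are assumed verified."""


class AccountStore:
    """Minimal in-memory account store for the demo."""

    def __init__(self):
        self.by_sub = {}
        self.by_email = {}  # kept only to show why an email lookup is unsafe

    def provision(self, sub, email):
        acct = {"sub": sub, "email": email, "records": []}
        self.by_sub[sub] = acct
        self.by_email[email] = acct
        return acct


def login_by_email(store, claims):
    """Weak pattern: match on the email claim. A re-created address with the
    same string inherits whatever the old account held."""
    return store.by_email.get(claims["email"])


def login_by_sub(store, claims):
    """Hardened pattern: match on `sub`. An unknown `sub` gets a fresh, empty
    account even if the email string was seen before."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("ID token without sub claim")
    acct = store.by_sub.get(sub)
    if acct is None:
        acct = store.provision(sub, claims["email"])
    return acct


def run_scenario():
    """Constructed scenario: an old employee's account holds a sensitive
    record; the new domain owner logs in with the same email but a new sub.
    Returns (records seen via email lookup, records seen via sub lookup)."""
    store = AccountStore()
    old = store.provision("1001", "alice@failedstartup.example")
    old["records"].append("hr-file-with-ssn")
    # Constructed token claims for the re-created account under the bought domain.
    new_owner_claims = {"sub": "2002", "email": "alice@failedstartup.example"}
    via_email = login_by_email(store, new_owner_claims)
    via_sub = login_by_sub(store, new_owner_claims)
    return via_email["records"], via_sub["records"]


if __name__ == "__main__":
    leaked, clean = run_scenario()
    print("email lookup exposes:", leaked)
    print("sub lookup exposes:  ", clean)
```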
IT

Canon's New Livestreaming App Doesn't Support Canon Cameras (engadget.com)

Canon has launched a new iOS livestreaming app that allows users to switch between three camera views -- but initially excludes support for Canon cameras. The "Live Switcher Mobile" app, compatible only with Apple devices, offers automated camera switching and streaming to platforms including YouTube, Twitch, and Facebook through the RTMP protocol.

The free version supports 720p resolution with ads and watermarks, while an $18 monthly subscription unlocks 1080p quality and additional features. Canon plans to add support for its cameras in future updates, it says.

Further reading: Canon Draws Fire for Charging Subscription Fee To Use Cameras as Webcams.
Encryption

Europol Chief Says Big Tech Has 'Responsibility' To Unlock Encrypted Messages (ft.com)

Technology giants must do more to co-operate with law enforcement on encryption or they risk threatening European democracy, according to the head of Europol, as the agency gears up to renew pressure on companies at the World Economic Forum in Davos this week. From a report: Catherine De Bolle told the Financial Times she will meet Big Tech groups in the Swiss mountain resort to discuss the matter, claiming that companies had a "social responsibility" to give the police access to encrypted messages that are used by criminals to remain anonymous. "Anonymity is not a fundamental right," said the EU law enforcement agency's executive director.

"When we have a search warrant and we are in front of a house and the door is locked, and you know that the criminal is inside of the house, the population will not accept that you cannot enter." In a digital environment, the police needed to be able to decode these messages to fight crime, she added. "You will not be able to enforce democracy [without it]."

IT

After Forced Return-to-Office, Some Amazon Workers Find Not Enough Desks, No Parking (nypost.com)

Amazon has angered its workers again "after forcing them to return to the office five days a week," reports the New York Post. The problem? "Not enough desks for everyone." (As well as "packed parking lots" that are turning some workers away.)

The Post cites interviews conducted with seven Amazon employees by Business Insider (which notes that in mid-December Amazon had already delayed full return-to-office at dozens of locations, sometimes until as late as May, because of office-capacity issues).

Here in mid-January, the Post writes, many returning-to-office workers still aren't happy: Some meeting rooms have not had enough chairs — and there also have not been enough meeting rooms for everyone, one worker told the publication... [S]imply reaching the office is a challenge in itself, according to the report. Some complained they were turned away from company parking lots that were full, while others griped about having to join meetings from the road due to excess traffic on their way to the office, according to the Slack messages. Once staffers conquer the challenges of reaching the office and finding a desk, some lamented the lack of in-person discussions since many of the meetings remain virtual, according to BI.
Amazon acknowledged it had offices that were "not quite ready" to "welcome everyone back a full five days a week," according to the Post, though Amazon believed the number of not-quite-ready offices was "relatively small".

But the parking lot situation may continue. Business Insider says one employee from Amazon's Nashville office "said the wait time for a company parking pass was backed up for months." (Although another Nashville staffer said Amazon was handing out passes for them to take mass-transit for free, which they'd described as "incredibly generous.")

There are also Amazon shuttle buses, according to the article. Although other staffers "said they were denied a spot on Amazon shuttle buses because the vehicles were full..." Others said they just drove back home, while some staffers found street parking nearby, according to multiple Slack messages seen by Business Insider...

This month, some employees were still questioning the logic behind the policy. They said being in the office has had little effect on their work routine and has not generated much of a productivity gain. A considerable portion of their in-office work is still being done through video calls with customers who are elsewhere, these employees told BI. Many Amazon colleagues are at other office locations, so face-to-face meetings still don't happen very often, they added.

The Post adds another drawback of returning to the office. "Employees at Amazon's Toronto office said their personal belongings have repeatedly been stolen from their desks."
Google

Google Upgrades Open Source Vulnerability Scanning Tool with SCA Scanning Library (googleblog.com)

In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:
  • Software composition analysis for installed packages, standalone binaries, as well as source code
  • OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
  • Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
  • Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
  • Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats
  • Optimization for on-host scanning of resource constrained environments where performance and low resource consumption are critical"

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."

IT

Are 'Career Catfishers' Justified In Not Showing Up for Work? (fortune.com)

Fortune reports 18% of workers have engaged in "career catfishing" — getting a job offer, but then refusing to show up on the first day of work.

And when someone posted Fortune's article to Reddit's antiwork subreddit, it drew 2,100 upvotes -- and another 84 comments. ("I love doing this...! This feels really great to do after a company has jerked you around, and basically said that several other people were in line ahead of you... after five interviews.")

But Fortune reports there are other sources of frustration: At the moment, Gen Z is contending with an onerous battle to land an entry-level, full-time role. The class of 2025 is set to apply to more jobs than the graduating class prior, already submitting 24% more applications on average this past summer than seniors did last year. Furthermore, the class of 2024 applied to 64% more jobs than the cohort before them, according to job platform Handshake. To make matters all the more bleak, the number of job listings has dwindled from 2023 levels, generating deeper frenzy and more intense competition for the roles listed.

That adds up to a hiring managers' market and senior executives are playing hardball; only 12% of mid-level executives think entry-level workers are prepared to join the workforce, per a report from technology education provider General Assembly. About one in four say they wouldn't hire today's entry-level employees. Yet, that's not really the point of entry-level roles, points out Jourdan Hathaway, General Assembly's chief business officer. By definition, it's a position that requires investment in a young adult, she explained. "The entry-level employee pipeline is broken," Hathaway wrote in a statement. "Companies must rethink how they source, train, and onboard employees."

The especially competitive hiring landscape could be forcing Gen Zers to accept the first gig they can get because the job market is so dire — only to later regret it and not show up the first day.

The article also acknowledges that "employers themselves have a role in the two-way communication — or lack thereof — between hire and hirer." Almost 80% of hiring managers admitted they've stopped responding to candidates during the application process, according to a survey of 625 hiring managers from Resume Genius.

Gen Zers say that their ghosting is in reaction to the company's behavior. More than a third of applicants who have purposefully dropped the ball say it was because a recruiter was rude to them or misled them about a position, according to Monster... In part, it's likely AI that's fueling said ghosting. AI has become more integrated into the hiring process, becoming a screener that rejects resumes without ever reaching a human person's eyes. That phenomenon possibly fuels both sides' tendency to be non-responsive...

IT

WSJ Reports 'The Balance of Power is Shifting Back to Bosses' (msn.com)

The ratio of vacant U.S. jobs to jobless workers "has fallen from a record of 2 in 2022 to 1.1 in November," reports the Wall Street Journal — which adds that "the balance of power between employers and employees has shifted as the labor market has gone from white-hot to merely solid."

JP Morgan's five-days-a-week return-to-office mandate was only the beginning, with big companies like Amazon and Dell "tightening remote-work policies, shrinking travel budgets and cutting back on benefits... Companies are slashing perks such as college-tuition assistance and time off for a sick pet..." 76% of [U.S.] job growth in the past year has been in healthcare and education, leisure and hospitality, and government. In fields such as finance, information, and professional and business services, job growth has been far weaker. While a shift in leverage to employers might have shown up in layoffs or wage cuts in the past, now it is more subtle, often in changes to working conditions. For example, knowing that some workers will quit rather than return to the office, some companies are ending remote work as a way of trimming payroll. "Quiet quitting" — workers who slacked off rather than quit — has been replaced by "quiet cutting" — employers who cut jobs without actually announcing job cuts...

Michael Gibbs, a professor of economics at the University of Chicago's Booth School of Business, said the new mandates might simply be a message to workers that times have changed. "Firms are trying to reset expectations," he said... [After refusing her employer's return-to-office four-days-a-week mandate, Mayrian] Sanz, who now works as an independent business and leadership coach, said she applied for 25 to 30 jobs listed as remote but initially got no responses. When some hiring managers finally replied, they had a surprise: Jobs listed as remote would now be in-office. "They just say everything is shifting to going back to the office," she said.

Among tech workers, the share receiving perks such as paid volunteer hours, college-tuition reimbursement, free financial advice and mental-health programs all declined by about 4 percentage points in 2024 from 2023, according to Dice, a technology job board. Average bonuses fell by more than $800, from $15,011 to $14,194. Meanwhile, Netflix has quietly backed off from its unlimited parental leave in a child's first year, The Wall Street Journal reported last month. A company spokesman said at that time that employees have the freedom and flexibility to determine what is best for them.

The article notes that "The actual impact of return-to-office directives remains to be seen," with economists "skeptical" the directives make companies more productive and faster-growing: Many workers now being called in were already spending some time in their cubicles. Nicholas Bloom, a professor of economics at Stanford University, said most of the benefits of collaboration can be achieved with just a few days in the office, while some tasks that require concentration are better done at home.
Elsewhere the Wall Street Journal reports that looking for a job "is set to get less miserable this year," since roughly two-thirds of U.S. employers plan to add permanent roles within the next six months, "according to a new survey by staffing and consulting firm Robert Half."

And Computerworld notes that the IT unemployment rate is now just 2% in the U.S. (according to official figures from the U.S. Bureau of Labor Statistics).
IT

'Career Catfishing' - 34% of Gen Z Workers Didn't Show Up for a New Job (nypost.com)

From the New York Post: Generation Z's recent foray into the corporate world has been an eye-popping escapade plagued by their "annoying" workplace habits and helicopter parents accompanying them on interviews. Now, newcomers to the 9-to-5 grind are inflicting a fresh new level of hell onto the workforce with a trending act of defiance known as "career catfishing."
That means "a successful candidate accepted a job and then never showed up," writes Fortune, citing a survey of 1,000 U.K. employees conducted by CV Genius.

The New York Post notes researchers "found that a staggering 34% of 20-somethings skip Day 1 of work, sans communicating with their new employer, as a demonstration of autonomy." After drudging through the ever-exasperating job hunting process — which often includes submitting dozens of lengthy applications, suffering through endless rounds of interviews and anxiously awaiting updates from sluggish hiring managers — the Z's are apparently "catfishing" jobs to prove that they, rather than their prospective employers, have all the power.

But the rebellious babes aren't the only ones pulling fast ones on new bosses. A surprising 24% of millennials, staffers ranging in age from 28 to 43, have taken a shine to career catfishing, too, per the findings. However, only 11% of Gen Xers, hirelings ages 44 to 59, and 7% of baby boomers, personnel over age 60, have joined in on the office treachery. Unlike their older colleagues, Gen Zs are apparently more concerned about prioritizing their personal needs and goals than kowtowing to the demands of corporate culture.

Fortune agrees that "Gen Z applicants aren't alone in going no- and low-contact during the recruiting process. Some 74% of employers now admit that ghosting is a facet of the hiring landscape, according to a 2023 Indeed survey of thousands of job seekers and employers..." That being said, simply not showing up to work could prove unsustainable in the long run. Like many young workers before them, Gen Zers have garnered a poor reputation with employers. Hiring managers have labeled them as the most difficult generation to work with, according to a Resume Genius report.
The report found employees also admitted to practicing "quiet vacationing" (taking time off without telling your boss) and "coffee badging" (grabbing coffee in the office before returning home)...
Security

FBI Warned Agents It Believes Phone Logs Hacked Last Year (yahoo.com)

An anonymous reader shares a report: FBI leaders have warned that they believe hackers who broke into AT&T's system last year stole months of their agents' call and text logs, setting off a race within the bureau to protect the identities of confidential informants, a document reviewed by Bloomberg News shows.

FBI officials told agents across the country that details about their use on the telecom carrier's network were believed to be among the billions of records stolen, according to the document and interviews with a current and a former law enforcement official. They asked not to be named to discuss sensitive information. Data from all FBI devices under the bureau's AT&T service for public safety agencies were presumed taken, the document shows.

The cache of hacked AT&T records didn't reveal the substance of communications but, according to the document, could link investigators to their secret sources. The data was believed to include agents' mobile phone numbers and the numbers with which they called and texted, the document shows. Records for calls and texts that weren't on the AT&T network, such as through encrypted messaging apps, weren't part of the stolen data.

Microsoft

Microsoft Begins Forcing Windows 24H2 Updates on PCs (pcworld.com)

Microsoft began mandatory rollouts of the Windows 11 2024 Update (24H2) for eligible devices running Home and Pro editions, the company announced on its Windows 11 issues page. The update, which Microsoft describes as a "full code swap," requires longer installation times, with users reporting processes exceeding an hour.

While users can briefly postpone the installation, the company is now pushing updates to mainstream users not managed by IT departments. The 24H2 update introduces USB4's 80Gbps support, Bluetooth LE Audio for hearing aids, and enhanced Energy Saver controls.
Microsoft

Microsoft Research: AI Systems Cannot Be Made Fully Secure (theregister.com)

Microsoft researchers who tested more than 100 of the company's AI products concluded that AI systems can never be made fully secure, according to a new pre-print paper. The 26-author study, which included Azure CTO Mark Russinovich, found that large language models amplify existing security risks and create new vulnerabilities. While defensive measures can increase the cost of attacks, the researchers warned that AI systems will remain vulnerable to threats ranging from gradient-based attacks to simpler techniques like interface manipulation for phishing.