Security

WordPress Anti-Spam Plugin Vulnerability Exposes 200,000 Sites to RCE Attacks (searchenginejournal.com) 10

"A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites," reports Search Engine Journal.

The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..." The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin, was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Ant-Spam plugin that the malicious request is coming from the website itself and because that plugin doesn't have a check for that the attackers gain unauthorized access... Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
Thanks to Slashdot reader bleedingobvious for sharing the news.
Youtube

YouTube is Full of Old, Unseen Home Videos. Now You Can Watch Them at Random (yahoo.com) 18

From a new web project called IMG_0001: Between 2009 and 2012, iPhones had a built-in "Send to YouTube" button in the Photos app. Many of these uploads kept their default IMG_XXXX filenames, creating a time capsule of raw, unedited moments from random lives. Inspired by Ben Wallace, I made a bot that crawled YouTube and found 5 million of these videos! Watch them below, ordered randomly.
The Washington Post reports that it's the same 22-year-old software engineer who created Bop Spotter — that phone on a telephone pole using the Shazam app to identify songs people play in public.

And his new site includes only videos "posted before 2015, with fewer than 150 views each and durations shorter than 150 seconds." In about 12 hours total, Walz said, he coded a website that takes millions of these unedited, raw videos from more than nine years ago and serves them to viewers at random. The resulting project, titled IMG_0001 and hosted on his personal website, plays out like a glimpse into different worlds: Hit play and your first video may show teenagers practicing a dance in a high school hallway. That wraps up, and it rolls into footage of a dog frolicking in a snowy backyard...

Viewers were gripped by the videos' unfiltered nature, a contrast to the heavily produced and camera-aware content found on TikTok and YouTube today. Writer Ryan Broderick wrote in his newsletter Garbage Day that the project is "beautiful, haunting, funny, and sort of magical. Like staring into a security camera of the past." Mashable's Tim Marcin called it "the kind of authenticity that's all too rare online these days."

The website has more than 280,000 views and millions of video plays, Walz said — meaning plenty of viewers are sticking around to watch many of the videos.

The article includes an intesting observation from Christian Sandvig, a digital media professor at the University of Michigan. "The people who made the video might not even remember that they shared them!"
The Military

NASA Aircraft Uncovers Cold War Nuclear Missile Tunnels Under Greenland Ice (space.com) 72

An anonymous reader quotes a report from Space.com: NASA scientists conducting surveys of arctic ice sheets in Greenland got an unprecedented view of an abandoned "city under the ice" built by the U.S. military during the Cold War. During a scientific flight in April 2024, a NASA Gulfstream III aircraft flew over the Greenland Ice Sheet carrying radar instruments to map the depth of the ice sheet and the layers of bedrock below it. The images revealed a new view of Camp Century, a Cold War-era U.S. military base consisting of a series of tunnels carved directly into the ice sheet.

As it turns out, this abandoned "secret city" was the site of a secret Cold War project known as Project Iceworm [that] called for the construction of 2,500 miles (4,023 km) of tunnels that could be used [for] nuclear intermediate range ballistic missiles (IRBMs) at the Soviet Union. "We were looking for the bed of the ice and out pops Camp Century. We didn't know what it was at first," said NASA's Chad Greene, a cryospheric scientist at the agency's Jet Propulsion Laboratory (JPL), in an agency statement. "In the new data, individual structures in the secret city are visible in a way that they've never been seen before."
"Weapons, sewage, fuel and other contaminants were buried at Camp Century when it was abandoned, but the thawing Greenland Ice Sheet threatens to unbury these dangerous relics," reports Space.com. In 2017, the U.S. government issued a statement saying it "acknowledges the reality of climate change and the risk it poses" and will "work with the Danish government and the Greenland authorities to settle questions of mutual security" over Camp Century.

Scientists are using Camp Century to serve as a warning and a signpost to measure how climate change is affecting the area. You can learn more about Camp Century in a restored declassified U.S. Army film on YouTube.
Privacy

Senators Say TSA's Facial Recognition Program Is Out of Control (gizmodo.com) 69

A bipartisan group of 12 senators has urged the TSA inspector general to investigate the agency's use of facial recognition technology, citing concerns over privacy, civil liberties, and its expansion to over 430 airports without sufficient safeguards or proven effectiveness. Gizmodo reports: "This technology will soon be in use at hundreds of major and mid-size airports without an independent evaluation of the technology's precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy," the senators wrote. The letter was signed by Jeffrey Merkley (D-OR), John Kennedy (R-LA), Ed Markey (D-MA), Ted Cruz (R-TX), Roger Marshall (R-Kansas), Ron Wyden (D-OR), Steve Daines (R-MT), Elizabeth Warren (D-MA), Bernie Sanders (I-VT), Cynthia Lummis (R-WY), Chris Van Hollen (D-MD), and Peter Welch (D-VT).

While the TSA's facial recognition program is currently optional and only in a few dozen airports, the agency announced in June that it plans to expand the technology to more than 430 airports. And the senators' letter quotes a talk given by TSA Administrator David Pekoske in 2023 in which he said "we will get to the point where we require biometrics across the board." [...] The latest letter urges the TSA's inspector general to evaluate the agency's facial recognition program to determine whether it's resulted in a meaningful reduction in passenger delays, assess whether it's prevented anyone on no-fly lists from boarding a plane, and identify how frequently it results in identity verification errors.

Privacy

Data Broker Leaves 600K+ Sensitive Files Exposed Online (theregister.com) 18

A security researcher discovered an unprotected database belonging to SL Data Services containing over 600,000 sensitive files, including criminal histories and background checks with names, addresses, and social media accounts. The Register reports: We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks. [The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response.] In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.

Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges. While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people -- along with their family members and co-workers -- providing everything criminals would need for targeted phishing and/or social engineering attacks.

Security

The World's First Unkillable UEFI Bootkit For Linux (arstechnica.com) 80

An anonymous reader quotes a report from Ars Technica: Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines. Researchers at security firm ESET said Wednesday that Bootkitty -- the name unknown threat actors gave to their Linux bootkit -- was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines. "Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," ESET researchers wrote. "Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats." [...] As ESET notes, the discovery is nonetheless significant because it demonstrates someone -- most likely a malicious threat actor -- is pouring resources and considerable know-how into creating working UEFI bootkits for Linux. Currently, there are few simple ways for people to check the integrity of the UEFI running on either Windows or Linux devices. The demand for these sorts of defenses will likely grow in the coming years.

Security

Hacker In Snowflake Extortions May Be a US Soldier (krebsonsecurity.com) 20

An anonymous reader quotes a report from KrebsOnSecurity: Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect -- a prolific hacker known as Kiberphant0m -- remains at large and continues to publicly extort victims. However, this person's identity may not remain a secret for long: A careful review of Kiberphant0m's daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

Kiberphant0m's identities on cybercrime forums and on Telegram and Discord chat channels have been selling data stolen from customers of the cloud data storage company Snowflake. At the end of 2023, malicious hackers discovered that many companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with nothing more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories for some of the world's largest corporations. Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information, phone and text message records for roughly 110 million people. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, John Erin Binns, is an American who is currently incarcerated in Turkey. Investigators say Moucka, who went by the handles Judische and Waifu, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to have their information deleted. Immediately after news broke of Moucka's arrest, Kiberphant0m was clearly furious, and posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris. [...] Also on Nov. 5, Kiberphant0m offered call logs stolen from Verizon's push-to-talk (PTT) customers -- mainly U.S. government agencies and emergency first responders.
Kiberphant0m denies being in the U.S. Army and said all these clues were "a lengthy ruse designed to create a fictitious persona," reports Krebs.

"I literally can't get caught," Kiberphant0m said, declining an invitation to explain why. "I don't even live in the USA Mr. Krebs." A mind map illustrates some of the connections between and among Kiberphant0m's apparent alter egos.
Businesses

China Woos Western Tech Talent in Race for Chip Supremacy (msn.com) 82

Chinese companies are aggressively recruiting foreign tech talent as a key strategy to gain technological supremacy, prompting national security concerns across Western nations and Asia, WSJ reported Wednesday, citing multiple intelligence officials and corporate sources. The campaign focuses particularly on advanced semiconductor expertise, with companies like Huawei offering triple salaries to employees at critical firms like Zeiss SMT and ASML, which produce essential components for cutting-edge chip manufacturing.

These recruitment efforts intensified after Western export controls restricted China's access to advanced technology. While Taiwan and South Korea have implemented strict countermeasures, including criminal penalties for illegal talent transfers, the U.S. and Europe struggle to balance open labor markets with national security concerns.

Chinese firms often obscure their origins through local ventures and persistent recruitment tactics. The strategy has shown results: Former employees have helped Chinese companies advance their technological capabilities, including SMIC's development of 7nm chips with help from ex-TSMC talent.
Technology

Most Smart Device Makers Fail To Reveal Software Support Periods, FTC Finds (ftc.gov) 32

Nearly 89% of smart device manufacturers fail to disclose how long they will provide software updates for their products, a Federal Trade Commission staff study found this week. The review of 184 connected devices, including hearing aids, security cameras and door locks, revealed that 161 products lacked clear information about software support duration on their websites.

Basic internet searches failed to uncover this information for two-thirds of the devices. "Consumers stand to lose a lot of money if their smart products stop delivering the features they want," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. The agency warned that manufacturers' failure to provide software update information for warranted products costing over $15 may violate the Magnuson Moss Warranty Act. The FTC also cautioned that companies could violate the FTC Act if they misrepresent product usability periods. The study excluded laptops, personal computers, tablets and automobiles from its review.
Security

Russia-Linked Hackers Exploited Firefox, Windows Bugs In 'Widespread' Hacking Campaign (techcrunch.com) 31

An anonymous reader quotes a report from TechCrunch: Security researchers have uncovered two previously unknown zero-day vulnerabilities that are being actively exploited by RomCom, a Russian-linked hacking group, to target Firefox browser users and Windows device owners across Europe and North America. RomCom is a cybercrime group that is known to carry out cyberattacks and other digital intrusions for the Russian government. The group -- which was last month linked to a ransomware attack targeting Japanese tech giant Casio -- is also known for its aggressive stance against organizations allied with Ukraine, which Russia invaded in 2014.

Researchers with security firm ESET say they found evidence that RomCom combined use of the two zero-day bugs -- described as such because the software makers had no time to roll out fixes before they were used to hack people -- to create a "zero click" exploit, which allows the hackers to remotely plant malware on a target's computer without any user interaction. "This level of sophistication demonstrates the threat actor's capability and intent to develop stealthy attack methods," ESET researchers Damien Schaeffer and Romain Dumont said in a blog post on Monday. [...] Schaeffer told TechCrunch that the number of potential victims from RomCom's "widespread" hacking campaign ranged from a single victim per country to as many as 250 victims, with the majority of targets based in Europe and North America.
Mozilla and the Tor Project quickly patched a Firefox-based vulnerability after being alerted by ESET, with no evidence of Tor Browser exploitation. Meanwhile, Microsoft addressed a Windows vulnerability on November 12 following a report by Google's Threat Analysis Group, indicating potential use in government-backed hacking campaigns.
Science

'Lollipop' Device Brings Taste To Virtual Reality (ieee.org) 26

An anonymous reader quotes a report from IEEE Spectrum: Virtual- and augmented-reality setups already modify the way users see and hear the world around them. Add in haptic feedback for a sense of touch and a VR version of Smell-O-Vision, and only one major sense remains: taste. To fill the gap, researchers at the City University of Hong Kong have developed a new interface to simulate taste in virtual and other extended reality (XR). The group previously worked on other systems for wearable interfaces, such as haptic and olfactory feedback. To create a more "immersive VR experience," they turned to adding taste sensations, says Yiming Liu, a coauthor of the group's research paper published today in the Proceedings of the National Academy of Sciences.

The lollipop-shaped lickable device can produce nine different flavors: sugar, salt, citric acid, cherry, passion fruit, green tea, milk, durian, and grapefruit. Each flavor is produced by food-grade chemicals embedded in a pocket of agarose gel. When a voltage is applied to the gel, the chemicals are transported to the surface in a liquid that then mixes with saliva on the tongue like a real lollipop. Increase the voltage, and get a stronger flavor. Initially, the researchers tested several methods for simulating taste, including electrostimulating the tongue. The other methods each came with limitations, such as being too bulky or less safe, so the researchers opted for chemical delivery through a process called iontophoresis, which moves chemicals and ions through hydrogels and has a low electrical-power requirement. With a 2-volt maximum, the device is well within the human safety limit of 30 V, which is considered enough to deliver a substantial shock in some situations.
Some of the possible applications mentioned by the authors include gustation tests, virtual grocery shopping, and immersive environments for exploring food flavors. However, the current system is limited to one hour of use due to gel depletion and it only supports a handful of flavor channels.

Future development aims to extend operation time, increase flavor complexity, and improve usability, marking the beginning of a new frontier for XR interfaces.
Security

US Senators Propose Law To Require Bare Minimum Security Standards (theregister.com) 57

American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. From a report: The Health Care Cybersecurity and Resiliency Act of 2024 [PDF], introduced on Friday by US Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), would, among other things, require better coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) around cybersecurity in the healthcare and public health sector.

This includes giving HHS a year to implement a cybersecurity incident response plan and update the types of information displayed publicly via the department's breach reporting portal. Currently, all healthcare orgs that are considered "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) are required to notify HHS if they are breached. The new law would require breached entities to report how many people were affected by the security incident.

It would also mandate that the portal include details on "any corrective action taken against a covered entity that provided notification of a breach" as well as "recognized security practices that were considered" during the breach investigation, plus any other information that the HHS secretary deems necessary.

Security

Blue Yonder Ransomware Attack Disrupts Grocery Store Supply Chain (bleepingcomputer.com) 11

Blue Yonder, a Panasonic subsidiary specializing in AI-driven supply chain solutions, experienced a recent ransomware attack that impacted many of its customers. "Among its 3,000 customers are high-profile organizations like DHL, Renault, Bayer, Morrisons, Nestle, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury, and 7-Eleven," reports BleepingComputer. From the report: On Friday, the company warned that it was experiencing disruptions to its managed services hosting environment due to a ransomware incident that occurred the day before, on November 21. "On November 21, 2024, Blue Yonder experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident," reads the announcement. "Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols."

Blue Yonder claims it has detected no suspicious activity in its public cloud environment and is still processing multiple recovery strategies. [...] As expected, this has impacted clients directly, as a spokesperson for UK grocery store chain Morrisons has confirmed to the media they have reverted to a slower backup process. Sainsbury told CNN that it had contingency plans in place to overcome the disruption. A Saturday update informed customers that the restoration of the impacted services continued, but no specific timelines for complete restoration could be shared yet. Another update published on Sunday reiterated the same, urging clients to monitor the customer update page on Blue Yonder's website over the coming days.

SuSE

SUSE Unveils Major Rebranding, New Data-Protecting AI Platform (zdnet.com) 12

An anonymous reader quotes a report from ZDNet, written by Steven Vaughan-Nichols: At KubeCon North America, SUSE announced a significant rebranding effort, several new product offerings, and the launch of SUSE AI, a secure platform for deploying and running generative AI (gen AI) applications. SUSE has renamed its entire portfolio to make product names more descriptive and customer-friendly. Notable changes include:

- Rancher, SUSE's Kubernetes offering, is now SUSE Rancher.
- Liberty Linux, the company's Red Hat Enterprise Linux (RHEL)/CentOS clone and support offering, becomes SUSE Multi Linux Support.
- Harvester is rebranded as SUSE Virtualization
- Longhorn is now SUSE Storage.

[...] Also, like everyone else, SUSE now has an AI offering: SUSE AI. This isn't an AI chatbot, like Red Hat's Lightspeed AI tool. No, it's a secure platform for deploying and running gen AI applications. This new offering addresses key challenges faced by enterprises as they move from AI experimentation to deployment, particularly in areas of security and compliance.
These are SUSE AI's top features, as highlighted by Vaughan-Nichols:

1. Security by Design: SUSE AI provides security and certifications at the software infrastructure level, along with zero-trust security tools, templates, and compliance playbooks.
2. Multifaceted Trust: The platform ensures that generated data is correct and private customer and IP data remain secure. It supports deployment across various environments, including on-premise, hybrid, cloud, and air-gapped setups.
3. Choice and Flexibility: SUSE AI allows customers to select and deploy their preferred AI components and LLMs.
4. Simplified Operations: The platform provides simplified cluster operations, persistent storage, and easy access to pre-configured shared tools and services.
Hardware

Raspberry Pi's $7 Pico 2 W Microcontroller Board Adds Wireless Connectivity (engadget.com) 29

Raspberry Pi has announced the Pico 2 W, a wireless version of its Pico 2 microcontroller board built for hobbyists and industrial applications. From a report: At $7, it's a relatively inexpensive way to control electronic devices like smart home gadgets and robots. With the new version, users will be able to securely link to remote sources to send and receive data, either via Bluetooth 5.2 or Wi-Fi 802.11n.

As with the Pico 2, the wireless variant is built around the RP2350 microcontroller built in-house by Raspberry Pi. it offers more speed and memory than the original RP2040 chip, along with a security model built around Arm's TrustZone for Cortex-M. Users can program it using C, C++ and MicroPython, and choose between Arm Cortex-M33 or RISC-V cores.

Network

Thousands of Palo Alto Networks Firewalls Compromised This Week After Critical Security Hole (theregister.com) 28

Palo Alto Networks boasts 70,000 customers in 150 countries, including 85% of the Fortune 500.

But this week "thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bug," reports the Register: The intruders were able to deploy web-accessible backdoors to remotely control the equipment as well as cryptocurrency miners and other malware. Roughly 2,000 devices had been hijacked as of Wednesday — a day after Palo Alto Networks pushed a patch for the holes — according to Shadowserver and Onyphe. As of Thursday, the number of seemingly compromised devices had dropped to about 800. The vendor, however, continues to talk only of a "limited number" of exploited installations... The Register has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor.

Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network. The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day — but it was still working on a patch. On Tuesday, PAN issued a fix, and at that time said there were actually two vulnerabilities. The first is a critical (9.3 CVSS) authentication bypass flaw tracked as CVE-2024-0012. The second, a medium-severity (6.9 CVSS) privilege escalation bug tracked as CVE-2024-9474. The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface... once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners, according to Wiz threat researchers.

Security

Craigslist Founder Gives $300M to Fund Critical US Infrastructure Cybersecurity (yahoo.com) 16

Craig Newmark "is alarmed about potential cybersecurity risks in the U.S.," according to Yahoo Finance. The 71-year-old Craigslist founder says "our country is under attack now" in a new interview with Yahoo Finance executive editor Brian Sozzi on his Opening Bid podcast.

But Newmark also revealed what he's doing about it: [H]e started Craig Newmark Philanthropies to primarily invest in projects to protect critical American infrastructure from cyberattacks. He told Sozzi he is now spending $200 million more to address the issue, on top of an initial $100 million pledge revealed in September of this year. He encouraged other wealthy people to join him in the fight against cyberattacks. "I tell people, 'Hey, the people who protect us could use some help. The amounts of money comparatively are small, so why not help out,'" he said... The need for municipalities and other government entities to act rather than react remains paramount, warns Newmark. "I think a lot about this," said Newmark.

"I've started to fund networks of smart volunteers who can help people protect infrastructure, particularly [for] the small companies and utilities across the country who are responsible for most of our electrical and power supplies, transportation infrastructure, [and] food distribution.... A lot of these systems have no protection, so an adversary could just compromise them, saying unless you do what we need, we can start shutting off these things," he continued. Should that happen, recovery "could take weeks and weeks without your water supply or electricity."

A web page at Craig Newmark Philanthropies offers more details Craig was part of the whole "duck and cover" thing, in the 50s and 60s, and realizes that we need civil defense in the cyber domain, "cyber civil defense." This is patriotism, for regular people.

He's committed $100 million to form a Cyber Civil Defense network of groups who are starting to protect the country from cyber threats. Attacks on our power grids, our cyber infrastructure and even the internet-connected gadgets and appliances in our homes are real. If people think that's alarmist, tell them to "Blame Craig." The core of Cyber Civil Defense [launched in 2022] includes groups like Aspen Digital, Global Cyber Alliance, and Consumer Reports, focusing on citizen cyber education and literacy, cyber tool development, and cybersecurity workforce programs aimed at diversifying the growing field.

It's already made significant investments in groups like the Ransomware Task Force and threat watchdog group Shadowserver Foundation...
Open Source

GitHub Announces New Open Source Fund with Security Mentoring (techcrunch.com) 2

The GitHub Secure Open Source Fund launched this week with an initial commitment of $1.25 million, reports TechCrunch, using "capital from contributors including American Express, 1Password, Shopify, Stripe, and GitHub's own parent company Microsoft." GitHub briefly teased the new initiative at its annual GitHub Universe developer conference last month, but Tuesday it announced full details and formally opened the program for applicants, which will be reviewed "on a rolling basis" through the closing date of January 7, 2025, with programming and funding starting shortly after...

Tuesday's news builds on a number of previous GitHub initiatives designed to support project maintainers that work on key components of critical software, including GitHub Sponsors which landed in 2019 (and which is powering the new fund), but more directly the GitHub Accelerator program that launched its first cohort last year — the GitHub Secure Open Source Fund is essentially an extension of that.

"We're trying to acknowledge the fact that we're the home of open source, ultimately, and we have an obligation to help ensure that open source can continue to thrive and have the support that it needs," GitHub Chief Operating Officer Kyle Daigle told TechCrunch in an interview. Qualifying projects can be pretty much any project that has an open source license, but of course GitHub will be looking at those that need the funds most — so Kubernetes can hold fire with its application. "We're looking for the outsized impact, which tends to be big projects with few maintainers that we all rely on," Daigle said.

The sum of $1.25 million might sound like a reasonable amount, but it will be split across 125 projects, which means just $10,000 each — better than nothing, for sure, but a drop in the ocean on the grand scheme of things. However, Daigle is quick to stress that money is only part of the prize here — as with the initial accelerator program, maintainers embark on a three-week program, which includes mentorship, certification, education workshops, and ongoing access to GitHub tools.

From GitHub's announcement: Since introducing support for organizations through GitHub Sponsors, more than 5,800 organizations, including Microsoft and Stripe, have invested in maintainers and projects on GitHub, up nearly 40% YoY. Cumulatively, the platform has unlocked over $60 million in funding for maintainers to help them spend more time working on their projects.

But we know we're just scratching the surface when it comes to organizations and corporate support of open source. This summer, we partnered with the Linux Foundation and researchers from Laboratory for Innovation Science at Harvard (LISH) to learn more about the state of open source funding today. Diving in, we assessed organizations funding behaviors, potential misalignments, and opportunities to improve. In the report launched today, we found:


- Responding organizations annually invest $1.7 billion in open source, which can be extrapolated to estimate that approximately $7.7 billion is invested across the entire open source ecosystem annually.

- 86% of investment is in the form of contribution labor by employees and contractors working for the funding organization, with the remaining 14% being direct financial contributions.

- Organizations generally know how and where they contribute (65%) but lack specific clarity of their contributions (38%).

- Security efforts focus on bugs and maintenance; only a few (6%) said comprehensive security audits are a priority.


We all stand to benefit from unlocking more funding for open source. By tackling problems like open source security as an ecosystem, we believe we can help create more available funding and resources that are vital to the sustainability of open source. Not every open source project or maintainer has access to funding and training for security. That's why we created a fund that everyone potentially eligible can apply for...

This is the beginning of a journey into helping find ways to secure open source. On its own, it's not the answer, but we are confident it will help. We will be monitoring the impact of these investments and share what we learn as we go.

Government

China Wiretaps Americans in 'Worst Hack in Our Nation's History' (gizmodo.com) 91

Longtime Slashdot reader mspohr shares a report from Gizmodo: Hackers for the Chinese government were able to deeply penetrate U.S. telecommunications infrastructure in ways that President Joe Biden's administration hasn't yet acknowledged, according to new reports from the Washington Post and New York Times. The hackers were able to listen to phone calls and read text messages, reportedly exploiting the system U.S. authorities use to wiretap Americans in criminal cases. The worst part? The networks are still compromised and it may take incredibly drastic measures to boot them from U.S. systems.

The hackers behind the infiltration of U.S. telecom infrastructure are known to Western intelligence agencies as Salt Typhoon, and this particular breach of U.S. equipment was first reported in early October by the Wall Street Journal. But Sen. Mark Warner, a Democrat from Virginia, spoke with the Washington Post and New York Times this week to warn the public that this is so much worse than we initially thought, dubbing it "the worst telecom hack in our nation's history." And those articles based on Warner's warnings were published late Thursday.

Hackers weren't able to monitor or intercept anything encrypted, according to the Times, which means that conversations over apps like Signal and Apple's iMessage were probably protected. But end-to-end encryption over texts between Apple devices and Android devices, for instance, aren't encrypted in the same way, meaning they were vulnerable to interception by Salt Typhoon, according to the Times. The details about how the hackers were able to push so deeply into U.S. systems are still scarce, but it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.

Wireless Networking

Russian Spies Jumped From One Network To Another Via Wi-Fi (wired.com) 18

"Steven Adair, of cybersecurity firm Veloxity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes Longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.

Slashdot Top Deals