Transportation

Why Boeing is Dismissing a Top Executive (barrons.com) 45

Last weekend Boeing announced that its CEO of Defense, Space, and Security "had left the company," according to Barrons. "Parting ways like this, for upper management, is the equivalent to firing," they write — though they add that setbacks on Starliner's first crewed test flight is "far too simple an explanation." Starliner might, however, have been the straw that broke the camel's back. [New CEO Kelly] Ortberg took over in early August, so his first material interaction with the Boeing Defense and Space business was the spaceship's failed test flight... Starliner has cost Boeing $1.6 billion and counting. That's lot of money, but not all that much in the context of the Defense business, which generates sales of roughly $25 billion a year.... [T]he overall Defense business has performed poorly of late, burdened by fixed price contracts that have become unprofitable amid years of higher than expected inflation. Profitability in the defense business has been declining since 2020 and started losing money in 2022. From 2022 to 2024 losses should total about $6 billion cumulatively, including Wall Street's estimates for the second half of this year.

Still, it felt like something had to give. And the change shows investors something about new CEO Ortberg. "At this critical juncture, our priority is to restore the trust of our customers and meet the high standards they expect of us," read part of an internal email sent to Boeing employees announcing the change. "Why his predecessor — David Calhoun — didn't pull this trigger earlier this year is a mystery," wrote Gordon Haskett analyst Don Bilson in a Monday note. "Can't leave astronauts behind."

"Ortberg's logic appears sound," the article concludes. "In recent years, Boeing has disappointed its airline and defense customers, including NASA...

"After Starliner, defense profitability, and the strike, Ortberg has to tackle production quality, production rates, and Boeing's ailing balance sheet. Boeing has amassed almost $60 billion in debt since the second tragic 737 MAX crash in March 2019."

Thanks to Slashdot reader Press2ToContinue for sharing the news.
Privacy

Meta Fined $102 Million For Storing 600 Million Passwords In Plain Text (appleinsider.com) 28

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

Security

Flaw In Kia's Web Portal Let Researchers Track, Hack Cars (arstechnica.com) 16

SpzToid shares a report: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles -- dozens of models representing millions of cars on the road -- from the smartphone of a car's owner to the hackers' own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle's license plate and within seconds gain the ability to track that car's location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group's findings and hasn't responded to WIRED's emails since then. But Kia's patch is far from the end of the car industry's web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they've reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they've discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

Government

White House Agonizes Over UN Cybercrime Treaty (politico.com) 43

The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime -- and the Biden administration is fretting over whether to sign on. Politico: The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens. If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations -- named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime -- to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.

While the treaty is not set for a vote during the U.N. General Assembly this week, it's a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world's leaders depart. The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it -- overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention -- an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.

Microsoft

Controversial Windows Recall AI Search Tool Returns (securityweek.com) 68

wiredmikey writes: Three months after pulling previews of the controversial Windows Recall feature due to public backlash, Microsoft says it has completely overhauled the security architecture with proof-of-presence encryption, anti-tampering and DLP checks, and screenshot data managed in secure enclaves outside the main operating system.

In an interview with SecurityWeek, Microsoft vice president David Weston said the company's engineers rewrote the security model of Windows Recall to reduce attack surface on Copilot+ PCs and minimize the risk of malware attackers targeting the screenshot data store.

The Almighty Buck

Promises of 'Passive Income' On Amazon Led To Death Threats For Negative Online Review, FTC Says (cnbc.com) 78

"The Federal Trade Commission is cracking down on 'automation' companies that launch and manage online businesses on behalf of customers in exchange for an upfront investment," reports CNBC's Annie Palmer. "The latest case targets Ascend Ecom, which ran an e-commerce money-making scheme, primarily on Amazon." The FTC accuses the e-commerce company of defrauding consumers of at least $25 million through false claims, deceptive marketing practices, and attempts to suppress negative reviews. From the report: Jamaal Sanford received a disturbing email in May of last year. The message, whose sender claimed to be part of a "Russian shadow team," contained Sanford's home address, social security number and his daughter's college. It came with a very specific threat. The sender said Sanford, who lives in Springfield, Missouri, would only only be safe if he removed a negative online review. "Do not play tough guy," the email said. "You have nothing to gain by keeping the reviews and EVERYTHING to lose by not cooperating."

Months earlier, Sanford had left a scathing review for an e-commerce "automation" company called Ascend Ecom on the rating site Trustpilot. Ascend's purported business was the launching and managing of Amazon storefronts on behalf of clients, who would pay money for the service and the promise of earning thousands of dollars in "passive income." Sanford had invested $35,000 in such a scheme. He never recouped the money and is now in debt, according to a Federal Trade Commission lawsuit unsealed on Friday. His experience is a key piece of the FTC's suit, which accuses Ascend of breaking federal laws by making false claims related to earnings and business performance, and threatening or penalizing customers for posting honest reviews, among other violations. The FTC is seeking monetary relief for Ascend customers and to prevent Ascend from doing business permanently.

Privacy

NIST Proposes Barring Some of the Most Nonsensical Password Rules (arstechnica.com) 180

Ars Technica's Dan Goodin reports: Last week, NIST released its second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully. It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance. A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember. Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there's no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead to people choosing weaker passcodes.

The latest NIST guidelines now state that:
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. ("Verifiers" is bureaucrat speak for the entity that verifies an account holder's identity by corroborating the holder's authentication credentials. Short for credential service provider, "CSPs" are a trusted entity that assigns or registers authenticators to the account holder.) In previous versions of the guidelines, some of the rules used the words "should not," which means the practice is not recommended as a best practice. "Shall not," by contrast, means the practice must be barred for an organization to be in compliance.
Several other common sense practices mentioned in the document include: 1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

Businesses

Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers (therecord.media) 29

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas.
Further reading: How Not To Hire a North Korean IT Spy
Security

Kaspersky Defends Stealth Swap of Antivirus Software on US Computers (techcrunch.com) 29

Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers' computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software.

Kaspersky spokesperson Francesco Tius told TechCrunch that the company informed eligible U.S. customers via email about the migration, which began in early September. Windows users experienced an automatic transition to ensure continuous protection, while Mac and mobile users were instructed to manually install UltraAV. Some customers expressed alarm at the unannounced software swap. Kaspersky blamed missed notifications on unregistered email addresses, directing users to in-app messages and an online FAQ. The abrupt change raises concerns about user autonomy and privacy in software updates, particularly as UltraAV lacks an established security track record.
Privacy

Tor Project Merges With Tails (torproject.org) 17

The Tor Project: Today the Tor Project, a global non-profit developing tools for online privacy and anonymity, and Tails, a portable operating system that uses Tor to protect users from digital surveillance, have joined forces and merged operations. Incorporating Tails into the Tor Project's structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats. In short, coming together will strengthen both organizations' ability to protect people worldwide from surveillance and censorship.

Countering the threat of global mass surveillance and censorship to a free Internet, Tor and Tails provide essential tools to help people around the world stay safe online. By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.

In late 2023, Tails approached the Tor Project with the idea of merging operations. Tails had outgrown its existing structure. Rather than expanding Tails's operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution. By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.

This solution is a natural outcome of the Tor Project and Tails' shared history of collaboration and solidarity. 15 years ago, Tails' first release was announced on a Tor mailing list, Tor and Tails developers have been collaborating closely since 2015, and more recently Tails has been a sub-grantee of Tor. For Tails, it felt obvious that if they were to approach a bigger organization with the possibility of merging, it would be the Tor Project.

IT

WordPress.org Denies Service To WP Engine (theregister.com) 70

WordPress has escalated its feud with WP Engine, a hosting provider, by blocking the latter's servers from accessing WordPress.org resources -- and therefore from potentially vital software updates. From a report: WordPress is an open source CMS which is extensible using plugins. Its home is WordPress.org, which also hosts resources such as themes and plugins for the CMS. A vast ecosystem of plugins exists from numerous suppliers, but WordPress.org is the main source. Many WordPress users rely on several plugins. Preventing WP Engine users from accessing plugin updates is therefore serious, as it could mean users can't update plugins that have security issues, or other fixes.

WordPress co-founder and CEO Matt Mullenweg recently called WP Engine a "cancer" and accused it of profiting from WordPress without contributing to development of the CMS. Mullenweg has sought to have WP Engine pay trademark license fees -- a move he feels would represent a financial contribution commensurate with the benefits it derives from the project. WP Engine doesn't want or intend to pay. Mullenweg argued that if WP Engine won't pay, it should not be able to benefit from resources at WordPress.org.

Security

Critical Unauthenticated RCE Flaw Impacts All GNU/Linux Systems (cybersecuritynews.com) 153

"Looks like there's a storm brewing, and it's not good news," writes ancient Slashdot reader jd. "Whether or not the bugs are classically security defects or not, this is extremely bad PR for the Linux and Open Source community. It's not clear from the article whether this affects other Open Source projects, such as FreeBSD." From a report: A critical unauthenticated Remote Code Execution (RCE) vulnerability has been discovered, impacting all GNU/Linux systems. As per agreements with developers, the flaw, which has existed for over a decade, will be fully disclosed in less than two weeks. Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, although experts suggest there should be at least three to six. Leading Linux distributors such as Canonical and RedHat have confirmed the flaw's severity, rating it 9.9 out of 10. This indicates the potential for catastrophic damage if exploited. However, despite this acknowledgment, no working fix is still available. Developers remain embroiled in debates over whether some aspects of the vulnerability impact security.
Government

OpenAI Pitched White House On Unprecedented Data Center Buildout (yahoo.com) 38

An anonymous reader quotes a report from Bloomberg: OpenAI has pitched the Biden administration on the need for massive data centers that could each use as much power as entire cities, framing the unprecedented expansion as necessary to develop more advanced artificial intelligence models and compete with China. Following a recent meeting at the White House, which was attended by OpenAI Chief Executive Officer Sam Altman and other tech leaders, the startup shared a document with government officials outlining the economic and national security benefits of building 5-gigawatt data centers in various US states, based on an analysis the company engaged with outside experts on. To put that in context, 5 gigawatts is roughly the equivalent of five nuclear reactors, or enough to power almost 3 million homes. OpenAI said investing in these facilities would result in tens of thousands of new jobs, boost the gross domestic product and ensure the US can maintain its lead in AI development, according to the document, which was viewed by Bloomberg News. To achieve that, however, the US needs policies that support greater data center capacity, the document said. "Whatever we're talking about is not only something that's never been done, but I don't believe it's feasible as an engineer, as somebody who grew up in this," said Joe Dominguez, CEO of Constellation Energy Corp. "It's certainly not possible under a timeframe that's going to address national security and timing."
Google

Google Complains To EU Over Microsoft Cloud Practices (reuters.com) 22

Alphabet unit Google filed a complaint to the European Commission on Wednesday against what it said were Microsoft's anti-competitive practices to lock customers into Microsoft's cloud platform Azure. From a report: Google, whose biggest cloud computing rivals are Microsoft and Amazon Web Services, said Microsoft was exploiting its dominant Windows Server operating system to prevent competition. Google Cloud Vice President Amit Zavery told a briefing that Microsoft made customers pay a 400% mark-up to keep running Windows Server on rival cloud computing operators. This did not apply if they used Azure. Users of rival cloud systems would also get later and more limited security updates, Zavery said.

Google pointed to a 2023 study by cloud services organization CISPE which found that European businesses and public sector bodies were paying up to 1 billion euros ($1.12 billion) per year on Microsoft licensing penalties. Microsoft in July clinched a 20-million-euro deal to settle an antitrust complaint about its cloud computing licensing practices with CISPE, averting an EU investigation. However, the settlement did not include Amazon Web Services, Google Cloud Platform and AliCloud, prompting criticism from the first two companies.

China

China-Linked Hackers Breach US Internet Providers in New 'Salt Typhoon' Cyberattack (msn.com) 16

Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, WSJ reported Wednesday, citing people familiar with the matter. From the report: The hacking campaign, called Salt Typhoon by investigators, hasn't previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing's massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America's broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack. Last week, U.S. officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into U.S. networks for a China-based hacking group called Flax Typhoon. And in January, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of U.S. critical infrastructure.

"The cyber threat posed by the Chinese government is massive," said Christopher Wray, the Federal Bureau of Investigation's director, speaking earlier this year at a security conference in Germany. "China's hacking program is larger than that of every other major nation, combined." U.S. security officials allege that Beijing has tried and at times succeeded in burrowing deep into U.S. critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China's actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the U.S.'s ability to mobilize support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island.

Security

Kansas Water Facility Switches to Manual Operations Following Cyberattack (securityweek.com) 28

A small city in Kansas switched was forced to switch its water treatment facility to manual operations after a suspected cyberattack was discovered on September 22. The precautionary measure was taken "to ensure plant operations remained secure," the city said. It reassured residents that the drinking water is safe and the water supply remains unaffected. SecurityWeek.com reports: Arkansas City says it has notified the relevant authorities of the incident and that they are working with cybersecurity experts to address the issue and return the facility's operations to normal. "Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents," the city said. While the city's notification does not share further details on the incident, it appears that the water treatment plant might have fallen victim to a ransomware attack. Switching to manual operations suggests that systems were shut down to contain the attack, which is the typical response to incidents involving ransomware.
Security

CrowdStrike Overhauls Testing and Rollout Procedures To Avoid System Crashes (securityweek.com) 36

wiredmikey writes: CrowdStrike says it has revamped several testing, validation, and update rollout processes to prevent a repeat of the embarrassing July outage that caused widespread disruption on Windows systems around the world.

In testimony before the House Subcommittee on Cybersecurity, CrowdStrike vice president Adam Meyers outlined a new set of protocols that include carefully controlled rollouts of software updates, better validation of code inputs, and new testing procedures to cover a broader array of problematic scenarios.

Earth

Low-Lying Pacific Islands Pin Hopes on UN Meeting as Sea Rise Threatens Survival (theguardian.com) 61

An anonymous reader shares a report: The Pacific country of Kiribati might be surrounded by water, but on land its population is running dry. The ocean around them is steadily encroaching, contaminating underground wells and leeching salt into the soil. "Our waters have been infected," climate activist and law student Christine Tekanene says. "Those who are affected, they now can't survive with the water that changed after sea level rise." The freshwater crisis is just one of the many threats driven by rising seas in Kiribati. Its people live on a series of atolls, peaking barely a couple of metres above a sprawling tract of the Pacific Ocean. As global temperatures rise and ice sheets melt, Kiribati -- and other low-lying nations like it -- are experiencing extreme and regular flooding, frequent coastal erosion and persistent food and water insecurity.

This week the United Nations general assembly will hold a high-level meeting to address the existential threats posed by sea level rise as the issue climbs the international agenda; last year the UN security council debated it for the first time. Wednesday's meeting aims to build political consensus on action to address the widespread social, economic and legal consequences of rising seas. Samoa's UN representative, Fatumanava Dr Pa'olelei Luteru, says the upcoming UN meeting is long overdue and "extremely important" for island nations. "Economically, militarily, we're not powerful," says Luteru, who also serves as the current chair of the Alliance of Small Island States (AOSIS). "At least within the context of the UN and the multilateral system we have the possibility and the opportunity to engage and achieve some of the things that are a priority for us."

Botnet

11 Million Devices Infected With Botnet Malware Hosted In Google Play (arstechnica.com) 12

Ars Technica's Dan Goodin reports: Five years ago, researchers made a grim discovery -- a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads. Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible. [...]

The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads -- known as Max Browser -- was also infected. That app is no longer available in Google Play. The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.

Microsoft

Microsoft Tightens Digital Defenses with Sweeping Security Overhaul (geekwire.com) 32

Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft's security culture "inadequate."

Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging.

Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.

Slashdot Top Deals