An anonymous reader shares a report: Passport numbers for a group of Disney cruise line workers. Disney+ streaming revenue. Sales of Genie+ theme park passes. The trove of data from Disney that was leaked online by hackers earlier this summer includes a range of financial and strategy information that sheds light on the entertainment giant's operations, according to files viewed by The Wall Street Journal. It also includes personally identifiable information of some staff and customers.

The leaked files include granular details about revenue generated by such products as Disney+ and ESPN+; park pricing offers the company has modeled; and what appear to be login credentials for some of Disney's cloud infrastructure. (The Journal didn't attempt to access any Disney systems.) "We decline to comment on unverified information The Wall Street Journal has purportedly obtained as a result of a bad actor's illegal activity," a Disney spokesman said. Disney told investors in an August regulatory filing that it is investigating the unauthorized release of "over a terabyte of data" from one of its communications systems. It said the incident hadn't had a material impact on its operations or financial performance and doesn't expect that it will.

Data that a hacking entity calling itself Nullbulge released online spans more than 44 million messages from Disney's Slack workplace communications tool, upward of 18,800 spreadsheets and at least 13,000 PDFs, the Journal found. The scope of the material taken appears to be limited to public and private channels within Disney's Slack that one employee had access to. No private messages between executives appear to be included. Slack is only one online forum in which Disney employees communicate at work.

During a 2023 deployment, senior enlisted leaders aboard the Navy ship USS Manchester secretly installed a Starlink Wi-Fi network, allowing them exclusive internet access in violation of Navy regulations. "Unauthorized Wi-Fi systems like the one [then-Command Senior Chief Grisel Marrero] set up are a massive no-no for a deployed Navy ship, and Marrero's crime occurred as the ship was deploying to the West Pacific, where such security concerns become even more paramount among heightened tensions with the Chinese," reports Navy Times. From the report: As the ship prepared for a West Pacific deployment in April 2023, the enlisted leader onboard conspired with the ship's chiefs to install the secret, unauthorized network aboard the ship, for use exclusively by them. So while rank-and-file sailors lived without the level of internet connectivity they enjoyed ashore, the chiefs installed a Starlink satellite internet dish on the top of the ship and used a Wi-Fi network they dubbed "STINKY" to check sports scores, text home and stream movies. The enjoyment of those wireless creature comforts by enlisted leaders aboard the ship carried serious repercussions for the security of the ship and its crew. "The danger such systems pose to the crew, the ship and the Navy cannot be understated," the investigation notes.

Led by the senior enlisted leader of the ship's gold crew, then-Command Senior Chief Grisel Marrero, the effort roped in the entire chiefs mess by the time it was uncovered a few months later. Marrero was relieved in late 2023 after repeatedly misleading and lying to her ship's command about the Wi-Fi network, and she was convicted at court-martial this spring in connection to the scheme. She was sentenced to a reduction in rank to E-7 after the trial and did not respond to requests for comment for this report. The Navy has yet to release the entirety of the Manchester investigation file to Navy Times, including supplemental enclosures. Such records generally include statements or interview transcripts with the accused.

But records released so far show the probe, which wrapped in November, found that the entire chiefs mess knew about the secret system, and those who didn't buy into it were nonetheless culpable for not reporting the misconduct. Those chiefs and senior chiefs who used, paid for, helped hide or knew about the system were given administrative nonjudicial punishment at commodore's mast, according to the investigation. All told, more than 15 Manchester chiefs were in cahoots with Marrero to purchase, install and use the Starlink system aboard the ship. "This agreement was a criminal conspiracy, supported by the overt act of bringing the purchased Starlink onboard USS MANCHESTER," the investigation said. "Any new member of the CPO Mess which then paid into the services joined that conspiracy following the system's operational status."

Records obtained by Navy Times via a Freedom of Information Act request reveal a months-long effort by Marrero to obtain, install and then conceal the chiefs Wi-Fi network from superiors, including the covert installation of a Starlink satellite dish on the outside of the Manchester. When superiors became suspicious about the existence of the network and confronted her about it, Marrero failed to come clean on multiple occasions and provided falsified documents to further mislead Manchester's commanding officer, the investigation states. "The installation and usage of Starlink, without the approval of higher headquarters, poses a serious risk to mission, operational security, and information security," the investigation states.

An anonymous reader quotes a Bloomberg article, written by Jason Leopold: The aurora borealis, or northern lights, is a colorful display in the night sky that comes from geomagnetic storms in space. When charged particles from the sun smash into the Earth's upper atmosphere, they create bright, kaleidoscopic ribbons of light, typically in polar regions. Really big solar action can interfere with GPS systems and power grids. That's exactly what happened on May 10, when there were three "coronal mass ejections" (my future metal band name) that produced one of the most powerful solar storms in 500 years, hence the dazzling, polychromatic sky visible even from South America. Turns out, the extreme space weather also disrupted life on Earth.

Six days after the northern lights, I filed a Freedom of Information Act request with NOAA. I was curious how the agency reacted to the atmospheric event and whether the public deserved to be concerned. I asked NOAA's Space Weather Prediction Center and National Weather Service for a wide range of records, including emails, photographs, satellite images and threat assessments. A couple of weeks ago, NOAA turned over some interesting documents. The short version is, while we marveled at the light show, scientists were concerned. According to one internal memo, the geomagnetic storm was an "extreme," rare event and if NOAA scientists hadn't been on their game it could have been catastrophic.

A May 14, three-page after action memo disseminated by Clinton Wallace, the director of the Space Weather Prediction Center, described the storm's impact and explained the celestial phenomenon. He said "Solar Cycle 25," a phase of solar sunspot activity that began in December 2019 and continues through 2030, "has been more active than anticipated, with an intense surge in solar activity marking the beginning of May." "A large group of unstable sunspots on the Sun's surface unleashed several powerful solar flares, immediately affecting the Earth's outer atmosphere and causing disruptions in high-frequency (HF) radio communications," he wrote. "This had significant implications for trans-oceanic aviation, which relies heavily on HF radio for communication over long distances."

On May 9, a day before the northern lights extravaganza, staff at the Space Weather Prediction Center "activated" the North American Electric Reliability Corp. hotline to make sure the regulator was prepared. Wallace's memo said NERC gave about 3,000 electric utility companies a six-hour head start to get ready. The space weather officials also advised the Federal Emergency Management Agency and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on preparedness. Wallace wrote in his memo that the storm caused "significant disruptions across multiple sectors, including navigation, power grids, aviation, and satellite operations." He also noted that the severity of the geomagnetic storm "underscored the interconnectedness and vulnerability of modern infrastructure to space weather." Although Wallace said the space weather scientists took steps to mitigate any potential disaster, their work "highlighted areas for improvement in preparedness and response." He didn't elaborate.

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday. ArsTechnica: The cryptographic flaw, known as a side channel, resides in a small microcontroller that's used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven't tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contain the same vulnerability.

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7 -- which was released in May and replaces the Infineon cryptolibrary with a custom one -- are vulnerable. Updating key firmware on the YubiKey isn't possible. That leaves all affected YubiKeys permanently vulnerable.

U.S. oilfield services firm Halliburton said on Tuesday an unauthorized third party had accessed and removed data from its systems, providing details regarding the cyberattack in August. From a report: The company said it is evaluating the nature and scope of information that was removed, but added that the incident is not reasonably likely to have a material impact. Halliburton declined to comment in response to Reuters' requests for additional information on the nature of data removed and expenses incurred due to the cyber incident. It also did not immediately confirm whether it had been contacted by the hackers. U.S energy firms have suffered multiple cyberattacks, including ransomware attacks, in recent years. In 2021, Colonial Pipeline was forced to pay $4.4 million in ransom as its executives were not sure about the severity of the breach.

Efforts to add Rust code to the Linux kernel has suffered a setback as one of the maintainers of the Rust for Linux project has stepped down -- citing frustration with "nontechnical nonsense," according to The Register: Wedson Almeida Filho, a software engineer at Microsoft who has overseen the Rust for Linux project, announced his resignation in a message to the Linux kernel development mailing list. "I am retiring from the project," Filho declared. "After almost four years, I find myself lacking the energy and enthusiasm I once had to respond to some of the nontechnical nonsense, so it's best to leave it up to those who still have it in them."

[...] Memory safety bugs are regularly cited as the major source of serious software vulnerabilities by organizations overseeing large projects written in C and C++. So in recent years there's been a concerted push from large developers like Microsoft and Google, as well as from government entities like the US Cybersecurity and Infrastructure Security Agency, to use memory-safe programming languages -- among them Rust. Discussions about adding Rust to Linux date back to 2020 and were realized in late 2022 with the release of Linux 6.1. "I truly believe the future of kernels is with memory-safe languages," Filho's note continued. "I am no visionary but if Linux doesn't internalize this, I'm afraid some other kernel will do to it what it did to Unix."

Notorious for a hardworking culture, Japan launched an initiative to help people cut back. But three years into the effort, the country is having a hard time coaxing people to take a four-day workweek. From a report: Japanese lawmakers first proposed a shorter work week in 2021. The guidelines aimed to encourage staff retention and cut the number of workers falling ill or dying from overwork in an economy already suffering from a huge labor shortage. The guidelines also included overtime limits and paid annual leave. However, the initiative has had a slow start: According to the Ministry of Health, Labor, and Welfare, only about 8% of companies in Japan allow employees to take three or more days off a week.

It's not just companies -- employees are hesitant, too. Electronics manufacturer Panasonic, one of Japan's largest companies, opted into the effort in early 2022. Over two years in, only 150 of its 63,000 eligible employees have chosen to take up four-day schedules, a representative of the company told the Associated Press. Other major companies to introduce a four-day workweek include Uniqlo parent Fast Retailing, electronics giant Hitachi, and financial firm Mizuho. About 85% of employers report giving workers the usual two days off a week. Much of the reluctance to take an extra day off boils down to a culture of workers putting companies before themselves, including pressure to appear like team players and hard workers. This intense culture stems from Japan's postwar era, where, in an effort to boost the economy, then-Prime Minister Shigeru Yoshida enlisted major corporations to offer their employees lifelong job security, asking only that workers repay them with loyalty.

Politico reports U.S. states have no uniform way of policing the use of overseas subcontractors in election technology, "let alone to understand which individual software components make up a piece of code."

For example, to replace New Hampshire's old voter registration database, state election officials "turned to one of the best — and only — choices on the market," Politico: "a small, Connecticut-based IT firm that was just getting into election software." But last fall, as the new company, WSD Digital, raced to complete the project, New Hampshire officials made an unsettling discovery: The firm had offshored part of the work. That meant unknown coders outside the U.S. had access to the software that would determine which New Hampshirites would be welcome at the polls this November.

The revelation prompted the state to take a precaution that is rare among election officials: It hired a forensic firm to scour the technology for signs that hackers had hidden malware deep inside the coding supply chain. The probe unearthed some unwelcome surprises: software misconfigured to connect to servers in Russia ["probably by accident," they write later] and the use of open-source code — which is freely available online — overseen by a Russian computer engineer convicted of manslaughter, according to a person familiar with the examination and granted anonymity because they were not authorized to speak about it... New Hampshire officials say the scan revealed another issue: A programmer had hard-coded the Ukrainian national anthem into the database, in an apparent gesture of solidarity with Kyiv.

None of the findings amounted to evidence of wrongdoing, the officials said, and the company resolved the issues before the new database came into use ahead of the presidential vote this spring. This was "a disaster averted," said the person familiar with the probe, citing the risk that hackers could have exploited the first two issues to surreptitiously edit the state's voter rolls, or use them and the presence of the Ukrainian national anthem to stoke election conspiracies. [Though WSD only maintains one other state's voter registration database — Vermont] the supply-chain scare in New Hampshire — which has not been reported before — underscores a broader vulnerability in the U.S. election system, POLITICO found during a six-month-long investigation: There is little oversight of the supply chain that produces crucial election software, leaving financially strapped state and county offices to do the best they can with scant resources and expertise.

The technology vendors who build software used on Election Day face razor-thin profit margins in a market that is unforgiving commercially and toxic politically. That provides little room for needed investments in security, POLITICO found. It also leaves states with minimal leverage over underperforming vendors, who provide them with everything from software to check in Americans at their polling stations to voting machines and election night reporting systems. Many states lack a uniform or rigorous system to verify what goes into software used on Election Day and whether it is secure.
The article also points out that many state and federal election officials "insist there has been significant progress" since 2016, with more regular state-federal communication. "The Cybersecurity and Infrastructure Security Agency, now the lead federal agency on election security, didn't even exist back then.

"Perhaps most importantly, more than 95% of U.S. voters now vote by hand or on machines that leave some type of paper trail, which officials can audit after Election Day."

The Washington Post writes that Telegram's "anything-goes approach" to its 950 million users "has also made it one of the internet's largest havens for child predators, experts say...."

"Durov's critics say his public idealism masks an opportunistic business model that allows Telegram to profit from the worst the internet has to offer, including child sexual abuse material, or CSAM... " [Telegram is] an app of choice for political organizing, including by dissidents under repressive regimes. But it is equally appealing for terrorist groups, criminal organizations and sexual predators, who use it as a hub to share and consume nonconsensual pornography, AI "deepfake" nudes, and illegal sexual images and videos of exploited minors, said Alex Stamos, chief information security officer at the cybersecurity firm SentinelOne. "Due to their advertised policy of not cooperating with law enforcement, and the fact that they are known not to scan for CSAM, Telegram has attracted large groups of pedophiles trading and selling child abuse materials," Stamos said.

That reach comes even though many Telegram exchanges don't actually use the strong forms of encryption available on true private messaging apps, he added. Telegram is used for private messaging, public posts and group chats. Only one-to-one conversations can be encrypted in a way that even Telegram can't access them. And that occurs only if users choose the option, meaning the company could turn over everything else to governments if it wanted to... French prosecutors argue that Durov is in fact responsible for Telegram's emergence as a global haven for illegal content, including CSAM, because of his reluctance to moderate it and his refusal to help authorities police it, among other allegations...

David Kaye, a professor at University of California, Irvine School of Law and former U.N. special rapporteur on freedom of expression... said that while Telegram has at times banned groups and taken down [CSAM] content in response to law enforcement, its refusal to share data with investigators sets it apart from most other major tech companies. Unlike U.S.-based platforms, Telegram is not required by U.S. law to report instances of CSAM to the National Center for Missing and Exploited Children, or NCMEC. Many online platforms based overseas do so anyway — but not Telegram. "NCMEC has tried to get them to report, but they have no interest and are known for not wanting to work with [law enforcement agencies] or anyone in this space," a NCMEC spokesperson said.
The Post also writes that Telegram "has repeatedly been revealed to serve as a tool to store, distribute and share child sexual imagery." (They cite several examples, including two different men convicted to minimum sentences of at least 10 years for using the service to purchase CSAM and solicit explicit photos from minors.)

CSO Online reports that North Korea "is actively infiltrating Western companies using skilled IT workers who use fake identities to pose as remote workers with foreign companies, typically but not exclusively in the U.S."

Slashdot reader snydeq shares their report, which urges information security officers "to carry out tighter vetting of new hires to ward off potential 'moles' — who are increasingly finding their way onto company payrolls and into their IT systems." The schemes are part of illicit revenue generation efforts by the North Korean regime, which faces financial sanctions over its nuclear weapons program, as well as a component of the country's cyberespionage activities.

The U.S. Treasury department first warned about the tactic in 2022. Thosands of highly skilled IT workers are taking advantage of the demand for software developers to obtain freelance contracts from clients around the world, including in North America, Europe, and East Asia. "Although DPRK [North Korean] IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK's malicious cyber intrusions," the Treasury department warned... North Korean IT workers present themselves as South Korean, Chinese, Japanese, or Eastern European, and as U.S.-based teleworkers. In some cases, DPRK IT workers further obfuscate their identities by creating arrangements with third-party subcontractors.

Christina Chapman, a resident of Arizona, faces fraud charges over an elaborate scheme that allegedly allowed North Korean IT workers to pose as U.S. citizens and residents using stolen identities to obtain jobs at more than 300 U.S. companies. U.S. payment platforms and online job site accounts were abused to secure jobs at more than 300 companies, including a major TV network, a car manufacturer, a Silicon Valley technology firm, and an aerospace company... According to a U.S. Department of Justice indictment, unsealed in May 2024, Chapman ran a "laptop farm," hosting the overseas IT workers' computers inside her home so it appeared that the computers were located in the U.S. The 49-year-old received and forged payroll checks, and she laundered direct debit payments for salaries through bank accounts under her control. Many of the overseas workers in her cell were from North Korea, according to prosecutors. An estimated $6.8 million were paid for the work, much of which was falsely reported to tax authorities under the name of 60 real U.S. citizens whose identities were either stolen or borrowed...

Ukrainian national Oleksandr Didenko, 27, of Kyiv, was separately charged over a years-long scheme to create fake accounts at U.S. IT job search platforms and with U.S.-based money service transmitters. "Didenko sold the accounts to overseas IT workers, some of whom he believed were North Korean, and the overseas IT workers used the false identities to apply for jobs with unsuspecting companies," according to the U.S. Department of Justice. Didenko, who was arrested in Poland in May, faces U.S. extradition proceedings...

How this type of malfeasance plays out from the perspective of a targeted firm was revealed by security awareness vendor KnowBe4's candid admission in July that it unknowingly hired a North Korean IT spy... A growing and substantial body of evidence suggests KnowBe4 is but one of many organizations targeted by illicit North Korean IT workers. Last November security vendor Palo Alto reported that North Korean threat actors are actively seeking employment with organizations based in the U.S. and other parts of the world...

Mandiant, the Google-owned threat intel firm, reported last year that "thousands of highly skilled IT workers from North Korea" are hunting work. More recently, CrowdStrike reported that a North Korean group it dubbed "Famous Chollima" infiltrated more than 100 companies with imposter IT pros.
The article notes the infiltrators use chatbots to tailor the perfect resume "and further leverage AI-created deepfakes to pose as real people." And the article includes this quote from a former intelligence analyst for the U.S. Air Force turned cybersecurity strategist at Sysdig. "In some cases, they may try to get jobs at tech companies in order to steal their intellectual property before using it to create their own knock-off technologies."

The article closes with its suggested "countermeasures," including live video-chats with prospective remote-work applicants — and confirming an applicant's home address.

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials. The order, issued by a judge in Ohio's Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city's data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group's dark web site, which is accessible to anyone with a TOR browser.

Columbus Mayor Andrew Ginther said on August 13 that a "breakthrough" in the city's forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them "unusable" to the thieves. Ginther went on to say the data's lack of integrity was likely the reason the ransomware group had been unable to auction off the data. Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.

On Thursday, the city of Columbus sued Ross (PDF) for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him "interacting" with them and required special expertise and tools. The suit went on to challenge Ross alerting reporters to the information, which ii claimed would not be easily obtained by others. "Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so," city attorneys wrote. "The dark web-posted data is not readily available for public consumption. Defendant is making it so." The same day, a Franklin County judge granted the city's motion for a temporary restraining order (PDF) against Ross. It bars the researcher "from accessing, and/or downloading, and/or disseminating" any city files that were posted to the dark web. The motion was made and granted "ex parte," meaning in secret before Ross was informed of it or had an opportunity to present his case.

The Pidgin messaging app removed the ScreenShareOTR plugin from its third-party plugin list after it was found to be used to install keyloggers, information stealers, and malware targeting corporate networks. BleepingComputer reports: The plugin was promoted as a screen-sharing tool for secure Off-The-Record (OTR) protocol and was available for both Windows and Linux versions of Pidgin. According to ESET, the malicious plugin was configured to infect unsuspecting users with DarkGate malware, a powerful malware threat actors use to breach networks since QBot's dismantling by the authorities. [...] Those who installed it are recommended to remove it immediately and perform a full system scan with an antivirus tool, as DarkGate may be lurking on their system.

After publishing our story, Pidgin's maintainer and lead developer, Gary Kramlich, notified us on Mastodon to say that they do not keep track of how many times a plugin is installed. To prevent similar incidents from happening in the future, Pidgin announced that, from now on, it will only accept third-party plugins that have an OSI Approved Open Source License, allowing scrutiny into their code and internal functionality.

A recent indictment (PDF) of an Alaska man stands out due to the sophisticated use of multiple encrypted communication tools, privacy-focused apps, and dark web technology. "I've never seen anyone who, when arrested, had three Samsung Galaxy phones filled with 'tens of thousands of videos and images' depicting CSAM, all of it hidden behind a secrecy-focused, password-protected app called 'Calculator Photo Vault,'" writes Ars Technica's Nate Anderson. "Nor have I seen anyone arrested for CSAM having used all of the following: [Potato Chat, Enigma, nandbox, Telegram, TOR, Mega NZ, and web-based generative AI tools/chatbots]." An anonymous reader shares the report: According to the government, Seth Herrera not only used all of these tools to store and download CSAM, but he also created his own -- and in two disturbing varieties. First, he allegedly recorded nude minor children himself and later "zoomed in on and enhanced those images using AI-powered technology." Secondly, he took this imagery he had created and then "turned to AI chatbots to ensure these minor victims would be depicted as if they had engaged in the type of sexual contact he wanted to see." In other words, he created fake AI CSAM -- but using imagery of real kids.

The material was allegedly stored behind password protection on his phone(s) but also on Mega and on Telegram, where Herrera is said to have "created his own public Telegram group to store his CSAM." He also joined "multiple CSAM-related Enigma groups" and frequented dark websites with taglines like "The Only Child Porn Site you need!" Despite all the precautions, Herrera's home was searched and his phones were seized by Homeland Security Investigations; he was eventually arrested on August 23. In a court filing that day, a government attorney noted that Herrera "was arrested this morning with another smartphone -- the same make and model as one of his previously seized devices."

The government is cagey about how, exactly, this criminal activity was unearthed, noting only that Herrera "tried to access a link containing apparent CSAM." Presumably, this "apparent" CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it. In the end, given that fatal click, none of the "I'll hide it behind an encrypted app that looks like a calculator!" technical sophistication accomplished much. Forensic reviews of Herrera's three phones now form the primary basis for the charges against him, and Herrera himself allegedly "admitted to seeing CSAM online for the past year and a half" in an interview with the feds.

An anonymous reader quotes a report from Ars Technica: A controversial bill aimed at enforcing safety standards for large artificial intelligence models has now passed the California State Assembly by a 45-11 vote. Following a 32-1 state Senate vote in May, SB-1047 now faces just one more procedural state senate vote before heading to Governor Gavin Newsom's desk. As we've previously explored in depth, SB-1047 asks AI model creators to implement a "kill switch" that can be activated if that model starts introducing "novel threats to public safety and security," especially if it's acting "with limited human oversight, intervention, or supervision." Some have criticized the bill for focusing on outlandish risks from an imagined future AI rather than real, present-day harms of AI use cases like deep fakes or misinformation. [...]

If the Senate confirms the Assembly version as expected, Newsom will have until September 30 to decide whether to sign the bill into law. If he vetoes it, the legislature could override with a two-thirds vote in each chamber (a strong possibility given the overwhelming votes in favor of the bill). At a UC Berkeley Symposium in May, Newsom said he worried that "if we over-regulate, if we overindulge, if we chase a shiny object, we could put ourselves in a perilous position." At the same time, Newsom said those over-regulation worries were balanced against concerns he was hearing from leaders in the AI industry. "When you have the inventors of this technology, the godmothers and fathers, saying, 'Help, you need to regulate us,' that's a very different environment," he said at the symposium. "When they're rushing to educate people, and they're basically saying, 'We don't know, really, what we've done, but you've got to do something about it,' that's an interesting environment." Supporters of the AI safety bill include state senator Scott Weiner and AI experts including Geoffrey Hinton and Yoshua Bengio. Bengio supports the bill as a necessary step for consumer protection and insists that AI should not be self-regulated by corporations, akin to other industries like pharmaceuticals and aerospace.

Stanford professor Fei-Fei Li opposes the bill, arguing that it could have harmful effects on the AI ecosystem by discouraging open-source collaboration and limiting academic research due to the liability placed on developers of modified models. A group of business leaders also sent an open letter Wednesday urging Newsom to veto the bill, calling it "fundamentally flawed."

Google says it has evidence that Russian government hackers are using exploits that are "identical or strikingly similar" to those previously made by spyware makers Intellexa and NSO Group. From a report: In a blog post on Thursday, Google said it is not sure how the Russian government acquired the exploits, but said this is an example of how exploits developed by spyware makers can end up in the hands of "dangerous threat actors." In this case, Google says the threat actors are APT29, a group of hackers widely attributed to Russia's Foreign Intelligence Service, or the SVR. APT29 is a highly capable group of hackers, known for its long-running and persistent campaigns aimed at conducting espionage and data theft against a range of targets, including tech giants Microsoft and SolarWinds, as well as foreign governments.

Google said it found the hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. During this time, anyone who visited these sites using an iPhone or Android device could have had their phone hacked and data stolen, including passwords, in what is known as a "watering hole" attack. The exploits took advantage of vulnerabilities in the iPhone's Safari browser and Google Chrome on Android that had already been fixed at the time of the suspected Russian campaign. Still, those exploits nevertheless could be effective in compromising unpatched devices.

According to a new survey from Bitkom, cybercrime and other acts of sabotage have cost German companies around $298 billion in the past year, up 29% on the year before. Reuters reports: Bitkom surveyed around 1,000 companies from all sectors and found that 90% expect more cyberattacks in the next 12 months, with the remaining 10% expecting the same level of attacks. Some 70% of companies that were targeted attributed the attacks to organised crime, the survey found, adding 81% of companies reported data theft, including customer data, access data and passwords, as well as intellectual property such as patents. Around 45% of companies said they could attribute at least one attack to China, up from 42% in the previous year. Attacks blamed on Russia came in second place at 39%.

The increase in attacks has prompted companies to allocate 17% of their IT budget to digital security, up from 14% last year, but only 37% said they had an emergency plan to react to security incidents in their supply chain, the survey showed.

snydeq writes: CSO Online's Sarah Wiedemar reports on a rising trend in the Russia cybersecurity community: bug bounty programs, which the researcher says could have far-reaching implications as the bounty ecosystem matures. From the report: "Given the current uncertainty that Russian bug bounty hunters and vulnerability researchers are facing when dealing with Western bug bounty programs, Russian IT companies have begun to fill that vacuum. [...] Russian bug bounty platforms have a high probability for substantial growth in the next few years. They provide a credible Western alternative not only to Russian hackers, but also for all other vulnerability researchers located in countries that could potentially face international financial sanctions in the future.

From a Western perspective, a potential problematic development could be that Russian hackers decide to sell vulnerabilities found in Western products to Russian zero-day acquisition companies such as Operation Zero. Thus, instead of reporting them to Western bug bounty platforms for free, they sell to the highest bidder. Those zero-day acquisition companies in turn sell them on to Russian law enforcement and security agencies, which could lead to increased espionage campaigns in Western countries. Western policy makers would do well to keep an eye on the evolution of Russia's bug bounty ecosystem." Although bug bounty programs have existed in Russia since 2012, they weren't widely adopted due to distrust from the government and dominance of Western platforms. Recently, new platforms like Bug Bounty RU, Standoff 365, and BI.ZONE have emerged, attracting thousands of bug hunters and major Russian companies. "In 2023, the total number of bug hunters on these platforms amounted to 20,000 people," notes Wiedemar. The Russian government has also begun participating, launching programs for 10 of its e-government systems.

However, legal ambiguities remain, as ethical hacking is still considered illegal in Russia, with potential prison sentences. Despite this, there are ongoing legislative efforts to legalize ethical hacking, alongside broader government initiatives to enhance cybersecurity, including increased fines for data breaches and the potential creation of a cybersecurity agency akin to the US CISA.

Apple announced that CFO Luca Maestri will step down at the start of next year, transitioning to head of its corporate services team to lead "information systems and technology, information security, and real estate and development." Kevan Parekh will take over as CFO. The Verge reports: Maestri joined Apple in 2013 after serving as the CFO of Xerox. He became the CFO just one year later, replacing Peter Oppenheimer. CNBC notes that when he took over, Apple's annual revenue was $183 billion, and last year, it reached $383 billion. Apple also announced an expansion to its share repurchase program to $90 billion, which Maestri would oversee.

This spring, Apple announced it would increase the amount from $90 billion to $110 billion, breaking its own record of $100 billion. It also reported an increase in revenue from its services business of 14 percent, even as sales of iPhones and iPads were down from the previous year. In Apple's announcement, it said, "...Maestri enabled essential investments and practiced robust financial discipline, which together helped the company more than double its revenue, with services revenue growing more than five times."

Kevan Parekh, Apple's vice president of financial planning and analysis, will take Maestri's place managing the finances of the now $3 trillion company. Parekh has been at Apple for 11 years and previously worked in senior leadership positions at Thomson Reuters and General Motors. Last week, Apple announced that it's splitting its App Store group into two teams, with App Store vice president Matt Fischer leaving the role in October.

The state-sponsored Chinese hacking campaign known as Volt Typhoon is exploiting a bug in a California-based startup to hack American and Indian internet companies, according to security researchers. From a report: Volt Typhoon has breached four US firms, including internet service providers, and another in India through a vulnerability in a Versa Networks server product, according to Lumen's unit Black Lotus Labs. Their assessment, much of which was published in a blog post on Tuesday, found with "moderate confidence" that Volt Typhoon was behind the breaches of unpatched Versa systems and said exploitation was likely ongoing.

Versa, which makes software that manages network configurations and has attracted investment from Blackrock and Sequoia Capital, announced the bug last week and offered a patch and other mitigations. The revelation will add to concerns over the susceptibility of US critical infrastructure to cyberattacks. The US this year accused Volt Typhoon of infiltrating networks that operate critical US services, including some of the country's water facilities, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan.

An anonymous reader quotes a report from Bloomberg: People in a quiet neighborhood in Carthage, a town in Moore County, North Carolina, heard a series of six loud pops a few minutes before 8:00 p.m. on Dec. 3, 2022. A resident named Michael Campbell said he ducked at the sound. Another witness told police they thought they were hearing fireworks. The noise turned out to be someone shooting a rifle at a power substation next door to Campbell's home. The substation, operated by the utility Duke Energy Corp., consists of equipment that converts electricity into different voltages as it's transported to the area and then steered into individual houses. The shots hit the radiator of an electrical transformer, a sensitive piece of technology whose importance would likely be understood only by utility company employees. It began dumping a "vast amount" of oil, according to police reports. A subsequent investigation has pointed to a local right-wing group, one of a wave of attacks or planned attacks on power infrastructure.

By 8:10 the lights in Carthage went out. Minutes later, a security alarm went off at a Duke Energy substation 10 miles away, this one protected from view by large pine trees. When company personnel responded, they found that someone had shot its transformer radiator, too. Police found shell casings on the ground at the site and noticed someone had slashed the tires on nearby service trucks. The substations were designed to support each other, with one capable of maintaining service if the other went down. Knocking out both facilities prevented the company from rerouting power. Police described the two incidents as a coordinated attack. About 45,000 families and businesses remained dark for four days. This was a burden for area grocery stores and local emergency services. One woman, 87-year-old Karin Zoanelli, died in the hours after the shooting when the blackout caused her oxygen machine to stop operating. The North Carolina Medical Examiner's office classified the death as a homicide.

The attack on Duke's facilities in Moore County remains unsolved, but law enforcement officials and other experts suspect it's part of a rising trend of far-right extremists targeting power infrastructure in an attempt to sow chaos. The most ambitious of these saboteurs hope to usher in societal collapse, paving the way for the violent overthrow of the US government, according to researchers who monitor far-right communities. Damaging the power grid has long been a fixation of right-wing extremists, who have plotted such attacks for many years. They've been getting a boost recently from online venues such as "Terrorgram," a loose network of channels on the social media platform Telegram where users across the globe advocate violent white supremacism. In part, people use Terrorgram to egg one another on -- a viral meme shows a stick figure throwing a Molotov cocktail at electrical equipment. People on the forum have also seized on recent anti-immigration riots in the UK, inciting people there to clash with police. In June 2022, months before the Moore County shootings, users on the forum began offering more practical support in the form of a 261-page document titled "Hard Reset," which includes specific directions on how to use automatic weapons, explosives and mylar balloons to disrupt electricity. One of the document's suggestions is to shoot high-powered firearms at substation transformers.