Microsoft

Met Office and Microsoft To Build Climate Supercomputer (bbc.com) 27

The Met Office is working with Microsoft to build a weather forecasting supercomputer in the UK. From a report: They say it will provide more accurate weather forecasting and a better understanding of climate change. The UK government said in February 2020 it would invest $1.6bn in the project. It is expected to be one of the top 25 supercomputers in the world when it is up and running in the summer of 2022. Microsoft plans to update it over the next decade as computing improves. "This partnership is an impressive public investment in the basic and applied sciences of weather and climate," said Morgan O'Neill, assistant professor at Stanford University, who is independent of the project. "Such a major investment in a state-of-the-art weather and climate prediction system by the UK is great news globally, and I look forward to the scientific advances that will follow." The Met Office said the technology would increase their understanding of the weather -- and will allow people to better plan activities, prepare for inclement weather and get a better understanding of climate change.
Security

Flaws In John Deere's Websites Provide a Map To Customers, Equipment (securityledger.com) 31

chicksdaddy shares a report from The Security Ledger: Websites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company's customers including their names, physical addresses and information on the Deere equipment they own and operate, The Security Ledger reported. The researcher known as "Sick Codes" published two advisories on Thursday warning about the flaws in the myjohndeere.com website and the John Deere Operations Center website and mobile applications. In a conversation with Security Ledger, the researcher said that he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government's Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California's CCPA or the Personal Information Protection Act in Deere's home state of Illinois. However, the national security consequences of the company's leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain, researchers warn. The Agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report (PDF) released by Department of Homeland Security concluded that the "adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities" (and that) "potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers."

Facebook

A New Facebook Bug Exposes Millions of Email Addresses (wired.com) 15

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. Wired reports: A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher -- who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed -- fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

The researcher [...] said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

Firefox

Firefox 88 Enables JavaScript Embedded In PDFs By Default 100

ewhac writes: Firefox has long had a built-in PDF viewer, allowing users to view PDF files in the browser without having to install a third-party application. In addition to the other weird things PDF files can contain, one of them is JavaScript. Putatively offered as a way to create self-validating forms, this scripting capability has been abused over the decades in just about every way you can imagine. Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs... Until now. The newly released Firefox version 88 has flipped that switch, and will now blithely execute JavaScript embedded in PDFs. Firefox's main preferences dialog offers no control for turning this "feature" off.

To turn off JavaScript execution in PDFs: Enter about:config in the address bar; click "I'll be careful." In the search box near the top, enter pdfjs.enableScripting. Change the setting to False. Close the page.
Security

Signal CEO Hacks Cellebrite iPhone Hacking Device Used By Cops (vice.com) 85

FlatEric521 shares a report: Moxie Marlinspike, the founder of the popular encrypted chat app Signal, claims to have hacked devices made by the infamous phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details about the new exploits for Cellebrite devices but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. "We were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."

Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters." Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.

Security

Hackers Target Iconic Japan's Toshiba Rival Hoya With Ransomware (bloomberg.com) 17

A group of hackers executed a ransomware attack on Hoya, marking the second successful attack suffered by the Japanese firm in two years. From a report: "We can confirm that Hoya Vision Care US has experienced a cyberattack. Based on our initial forensics, the disruption appears to have been limited to our United States systems," a Hoya spokesperson said. "After identifying the threat, we quickly took action to contain it and contacted law enforcement. The company has engaged external experts to determine the nature and scope of this event. We will provide updates as more information becomes available." Hoya, named after the West Tokyo neighborhood where it was founded in 1941, is a glassmaker with about 37,000 employees worldwide and about $5 billion in annual revenue. Last year the company got 65% of its sales from contact lenses and glasses, while the rest came from information technology devices and services such as glass substrates used in the manufacturing of semiconductors and hard disk drives, according to the company's 2020 report. The hacker group called Astro Team said on its blog last week that it targeted Hoya servers and stole about 300 gigabytes of confidential corporate data including finance, production, email messages, passwords and safety reports. In 2019, Hoya suffered a major cyberattack, infecting over 100 computers and forcing the company to shut down its factories for three days.

Linux

Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research (neowin.net) 257

Greg Kroah-Hartman, who is one of the head honchos of the Linux kernel development and maintenance team, has banned the University of Minnesota (UMN) from further contributing to the Linux Kernel. The University had apparently introduced questionable patches into the kernel of Linux. From a report: The UMN had worked on a research paper dubbed "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits". Obviously, the "Open-Source Software" (OSS) here is indicating the Linux kernel and the University had stealthily introduced Use-After-Free (UAF) vulnerability to test the susceptibility of Linux. So far so good perhaps as one can see it as ethical experimenting. However, the UMN apparently sent another round of "obviously-incorrect patches" into the kernel in the form of "a new static analyzer" causing distaste to Greg Kroah-Hartman who has now decided to ban the University from making any further contributions.
Security

Google Chrome Hit In Another Mysterious Zero-Day Attack (securityweek.com) 62

wiredmikey shares a report from SecurityWeek: Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks. This is the fourth in-the-wild Chrome zero-day discovered so far in 2021, and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts.

The newest Chrome update -- 90.0.4430.85 -- is available for Windows, Mac and Linux users and is being rolled out via the browser's automatic update mechanism. The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a "type confusion" in the V8 Chrome rendering engine. Google credited Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability. "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," the company said, with no additional details.

Security

Hackers Are Exploiting a Pulse Secure 0-Day To Breach Orgs Around the World (arstechnica.com) 31

An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.

Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations. Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization.

Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.

Security

Ransomware Gang Tried To Extort Apple Hours Ahead of Tuesday Event (therecord.media) 19

An anonymous reader writes: The operators of the REvil ransomware are demanding that Apple pay a ransom demand to avoid having confidential information leaked on the dark web. The REvil crew claims it came into possession of Apple product data after breaching Quanta Computer, a Taiwanese company that is the biggest laptop manufacturer in the world and which is also one of the companies that assemble official Apple products based on pre-supplied product designs and schematics.

The REvil gang posted 21 screenshots depicting Macbook schematics and threatened to publish new data every day until May 1, or until Apple or Quanta pay the ransom demand. The extortion attempt was also perfectly timed for maximum visibility to coincide with the Spring Loaded event, where Apple announced new products and software updates.

Facebook

Would Be Cool if Everyone Normalized These Pesky Data Leaks, Says Data-Leaking Facebook in Leaked Memo (theregister.com) 33

Facebook wants you to believe that the scraping of 533 million people's personal data from its platform, and the dumping of that data online by nefarious people, is something to be "normalised." The Register: A blundering Facebook public relations operative managed to send a journalist a copy of an internal document detailing the social network's strategy for containing the leaking of 533 million accounts -- and what the memo contained was infuriating though unsurprising. Belgian tech journalist Pieterjan van Leemputten asked the Mark Zuckerberg-owned company some questions about the theft and dumping online of account data earlier this month.

Miscreants had helped themselves to 70GB of names, phone numbers, dates of birth, email addresses, and more from people's Facebook profiles, thanks to a security weakness in the platform. Having stolen the data in 2019, crims bought and sold it among themselves before one shared it via a Tor-hidden site in early April, inviting anyone to come and help themselves to it all. Yet when van Leemputten asked Facebook's mouthpieces to respond, what he got in return was quite unexpected. As he told The Register: "Facebook accidentally sent me an internal email where they literally state that they will frame the recent 533 million data leak as a 'broad industry issue' and that they want to normalize this." The memo added, "To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we're doing in this area."

Apple

Tile Bashes Apple's New AirTag as Unfair Competition (techcrunch.com) 87

Now that Apple's lost item finder AirTag has officially been introduced, competitor Tile is going on record ahead of its testimony in front of Congress tomorrow about how it perceives Apple's latest product. In a statement, Tile CEO CJ Prober said today: "Our mission is to solve the everyday pain point of finding lost and misplaced things and we are flattered to see Apple, one of the most valuable companies in the world, enter and validate the category Tile pioneered. The reason so many people turn to Tile to locate their lost or misplaced items is because of the differentiated value we offer our consumers. In addition to providing an industry leading set of features via our app that works with iOS and Android devices, our service is seamlessly integrated with all major voice assistants, including Alexa and Google. And with form factors for every use case and many different styles at affordable prices, there is a Tile for everyone.

Tile has also successfully partnered with top brands like HP, Intel, Skullcandy and fitbit to enable our finding technology in mass market consumer categories like laptops, earbuds and wearables. With over 30 partners, we look forward to extending the benefits of Tile to millions of customers and enabling an experience that helps you keep track of all your important belongings. We welcome competition, as long as it is fair competition. Unfortunately, given Apple's well-documented history of using its platform advantage to unfairly limit competition for its products, we're skeptical. And given our prior history with Apple, we think it is entirely appropriate for Congress to take a closer look at Apple's business practices specific to its entry into this category. We welcome the opportunity to discuss these issues further in front of Congress tomorrow.

Privacy

Geico Admits Fraudsters Stole Customers' Driver's License Numbers For Months (techcrunch.com) 21

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.
Government

US Unveils Plan To Protect Power Grid From Foreign Hackers (bloomberg.com) 55

The White House unveiled on Tuesday a 100-day plan intended to protect the U.S. power grid from cyber-attacks, mainly by creating a stronger relationship between U.S. national security agencies and the mostly private utilities that run the electrical system. From a report: The plan is among the first big steps toward fulfilling the Biden administration's promise to urgently improve the country's cyber defenses. The nation's power system is both highly vulnerable to hacking and a target for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power. "The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses," Secretary of Energy Jennifer Granholm said. Although the plan is billed as a 100-day sprint -- which includes a series of consultations between utilities and the government -- it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country's power systems, known as industrial control systems. The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the Biden administration's focus on cybersecurity. "Given the sophisticated and constantly changing threats posed by adversaries, America's electric companies remain focused on securing the industrial control systems that operate the North American energy grid," said EEI president Tom Kuhn.
The Internet

WordPress To Automatically Disable Google FLoC On Websites (bleepingcomputer.com) 79

AmiMoJo writes: WordPress announced over the weekend that they plan on treating Google's new FLoC tracking technology as a security concern and hence block it by default on WordPress sites. For some time, browsers have begun to increasingly block third-party browser cookies used by advertisers for interest-based advertising. In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses a web browser to anonymously place users into interest or behavioral buckets based on how they browse the web. After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.

"WordPress powers approximately 41% of the web -- and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code," says WordPress. WordPress states that this code is planned for WordPress 5.8, scheduled for release in July 2021. As FLoC is expected to roll out sooner, WordPress is considering back-porting this code to earlier versions to "amplify the impact" on current versions of the blogging platform.
Further reading: Nobody is Flying To Join Google's FLoC.
Businesses

Mastercard is Acquiring Identity Verification Company Ekata for $850M (techcrunch.com) 5

As online identity management grows in importance, Mastercard swooped in this morning and bought identity verification company Ekata for $850 million. From a report: Mastercard certainly sees the rapid digital transformation that is happening in online commerce, a move that was accelerated by COVID. It's a transformation that once started isn't likely to change back to the old ways of doing business, even when we get past the pandemic. With Ekata, the company gets a solution that can verify the online identity of a person making the transaction in real time using various signals that can indicate if this is fraudulent or true as they open an account or transact business. The company provides a score and other data that predicts the likelihood this person is who they say they are. It's not unlike a credit risk score, except for identity. That was one of the primary reasons Mastercard decided to acquire Ekata, according to Ajay Bhalla, president of cyber and intelligence solutions at the company. "With the addition of Ekata, we will advance our identity capabilities and create a safer, seamless way for consumers to prove who they say they are in the new digital economy," Bhalla said in a statement.
Open Source

Openwall Releases 'Linux Kernel Runtime Guard' 0.9.0 (linuxreviews.org) 7

Long-time Slashdot reader xiando shares news from LinuxReviews: Linux Kernel Runtime Guard (LKRG) is a security module for the Linux kernel developed by Openwall. The latest release adds compatibility with Linux kernels up to the soon-to-be-released 5.12, support for building LKRG into kernel images, support for old 32-bit x86 machines and more...

The Linux Kernel Runtime Guard is an out-of-tree kernel module you can install as a kernel module, or, with the 0.9.0 release, build into your Linux kernel. It does run-time integrity checks to detect security vulnerability exploits against the Linux kernel.

An Openwall developer also notes in the announcement that "During LKRG development and testing I've found 7 Linux kernel bugs, 4 of them have CVE numbers."
United States

A Wave of Tech Workers Transformed Tahoe Into a High-Priced 'Zoom-Town' (outsideonline.com) 161

In 2018 Oracle's Larry Ellison bought the historic Cal Neva Lodge on the scenic north shore of California's Lake Tahoe for $36 million. Then in 2019 Mark Zuckerberg bought a $59 million compound on Lake Tahoe's west shore.

But now a wave of techies are moving in, reports Outside magazine, "freed by COVID from cubicles and work commutes. They migrated, laptops in tow, to mountain towns all over the West, transforming them into modern-day boomtowns: 'Zoom-towns.'" "It's the wildest time," says realtor Katey Brandenburg, who works on Tahoe's Nevada side. For her and other realtors around the lake, the autumn of 2020 felt like winning the lottery. "I paid off a lifetime of debt — 28 years of loans, college, credit cards, and cars — in three months."

All told, 2020 saw more than 2,350 homes sold across the Tahoe Basin, for a boggling $3.28 billion, up from $1.76 billion in 2019, according to data analyzed by Sierra Sotheby's. That $3 billion stat is on a par with 2020 home-sales revenues in Aspen, Colorado (albeit there, the latest average home-sale price came in at $11 million). The trend is in line with real estate records being shattered from Sun Valley, Idaho, to Stowe, Vermont. And according to a just-released market update, it hasn't stopped: in the first quarter of 2021, median prices for single-family homes increased by an astronomical 70 percent year over year in Truckee, 72 percent in South Lake, and 81 percent in Incline Village...

"A disproportionate number of people who purchased homes in Tahoe in 2020 are employees of some of the largest tech companies in the Bay Area," says Deniz Kahramaner, founder of Atlasa, a real estate brokerage firm that specializes in data analytics. Of the 2,280 new-home buyers Atlasa identified throughout the Tahoe region in 2020, roughly 30 percent worked at software companies. The top three employers were Google (54 buyers), Apple (46), and Facebook (34)...

There is, however, one glaring issue with all this rapid, high-priced growth: the people who actually make a mountain town run — the ski instructors and patrollers, lift operators and shuttle drivers, housekeepers and snowcat mechanics, cooks and servers — can no longer afford to live there.

The article does note higher property taxes going toward public services (along with "more money eventually pumping into bars and restaurants.") And it also acknowledges affordable housing has for decades been an issue in tourist towns.

"It's just suddenly on steroids..."
United States

The FBI Accessed and Repaired 'Hundreds' of Hacked Microsoft Exchange Servers (csoonline.com) 86

America's top law enforcement agency "obtained a court order that allowed it to remove a backdoor program from hundreds of private Microsoft Exchange servers that were hacked through zero-day vulnerabilities earlier this year," reports CSO. (Thanks to detritus. (Slashdot reader #46,421) for sharing the news...) Earlier this week, the Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premise Microsoft Exchange servers owned by private organizations. A web shell is a type of program that hackers install on hacked web servers to grant them backdoor access and remote command execution capabilities on those servers through a web-based interface.

In this case, the warrant targeted web shells installed by a cyberespionage group dubbed Hafnium that is believed to have ties to the Chinese government. In early March, Microsoft reported that Hafnium has been exploiting previously unpatched vulnerabilities in Microsoft Exchange to compromise servers. At the same time, the company released patches for those vulnerabilities, as well as indicators of compromise and other detection tools, but this didn't prevent other groups of attackers from exploiting the vulnerabilities after they became public. In its warrant application, dated April 13, the FBI argues that despite the public awareness campaigns by Microsoft, CISA and the FBI itself, many servers remained infected with the web shell deployed by Hafnium. While the exact number has been redacted from the unsealed warrant, the DOJ said in a press release that it was "hundreds."

The FBI asked for, and received, court approval to access the malicious web shells through the passwords set by the original attackers and then use that access against the malware itself by executing a command that will delete the web shell, which is essentially an .aspx script deployed on the server. The FBI was also allowed to make a copy of the web shells first because they could constitute evidence.

The warrant states that it "does not authorize the seizure of any tangible property" or the copying or alteration of any content from the servers aside from the web shells themselves, which are identified in the warrant by their unique file paths. This means the FBI was not granted permission to patch the vulnerabilities to protect the servers from future exploitation or to remove any additional malware or tools that hackers might have already deployed...

The FBI sent an email message from an official email account, including a copy of the warrant, to the email addresses associated with the domain names of the infected servers.

An official statement from the Department of Justice is already using the past tense, announcing that U.S. authorities "have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service."
Security

Codecov Bash Uploader Compromised In Supply Chain Hack (securityweek.com) 9

wiredmikey shares a report from SecurityWeek: Security response professionals are scrambling to measure the fallout from a software supply chain compromise of the Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world. The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said. Codecov is considered the vendor of choice for measuring code coverage in the tech industry. The company's tools help developers understand and measure the lines of code executed by a test suite and are widely deployed in big tech development pipelines. The company claims that more than 29,000 enterprises use its code coverage insights to check code quality and maintain code coverage. Codecov did not say how many customers were impacted or had data stolen in the incident.

According to Codecov, the altered version of the Bash Uploader script could potentially affect:
- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
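The altered uploader ran inside CI with the job's credentials in its environment, so the mitigation a pipeline owner wants is to refuse to execute a downloaded helper script unless its checksum matches a value pinned out of band. The following is an added example, not Codecov's own code or tooling: it assumes the pinned SHA-256 was obtained from a trusted channel (a vendor release note, a signed manifest) and uses a constructed stand-in script rather than a real download.

```shell
#!/bin/sh
# Added example (not Codecov's code): gate execution of a downloaded CI
# helper script on a pinned SHA-256, so a tampered copy is rejected
# instead of being run with the CI runner's secrets in its environment.

# Constructed stand-in for the downloaded uploader script.
SAMPLE_SCRIPT_CONTENT='#!/bin/sh
echo "uploading coverage report"'

# sha256_of FILE
# Prints the hex SHA-256 of FILE; falls back to shasum where coreutils
# sha256sum is absent (e.g. macOS runners).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE's digest equals EXPECTED_SHA256, 1 otherwise.
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE only after verification succeeds; otherwise refuses and
# returns 1 so the CI job fails closed rather than running unknown code.
run_verified() {
  if verify_script "$1" "$2"; then
    sh "$1"
  else
    echo "refusing to run $1: SHA-256 mismatch (expected $2)" >&2
    return 1
  fi
}

# demo: writes the constructed script, treats its digest as the pinned
# value (in real use the pin comes from the vendor, never from the
# download itself), then shows that an appended line is rejected.
demo() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_SCRIPT_CONTENT" > "$f"
  pinned=$(sha256_of "$f")          # placeholder for an out-of-band pin
  run_verified "$f" "$pinned"       # runs: digest matches
  printf 'echo injected\n' >> "$f"  # simulate upstream tampering
  run_verified "$f" "$pinned"       # refused: digest no longer matches
  rm -f "$f"
  return 0
}

demo
```

The point of `run_verified` is that the pin must come from somewhere the attacker who altered the upstream script cannot also alter; pinning to a digest served alongside the script defeats the purpose.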

Google

Google's Project Zero Updates Vulnerability Disclosure Rules To Add Patch Cushion (therecord.media) 9

The Google Project Zero security team has updated its vulnerability disclosure guidelines to add a cushion of 30 days to some security bug disclosures, so end-users have enough time to patch software and prevent attackers from weaponizing bugs. From a report: This week's changes are of particular importance because a large part of the cybersecurity community has adopted Project Zero's rules as the unofficial methodology for disclosing a security bug to software vendors and then to the general public. Prior to today, Google Project Zero researchers would give software vendors 90 days to fix a security bug. When the bug was patched, or at the end of the 90-day time window, Google researchers would publish details about the bug online (on their bug tracker). Starting this week, Project Zero says it will wait 30 days before publishing any details about the bug. The reasoning behind the extra time window is to allow users of the affected products time to update their software, an operation that can take days or weeks in complex corporate networks.
Technology

Missing California Hiker Found After Mystery Photo Reveals Location (sfgate.com) 97

A mystery photo and a geography enthusiast helped locate a missing California hiker who is now safely back home. From a report: Rene Compean of Palmdale was on a hike Monday near Mount Waterman, a popular ski destination in the San Gabriel Mountains in Southern California. While the 45-year-old was on his outdoor adventure, he snapped a picture. Compean texted the shot to a friend. And then, he went off the map. He was reported missing at 6 p.m. by a friend, who received one last text from Compean saying he was worried he was lost and his cell phone battery was running low. The photo was turned over to investigators at the Los Angeles County Sheriff's Department who posted it to social media, asking if anyone recognized the spot in the photograph. Benjamin Kuo saw the message and thought he might be able to help. The report adds: As a satellite image aficionado, he was already familiar with tracking California wildfires in remote areas. "I've got a very weird hobby, which is I love taking a look at photos and figuring out where they're taken," Kuo told NBC Los Angeles. Using satellite images, maps and the scenery below Compean's feet in the photo, Kuo was able to estimate the coordinates of where he believed the man had gone missing. Kuo sent his tip to the sheriff's office, and a helicopter was sent to survey the area Tuesday. There, as if by magic, was Compean.
Google

Nobody is Flying To Join Google's FLoC (theverge.com) 65

Google is all alone with its proposed advertising technology -- FLoC -- to replace third-party cookies. Every major browser that uses the open source Chromium project has declined to use it, and it's unclear what that will mean for the future of advertising on the web. Firefox, Safari, Microsoft Edge, Vivaldi, and Brave have said they are not implementing Google's FLoC into their browsers.
Security

Google Backs New Security Standard for Smartphone VPN Apps (zdnet.com) 16

The Internet of Secure Things Alliance, an IoT security certification body (a.k.a. ioXt), has launched a new security certification for mobile apps and VPNs. From a report: The new ioXt compliance program includes a 'mobile application profile' -- a set of security-related criteria against which apps can be certified. The profile or mobile app assessment includes additional requirements for virtual private network (VPN) applications. Google and Amazon had a hand in shaping the criteria, along with a number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google's VPN within the Google One service is one of the first to be certified against the criteria. Mobile app makers can get their apps certified against a set of security and privacy requirements. The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance. About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.
The Almighty Buck

Schwab Sues Former Client After Accidental Transfer of $1.2 Million (reuters.com) 198

An anonymous reader writes: Charles Schwab is suing one of its former customers after the retail brokerage allegedly sent more than $1.2 million to an account of the Louisiana woman and then could not get the money back. Schwab meant to send $82.56 to Kelyn Spadoni's Fidelity Brokerage Services account in February, but a computer glitch caused it to erroneously transfer more than $1.2 million, according to the lawsuit. Schwab tried to get the money back, but repeated calls and texts to Spadoni, who lives in a suburb of New Orleans, were not returned, the brokerage said in the lawsuit. "We are fully cooperating with authorities in an effort to resolve this issue," Schwab said in a statement on Tuesday. Fidelity declined comment. After receiving the money in her account, Spadoni transferred a quarter of the money to another account, after which she bought a house and a car using the funds, Jefferson Parish Sheriff's Office spokesman Captain Jason Rivarde said in an interview on Tuesday. "Obviously you are not planning to give the money back if you spent it," he said. When Spadoni signed up with Schwab in January, the agreement she signed included a section that said any overpayment of funds must be returned, said the lawsuit, filed March 30.
Earth

Google Earth Now Shows Decades of Climate Change in Seconds (bloomberg.com) 66

Google Earth has partnered with NASA, the U.S. Geological Survey, the EU's Copernicus Climate Change Service, and Carnegie Mellon University's CREATE Lab to bring users time-lapse images of the planet's surface -- 24 million satellite photos taken over 37 years. Together they offer photographic evidence of a planet changing faster than at any time in millennia. Shorelines creep in. Cities blossom. Trees fall. Water reservoirs shrink. Glaciers melt and fracture. From a report: "We can objectively see global warming with our own eyes," said Rebecca Moore, director of Google Earth. "We hope that this can ground everyone in an objective, common understanding of what's actually happening on the planet, and inspire action." Timelapse, the name of the new Google Earth feature, is the largest video on the planet, according to a statement from the company, requiring 2 million hours to process in cloud computers, and the equivalent of 530,000 high-resolution videos. The tool stitches together nearly 50 years of imagery from the U.S.'s Landsat program, which is run by NASA and the USGS. When combined with images from complementary European Sentinel-2 satellites, Landsat provides the equivalent of complete coverage of the Earth's surface every two days. Google Earth is expected to update Timelapse about once a year.
Businesses

Dell Announces Long-Awaited Spinoff of VMware (siliconangle.com) 27

Dell has announced the long-expected spinoff of VMware, the computing virtualization company it has majority-owned since it bought then-owner EMC Corp. in 2016. From a report: The computing giant said it will spin off its 81% equity ownership in VMware, creating two standalone companies when the move is completed in the fourth quarter of this year. That timing depends on conditions such as a favorable Internal Revenue Service opinion that the transaction qualifies for tax-free status for Dell shareholders. The idea is to simplify the companies' capital structures, since arguably investors have valued both companies' stocks lower than they might have because of the uncertainties related to the complex capital structures. Dell's shares rose about 9% in after-hours trading, while VMware's shares rose about 1.6% in late trading. Under the spinoff, which Dell had signaled last year, VMware will distribute a cash dividend of about $11.5 billion to $12 billion to shareholders, which of course include publicly held Dell itself. Chairman and Chief Executive Michael Dell, along with financial partner Silver Lake Partners, own 60% of Dell shares. Dell will get $9.3 billion to $9.7 billion of that dividend, which the company said will help it get more investment-grade ratings and enable it to pay down debt it has gradually been reducing since buying EMC.
Google

Google's FeedBurner Moves To a New Infrastructure But Loses Its Email Subscription Service (techcrunch.com) 6

Google today announced that it is moving FeedBurner to a new infrastructure but also deprecating its email subscription service. From a report: If you're an internet user of a certain age, chances are you used Google's FeedBurner to manage the RSS feeds of your personal blogs and early podcasts at some point. During the Web 2.0 era, it was the de facto standard for feed management and analytics, after all. Founded in 2004, with Dick Costolo as one of its co-founders (before he became Twitter's CEO in 2010), it was acquired by Google in 2007. Ever since, FeedBurner lingered in an odd kind of limbo. While Google had no qualms shutting down popular services like Google Reader in favor of its ill-fated social experiments like Google+, FeedBurner just kept burning feeds day in and day out, even as Google slowly deprecated some parts of the service, most notably its advertising integrations. [...] But in July, it is also shutting down some non-core features that don't directly involve feed management, most importantly the FeedBurner email subscription service that allowed you to get emailed alerts when a feed updates. Feed owners will be able to download their email subscriber lists (and will be able to do so after July, too).
Desktops (Apple)

Parallels 16.5 Can Virtualize ARM Windows Natively on M1 Macs With Up to 30% Faster Performance (macrumors.com) 60

Parallels today announced the release of Parallels Desktop 16.5 for Mac with full support for M1 Macs, allowing for the Windows 10 ARM Insider Preview and ARM-based Linux distributions to be run in a virtual machine at native speeds on M1 Macs. From a report: Parallels says running a Windows 10 ARM Insider Preview virtual machine natively on an M1 Mac results in up to 30 percent better performance compared to a 2019 model 15-inch MacBook Pro with an Intel Core i9 processor, 32GB of RAM, and Radeon Pro Vega 20 graphics. Parallels also indicates that on an M1 Mac, Parallels Desktop 16.5 uses 2.5x less energy than on the latest Intel-based MacBook Air. Microsoft does not yet offer a retail version of ARM-based Windows, with the Windows 10 ARM Insider Preview available on Microsoft's website for Windows Insider program members. The ability to run macOS Big Sur in a virtual machine is a feature that Parallels hopes to add support for in Parallels Desktop later this year as well.
Security

Sweden Drops Russian Hacking Investigation Due To Legal Complications (therecord.media) 12

The Swedish government today dropped its investigation into the 2017 hack of its sports authority, citing legal constraints that would have prevented prosecutors from charging the Russian hackers responsible for the intrusion, who officials claimed were mere pawns operating on behalf of a "foreign power." From a report: This marks the first time that such a legal clause has been cited by prosecutors investigating cyber-espionage hacking groups. Today's statement from the Swedish Prosecution Authority also marks the first time that Swedish officials have formally blamed the Russian government for the 2017 hack of the Swedish Sports Confederation (SSC). Citing a recently concluded investigation from the Swedish Security Service, which also involved foreign intelligence services, Swedish prosecutors said that one of Russia's military hacker groups breached its sports body between December 2017 and May 2018 and stole medical records for Swedish athletes.
Power

Biden Rushes To Protect the Power Grid as Hacking Threats Grow (bloomberg.com) 109

A White House plan to rapidly shore up the security of the U.S. power grid will begin with a 100-day sprint, but take years more to transform utilities' ability to fight off hackers, Bloomberg reported Wednesday, citing a draft version of the plan confirmed by two people. From the report: The plan is the policy equivalent of a high-wire act: it provides incentives for electric companies to dramatically change the way they protect themselves against cyber-attacks while trying to avoid political tripwires that have stalled previous efforts, the details suggest. Among its core tenets, the Biden administration's so-called "action plan" will incentivize power utilities to install sophisticated new monitoring equipment to more quickly detect hackers, and to share that information widely with the U.S. government. It will ask utilities to identify critical sites which, if attacked, could have an outsized impact across the grid, according to a six-page draft of the plan, which was drawn up by the National Security Council and described in detail to Bloomberg News. And it will expand a partially classified Energy Department program to identify flaws in grid components that could be exploited by the country's cyber-adversaries, including Russia, Iran and China.
Businesses

'Master,' 'Slave' and the Fight Over Offensive Terms in Computing (nytimes.com) 570

Nearly a year after the Internet Engineering Task Force took up a plan to replace words that could be considered racist, the debate is still raging. The New York Times: What started as an earnest proposal has stalled as members of the task force have debated the history of slavery and the prevalence of racism in tech. Some companies and tech organizations have forged ahead anyway, raising the possibility that important technical terms will have different meanings to different people -- a troubling proposition for an engineering world that needs broad agreement so technologies work together. While the fight over terminology reflects the intractability of racial issues in society, it is also indicative of a peculiar organizational culture that relies on informal consensus to get things done.

The Internet Engineering Task Force eschews voting, and it often measures consensus by asking opposing factions of engineers to hum during meetings. The hums are then assessed by volume and ferocity. Vigorous humming, even from only a few people, could indicate strong disagreement, a sign that consensus has not yet been reached. The I.E.T.F. has created rigorous standards for the internet and for itself. Until 2016, it required the documents in which its standards are published to be precisely 72 characters wide and 58 lines long, a format adapted from the era when programmers punched their code into paper cards and fed them into early IBM computers. "We have big fights with each other, but our intent is always to reach consensus," said Vint Cerf, one of the founders of the task force and a vice president at Google. "I think that the spirit of the I.E.T.F. still is that, if we're going to do anything, let's try to do it one way so that we can have a uniform expectation that things will function."

Australia

Australia's NDIS Gets a Government App With Blockchain But No Ethics (zdnet.com) 47

An anonymous reader quotes a report from ZDNet: Good news, disabled Australians! You'll soon be getting an app that will implement a welfare compliance regime designed by the people who brought you robo-debt. But don't worry, it'll have blockchain. No, this isn't good news at all. What makes it worse is that it's clear the government wants to extend technology-driven compliance to all Australians, with an emphasis on cracking down on your mistakes, not theirs. Kathryn Campbell, Secretary of the Department of Social Services, says the long-term plan is to have one app for all Commonwealth government services. "One to rule the world," she said last month, apparently oblivious to how evil that sounds.

Senators are already worried that the disability app, intended to be used by participants in the National Disability Insurance Scheme (NDIS) to claim expenses against their support plan, will go the way of COVIDSafe: Millions of dollars spent on technology that doesn't really do the job. The intention was to fix a poor web experience, and allow claims to be made from a mobile device. But instead of simply creating a better website, in 2018, the Digital Transformation Agency (DTA) joined forces with CSIRO's Data61 and the Commonwealth Bank to trial blockchain-based smart money that would magically know whether the expense was legitimate or not. According to the CEO of the National Disability Insurance Agency (NDIA), Martin Hoffman, that pilot app has been "very popular and well-received," and the feedback has been "extremely positive." The app will be "fully available in the coming months, first on Google Play and then Apple's app store," he said.
"Given the horrendously complex NDIS environment, defective processes and vulnerable people, there needs to be considerable caution in the application of blockchain technology," wrote former NDIS Technology Authority chief Marie Johnson in a submission [PDF] to the Parliamentary Joint Standing Committee on the NDIS. "Blockchain in itself -- as with other technology innovations -- does not address fundamental design and human rights issues. Ethics is paramount. The involvement of the Commonwealth Bank itself raises further ethics issues, given the value of participant data; the size of the market; and the yet to be realized emarket honey pot of data, funds and services."

You can view the detailed "Making Money Smart: Empowering NDIS participants with Blockchain technologies" report here (PDF).
Security

NSA Helps Out Microsoft With Critical Exchange Server Vulnerability Disclosures (theregister.com) 23

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA). The Register reports: Forty-four different products and services are affected, mainly having to do with Azure, Exchange Server, Office, Visual Studio Code, and Windows. Among the vulnerabilities, four have been publicly disclosed and a fifth is being actively exploited. Nineteen of the CVEs have been designated critical. "This month's release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post. "These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers."

Clicking through Microsoft's coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you'll find the unspecified security partner is the NSA. Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems. "NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks," the signals intelligence agency said via Twitter.

Security

NAME:WRECK Vulnerabilities Impact Millions of Smart and Industrial Devices (therecord.media) 21

Catalin Cimpanu, reporting at The Record: Security researchers have found a new set of vulnerabilities that impact hundreds of millions of servers, smart devices, and industrial equipment. Called NAME:WRECK, the vulnerabilities have been discovered by enterprise IoT security firm Forescout as part of its internal research program named Project Memoria -- which the company describes as "an initiative that aims at providing the cybersecurity community with the largest study on the security of TCP/IP stacks." Although never visible to end-users, TCP/IP stacks are libraries that vendors add to their firmware to support internet connectivity and other networking functions for their devices. These libraries are very small but, in most cases, underpin the most basic functions of a device, and any vulnerability here exposes users to remote attacks. The NAME:WRECK research is the fifth set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past three years, and the third set disclosed as part of Project Memoria.
Bug

'Counter Strike' Bug Allows Hackers To Take Over a PC With a Steam Invite (vice.com) 26

Hackers could take control of victims' computers just by tricking them into clicking on a Steam invite to play Counter Strike: Global Offensive, Motherboard reports, citing a bug filing it reviewed. From a report: A bug in the game engine used in Counter Strike: Global Offensive could be exploited by hackers to take full control of a target's machine. A security researcher alerted Valve about the bug in June of 2019. Valve is the maker of Source Engine, which is used by CS:GO, Team Fortress 2, and several other games. The researcher, who goes by the name Florian, said that while the bug has been fixed in some games that use the Source engine, it is still present in CS:GO, and he demonstrated it in a call with Motherboard. Florian's correspondence with Valve occurred on HackerOne, the bug bounty platform used by the company to get reports about vulnerabilities. Valve admitted that it was being slow to respond, even though it classified the bug as "critical" in the thread with the researcher, which Motherboard reviewed. "I am honestly very disappointed because they straight up ignored me most of the time," Florian said in an online chat.
Security

Security Researcher Drops Chrome and Edge Exploit on Twitter (therecord.media) 17

An Indian security researcher has today published proof-of-concept exploit code for a recently discovered vulnerability impacting Google Chrome, Microsoft Edge, and other Chromium-based browsers like Opera and Brave. From a report: The researcher, Rajvardhan Agarwal, told The Record today that the exploit code is for a Chromium bug that was used during the Pwn2Own hacking contest that took place last week. During the contest, security researchers Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security used a vulnerability to run malicious code inside Chrome and Edge, for which they received $100,000. Per contest rules, details about this bug were handed over to the Chrome security team so the bug could be patched as soon as possible. While details about the exact nature of the bug were never publicly disclosed, Agarwal told The Record he spotted the patches for this bug by looking at the source code commits to the V8 JavaScript engine, a component of the Chromium open-source browser project. That allowed him to recreate the Pwn2Own exploit, which he uploaded to GitHub earlier today and shared on Twitter. However, while Chromium developers patched the V8 bug last week, the patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge, and others, which are still vulnerable to attacks.
Microsoft

Microsoft Announces New Webcam and USB-C Speaker for the Work from Home Era (theverge.com) 48

Microsoft's long-awaited new webcam is finally here, alongside a number of accessories designed for the work from home era. From a report: Rumors of a new Microsoft webcam have been circulating for years, and the result is what Microsoft calls the Modern Webcam. It's a fairly basic and affordable 1080p webcam that will start shipping for $69.99 in June. The Microsoft Modern Webcam will support up to 1080p HDR output at 30fps and connects via USB-A, not USB-C. It's not the 4K webcam found on Microsoft's Surface Hub 2, and it doesn't include Windows Hello support either. It's really a simple webcam designed for students or workers to quickly add a better video calling option to an existing laptop or PC. Microsoft is also including a privacy shutter and LED indicator to let people easily see when the webcam is active. Microsoft is also launching a new USB-C speaker. The Modern USB-C Speaker is designed primarily for Microsoft Teams, and it even includes a button to launch a control panel for Teams with quick actions for meetings.
Privacy

Billions of Smartphone Owners Will Soon Be Authorizing Payments Using Facial Recognition (zdnet.com) 104

An anonymous reader quotes a report from ZDNet: The next few years will see billions of users regularly using facial recognition technology to secure payments made through their smartphone, tablets or smartwatches, according to new analysis carried out by Juniper Research. Smartphone owners are already used to staring at their screens to safely unlock their devices without having to dial in a secret code; now, facial recognition will increasingly be deployed to verify the identity of a user making a payment with their handset, whether that's via an app or directly in-store, in wallet mode.

In addition to facial features, Juniper Research's analysts predict that a host of biometrics will be used to authenticate mobile payments, including fingerprint, iris and voice recognition. Biometric capabilities will reach 95% of smartphones globally by 2025, according to the researchers; by that time, users' biological characteristics will be authenticating over $3 trillion-worth of payment transactions -- up from $404 billion in 2020. [...] "All you need for software-based facial recognition is a front-facing camera on the device and accompanying software," Nick Maynard, lead analyst at Juniper Research, tells ZDNet. "In a hardware-based system, there will be additional hardware layers that add additional security levels. It's increasingly important to differentiate because hardware-based systems are the more secure of the two." Maynard's research shows that between now and 2025, the number of handsets using hardware-based systems will grow by a dramatic 376% to reach 17% of smartphones. Juniper expects the number of smartphone owners using [software-based facial recognition systems] to secure payments to grow by 120% to 2025, to reach 1.4 billion devices -- that is, roughly 27% of smartphones globally.
"Hardware-based systems obviously have additional costs per device," adds Maynard, "but the reason it is growing well is really that Apple has been driving it forward. They've made the technology a part of their high-end devices, and shown that hardware-based facial recognition technology can be done and can be very secure."

"Software-based facial recognition is strong because it's very easy to deploy," Maynard continues, "but we are expecting a shift towards hardware-based systems as software becomes invalidated by fraudster approaches. Fraudster methods are always evolving, and the hardware needs to evolve with it."
Security

Your WhatsApp Account Can Be Suspended By Anyone Who Has Your Phone Number (androidpolice.com) 18

An anonymous reader writes: If you're a frequent user of WhatsApp, you may want to keep an eye on a disturbing hole discovered in its security this weekend. It's possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing there's no solution for this issue.

This newly discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can't verify it because, of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours. Here's where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp "verifies" this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account. The results are disturbing, but at the very least, this method can't be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed.
The proof-of-concept attack was first reported by Forbes, based on work by security researchers Luis Marquez Carpintero and Ernesto Canales Perena. There's no indication that it's being used in the wild.
IT

Logitech Harmony Remote Controls Officially Discontinued (cepro.com) 77

CIStud writes: The rumors have persisted for some time, and now Logitech has officially confirmed it has discontinued its once-vaunted Harmony remote controls, including the line of Logitech Harmony Pro programmable remotes for custom installers. Logitech plans to continue maintaining the Harmony database and software. The discontinuation does not affect the operation or the warranty on any Harmony remotes being used by integrators' clients already in the field. Logitech also plans to continue to offer service and support for Harmony remotes. The company also points out that the decision does not affect a customer's ability to interface with the Harmony universal remotes via their Amazon Alexa or Google Assistant voice controls.
United States

Are Silicon Valley Tech Workers Now Swarming 'a Reluctant Austin'? (bloomberg.com) 222

Austin, Texas is America's fastest-growing major metro area, reports Bloomberg Businessweek, growing 30% from 2010 to 2019. But today a minimum wage worker hoping to afford a one-bedroom rental "would now need to work a 125-hour week."

And meanwhile, homeowner Matthew Congrove says he's now getting a half-dozen all-cash offers on his house every week. "In the boldest attempt, a stranger simply showed up at his home unannounced and asked to buy it..." Even Congrove — a software engineer who moved from Florida seven years ago — is most concerned about how the new wave of tech workers is affecting his adopted city's culture. Lately, he's seen more T-shirts bearing startup logos than band names. New condos have sprouted up where quirky bungalows once stood. And the commute time to his downtown office has tripled. "They just keep coming," Congrove says. "The fleece vests, the tech bros — that's definitely imported from California."

During the pandemic, Austin has welcomed more new residents from the Bay Area than from any other region outside Texas, according to records provided to Bloomberg by the U.S. Postal Service... Oracle late last year said it was moving its headquarters to Austin, and a stream of tech elites including prominent investor Jim Breyer and the chief executive officers of Dropbox and Splunk made plans to relocate. Elon Musk, the second-richest man in the world, is now a resident of Texas — though he hasn't said where — and Tesla Inc. is building a factory in Austin's outskirts, where Musk has said the company will need 10,000 people by 2022. He's also expanding the Austin area operations for Boring Co. and SpaceX, and has moved his personal foundation to the city's downtown.

For all his boosterism, even Musk recognizes the potential hazards of the influx he's helping spark. In a tweet on April 4, he called out the "urgent need to build more housing in greater Austin area!"

The region is facing the same boomtown dynamics that have plagued San Francisco for decades.... "There is a fairly broad-based concern that some of the things that aren't working in other areas are going to be brought here," says Dax Williamson, a managing director for Silicon Valley Bank who leads its technology banking practice for Central Texas. "If we price out the musicians we're going to find ourselves in a bad place." In a sign that may already be happening, Tesla recently selected a warehouse in southern Austin that served as music rehearsal space, with plans to transform it into a $2.5 million Tesla showroom this summer.

Hating California is a tradition in Texas, but Austin's growing pains aren't all California's fault. According to the Austin Chamber, more than half of newcomers from 2014 to 2018 came from other parts of the state, followed by just 8% from California and 3% from New York... Still, out-of-state arrivals from affluent cities tend to be richer than average existing residents and, as a consequence, have a greater impact on the local economy. "Probably 5 out of 10 of my clients are Californians, and others could say the same thing," says Susan Horton, president of the Austin Board of Realtors. "The majority are all tech people, and the last wave were all coming to work at Tesla."

The Military

Iran Nuclear Facility Suffers Blackout, Cyberattack Suspected (apnews.com) 117

While difficult negotiations continue over a deal to curtail Iran's nuclear ambitions, this morning Iran suddenly experienced a blackout at its underground Natanz atomic facility, the Associated Press reports: While there was no immediate claim of responsibility, suspicion fell immediately on Israel, where its media nearly uniformly reported a devastating cyberattack orchestrated by the country caused the blackout. Israeli Prime Minister Benjamin Netanyahu later Sunday night toasted his security chiefs, with the head of the Mossad, Yossi Cohen, at his side on the eve of his country's Independence Day... Netanyahu, who also met Sunday with U.S. Defense Secretary Lloyd Austin, has vowed to do everything in his power to stop the nuclear deal...

Natanz has been targeted by sabotage in the past. The Stuxnet computer virus, discovered in 2010 and widely believed to be a joint U.S.-Israeli creation, once disrupted and destroyed Iranian centrifuges at Natanz amid an earlier period of Western fears about Tehran's program. Natanz suffered a mysterious explosion at its advanced centrifuge assembly plant in July that authorities later described as sabotage. Iran now is rebuilding that facility deep inside a nearby mountain. Iran also blamed Israel for the November killing of a scientist who began the country's military nuclear program decades earlier.

Multiple Israeli media outlets reported Sunday that an Israeli cyberattack caused the blackout in Natanz. Public broadcaster Kan said the Mossad was behind the attack. Channel 12 TV cited "experts" as estimating the attack shut down entire sections of the facility. While the reports offered no sourcing for their information, Israeli media maintains a close relationship with the country's military and intelligence agencies...

On Tuesday, an Iranian cargo ship said to serve as a floating base for Iran's paramilitary Revolutionary Guard forces off the coast of Yemen was struck by an explosion, likely from a limpet mine. Iran has blamed Israel for the blast. That attack escalated a long-running shadow war in Mideast waterways targeting shipping in the region.

PHP

Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible (inside.com) 18

Inside.com's developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April...

In an update offering further insight into the root cause of the late March attack, the team says because it's possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now.

Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining maintaining its own git infrastructure is "an unnecessary security risk."

"In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one," reports CPO magazine. But this newer supply chain attack "targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized." The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication. This is because the malicious attackers would have the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking if the request contains the word "zerodium." If this condition was met, PHP executes the code in the "User-Agentt" request header. The header name closely resembles the standard "User-Agent" request header, which identifies the client's browser properties.

The rest of the request would thus be treated as a command that could be executed on a PHP server using the server's privileges. This would allow the hackers to run any arbitrary command without the need for further privileges...

PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.
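A defender-side check for the trigger described above, written as an added example (not the PHP project's or CPO Magazine's code): it parses a raw request's header block, flags the misspelt "User-Agentt" header and the "zerodium" marker, and, more generally, any header name that is a one-character variant of a standard header. The allow-list of standard header names and the sample requests are constructed for the example.

```python
"""Added example: proxy-side inspection of request headers for the trigger
described in the PHP supply chain story (not the PHP project's own code)."""
from typing import List, Tuple

TRIGGER_HEADER = "user-agentt"  # the misspelt header named in the report
TRIGGER_MARKER = "zerodium"     # the string the backdoor looked for
# Assumption: a short allow-list of standard header names to compare against.
STANDARD_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "content-type",
                    "content-length", "cookie", "authorization"}

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split an HTTP/1.1 header block into (name, value) pairs, keeping duplicates."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:                    # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character variants of known headers."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_request(raw: str) -> List[str]:
    """Return a list of findings for one raw request; an empty list means nothing matched."""
    findings = []
    for name, value in parse_headers(raw):
        if name == TRIGGER_HEADER:
            findings.append(f"known trigger header {name!r}")
        elif name not in STANDARD_HEADERS and any(
                edit_distance(name, std) == 1 for std in STANDARD_HEADERS):
            findings.append(f"near-duplicate of a standard header: {name!r}")
        if TRIGGER_MARKER in value.lower():
            findings.append(f"marker {TRIGGER_MARKER!r} in header {name!r}")
    return findings

# Constructed sample requests (not real traffic); the payload itself is omitted.
BENIGN = ("GET / HTTP/1.1\r\nHost: example.com\r\n"
          "User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip\r\n\r\n")
SUSPICIOUS = ("GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
              "User-Agentt: zerodium [payload omitted]\r\n\r\n")

if __name__ == "__main__":
    print(inspect_request(BENIGN))      # []
    print(inspect_request(SUSPICIOUS))  # two findings
```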

Social Networks

Attackers Can Now Remotely Deactivate WhatsApp on Your Phone (forbes.com) 52

"Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in," reports a new article in Forbes. "Even two-factor authentication will not stop this..."

The attacker triggers a 12-hour freeze on new verification codes being sent to your phone — then simply reports that same phone number as a lost/stolen phone needing deactivation. There are apparently no follow-up questions, and "an automated process has been triggered, without your knowledge, and your account will now be deactivated," Forbes writes.

The phone can't be reactivated without one of the verification codes blocked by that 12-hour freeze, which the attacker can renew for another 12-hour window until, the next day, WhatsApp blocks those reactivation codes indefinitely. "There is no sophistication to this attack — that's the real issue here and WhatsApp should address it immediately..." Forbes complains. This shouldn't happen. It shouldn't be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right...

Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals, missing key features such as multi-device access and fully encrypted backups. As the world's most popular messenger focuses on mandating new terms of service to enable Facebook's latest money-making schemes, these much-needed advancements remain "in development...."

Reached for comment, WhatsApp told Forbes that any victims of the attack should contact their support team — adding that such an attack would "violate our terms of service."

But Forbes adds "your other option would be to follow Mark Zuckerberg's reported example and start to use Signal..." Unfortunately, playing down the seriousness of security risks has become the in-house style at Facebook. Back in 2019, I reported on a vulnerability that allowed private user phone numbers to be pulled from Facebook databases at scale using automated bots. That hack was acknowledged by Facebook but dismissed as an "unlikely problem." Some 533 million users might now disagree.
United Kingdom

In Serious Incident, Software Glitch Miscalculates the Weight of Three UK Flights (theguardian.com) 93

A software mistake caused a flight on Tui airlines "to take off heavier than expected," according to The Guardian, citing an investigation by the UK's Air Accidents Investigation Branch: An update to the airline's reservation system while its planes were grounded due to the coronavirus pandemic led to 38 passengers on the flight being allocated a child's "standard weight" of 35kg [77 pounds] as opposed to the adult figure of 69kg [152 pounds]. This caused the load sheet — produced for the captain to calculate what inputs are needed for take-off — to state that the Boeing 737 was more than 1,200kg lighter [2,645 pounds] than it actually was.

Investigators described the glitch as "a simple flaw" in an IT system. It was programmed in an unnamed foreign country where the title "Miss" is used for a child and "Ms" for an adult female.

Despite the issue, the thrust used for the departure from Birmingham on 21 July 2020 was only "marginally less" than it should have been, and the "safe operation of the aircraft was not compromised", the AAIB said.

They're still classifying it as a "serious incident" — and also note that because of the same software glitch, two more UK flights also took off on the same day with inaccurate load sheets.
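The flaw described above, as an added example (not Tui's reservation system or the AAIB's code): a toy load-sheet calculation that derives passenger weight from the title, beside an age-based rule and the cross-check that would have caught the mismatch. The child age limit and the passenger manifest are constructed for the example; the 35kg and 69kg figures and the 21 July 2020 date come from the report.

```python
"""Added example: title-based vs. age-based standard passenger weights on a
load sheet (not the airline's or the AAIB's code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

STANDARD_WEIGHT_KG = {"child": 35, "adult": 69}  # figures quoted in the report
CHILD_AGE_LIMIT = 12  # assumption: age below which the child weight applies

@dataclass
class Passenger:
    title: str
    date_of_birth: Optional[date] = None

def weight_by_title(p: Passenger) -> int:
    """Flawed rule: in the system's home locale 'Miss' means a child, so an
    adult woman booked as 'Miss' is counted at the child weight."""
    return STANDARD_WEIGHT_KG["child" if p.title == "Miss" else "adult"]

def weight_by_age(p: Passenger, flight_date: date) -> int:
    """Corrected rule: classify by age on the day of travel; an unknown date
    of birth falls back to the heavier adult figure."""
    dob = p.date_of_birth
    if dob is None:
        return STANDARD_WEIGHT_KG["adult"]
    age = flight_date.year - dob.year - (
        (flight_date.month, flight_date.day) < (dob.month, dob.day))
    return STANDARD_WEIGHT_KG["child" if age < CHILD_AGE_LIMIT else "adult"]

def load_sheet_error_kg(passengers: List[Passenger], flight_date: date) -> int:
    """How many kg the title-based sheet under-states relative to the age-based one."""
    by_title = sum(weight_by_title(p) for p in passengers)
    by_age = sum(weight_by_age(p, flight_date) for p in passengers)
    return by_age - by_title

def misclassified(passengers: List[Passenger], flight_date: date) -> List[Passenger]:
    """Cross-check that would have flagged the flaw before dispatch: passengers
    whose title-derived weight disagrees with their age-derived weight."""
    return [p for p in passengers
            if weight_by_title(p) != weight_by_age(p, flight_date)]

# Constructed manifest: 38 adult women booked as "Miss", one real child, one man.
FLIGHT_DATE = date(2020, 7, 21)  # the Birmingham departure date in the report
MANIFEST = ([Passenger("Miss", date(1990, 5, 1)) for _ in range(38)]
            + [Passenger("Miss", date(2012, 9, 1)), Passenger("Mr", date(1985, 1, 1))])

if __name__ == "__main__":
    print(load_sheet_error_kg(MANIFEST, FLIGHT_DATE), "kg under-stated")  # 1292
    print(len(misclassified(MANIFEST, FLIGHT_DATE)), "passengers misclassified")
```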
Encryption

Customs and Border Protection Paid $700,000 To Encrypted App Wickr (vice.com) 16

An anonymous reader quotes a report from Motherboard: U.S. Customs and Border Protection (CBP), part of the Department of Homeland Security, recently paid encrypted messaging platform Wickr over $700,000, Motherboard has found. The news highlights the value of end-to-end encryption to law enforcement, while other federal law enforcement agencies routinely lambast the technology for what they say results in visibility on criminals' activities "going dark."

The contract is related to "Wickr licenses and support," dates from September 2020, and totals at $714,600, according to public procurement records. Wickr is likely most well known for its free consumer app, which lets users send encrypted messages to one another, as well as make encrypted video and audio calls. The app also offers an auto-burn feature, where messages are deleted from a users' device after a certain period of time, with the company claiming these messages "can never be uncovered," according to its website. Wickr also offers various paid products to private companies and government agencies. Wickr Pro and Wickr Enterprise are marketed towards businesses; Wickr RAM is geared specifically for the military. [...] It is not clear which specific Wickr product CBP paid for.
A CBP spokesperson told Motherboard in a statement that "The Federal Acquisition Regulations (FAR) and other laws prohibit the unauthorized use and disclosure of proprietary information from federal government contract actions. All publicly available information on this contract has been made available at the link you have provided. Any other information is considered proprietary to the awardee (WICKR) and shall not be divulged outside of the Government."
Security

Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input (zdnet.com) 14

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted. Computest researchers Daan Keuper and Thijs Alkemade earned themselves $200,000 for this Zoom discovery, as it was part of the Pwn2Own contest.

In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected. "The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."
Android

APKPure App Contained Malicious Adware, Say Researchers (techcrunch.com) 31

Security researchers say APKPure, a widely popular app for installing older or discontinued Android apps from outside of Google's app store, contained malicious adware that flooded the victim's device with unwanted ads. From a report: Kaspersky Lab said that it alerted APKPure on Thursday that its most recent app version, 3.17.18, contained malicious code that siphoned off data from a victim's device without their knowledge, and pushed ads to the device's lock screen and in the background to generate fraudulent revenue for the adware operators. But the researchers said that the malicious code had the capacity to download other malware, potentially putting affected victims at further risk.
Google

W3C Slaps Down Google's Proposal To Treat Multiple Domains as Same Origin (theregister.com) 40

A Google proposal which enables a web browser to treat a group of domains as one for privacy and security reasons has been opposed by the W3C Technical Architecture Group (TAG). From a report: Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site to which the user has navigated or from another site. The browser is likely to treat these differently, an obvious example being the plan to block third-party cookies. The proposal suggests that where multiple domains are owned by the same entity -- such as google.com, google.co.uk, and youtube.com -- they could be grouped into sets which "allow related domain names to declare themselves as the same first-party." The idea allows for sites to declare their own sets by means of a manifest in a known location. It also states that "the browser vendor could maintain a list of domains which meet its UA [User Agent] policy, and ship it in the browser."

In February 2019, Google software engineer Mike West requested a TAG review, and feedback on the proposal was published yesterday. "It has been reviewed by the TAG and represents a consensus view," the document says. According to the TAG, "the architectural plank of the origin has remained relatively steady" over the last 10 years, despite major changes in web technology. It added: "We are concerned that this proposal weakens the concept of origin without considering the full implications of this action." The group identified some vagueness in the proposal, such as whether FPS applies to permissions such as access to microphone and camera. A Google Chrome engineering manager has stated: "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations." But the TAG reckons that the precise scope of FPS should be laid out in the proposal. A second concern is over the suggestion that browser vendors would ship their own lists. "This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers, which is not a desirable outcome," said the TAG.
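To make the TAG's concern concrete, here is an added example (not Google's or the W3C's code) that layers a First Party Sets boundary on top of the origin and site boundaries a browser already has, using the three domains the article names. The public-suffix table is a tiny constructed stand-in for the Public Suffix List a real browser would use, and the set declaration is constructed rather than read from a manifest.

```python
"""Added example: origin vs. site vs. First Party Set boundaries
(illustrative only; not Chrome's or the FPS proposal's code)."""
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES: Set[str] = {"com", "uk", "co.uk"}

def origin(url: str) -> Tuple[str, str, int]:
    """Origin = (scheme, host, port): the 'architectural plank' the TAG refers to."""
    u = urlsplit(url)
    port = u.port if u.port is not None else {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)

def registrable_domain(host: str) -> str:
    """eTLD+1: the longest public suffix plus one more label (the site boundary)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        candidate = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and candidate not in PUBLIC_SUFFIXES:
            return candidate
    return host.lower()

def site(url: str) -> str:
    return registrable_domain(urlsplit(url).hostname or "")

def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)

def same_site(a: str, b: str) -> bool:
    return site(a) == site(b)

# Constructed set declaration using the domains the article gives as one owner.
FIRST_PARTY_SETS: List[Set[str]] = [{"google.com", "google.co.uk", "youtube.com"}]

def same_first_party(a: str, b: str, sets: List[Set[str]] = FIRST_PARTY_SETS) -> bool:
    """FPS boundary: same site, or both sites listed in one declared set.
    Two different origins (and sites) become 'first party' to each other here,
    which is the weakening of the origin concept the TAG objects to."""
    sa, sb = site(a), site(b)
    return sa == sb or any(sa in s and sb in s for s in sets)

def boundaries(a: str, b: str) -> Dict[str, bool]:
    """Which boundaries two URLs share, from strictest to loosest."""
    return {"origin": same_origin(a, b),
            "site": same_site(a, b),
            "first_party_set": same_first_party(a, b)}

if __name__ == "__main__":
    print(boundaries("https://www.google.com/", "https://www.youtube.com/"))
    print(boundaries("https://www.google.com/", "https://example.com/"))
```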
