Security

New Windows Zero-Day With Public Exploit Lets You Become An Admin (bleepingcomputer.com) 57

A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. BleepingComputer reports: As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability' vulnerability tracked as CVE-2021-41379. This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft's fix. Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

"This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri in his writeup. "I have chosen to actually drop this variant as it is more powerful than the original one." Furthermore, Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway. BleepingComputer tested Naceri's 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges, as demonstrated in [this video]. When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.
A Microsoft spokesperson said in a statement: "We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine."

Naceri recommends users wait for Microsoft to release a security patch, as attempting to patch the binary will likely break the installer.
Microsoft

Attackers Don't Bother Brute-forcing Long Passwords, Microsoft Engineer Says (therecord.media) 100

According to data collected by Microsoft's network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters. From a report: "I analysed the credentials entered from over -- million brute force attacks against SSH. This is around 30 days of data in Microsoft's sensor network," said Ross Bevington, a security researcher at Microsoft. "77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases," said Bevington, who works as Head of Deception at Microsoft, a position in which he's tasked with creating legitimate-looking honeypot systems in order to study attacker trends.
Encryption

Meta Delays Encrypted Messages on Facebook and Instagram To 2023 (theguardian.com) 34

The owner of Facebook and Instagram is delaying plans to encrypt users' messages until 2023 amid warnings from child safety campaigners that its proposals would shield abusers from detection. From a report: Mark Zuckerberg's social media empire has been under pressure to abandon its encryption plans, which the UK home secretary, Priti Patel, has described as "simply not acceptable." The National Society for the Prevention of Cruelty to Children (NSPCC) has said private messaging is the "frontline of child sexual abuse online" because it prevents law enforcement, and tech platforms, from seeing messages by ensuring that only the sender and recipient can view their content -- a process known as end-to-end encryption. The head of safety at Facebook and Instagram's parent company, Meta, announced that the encryption process would take place in 2023. The company had previously said the change would happen in 2022 at the earliest.

"We're taking our time to get this right and we don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023," Antigone Davis wrote in the Sunday Telegraph. "As a company that connects billions of people around the world and has built industry-leading technology, we're determined to protect people's private communications and keep people safe online." Meta already uses end-to-end encryption on its WhatsApp messaging service and had been planning to extend that to its Messenger and Instagram apps in 2022. It has already encrypted voice and video calls on Messenger. Announcing the privacy drive in 2019, Zuckerberg said: "People expect their private communications to be secure and to only be seen by the people they've sent them to -- not hackers, criminals, over-reaching governments or even the people operating the services they're using."

Encryption

Cryptographers Aren't Happy With How You're Using the Word 'Crypto' (theguardian.com) 99

Cryptographers are upset that "crypto" sometimes now refers to cryptocurrency, reports the Guardian: This lexical shift has weighed heavily on cryptographers, who, over the past few years, have repeated the rallying cry "Crypto means cryptography" on social media. T-shirts and hoodies trumpet the phrase and variations on it; there's a website dedicated solely to clarifying the issue. "'Crypto' for decades has been used as shorthand and as a prefix for things related to cryptography," said Amie Stepanovich, executive director of Silicon Flatirons Center at the University of Colorado Law School and creator of the pro-cryptography T-shirts, which have become a hit at conferences. "In fact, in the term cryptocurrency, the prefix crypto refers back to cryptography...."

[T]here remains an internecine feud among the tech savvy about the word. As Parker Higgins of the Freedom of the Press Foundation, who has spent years involved in cryptography activism, pointed out, the cryptography crowd is by nature deeply invested in precision — after all, designing and cracking codes is an endeavor in which, if you get things "a little wrong, it can blow the whole thing up...."

"Strong cryptography is a cornerstone of the way that people talk about privacy and security, and it has been under attack for decades" by governments, law enforcement, and "all sorts of bad actors", Higgins said. For its defenders, confusion over terminology creates yet another challenge.

Stepanovich acknowledged the challenge of opposing the trend, but said the weight of history is on her side. "The study of crypto has been around for ever," she said. "The most famous code is known as the Caesar cipher, referring to Julius Caesar. This is not new." Cryptocurrency, on the other hand, is a relatively recent development, and she is not ready to concede to "a concept that may or may not survive government regulation".

Security

Ask Slashdot: Where Are All the Jobs Preventing Zero-Day Exploits? 112

An anonymous reader writes: Given the widespread understanding that sophisticated hackers are regularly using zero-day vulnerabilities to break into high-value systems, why is it that when I search for "zero day" on Australia's most popular job search engine only one "real" job comes up? Is the security of the Internet totally dependent on dedicated hobbyists, part-time showboats, and people willing to take meagre bug bounties (on average paying $3,650 for a critical vulnerability) instead of selling their findings (sometimes for millions of dollars) to dubious buyers?
Are they all in-house security people hunting for zero-days as part of their regular responsibilities? Share your own thoughts in the comments.

Programming

GitHub Fixes a Private-Package-Names Leak and Serious Authorization Bug (bleepingcomputer.com) 21

In 2020 Microsoft's GitHub acquired NPM (makers of the default package manager for Node.js). The company's web page boasts that npm "is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world."

But now BleepingComputer reports on two security flaws found (and remediated) in its software registry. Names of private npm packages on npmjs.com's 'replica' server (consumed by third-party services) were leaked — but in addition, a second flaw could've allowed attackers "to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks."

In a blog post this week GitHub's chief security officer explained the details: During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages. This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time. Package names in the format of @owner/package for private packages created prior to October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC. Upon discovery of the issue, we immediately began work on implementing a fix and determining the scope of the exposure. On October 29, all records containing private package names were removed from the replication database. While these records were removed from the replicate.npmjs.com service on this date, the data on this service is consumed by third-parties who may have replicated the data elsewhere. To prevent this issue from occurring again, we have made changes to how we provision this public replication database to ensure records containing private package names are not generated during this process.

Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing.

This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020.
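The authorization discrepancy GitHub describes (the authorization service trusting the package name in the URL path while the update service trusts the name inside the uploaded tarball) is easy to model. The following is an added example, not npm's code: a toy registry with an in-memory ACL, a handler showing the inconsistent checks, and a handler that enforces that the authorized name and the published name are the same. The users, package names and the `package/package.json` tarball layout are constructed for the illustration.

```python
import io
import json
import tarfile

# Constructed access-control data: which user may publish which package.
# A toy model of the registry, not npm's real services or data.
ACL = {
    "alice": {"@alice/widget"},
    "bob": {"@bob/tool"},
}


def build_tarball(name: str, version: str) -> bytes:
    """Build an in-memory gzip tarball in npm's layout (package/package.json)."""
    manifest = json.dumps({"name": name, "version": version}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))
    return buf.getvalue()


def read_manifest(tarball: bytes) -> dict:
    """Return the package.json embedded in an uploaded tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        with tar.extractfile("package/package.json") as fh:
            return json.load(fh)


def authorize(user: str, url_package: str) -> bool:
    """Authorization service: decides on the package name taken from the URL path."""
    return url_package in ACL.get(user, set())


def publish_vulnerable(user: str, url_package: str, tarball: bytes, registry: dict) -> str:
    """Before the fix: authorize on the URL name, then write whatever name the file says."""
    if not authorize(user, url_package):
        raise PermissionError(f"{user} may not publish {url_package}")
    manifest = read_manifest(tarball)  # update service trusts the upload, not the URL
    registry.setdefault(manifest["name"], []).append(manifest["version"])
    return manifest["name"]


def publish_fixed(user: str, url_package: str, tarball: bytes, registry: dict) -> str:
    """After the fix: the name that was authorized must be the name that is written."""
    if not authorize(user, url_package):
        raise PermissionError(f"{user} may not publish {url_package}")
    manifest = read_manifest(tarball)
    if manifest["name"] != url_package:
        raise ValueError(f"URL names {url_package} but upload names {manifest['name']}")
    registry.setdefault(url_package, []).append(manifest["version"])
    return url_package


def attempt(handler, user: str, url_package: str, tarball: bytes, registry: dict) -> str:
    """Run one publish request and report the outcome as a string."""
    try:
        return "published " + handler(user, url_package, tarball, registry)
    except (PermissionError, ValueError) as exc:
        return "rejected: " + str(exc)
```

With the vulnerable handler, bob is authorized for `@bob/tool` but the write lands on `@alice/widget`; the fixed handler rejects the same request because the two names differ.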

BleepingComputer adds: Both announcements come not too long after popular npm libraries, 'ua-parser-js,' 'coa,' and 'rc' were hijacked in a series of attacks aimed at infecting open source software consumers with trojans and crypto-miners. These attacks were attributed to the compromise of npm accounts [1, 2] belonging to the maintainers behind these libraries.

None of the maintainers of these popular libraries had two-factor authentication (2FA) enabled on their accounts, according to GitHub. Attackers who can manage to hijack npm accounts of maintainers can trivially publish new versions of these legitimate packages, after contaminating them with malware. As such, to minimize the possibility of such compromises from recurring in near future, GitHub will start requiring npm maintainers to enable 2FA, sometime in the first quarter of 2022.

Programming

GitHub's Annual Developer Survey Finds Remote Developers Aren't Returning to the Office (zdnet.com) 28

GitHub's annual report on its user community "combined telemetry data from over four million repositories with direct survey from over 12,000 developers to identify current trends among software development companies and open-source projects," reports InfoQ.

ZDNet notes the data shows that remote developers "aren't planning to go back to the office." Before the pandemic, only 41% of developers worked at an office either full-time or part-time, but of the 12,000 surveyed in GitHub's 2021 State of the Octoverse report, just 10.7% expect to go back to the office after the pandemic ends... Pre-pandemic, 28.1% of developers had hybrid arrangements but after the pandemic, 47.8% expect some hybrid arrangements. Before the pandemic, 26.5% worked in places where all workers were remote. Now, 38.8% expect to be fully remote.
ZDNet also highlighted some other general statistics: GitHub says it now has 73 million developer users and that it gained 16 million new users in 2021. Users created 61 million new repositories and there were 170 million pull requests that got merged into projects... One of the biggest projects on GitHub is the container software Docker, which has a whopping 632,000 contributors from 215 countries and consists of 49,593 packages.
That's more than an order of magnitude larger than the estimated number of Linux contributors — and implies that for every 117 developers now on GitHub, there was one who contributed to Docker.

Meanwhile, 2021's most popular language rankings for GitHub are the same as 2020, with one exception: Shell has risen one position to become the 8th most popular language, edging out C (which now ranks as the 9th most popular language).

And InfoQ summarized some other interesting statistics from GitHub's report:
  • Good, reliable, and up-to-date documentation can boost productivity by 50%.
  • Documentation is often under-invested.
  • The number of pull requests merged within the workday goes down by 17% with each additional reviewer.

Bug

Rockstar Admits GTA Remasters 'Did Not Meet Our Own Standards of Quality' (arstechnica.com) 25

Rockstar has issued an apology for the "unexpected technical issues" that marred the release of Grand Theft Auto: The Trilogy - The Definitive Edition last week and led to the quick removal of the PC version from Rockstar's online store. From a report: Last week, Rockstar said that the PC version of the game was being taken down "as we remove files unintentionally included in these versions." That led to reports that the package included copies of original soundtrack songs that had not been re-licensed for the new release. Other reports suggested that the original package accidentally included uncompiled source code and revealed some interesting programmer comments, including references to the infamous "hot coffee" scene that caused the game so much controversy back in 2005. Today, though, the developer admitted in a blog post that "the updated versions of these classic games did not launch in a state that meets our own standards of quality, or the standards our fans have come to expect."

We noted some of the remaster's many issues in our initial impressions, which recommended that you skip the bundle for now. Since then, players have chronicled countless bugs and questionable "remastering" decisions. Those range from disturbing textures to eye-searing rainfall to hilariously broken cutscenes to car-inflating wiggles to odd-looking character models and plain old typos that weren't in the original game.

Firefox

Thousands of Firefox Users Accidentally Commit Login Cookies On GitHub (theregister.com) 52

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. The Register reports: These cookies.sqlite databases normally reside in the Firefox profiles folder. They're used to store cookies between browsing sessions. And they're findable by searching GitHub with specific query parameters, what's known as a search "dork." Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."

Marlin then asked whether he could make his findings public and was told he's free to do so. "I'm frustrated that GitHub isn't taking its users' security and privacy seriously," Marlin told The Register in an email. "The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."

Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. "But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well," he said, adding that he's alerted the UK Information Commissioner's Office because personal information is at stake. Marlin speculates that the oversight is a consequence of committing code from one's Linux home directory. "I imagine in most of the cases, the individuals aren't aware that they've uploaded their cookie databases," he explained. "A common reason users do this is for a common environment across multiple machines."
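A pre-commit check is the practical defence against the mistake described above. The following is an added example, not code from The Register or from Marlin: it flags staged files that are Firefox profile artifacts by name (cookies.sqlite from the story, plus a few other well-known Firefox profile files) and, because a renamed copy slips past a name check, also flags any SQLite database whose schema contains Firefox's moz_cookies table. The sample working tree it builds is constructed for the illustration.

```python
import sqlite3
import tempfile
from pathlib import Path
from typing import Optional

# Firefox profile files that should never end up in a repository. cookies.sqlite is
# the file from the story; the others are further well-known Firefox profile files.
SENSITIVE_NAMES = {"cookies.sqlite", "key4.db", "logins.json", "places.sqlite"}
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database file


def is_sqlite(path: Path) -> bool:
    with path.open("rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def has_firefox_cookie_table(path: Path) -> bool:
    """Firefox stores cookies in a table named moz_cookies; open read-only and look for it."""
    con = sqlite3.connect(f"file:{path.as_posix()}?mode=ro", uri=True)
    try:
        row = con.execute(
            "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'moz_cookies'"
        ).fetchone()
        return row is not None
    except sqlite3.DatabaseError:
        return False
    finally:
        con.close()


def classify(path: Path) -> Optional[str]:
    """Return a reason string if the file looks like a browser cookie store, else None."""
    if path.name in SENSITIVE_NAMES:
        return f"Firefox profile file by name ({path.name})"
    if path.is_file() and path.stat().st_size >= 16 and is_sqlite(path):
        if has_firefox_cookie_table(path):
            return "SQLite database with a moz_cookies table (renamed Firefox cookie store)"
    return None


def scan(root: Path, rel_paths) -> dict:
    """Map each flagged relative path (e.g. from `git diff --cached --name-only`) to its reason."""
    findings = {}
    for rel in rel_paths:
        reason = classify(root / rel)
        if reason:
            findings[rel] = reason
    return findings


def make_sample_repo(root: Path) -> list:
    """Constructed working tree: source code, a Firefox-style cookie store, a renamed
    copy of it, and an unrelated SQLite database that must not be flagged."""
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    for rel in ("cookies.sqlite", "backup/old-profile.db"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        con = sqlite3.connect(target)
        con.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT)")
        con.execute("INSERT INTO moz_cookies (host, name, value) VALUES ('example.com', 'sid', 'constructed')")
        con.commit()
        con.close()
    (root / "data").mkdir()
    con = sqlite3.connect(root / "data" / "app.sqlite")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, label TEXT)")
    con.commit()
    con.close()
    return ["src/app.py", "cookies.sqlite", "backup/old-profile.db", "data/app.sqlite"]


def demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    root = Path(tempfile.mkdtemp())
    return scan(root, make_sample_repo(root))


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"BLOCK {rel}: {reason}")
```

Wired into a pre-commit hook that feeds `scan()` the staged file list and exits non-zero on any finding, this stops the cookie database before it reaches a public repository.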

Security

Russian Ransomware Gangs Start Collaborating With Chinese Hackers (bleepingcomputer.com) 11

There's some unusual activity brewing on Russian-speaking cybercrime forums, where hackers appear to be reaching out to Chinese counterparts for collaboration. BleepingComputer reports: These attempts to enlist Chinese threat actors are mainly seen on the RAMP hacking forum, which is encouraging Mandarin-speaking actors to participate in conversations, share tips, and collaborate on attacks. The forum has reportedly had at least thirty new user registrations that appear to come from China, so this could be the beginning of something notable. The researchers suggest that the most probable cause is that Russian ransomware gangs seek to build alliances with Chinese actors to launch cyber-attacks against U.S. targets, trade vulnerabilities, or even recruit new talent for their Ransomware-as-a-Service (RaaS) operations.

A threat analyst told BleepingComputer earlier this month that this initiative was started by a RAMP admin known as Kajit, who claims to have recently spent some time in China and can speak the language. In the prior version of RAMP, he had intimated that he would be inviting Chinese threat actors to the forum, which appears to now be taking place. However, Russian hackers attempting to collaborate with Chinese threat actors is not limited to the RAMP hacking forum as Flashpoint has also seen similar collaboration on the XSS hacking forum. [...] RAMP was set up last summer by a core member of the original Babuk ransomware gang, aiming to serve as a new place to leak valuable data stolen from cyberattacks and recruit ransomware affiliates.
Further reading: US Says Iran-backed Hackers Are Now Targeting Organizations With Ransomware
Microsoft

Is Microsoft Stealing People's Bookmarks? (schneier.com) 99

Z00L00K writes: From Schneier on Security

I received email from two people who told me that Microsoft Edge enabled synching without warning or consent, which means that Microsoft sucked up all of their bookmarks. Of course they can turn synching off, but it's too late. Has this happened to anyone else, or was this user error of some sort? If this is real, can some reporter write about it? (Not that "user error" is a good justification. Any system where making a simple mistake means that you've forever lost your privacy isn't a good one. We see this same situation with sharing contact lists with apps on smartphones. Apps will repeatedly ask, and only need you to accidentally click "okay" once.) EDITED TO ADD: It's actually worse than I thought. Edge urges users to store passwords, ID numbers, and even passport numbers, all of which get uploaded to Microsoft by default when synch is enabled.

Also from one comment:

Ted November 17, 2021 8:29 AM It looks like Microsoft released some documentation on "Microsoft Edge -- Policies" for Enterprise on 11-9-21. It is only a 472 minute read, but there is some info on Forced Synching, for example: ForceSync Force synchronization of browser data and do not show the sync consent prompt https://docs.microsoft.com/en-...


Security

Linux Has a Serious Security Problem That Once Again Enables DNS Cache Poisoning (arstechnica.com) 66

shoor writes: As much as 38 percent of the Internet's domain name lookup servers are vulnerable to a new attack that allows hackers to send victims to maliciously spoofed addresses masquerading as legitimate domains, like bankofamerica.com or gmail.com. The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008. He showed that, by masquerading as an authoritative DNS server and using it to flood a DNS resolver with fake lookup results for a trusted domain, an attacker could poison the resolver cache with the spoofed IP address. From then on, anyone relying on the same resolver would be diverted to the same imposter site.

The sleight of hand worked because DNS at the time relied on a transaction ID to prove the IP number returned came from an authoritative server rather than an imposter server attempting to send people to a malicious site. The transaction number had only 16 bits, which meant that there were only 65,536 possible transaction IDs. Kaminsky realized that hackers could exploit the lack of entropy by bombarding a DNS resolver with off-path responses that included each possible ID. Once the resolver received a response with the correct ID, the server would accept the malicious IP and store the result in cache so that everyone else using the same resolver -- which typically belongs to a corporation, organization, or ISP -- would also be sent to the same malicious server.

Security

US Says Iran-backed Hackers Are Now Targeting Organizations With Ransomware (techcrunch.com) 18

The U.S. government, along with counterparts in Australia and the U.K., have warned that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors -- in some cases with ransomware. From a report: The rare warning linking Iran with ransomware landed in a joint advisory Wednesday, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC). The advisory said that Iran-backed attackers have been exploiting Fortinet vulnerabilities since at least March and a Microsoft Exchange ProxyShell vulnerability since October to gain access to U.S. critical infrastructure organizations in the transport and public health sectors, as well as organizations in Australia. The aim of the hackers is ultimately to leverage this access for follow-on operations such as data exfiltration, extortion and ransomware deployment. In May this year, for example, the hackers abused Fortigate gear to access a web server hosting the domain for a U.S. municipal government. The following month, CISA and the FBI observed the hackers exploiting Fortinet vulnerabilities to access the networks of a U.S.-based hospital specializing in healthcare for children. The joint advisory has been released alongside a separate report from Microsoft on the evolution of Iranian APTs, which are "increasingly utilizing ransomware to either collect funds or disrupt their targets." In the report, Microsoft said it has been tracking six Iranian threat groups that have been deploying ransomware and exfiltrating data in attacks that started in September 2020.
Security

Robinhood Hack Also Included Thousands of Phone Numbers (vice.com) 6

The recent hack at app-based investment platform Robinhood also impacted thousands of phone numbers, Motherboard has learned. From the report: Originally, Robinhood said that the breach included the email addresses of 5 million customers, the full names of 2 million customers, and other data from a smaller group of users. Motherboard obtained a copy of the stolen phone numbers from a source who presented themselves as a proxy for the hackers. The file includes around 4,400 phone numbers.

When asked if the numbers belonged to Robinhood customers, the company told Motherboard in a statement that "We've determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we're continuing to analyze." "We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We'll continue making appropriate disclosures to affected people," the statement added. Robinhood said it plans to update its blog post about the breach with the new information about the phone numbers.

Chrome

Google Chrome 96 Breaks Twitter, Discord, Video Rendering and More (bleepingcomputer.com) 19

Google Chrome 96 was released yesterday, and users are reporting problems with Twitter, Discord, and Instagram caused by the new version. BleepingComputer reports: The issues have been reported to Google in a Chromium bug post where Google employees have started to investigate the problems. "We're continuing to see user reports about this behavior, including reports from our social team," notes Google product manager Craig Tumblison. "One user has shared that disabling the "chrome://flags/#cross-origin-embedder-policy-credentialless" flag resolves the behavior. Another report shares a specific error message: "The connection was rejected at https://cards-frame.twitter.com". Test team, would you be able to try enabling that flag to see if the behavior appears?"

The 'chrome://flags/#cross-origin-embedder-policy-credentialless' flag is related to a new Cross-Origin-Embedder-Policy feature released with Chrome 96. Google states that you can fix these bugs in some cases by setting "chrome://flags/#cross-origin-embedder-policy-credentialless" to Disabled. If you are affected by these issues, you can copy and paste the above chrome:// address into the Google Chrome address bar and press Enter. When the experimental flag appears, set it to Disabled and relaunch the browser when prompted.

Security

Cloudflare Blocked a Massive 2 Tbps DDoS Attack (techcrunch.com) 18

Cloudflare says it has blocked a distributed denial-of-service (DDoS) attack that peaked at just under 2 Tbps, making it one of the largest ever recorded. From a report: The internet company said in a blog post that the attack was launched from approximately 15,000 bots running a variant of the original Mirai code on exploited Internet of Things (IoT) devices and unpatched GitLab instances. The DDoS attack comes just two weeks after Rapid7 warned of a GitLab vulnerability -- rated a full 10.0 on the CVSS severity scale -- that could be exploited to allow an attacker to remotely run code, like botnet malware, on an affected server. Rapid7 found that at least half of the 60,000 internet-facing GitLab instances remain unpatched, and warned that it expected "exploitation to increase" as details of the bug became public. The company wasn't wrong; Cloudflare said it blocked the massive DDoS attack just one week later. From its analysis of the attack, Cloudflare believes that it was a multi-vector attack that combined both DNS amplification attacks along with UDP floods.
Firefox

Firefox Relay Offers Unlimited Email Aliases as Part of its New Premium Plan (engadget.com) 55

Mozilla launched Firefox Relay as a free product that gives you five email aliases you can use every time you need to sign up for a random account online. From a report: Now, the organization has introduced a paid Premium tier for the service that will give you access to even more aliases. You'll get your own subdomain (yourdomain.mozmail.com) when you subscribe, and you'll be able to create an unlimited number of emails. The tier will also give you access to a summary dashboard with the emails you make, the option to use your aliases when you reply to messages and a 150 kb attachment allowance. After you sign up for Relay, you'll have to install its Firefox extension to be able to take advantage of its features. Every time you visit a website that asks for an email address, the Relay icon will appear on your browser, and you can click it to generate a random address. The service will forward messages you get using your aliases to your primary email account, and you can block all messages from coming in or even delete the alias when it starts getting spam. Mozilla didn't say how much a Premium subscription will cost in the future, but it's offering the tier at an introductory price of $1/EUR1 per month for a limited time.
Botnet

Emotet Botnet Returns After Law Enforcement Mass-Uninstall Operation (therecord.media) 6

An anonymous reader quotes a report from The Record: The Emotet malware botnet is back up and running once again almost ten months after an international law enforcement operation took down its command and control servers earlier this year in January. The comeback is surprising because after taking over Emotet's server infrastructure, law enforcement officials also orchestrated a mass-uninstall of the malware from all infected computers on April 25, effectively wiping out the entire botnet across the internet.

[O]ver the weekend, security researcher Luca Ebach said he spotted that another malware botnet named TrickBot was helping the Emotet gang get back on its feet by installing the Emotet malware on systems that had been previously infected with TrickBot. "We used to call this Operation ReachAround back when Emotet was dropped by Trickbot in the past," a spokesperson for Cryptolaemus, a group of security researchers who tracked Emotet in the past, told The Record today. [...]

Cryptolaemus said that right now, the Emotet gang is not sending out any new email spam but relying on the TrickBot gang to help them create an initial footprint of their new botnet incarnation before ramping up spam operations again. But if Emotet's comeback will succeed remains to be seen. It would be very hard for Emotet to reach its previous size any time in the coming months; however, the malware strain itself remains a very sophisticated and capable threat that shouldn't be ignored.

Security

High Severity BIOS Flaws Affect Numerous Intel Processors (bleepingcomputer.com) 43

Intel has disclosed two high-severity vulnerabilities that affect a wide range of Intel processor families, allowing threat actors and malware to gain higher privilege levels on the device. BleepingComputer reports: The flaws were discovered by SentinelOne and are tracked as CVE-2021-0157 and CVE-2021-0158, and both have a CVSS v3 score of 8.2 (high). The former concerns the insufficient control flow management in the BIOS firmware for some Intel processors, while the latter relies on the improper input validation on the same component. These vulnerabilities could lead to escalation of privilege on the machine, but only if the attacker had physical access to vulnerable devices.

Intel hasn't shared many technical details around these two flaws, but they advise users to patch the vulnerabilities by applying the available BIOS updates. This is particularly problematic because motherboard vendors do not release BIOS updates often and don't support their products with security updates for long. Considering that 7th gen Intel Core processors came out five years ago, it's doubtful that MB vendors are still releasing security BIOS updates for them. As such, some users will be left with no practical way to fix the above flaws. In these cases, we would suggest that you set up a strong password for accessing the BIOS settings.
Intel also released a separate advisory for a high-severity elevation of privilege flaw (CVE-2021-0146) that affects several car models that use the Intel Atom E3900. "Intel has released a firmware update to mitigate this flaw, and users will get it through patches supplied by the system manufacturer," the report says.

Security

HPE Says Aruba Customer Data Compromised After Data Breach (techcrunch.com) 2

HPE has confirmed that a "limited subset" of customer data was taken in a data breach involving its subsidiary Aruba Networks, a maker of networking equipment. From a report: The enterprise technology giant said in a statement that an unauthorized person used a private key to gain access to customer data stored in its Aruba Central cloud. HPE did not say how the hacker obtained the private key, but said the key allowed access to cloud servers in multiple regions where customer data was stored. HPE bought Aruba Networks in 2015 for $3 billion in cash. Aruba provides networking gear, like wireless access points, and network security for companies. Through its dashboard, Aruba Central, companies can centrally monitor and manage their Wi-Fi networks. It's the Wi-Fi data collected in Aruba Central that HPE said was compromised. HPE said two datasets were exposed: one for network analytics containing information about devices accessing a customer's Wi-Fi network, and a second dataset containing location data about devices on the network.

Encryption

Will Cryptocurrency Face a Quantum Computing Problem? (cnet.com) 68

"If current progress continues, quantum computers will be able to crack public key cryptography," writes CNET, "potentially creating a serious threat to the crypto world, where some currencies are valued at hundreds of billions of dollars." If encryption is broken, attackers can impersonate the legitimate owners of cryptocurrency, NFTs or other such digital assets. "Once quantum computing becomes powerful enough, then essentially all the security guarantees will go out of the window," Dawn Song, a computer security entrepreneur and professor at the University of California, Berkeley, told the Collective[i] Forecast forum in October. "When public key cryptography is broken, users could be losing their funds and the whole system will break...."

"We expect that within a few years, sufficiently powerful computers will be available" for cracking blockchains open, said Nir Minerbi, CEO of quantum software maker Classiq Technologies.

The good news for cryptocurrency fans is the quantum computing problem can be fixed by adopting the same post-quantum cryptography technology that the computing industry already has begun developing. The U.S. government's National Institute of Standards and Technology, trying to get ahead of the problem, is several years into a careful process to find quantum-proof cryptography algorithms with involvement from researchers around the globe. Indeed, several cryptocurrency and blockchain efforts are actively working on quantum resistant software...

A problem with the post-quantum cryptography algorithms under consideration so far, though, is that they generally need longer numeric encryption keys and longer processing times, says Peter Chapman, CEO of quantum computer maker IonQ. That could substantially increase the amount of computing horsepower needed to house blockchains...

The real quantum test for cryptocurrencies will be governance structures, not technologies, says Hunter Jensen, chief technology officer of Permission.io, a company using cryptocurrency for a targeted advertising system... "It will be the truly decentralized currencies which will get hit if their communities are too slow and disorganized to act," said Andersen Cheng, chief executive at Post Quantum, a London based company that sells post-quantum encryption technology.

Government

FBI Website Exploit Leads To Spam-Blast 'From' FBI.gov (krebsonsecurity.com) 14

Long-time Slashdot reader davidwr brings news of "an exploit in the FBI's Law Enforcement Enterprise Portal web site that would let anyone send an email to any arbitrary recipient..."

Security researcher Brian Krebs reports: Late in the evening of November 12 ET, tens of thousands of emails began flooding out from the FBI address eims@ic.fbi.gov, warning about fake cyberattacks.

Around that time, KrebsOnSecurity received an email from the same email address. "Hi its pompompurin," read the message. "Check headers of this email it's actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks." A review of the email's message headers indicated it had indeed been sent by the FBI, and from the agency's own Internet address. The domain in the "from:" portion of the email I received — eims@ic.fbi.gov — corresponds to the FBI's Criminal Justice Information Services division (CJIS).

According to the Department of Justice... "CJIS systems are available to the criminal justice community, including law enforcement, jails, prosecutors, courts, as well as probation and pretrial services..."

In an interview with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI's system. "I could've 1000% used this to send more legit looking emails, trick companies into handing over data etc.," Pompompurin said.

Instead Pompompurin apparently sent emails with the subject line, "Urgent: Threat actor in systems," with the body (apparently from eims@ic.fbi.gov) warning that "Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack...." The email then blames the real-world founder of two dark web intelligence companies (apparently the subject of a long standing feud with Pompompurin's community), and ultimately closes with the words "Stay safe, U.S. Department of Homeland Security — Cyber Threat Detection and Analysis — Network Analysis Group."

The FBI issued a statement in response to the incident — saying "The impacted hardware was taken offline quickly upon discovery of the issue."

Businesses

Costco Disclosed Data Breach After Finding Credit Card Skimmer (bleepingcomputer.com) 17

Costco Wholesale Corporation has warned customers in notification letters sent this month that their payment card information might have been stolen while recently shopping at one of its stores. BleepingComputer reports: Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel. The company removed the device, notified the authorities, and is now working with law enforcement agents who are investigating the incident. "We recently discovered a payment card skimming device at a Costco warehouse you recently visited," Costco told potentially impacted customers in breach notification letters. "Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating."

Costco added that individuals impacted by this incident might have had their payment information stolen if those who planted the card theft device were able to gain access to the info before the skimmer was found and removed. "If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV," Costco revealed. The retailer advised the customers to monitor their bank and credit card statements for fraudulent charges and report suspicious transactions to relevant financial institutions. Data breach notification letters sent to affected individuals did not disclose the total number of impacted customers or the warehouse location where the skimmer device was found.

Security

Researchers Wait 12 Months To Report Vulnerability With 9.8 Out of 10 Severity Rating (arstechnica.com) 36

About 10,000 enterprise servers running Palo Alto Networks' GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10. From a report: Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret. CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow flaw that occurs when parsing user-supplied input in a fixed-length location on the stack. A proof-of-concept exploit Randori researchers developed demonstrates the considerable damage that can result.

"Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more," researchers from Randori wrote on Wednesday. "Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally." Over the past few years, hackers have actively exploited vulnerabilities in a raft of enterprise firewalls and VPNs from the likes of Citrix, Microsoft, and Fortinet, government agencies warned earlier this year. Similar enterprise products, including those from Pulse Secure and Sonic Wall, have also come under attack. Now, Palo Alto Networks' GlobalProtect may be poised to join the list.

Google

Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users (vice.com) 13

Google researchers caught hackers targeting users in Hong Kong exploiting what were at the time unknown vulnerabilities in Apple's Mac operating system. According to the researchers, the attacks have the hallmarks of government-backed hackers. From a report: On Thursday, Google's Threat Analysis Group (TAG), the company's elite team of hacker hunters, published a report detailing the hacking campaign. The researchers didn't go as far as pointing the finger at a specific hacking group or country, but they said it was "a well resourced group, likely state backed."

"We do not have enough technical evidence to provide attribution and we do not speculate about attribution," the head of TAG Shane Huntley told Motherboard in an email. "However, the nature of the activity and targeting is consistent with a government backed actor." Erye Hernandez, the Google researcher who found the hacking campaign and authored the report, wrote that TAG discovered the campaign in late August of this year. The hackers had set up a watering hole attack, meaning they hid malware within the legitimate websites of "a media outlet and a prominent pro-democracy labor and political group" in Hong Kong. Users who visited those websites would get hacked with an unknown vulnerability -- in other words, a zero-day -- and another exploit that took advantage of a previously patched vulnerability for MacOS that was used to install a backdoor on their computers, according to Hernandez.

PlayStation (Games)

The First Cracks In Sony's PS5 Firmware (theverge.com) 45

Over the weekend, the hacking group Fail0verflow claimed to have obtained PS5 root keys that allow them to decrypt the console's firmware. "Additionally, Andy Nguyen (a security engineer at Google who's better known under his handle, theflow0) managed to access the PS5's debug settings menu on a retail PS5 over the weekend, too," adds The Verge. Are these the first steps towards jailbreaking Sony's latest console? The Verge's Chaim Gartenberg reports: The two exploits are particularly notable due to the level of access they theoretically give to the PS5's software. Decrypted firmware -- which is possible through Fail0verflow's keys -- would potentially allow for hackers to further reverse engineer the PS5 software and potentially develop the sorts of hacks that allowed for things like installing Linux, emulators, or even pirated games on past Sony consoles.

For now, the two exploits won't result in much of a change for PS5 owners -- there's no sudden PS5 jailbreak available today, and neither Nguyen nor Fail0verflow have published the details of their respective hacks -- nor is it even clear if they ever will. Nguyen has already said that he has "no plans for disclosure" of his hack, while Wololo.net notes that Fail0verflow held off on publishing its PS4 hacks last console generation until Sony patched things, meaning that it's possible none of this will lead to concrete changes in the PS5 hacking scene.

Security

REvil: Day of Reckoning For Notorious Cyber Gang (bbc.co.uk) 18

New submitter Computershack shares a report from the BBC: A global police operation has dealt a devastating blow to one of the most prolific cyber-crime gangs in history. The co-ordinated action against the REvil gang was announced on Monday by Romanian police, the US Department of Justice (DOJ) and Europol. The raid, which took place both on and offline, led to the arrests of two alleged hackers in Romania and one accused cyber-criminal from Ukraine. REvil has been blamed for major hacks on global businesses in recent years. The US also announced that it had successfully retrieved more than $6 million in cryptocurrency from the gang in a so-called 'claw back' hacking operation.

The Almighty Buck

Robinhood Says It Was Hacked and Extorted But Nobody Lost Any Money (vice.com) 16

Robinhood was hacked last week by someone who socially engineered a customer service representative to gain access to the email addresses of more than 5 million customers, the full names of 2 million other customers, and other data from a much smaller group of customers, the company said in a blog post published Monday. The hacker then allegedly attempted to extort the company. Motherboard reports: "The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems," Robinhood wrote in the blog post. "At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people."

"We also believe that for a more limited number of people -- approximately 310 in total -- additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed," it added. "We are in the process of making appropriate disclosures to affected people." Robinhood wrote that "the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident."

Businesses

McAfee To Be Taken Private in $14 Billion Deal Including Debt (bloomberg.com) 18

An investor group led by buyout firms Advent International, Permira Advisers and others agreed to take McAfee private in a deal that values the cybersecurity software maker at more than $14 billion including debt. From a report: The private equity consortium will pay $26 a share in cash, according to a statement Monday. Crosspoint Capital Partners, Canada Pension Plan Investment Board, GIC Pvt Ltd. and a wholly owned subsidiary of the Abu Dhabi Investment Authority are also part of the group of buyers. The purchase price represents a premium of about 23% over McAfee's closing share price of $21.21 on Nov. 4, the day before Bloomberg News first reported details of the potential deal. The shares were up less than 1% Monday morning in New York to $25.55. McAfee has total debt of about $4 billion, according to data compiled by Bloomberg. Founded by cybersecurity entrepreneur John McAfee in 1987, the company was a pioneer in developing antivirus software for personal computers. McAfee left in 1994, and was found dead in a Spanish prison cell in June this year, hours after Spain's National Court approved his extradition to the U.S. over multiple tax fraud charges.

China

China Says a Foreign Spy Agency Hacked Its Airlines, Stole Passenger Records (therecord.media) 20

Chinese officials said last week that a foreign intelligence agency hacked several of its airlines in 2020 and stole passenger travel records. From a report: The hacking campaign was disclosed last week by officials from the Ministry of State Security, China's civilian intelligence, security, and secret police agency. The hacking campaign was discovered after one of China's airlines reported a security breach to MSS officials in January 2020. Investigators said they linked the hacks to a custom trojan that the attackers used to exfiltrate passenger details and other data from this first target. A subsequent investigation found other airlines compromised in the same way. "After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency," the MSS said in a press release distributed via state news channels last Monday. The MSS did not formally attribute the attack to any foreign agency or country.

Books

New Book Warns CS Mindset and VC Industry are Ignoring Competing Values (computerhistory.org) 116

So apparently three Stanford professors are offering some tough-love to young people in the tech community. Mehran Sahami first worked at Google when it was still a startup (recruited to the company by Sergey Brin). Currently a Stanford CS professor, Sahami explained in 2019 that "I want students who engage in the endeavor of building technology to think more broadly about what are the implications of the things that they're developing — how do they impact other people? I think we'll all be better off."

Now Sahami has teamed up with two more Stanford professors to write a book calling for "a mature reckoning with the realization that the powerful technologies dominating our lives encode within them a set of values that we had no role in choosing and that we often do not even see..."

At a virtual event at Silicon Valley's Computer History Museum, the three professors discussed their new book, System Error: Where Big Tech Went Wrong and How We Can Reboot — and thoughtfully and succinctly distilled their basic argument. "The System Error that we're describing is a function of an optimization mindset that is embedded in computer science, and that's embedded in technology," says political scientist Jeremy Weinstein (one of the book's co-authors). "This mindset basically ignores the competing values that need to be 'refereed' as new products are designed. It's also embedded in the structure of the venture capital industry that's driving the growth of Silicon Valley and the growth of these companies, that prioritizes scale before we even understand anything about the impacts of technology in society. And of course it reflects the path that's been paved for these tech companies to market dominance by a government that's largely been in retreat from exercising any oversight."

Sahami thinks our technological landscape should have a protective infrastructure like the one regulating our roads and highways. "It's not a free-for-all where the ultimate policy is 'If you were worried about driving safely then don't drive.' Instead there's lanes and traffic lights and speed bumps — an entire safe-driving infrastructure which arrived through regulation." Or (as their political science professor/co-author Rob Reich tells the site), "Massive system problems should not be framed as choices that can be made by individual consumers."

Sahami also thinks breaking up big tech monopolies would just leave smaller "less equipped" companies to deal with the same problems — but that positive changes in behavior might instead come from government scrutiny. But Reich also wants to see professional ethics (like the kind that are well-established in biomedical fields). "In the book we point the way forward on a number of different fronts about how to accelerate that..."

And he argues that at colleges, just one computing-ethics class isn't enough. "Ethics must be embedded through the entire curriculum."

Security

CNN: Foreign Hackers Breached Nine Organizations to Steal 'Key Data' from 'Sensitive Targets' (cnn.com) 28

"Suspected foreign hackers have breached nine organizations in the defense, energy, health care, technology and education sectors," reports CNN, citing their exclusive glimpse at findings from security firm Palo Alto Networks.

At least one of the breached organizations is in the U.S., they add, and in cooperation with America's National Security Agency (or NSA), security researchers "are exposing an ongoing effort by these unidentified hackers to steal key data from U.S. defense contractors and other sensitive targets." It's the type of cyber espionage that security agencies in both the Biden and Trump administrations have aggressively sought to expose before it does too much damage. The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers' tools in the process... [T]he hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks, Ryan Olson, a senior Palo Alto Networks executive, told CNN. The intruders could then be well placed to intercept sensitive data sent over email or stored on computer systems until they are kicked out of the network.

Olson said that the nine confirmed victims are the "tip of the spear" of the apparent spying campaign, and that he expects more victims to emerge. It's unclear who is responsible for the activity, but Palo Alto Networks said some of the attackers' tactics and tools overlap with those used by a suspected Chinese hacking group... Cybersecurity firm Mandiant earlier this year revealed that China-linked hackers had been exploiting a different software vulnerability to breach defense, financial and public sector organizations in the US and Europe....

In the activity revealed by Palo Alto Networks, the attackers are exploiting a vulnerability in software that corporations use to manage their network passwords. CISA and the FBI warned the public in September that hackers were exploiting the software flaw and urged organizations to update their systems. Days later, the hackers tracked by Palo Alto Networks scanned 370 computer servers running the software in the US alone, and then began to exploit the software. Olson encouraged organizations that use the Zoho software to update their systems and search for signs of a breach.

Federal officials told CNN the revelation of the hacking activity is evidence of their close work with cybersecurity firms to stay on top of threats.

Security

SolarWinds Investors Allege Board Knew About Cyber Risks (reuters.com) 12

SolarWinds investors have sued the software company's directors, alleging they knew about and failed to monitor cybersecurity risks to the company ahead of a breach that created a vulnerability in thousands of its customers' systems. Reuters reports: The lawsuit filed in Delaware on Thursday appears to be the first based on records shareholders demanded from the company after Reuters reported last December that malicious code inserted into one of the company's software updates left U.S. government agencies and companies exposed. The lawsuit names a mix of current and former directors as defendants. Led by a Missouri pension fund, the investors allege that the board failed to implement procedures to monitor cybersecurity risks, such as requiring the company's management to report on those risks regularly. They are seeking damages on behalf of the company and to reform the company's policies on cybersecurity oversight.

Encryption

Hackers Are Stealing Data Today So Quantum Computers Can Crack It In a Decade (technologyreview.com) 75

While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they'll be able to unlock it at some point in the future. MIT Technology Review reports: The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines -- including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets. While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now.

Faced with this "harvest now and decrypt later" strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography. [...] DHS recently released a road map for the transition, beginning with a call to catalogue the most sensitive data, both inside the government and in the business world. [Tim Maurer, who advises the secretary of homeland security on cybersecurity and emerging technology] says this is a vital first step "to see which sectors are already doing that, and which need assistance or awareness to make sure they take action now." The US, through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024 [...].

As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. But DHS officials have explicitly warned against purchasing them, because there is still no consensus about how such systems will need to work. "No," the department stated unequivocally in a document (PDF) released last month. "Organizations should wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable."

Security

N.L. Health-Care Cyberattack Is Worst In Canadian History (www.cbc.ca) 24

One cybersecurity expert says the cyberattack on the Newfoundland and Labrador health-care system may be the worst in Canadian history, and has implications for national security. CBC News reports: David Shipley, the CEO of a cybersecurity firm in Fredericton, said he's seen similar breaches before, but usually on a smaller scale. "We've never seen a health-network takedown this large, ever," Shipley said in an interview with CBC News. "The severity of this is what really sets it apart." Discovered on Saturday morning, the cyberattack has delayed thousands of appointments and procedures this week, including almost all non-emergency appointments in the Eastern Health region. After refusing to confirm the cause of the disruption for days, Health Minister John Haggie said Wednesday the system has been victim of a cyberattack. Sources have told CBC News the security breach is a ransomware attack, a type of crime in which hackers gain control of a system and hand back the reins only when a ransom has been paid. [...]

Shipley said he normally argues against giving in to ransom demands but the provincial government might have to pay up in this instance since lives are at stake. The government has not confirmed there has been a ransom demand. On Thursday morning, staff at the Health Sciences Centre in St. John's were told the system used to manage patient health and financial information at the hospital is back online. The system -- called Meditech -- only has information from before last weekend, and will need to be updated. It isn't yet clear what the restoration of the system will mean for services at the hospital, or if the system is back online in other parts of the province.

Security

US Offers $10 Million Bounty For DarkSide Ransomware Operators (securityweek.com) 19

wiredmikey shares a report from SecurityWeek: The U.S. government wants to find the people responsible for the Colonial Pipeline ransomware attack (and many others) and it's putting up multi-million rewards for data on the operators behind the DarkSide extortion campaign. The Department of State on Thursday offered up to $10 million for information leading to the identification or location of senior members of the DarkSide gang that caused major gas disruptions earlier this year. In addition, the U.S. State Department is offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country "of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident." "In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals," it added. "The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware."

Microsoft

Microsoft Warns Windows 11 Features Are Failing Due To Its Expired Certificate (theverge.com) 109

Microsoft has started warning Windows 11 users that certain features in the operating system are failing to load due to an expired certificate. The certificate expired on October 31st, and Microsoft warns that some Windows 11 users aren't able to open apps like the Snipping Tool, touch keyboard, or emoji panel. From a report: A patch is available to fix some of the issues, but it's currently in preview, meaning you have to install it manually from Windows Update. The patch, KB4006746, will fix the touch keyboard, voice typing, emoji panel, and issues with the getting started and tips sections of Windows 11. You'll be able to find this patch by checking for updates in the Windows Update section of Settings in Windows 11. Microsoft's patch doesn't address the problems with the Snipping Tool app, though. "To mitigate the issue with Snipping Tool, use the Print Screen key on your keyboard and paste the screenshot into your document," recommends Microsoft. "You can also paste it into Paint to select and copy the section you want."

Businesses

The Booming Underground Market for Bots That Steal Your 2FA Codes (vice.com) 91

The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts. From a report: The call came from PayPal's fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer. "In order to secure your account, please enter the code we have sent your mobile device now," the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, "Thank you, your account has been secured and this request has been blocked. Don't worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up," the voice said.

But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks. Whereas fooling victims into handing over a login or verification code previously would often involve the hacker directly conversing with the victim, perhaps pretending to be the victim's bank in a phone call, these increasingly traded bots dramatically lower the barrier of entry for bypassing multi-factor authentication.

Security

Cyber Official Warns 'American Way of Life' at Risk From Hackers (bloomberg.com) 42

A top U.S. cybersecurity official offered a dire warning to members of Congress on Wednesday, saying the "American way of life" faces serious risks amid the drumbeat of ransomware attacks and physical threats to the nation's critical infrastructure. From a report: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, known as CISA, told the House Homeland Security Committee Wednesday that "ransomware has become a scourge on nearly every facet of our lives, and it's a prime example of the vulnerabilities that are emerging as our digital and our physical infrastructure increasingly converge." Her appearance, alongside National Cyber Director Chris Inglis, comes as the private sector and governments have grappled with pervasive cyberattacks during the last 12 months. Some attacks, including the Colonial Pipeline breach in May, have led to gas shortages, disrupted supply chains and exposed federal systems to significant compromise.

Easterly's testimony came after CISA issued a binding operational directive that would create a catalog of known exploited cybersecurity vulnerabilities and would require federal agencies to fix these flaws within specific time frames. It would apply to all software and hardware on federal information systems, including those managed by an agency or hosted by third parties. While the directive would only apply to federal agencies, Easterly said in a statement she wants every organization to adopt the directive "and prioritize mitigation of vulnerabilities listed in CISA's public catalog." Representative John Katko, a Republican from New York, said, "The volume of alerts, advisories, and directives goes to show the pervasiveness of vulnerabilities affecting owners and operators of critical infrastructure, and federal networks." Inglis said that privately owned critical infrastructure, which accounts for 85% of the total, is "increasingly core to the government's imperative to protect and provide for national security."

Security

Linux Foundation Adds Software Supply Chain Security To LFX (zdnet.com) 12

An anonymous reader quotes a report from ZDNet: "LFX supports projects and empowers open source teams by enabling them to write better, more secure code, drive engagement, and grow sustainable software ecosystems," the Linux Foundation says. Now, to address the growing threat of software supply chain attacks, the foundation is upgrading its LFX Security module to deal with these attacks. Jim Zemlin, the Linux Foundation's executive director, announced this new tooling today at the Linux Foundation Membership Summit.

Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing automated vulnerability detection capabilities. Software security firm BluBracket is contributing this functionality to the LFX as part of its mission to make software safer and more secure. This functionality builds on contributions from open source developer security company Snyk, helping make LFX the leading vulnerability detection platform for the open source community. [...] LFX Security will be further scaled out in 2022, helping to solve challenges for hundreds of thousands of critical open source projects under the Open Source Security Foundation. LFX Security is free and available now.

Security

'Destructive' Cyberattack Hits National Bank of Pakistan (therecord.media) 6

The National Bank of Pakistan (NBP) has suffered what two sources have described to The Record as a "destructive" cyberattack. From a report: The incident, which took place on the night between Friday and Saturday, impacted the bank's backend systems and affected servers used to interlink the bank's branches, the backend infrastructure controlling the bank's ATM network, and the bank's mobile apps. While the attack crippled some of these systems, no funds were reported missing, according to the bank and people familiar with the attack and the current investigation. "Immediate steps were taken to isolate the affected systems," the bank said in a statement on Saturday. Recovery efforts were in full swing over the weekend, and by Monday, NBP reported that more than 1,000 branches opened and catered to customers as normal and that all ATMs nationwide had been fully restored.

Bug

'Trojan Source' Bug Threatens the Security of All Code (krebsonsecurity.com) 88

"Virtually all compilers -- programs that transform human-readable source code into computer-executable machine code -- are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected," warns cybersecurity expert Brian Krebs in a new report. An anonymous reader shares an excerpt: Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis). Specifically, the weakness involves Unicode's bi-directional or "Bidi" algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic -- which is read right to left -- and English (left to right). But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the "Bidi override," which can be used to make left-to-right text read right-to-left, and vice versa.

"In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient," the Cambridge researchers wrote. "For these cases, Bidi override control characters enable switching the display ordering of groups of characters." Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email. Here's the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text -- including control characters -- is ignored by compilers and interpreters. Also, it's bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

"So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty," said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. "That's bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything." The research paper, which dubbed the vulnerability "Trojan Source," notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides. [...] Anderson said such an attack could be challenging for a human code reviewer to detect, as the rendered source code looks perfectly acceptable. "If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected," he said. Equally concerning is that Bidi override characters persist through the copy-and-paste functions on most modern browsers, editors, and operating systems.
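The practical defence against what Anderson describes is to refuse or flag any Bidi control character in source before a human reviews it. The scanner below is an added example, not code from the Cambridge researchers or Krebs' report; the sample source it scans is constructed here, with a single isolate pair placed in a comment to show what the tool reports.

```python
"""Flag Unicode Bidi control characters in source text (Trojan Source defence).

Added example, not from the Cambridge paper or the Krebs report. The sample
source below is constructed for illustration only.
"""
import unicodedata

# The Unicode bidirectional control characters a reviewer never sees rendered.
BIDI_CONTROLS = {
    "\u061c": "ALM",  # ARABIC LETTER MARK
    "\u200e": "LRM",  # LEFT-TO-RIGHT MARK
    "\u200f": "RLM",  # RIGHT-TO-LEFT MARK
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def scan_source(text):
    """Return (line_no, col, abbrev, unicode_name) for every Bidi control found.

    Deliberately scans the whole file, not just code: the point of the attack
    is that comments and string literals are where the controls hide.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, BIDI_CONTROLS[ch], unicodedata.name(ch)))
    return findings


def reveal(line):
    """Make hidden controls visible by replacing each with a bracketed tag,
    so a reviewer can see exactly where the logical text was manipulated."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c for c in line)


# Constructed sample: a C-style comment containing an RLI...PDI pair. The
# compiler treats the whole line as it is logically encoded; the isolate only
# changes how an editor displays the rest of the line to a human.
SAMPLE = (
    "int check(int is_admin) {\n"
    "    /* begin admins only \u2067 */ if (is_admin) {\u2069\n"
    "    return 1;\n"
    "}\n"
)

if __name__ == "__main__":
    # Suitable as a pre-commit or CI gate: any finding fails the check.
    for line_no, col, abbrev, name in scan_source(SAMPLE):
        print(f"line {line_no} col {col}: {abbrev} ({name})")
    for line in SAMPLE.splitlines():
        print(reveal(line))
```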

Microsoft

Microsoft's CEO Satya Nadella Says 'New Norms' Needed as 'Real Structural Changes' Rock Workplaces (hbr.org) 93

For the first interview of its new series on "The New World of Work," Harvard Business Review asked Microsoft CEO Satya Nadella what team collaboration will look like in workplaces of the future. And Nadella begins by arguing that this tail-end of the pandemic brings "real structural changes" — and two megatrends for the future workplace: One is the trend around hybrid work, which is a result of the changed expectations of everyone around the flexibility that they want to exercise in when, where, and how they work. And then the second mega trend is what Ryan Roslansky, who is the CEO of LinkedIn, termed, which I like, which is the great reshuffle. Not only are people talking about when, where, and how they work, but also why they work. They really want to recontract, in some sense, the real meaning of work and sort of asking themselves the question of which company do they want to work for and what job function or profession they want to pursue...

I think we should sort of perhaps just get grounded on what are we seeing in the expectations. For example, when we see all of the data, the reality is close to 70% of the people say they want flexibility. At the same time, 70% also want that human connection so that they can collaborate. So therein lies that hybrid paradox. Interestingly enough, if you look at the other sort of confounding piece of data: 50-odd percent of the people say they want to come into work so that they can have focus time. Fifty-odd percent also want to stay at home so that they can have focus time.

So the real thing I would say is right now, it's probably best not to be overly dogmatic. Because I don't think we have settled on the new norms... [W]e are taking what I would call a much more organic approach right now. What I would say is what we want to practice and what we want to evangelize is empowering every manager and every individual to start coming up with norms that work for that team, given the context of what that team is trying to get done. In some sense, we are really saying, let's just use an organic process to build up through empowerment new norms that work for the company to be productive.

"Nobody quits companies," Nadella says at one point. "They quit managers."

And towards the end, when he's asked what's the greatest source of innovation, he answers: empathy. To me, what I have sort of come to realize, what is the most innate in all of us is that ability to be able to put ourselves in other people's shoes and see the world the way they see it. That's empathy. That's at the heart of design thinking. When we say innovation is all about meeting unmet, unarticulated, needs of the marketplace, it's ultimately the unmet and articulated needs of people, and organizations that are made up of people. And you need to have deep empathy.

So I would say the source of all innovation is what is the most humane quality that we all have, which is empathy.

Android

Newly-Discovered 'AbstractEmu' Malware Rooted Android Devices, Evaded Detection (bleepingcomputer.com) 34

"New Android malware can root infected devices to take complete control and silently tweak system settings, as well as evade detection using code abstraction and anti-emulation checks," reports BleepingComputer.

Cybersecurity company Lookout said on its blog that they'd spotted the malware on Google Play "and prominent third-party stores such as the Amazon Appstore and the Samsung Galaxy Store.... To protect Android users, Google promptly removed the app as soon as we notified them of the malware." We named the malware "AbstractEmu" after its use of code abstraction and anti-emulation checks to avoid running while under analysis. A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Play that had more than 10,000 downloads...

This is a significant discovery because widely-distributed malware with root capabilities has become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors... By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances...

AbstractEmu does not have any sophisticated zero-click remote exploit functionality used in advanced APT-style threats; it is activated simply by the user having opened the app. As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading... By rooting the device, the malware is able to silently modify the device in ways that would otherwise require user interaction and access data of other apps on the device.

"Apps bundling the malware included password managers and tools like data savers and app launchers," reports BleepingComputer, "all of them providing the functionality they promised to avoid raising suspicions..."

Lookout's blog post said they'd spotted people affected by the malware in 17 different countries.

Security

You Can Now Remotely Access Your Tesla's Camera - and Talk to People (teslaoracle.com) 41

The Tesla Oracle blog reports on a newly-released security feature "that enables Tesla owners to remotely view what's happening around their vehicles in real-time using their mobile phones..."

"While you have opened the live camera view of your parked Tesla car, you can talk back to the people in the vehicle's surroundings." The Tesla vehicle will change your voice, amplify it and output it via an external speaker installed under the car. Teslas built since January 2019 have this speaker installed as part of the pedestrian warning system, a requirement by the NHTSA. In last year's holiday software update package, Tesla introduced the Boombox feature using this external speaker. Boombox lets Tesla owners add custom horn and pedestrian warning sounds to the vehicle.

Tesla owners will now be able to warn potential vandals more explicitly by giving them verbal warnings from a remote location...

In a tweet Wednesday, Elon Musk joked the feature was also "great for practical jokes."

The Courts

The US Government Wants Signal's Private User Data That It Simply Doesn't Have (hothardware.com) 61

According to a post on the Signal blog, a federal grand jury in the Central District of California has subpoenaed Signal for a whole pile of user data, like subscriber information, financial information, transaction histories, communications, and more. HotHardware reports: The thing is, the subpoena is moot: Signal simply doesn't have the data to provide. The company can't provide any of the data that the grand jury is asking for because, as the company itself notes, "Signal doesn't have access to your messages, your chat list, your groups, your contacts, your stickers, [or] your profile name or avatar." The only things that Signal can offer up to the court are Unix timestamps for when the accounts in question were created and last accessed the service.

The announcement (and, we suppose, this news post) essentially amounts to an advertisement for Signal, but it's an amusing -- or possibly distressing -- anecdote nonetheless. While Signal is secure, keep in mind that the messages still originate from your device, which means that other apps on your device (like, say, your keyboard) could still be leaking your data. Lest you doubt Signal's story, the app creators have published the subpoena, suitably redacted, on their blog.

Encryption

Hive Ransomware Now Encrypts Linux and FreeBSD Systems (bleepingcomputer.com) 26

Hive, a ransomware group that has hit over 30 organizations since June 2021, now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms. BleepingComputer reports: However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and still lack functionality. The Linux variant also proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path. It also comes with support for a single command line parameter (-no-wipe). In contrast, Hive's Windows ransomware comes with up to 5 execution options, including killing processes and skipping disk cleaning, uninteresting files, and older files. The ransomware's Linux version also fails to trigger the encryption if executed without root privileges because it attempts to drop the ransom note on compromised devices' root file systems.

Security

Ransomware Has Disrupted Almost 1,000 Schools In the US This Year (vice.com) 7

An anonymous reader quotes a report from Motherboard: So far this year, almost 1,000 schools across the country have suffered from a ransomware attack, and in some cases had classes disrupted because of it, according to tallies by Emsisoft, a cybersecurity company that specializes in tracking and investigating ransomware attacks, and another cybersecurity firm, Recorded Future. Brett Callow, a researcher at Emsisoft, shared the list with Motherboard. It includes 73 school districts, comprising 985 schools. Callow said that it's very likely there are some schools missing from the list, meaning the total number of victims is likely higher than 1,000. The list includes schools such as the Mesquite Independent School District in Texas, which comprises 49 different schools; the Haverhill Public Schools in Massachusetts, which comprises 16 schools; and the Visalia Unified School District in California, which comprises 41 schools.

"There is a huge jump in ransomware attacks hitting schools starting in 2019 and that trend is accelerating," Allan Liska, a researcher at cybersecurity firm Recorded Future who tracks ransomware, told Motherboard in an online chat. [...] Schools are getting hit every other week, and 2021 was worse than 2020, according to Liska, who said that last year he and his company catalogued 56 ransomware attacks impacting almost 700 schools. "The thing is, as bad as it is right now it will likely get worse before it gets better. While most ransomware attacks are not targeted, there are two sectors that ransomware groups do seem to enjoy going after: healthcare and schools," Liska said. "It seems like schools are basically a proving ground for ransomware actors to test out their skills. Schools pay significantly less in average ransom than most sectors (when they pay, which is rare), so the ransomware groups are not going after schools for the money."
