The non-profit, free certificate authority Let's Encrypt shared some news from their executive director as they approach their 10th anniversary in 2025: Internally things have changed dramatically from what they looked like ten years ago, but outwardly our service hasn't changed much since launch. That's because the vision we had for how best to do our job remains as powerful today as it ever was: free 90-day TLS certificates via an automated API. Pretty much as many as you need. More than 500,000,000 websites benefit from this offering today, and the vast majority of the web is encrypted.

Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before — short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

Because we've done so much to encourage automation over the past decade, most of our subscribers aren't going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It's not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day. That sounds sort of nuts to me today, but issuing 5,000,000 certificates per day would have sounded crazy to me ten years ago... It was hard to build Let's Encrypt. It was difficult to scale it to serve half a billion websites...

Charitable contributions from people like you and organizations around the world make this stuff possible. Since 2015, tens of thousands of people have donated. They've made a case for corporate sponsorship, given through their Donor-Advised Funds, or set up recurring donations, sometimes to give $3 a month. That's all added up to millions of dollars that we've used to change the Internet for nearly everyone using it.
Thanks to long-time Slashdot reader rastos1 for sharing the news.

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecomm breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.
Thanks to Slashdot reader mspohr for sharing the article.

An anonymous reader quotes a report from Ars Technica: A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."

Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser. TechCrunch: The chatbot, which TechCrunch has seen, allowed employees to ask the company questions about how to handle patient health insurance claims and disputes for members in line with the company's standard operating procedures (SOPs).

While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealthcare, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors' medical decisions and deny patient claims.

Mossab Hussein, chief security officer and co-founder of cybersecurity firm spiderSilk, alerted TechCrunch to the publicly exposed internal Optum chatbot, dubbed "SOP Chatbot." Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.

HDMI Forum will announce new specifications with increased bandwidth capabilities at CES 2025, ahead of anticipated graphics card launches from AMD and NVIDIA. The announcement, scheduled for January 6, is expected to introduce HDMI 2.2 standard alongside a new cable supporting higher resolutions and refresh rates.

Current HDMI 2.1 specification maxes out at 48 Gbps bandwidth, allowing 10K resolution at 120 Hz with compression. The upgrade aims to compete with DisplayPort 2.1, which offers up to 80 Gbps bandwidth and is already supported by recent AMD and Intel GPUs.

Yahoo laid off around 25% of its cybersecurity team -- known as The Paranoids -- over the last year, TechCrunch has learned. From the report: Overall, the company has laid off or lost through attrition 40 to 50 people from a total of 200 employees in the cybersecurity team since the start of 2024, according to multiple current and former Yahoo employees who spoke to TechCrunch on condition of anonymity. (Yahoo is TechCrunch's parent company.)

The Paranoids are not the only team affected by the layoffs. Valeri Liborski, who was appointed Yahoo's chief technology officer in September, sent an email this week to employees announcing changes across the broader technology unit, including enterprise productivity and core services. The email to staff, which was obtained by TechCrunch, said: "This was a very difficult decision and one I have not taken lightly."

The Paranoids' so-called red team, or offensive security team -- which conducts cyberattack simulations to identify weaknesses in the company's network before external hackers can -- was eliminated entirely this week, and there have been at least three rounds of layoffs impacting the cybersecurity team this year, according to the sources.

An anonymous reader shares a report: Copilot has gone native for Windows Insiders and commandeered a popular keyboard shortcut in the process. The move from a Progressive Web App (PWA) to a native binary -- although most of it appears to still be a website, just not running as a PWA -- will be welcomed. Microsoft noted that once the app update has been installed, Copilot will appear in the system tray.

However, the assistant's quick view feature has been given the Alt+Space keyboard shortcut. This is already used by many other applications, including Microsoft's own PowerToys. PowerToys Run, for example, uses Alt+Space to open a launcher into which users can type in the name of the service they are seeking. Alt+Space is also used to show the context menu of the active window. Therefore, Microsoft's decision to hand the shortcut over to Copilot is unlikely to please keyboard warriors who are used to their shortcuts working in a particular way.

The Windows vendor acknowledged that the shortcut was already in use by many apps, saying: "For any apps installed on your PC that might utilize this keyboard shortcut, Windows will register whichever app is launched first on your PC and running in the background as the app that is invoked when using Alt+Space."

Amazon has postponed implementing Microsoft's cloud-based Office suite for its workforce by one year, citing security concerns following a Russian cyber attack on Microsoft's systems. The delay affects a $1 billion, five-year contract signed last year to provide Microsoft 365 to Amazon's 1.5 million employees, making the e-commerce giant one of the largest customers of Microsoft's cloud productivity suite.

The decision came after Microsoft revealed that Midnight Blizzard, a Russia-linked hacking group, had breached several employee email accounts, including those of senior executives and cybersecurity staff. Amazon subsequently conducted its own security review and requested enhanced protection measures from Microsoft.

Startup Embodied is closing down, and its product, an $800 robot for kids ages 5 to 10, will soon be bricked. From a report: Embodied blamed its closure on a failed "critical funding round." On its website, it explained: "We had secured a lead investor who was prepared to close the round. However, at the last minute, they withdrew, leaving us with no viable options to continue operations. Despite our best efforts to secure alternative funding, we were unable to find a replacement in time to sustain operations."

The company didn't provide further details about the pulled funding. Embodied's previous backers have included Intel Capital, Toyota AI Ventures, Amazon Alexa Fund, Sony Innovation Fund, and Vulcan Capital, but we don't know who the lead investor mentioned above is. When it first announced Moxie in April 2020, Embodied described the robot as a "safe and engaging animate companion for children designed to help promote social, emotional, and cognitive development."

An anonymous reader shares a report: Russia has reportedly cut some regions of the country off from the rest of the world's internet for a day, effectively siloing them, according to reports from European and Russian news outlets reshared by the US nonprofit Institute for the Study of War (ISW) and Western news outlets.

Russia's communications authority, Roskomnadzor, blocked residents in Dagestan, Chechnya, and Ingushetia, which have majority-Muslim populations, ISW says. The three regions are in southwest Russia near its borders with Georgia and Azerbaijan. People in those areas couldn't access Google, YouTube, Telegram, WhatsApp, or other foreign websites or apps -- even if they used VPNs, according to a local Russian news site.

Russian digital rights NGO Roskomsvoboda told TechRadar that most VPNs didn't work during the shutdown, but some apparently did. It's unclear which ones or how many actually worked, though. Russia has been increasingly blocking VPNs more broadly, and Apple has helped the country's censorship efforts by taking down VPN apps on its Russian App Store. At least 197 VPNs are currently blocked in Russia, according to Russian news agency Interfax.

Security researchers have uncovered a new surveillance tool that they say has been used by Chinese law enforcement to collect sensitive information from Android devices in China. From a report: The tool, named "EagleMsgSpy," was discovered by researchers at U.S. cybersecurity firm Lookout. The company said at the Black Hat Europe conference on Wednesday that it had acquired several variants of the spyware, which it says has been operational since "at least 2017."

Kristina Balaam, a senior intelligence researcher at Lookout, told TechCrunch the spyware has been used by "many" public security bureaus in mainland China to collect "extensive" information from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks, and messages from third-party apps including Telegram and WhatsApp. EagleMsgSpy is also capable of initiating screen recordings on smartphones, and can capture audio recordings of the device while in use, according to research Lookout shared with TechCrunch.

A manual obtained by Lookout describes the app as a "comprehensive mobile phone judicial monitoring product" that can obtain "real-time mobile phone information of suspects through network control without the suspect's knowledge, monitor all mobile phone activities of criminals and summarize them."

An anonymous reader shares a report: Software vulnerability submissions generated by AI models have ushered in a "new era of slop security reports for open source" -- and the devs maintaining these projects wish bug hunters would rely less on results produced by machine learning assistants. Seth Larson, security developer-in-residence at the Python Software Foundation, raised the issue in a blog post last week, urging those reporting bugs not to use AI systems for bug hunting.

"Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects," he wrote, pointing to similar findings from the Curl project in January. "These reports appear at first glance to be potentially legitimate and thus require time to refute." Larson argued that low-quality reports should be treated as if they're malicious.

As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he's still confronted by "AI slop" -- and wasting his time arguing with a bug submitter who may be partially or entirely automated.

chiguy writes: In October, a jury in a federal class-action lawsuit returned a verdict that found Cognizant intentionally discriminated against more than 2,000 non-Indian employees between 2013 and 2022. The verdict, which echoed a previously undisclosed finding from a 2020 US Equal Employment Opportunity Commission investigation, centered on discrimination claims based on race and national origin. Cognizant, based in Teaneck, New Jersey, was found to have preferred workers from India, most of whom joined the firm's US workforce of about 32,000 using skilled-worker visas called H-1Bs.

The case is part of a wave of recent discrimination claims against IT outsourcing companies that underscore growing concerns that these firms have exploited a broken employment-visa system to secure a cheaper, more malleable workforce. In the process, US workers say they've been disadvantaged. The industry, which provides computer services to other companies, makes extensive use of H-1Bs; over the past decade and a half, no employer has obtained more of them than Cognizant, federal records show.

Google's app store claims that their text-messaging app Google Messages means "conversations are end-to-end encrypted".

"That is some serious bullshit," argues tech blogger John Gruber: It's shamefully misleading regarding Google Messages's support for end-to-end encryption... Google Messages does support end-to-end encryption, but only over RCS and only if all participants in the chat are using a recent version of Google Messages. But the second screenshot in the Play Store listing flatly declares "Conversations are end-to-end encrypted", full stop...

I realize that "Some conversations are end-to-end encrypted" will naturally spur curiosity regarding which conversations are encrypted and which aren't, but that's the truth. And users of the app should be aware of that. "RCS conversations with other Google Messages users are encrypted" would work.

Then, in the "report card" section of the listing, it states the following:

Data is encrypted in transit
Your data is transferred over a secure connection

Which, again, is only true sometimes. It's downright fraudulent to describe Google Messages's transit security this way.... [D]epending who you communicate with — iPhone users, Android users with old devices, Android users who use other text messaging apps — it's quite likely most of your messages won't be secure... E2EE is never available for SMS, and never available if a participant in the chat is using any RCS client (on Android or Apple Messages) other than Google Messages. That's an essential distinction that should be made clear, not obfuscated.
Gruber's earlier blog post had pointed out that the RCS standard "has no encryption; E2EE RCS chats in Google Messages use Google's proprietary extension and are exclusive to the Google Messages app, so RCS chats between Google Messages and other apps, most conspicuously Apple Messages, are not encrypted."

And in his newer post, Gruber adds, "While I'm at it, it's also embarrassing that Google Voice has no support for RCS at all. It's Google's own app and service, and Google has been the world's most vocal proponent of RCS messaging."

China-linked spies may still be lurking in U.S. telecommunications networks — but the breach could be much, much wider. In fact, a "couple dozen" countries were hit by the attack, the Wall Street Journal reported this week, citing a top U.S. national security adviser. "Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign..." Speaking during a press briefing Wednesday, Anne Neuberger, President Biden's deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached... The Journal previously identified Verizon, AT&T, T-Mobile and Lumen Technologies among the victims... [M]etadata grabs appeared to be "regional" in focus, and were likely a means to identify phone lines of valuable senior government officials, which the hackers then targeted to steal encrypted text messages and listen in on some phone calls, the official said... President-elect Donald Trump, Vice President-elect JD Vance, senior congressional staffers and an array of U.S. security officials were among scores of individuals to have their calls and texts directly targeted, an intelligence-collection coup that likely ensnared their private communications with thousands of Americans, the Journal has reported.

The senior administration official said the global tally of countries victimized was currently believed to be in the "low, couple dozen" but didn't give a precise figure. The global campaign of hacking activity dates back at least a year or two, the official said.
"Neuberger, on the press briefing, said that it wasn't believed that classified communications were accessed in the breaches."

The Solana JavaScript SDK "was temporarily compromised yesterday in a supply chain attack," reports BleepingComputer, "with the library backdoored with malicious code to steal cryptocurrency private keys and drain wallets." Solana offers an SDK called "@solana/web3.js" used by decentralized applications (dApps) to connect and interact with the Solana blockchain. Supply chain security firm Socket reports that Solana's Web3.js library was hijacked to push out two malicious versions to steal private and secret cryptography keys to secure wallets and sign transactions... Solana confirmed the breach, stating that one of their publish-access accounts was compromised, allowing the attackers to publish two malicious versions of the library... Solana is warning developers who suspect they were compromised to immediately upgrade to the latest v1.95.8 release and to rotate any keys, including multisigs, program authorities, and server keypairs...

Once the threat actors gain access to these keys, they can load them into their own wallets and remotely drain all stored cryptocurrency and NFTs... Socket says the attack has been traced to the FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx Solana address, which currently contains 674.86 Solana and varying amounts of the Irish Pepe , Star Atlas, Jupiter, USD Coin, Santa Hat, Pepe on Fire, Bonk, catwifhat, and Genopets Ki tokens. Solscan shows that the estimated value of the stolen cryptocurrency is $184,000 at the time of this writing.

For anyone whose wallets were compromised in this supply chain attack, you should immediately transfer any remaining funds to a new wallet and discontinue the use of the old one as the private keys are now compromised.
Ars Technica adds that "In social media posts, one person claimed to have lost $20,000 in the hack."

The compromised library "receives more than ~350,000 weekly downloads on npm," Socket posted. (Although Solana's statement says the compromised versions "were caught within hours and have since been unpublished."

A ransomware attack on the multinational Stoli Group in August helped push two of the vodka-maker's U.S. subsidiaries into bankruptcy, according to the company's CEO. From a report: In a Texas bankruptcy court filing on November 29, CEO Chris Caldwell attributed a range of external factors to the financial woes of Stoli Group USA and Kentucky Owl (KO) -- which are facing $84 million in debt. But one of the most prominent was a ransomware attack this year that damaged the parent company's IT system.

"In August 2024, the Stoli Group's IT infrastructure suffered severe disruption in the wake of a data breach and ransomware attack," Caldwell said in the filing. "The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group's enterprise resource planning (ERP) system being disabled and most of the Stoli Group's internal processes (including accounting functions) being forced into a manual entry mode." Caldwell said the systems will be restored âoeno earlier than in the first quarter of 2025.â

An anonymous reader shared this report from NBC News: Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers...

In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China's intercepting their communications. "Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible," Greene said. The FBI official said, "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant" multi-factor authentication for email, social media and collaboration tool accounts...

The FBI and other federal law enforcement agencies have a complicated relationship with encryption technology, historically advocating against full end-to-end encryption that does not allow law enforcement access to digital material even with warrants. But the FBI has also supported forms of encryption that do allow some law enforcement access in certain circumstances.
Officials said the breach seems to include some live calls of specfic targets and also call records (showing numbers called and when). "The hackers focused on records around the Washington, D.C., area, and the FBI does not plan to alert people whose phone metadata was accessed."

"The scope of the telecom compromise is so significant, Greene said, that it was 'impossible" for the agencies "to predict a time frame on when we'll have full eviction.'"

China-linked spies are still lurking inside U.S. telecommunications networks roughly six months after American officials started investigating the intrusions, senior officials told reporters Tuesday. From a report: This is the first time U.S. officials have confirmed reports that Salt Typhoon hackers still have access to critical infrastructure -- and they're proving difficult to kick out. Officials added that they don't yet know the full scope of the intrusions, despite starting the investigation in late spring.

The Cybersecurity and Infrastructure Security Agency and FBI released guidance Tuesday for the communications sector to harden their networks against Chinese state-sponsored hackers. The guide includes basic steps like maintaining logs of activity on the network, keeping an inventory of all devices in the telecom's environment and changing any default equipment passwords. The hack has given Salt Typhoon unprecedented access to records from U.S. telecommunications networks about who Americans are communicating with, a senior FBI official told reporters during a briefing.

The cyber risks facing the United Kingdom are being "widely underestimated," the country's new cyber chief will warn on Tuesday as he launches the National Cyber Security Centre's (NCSC) annual review. From a report: In his first major speech since joining the NCSC -- part of the signals and cyber intelligence agency GCHQ -- Richard Horne will drive a shift in tone in how the cybersecurity agency communicates these risks. Despite some evidence showing cyberattacks growing year-on-year for half a decade, the NCSC has not previously confirmed the trend nor expressed alarm about it.

"What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us," Horne will say, according to an advance preview of his speech on Tuesday. Citing the intelligence that NCSC has access to as an agency within GCHQ, Horne will warn that "hostile activity in UK cyberspace has increased in frequency, sophistication and intensity," adding that despite growing activity from Russian and Chinese threat actors, the agency believes British society as a whole is failing to appreciate the severity of the risk. The annual review reveals that the agency's incident management team handled a record number of cyber incidents over the past 12 months -- 430 compared to 371 last year -- 89 of which were considered nationally significant incidents.

An anonymous reader shares a report: ChatGPT users have spotted an unusual glitch that prevents the AI chatbot from saying the name 'David Mayer.' OpenAI's hugely popular AI tool responds to requests to write the name with an error message, stating: "I'm unable to produce a response." The chat thread is then ended, with people forced to open a new chat window in order to keep interacting with ChatGPT.

"Spacecraft, satellites, and space-based systems all face cybersecurity threats that are becoming increasingly sophisticated and dangerous," reports CNBC.

"With interconnected technologies controlling everything from navigation to anti-ballistic missiles, a security breach could have catastrophic consequences." Critical space infrastructure is susceptible to threats across three key segments: in space, on the ground segment and within the communication links between the two. A break in one can be a cascading failure for all, said Wayne Lonstein, co-founder and CEO at VFT Solutions, and co-author of Cyber-Human Systems, Space Technologies, and Threats. "In many ways, the threats to critical infrastructure on Earth can cause vulnerabilities in space," Lonstein said. "Internet, power, spoofing and so many other vectors that can cause havoc in space," he added. The integration of artificial intelligence into space projects has heightened the risk of sophisticated cyber attacks orchestrated by state actors and individual hackers. AI integration into space exploration allows more decision-making with less human oversight.

For example, NASA is using AI to target scientific specimens for planetary rovers. However, reduced human oversight could make these missions more prone to unexplained and potentially calamitous cyberattacks, said Sylvester Kaczmarek, chief technology officer at OrbiSky Systems, which specializes in the integration of AI, robotics, cybersecurity, and edge computing in aerospace applications. Data poisoning, where attackers feed corrupted data to AI models, is one example of what could go wrong, Kaczmarek said. Another threat, he said, is model inversion, where adversaries reverse-engineer AI models to extract sensitive information, potentially compromising mission integrity. If compromised, AI systems could be used to interfere with or take control of strategically important national space missions...

The U.S. government is tightening up the integrity and security of AI systems in space. The 2023 Cyberspace Solarium Commission report stressed the importance of designating outer space as a critical infrastructure sector, urging enhanced cybersecurity protocols for satellite operators... The rivalry between the U.S. and China includes the new battleground of space. As both nations ramp up their space ambitions and militarized capabilities beyond Earth's atmosphere, the threat of cyberattacks targeting critical orbital assets has become an increasingly pressing concern... Space-based systems increasingly support critical infrastructure back on Earth, and any cyberattacks on these systems could undermine national security and economic interests.

"A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites," reports Search Engine Journal.

The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..." The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin, was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Ant-Spam plugin that the malicious request is coming from the website itself and because that plugin doesn't have a check for that the attackers gain unauthorized access... Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
Thanks to Slashdot reader bleedingobvious for sharing the news.

An anonymous reader shares a report: Google Cloud dangled hundreds of million of euros worth of financial incentives to ally itself with an association of European cloud providers that had lodged a complaint against Microsoft, according to confidential documents seen by The Register.

Amit Zavery, the former Vice President of Google Cloud Platform, presented to a selection of members of the Cloud Infrastructure Service Providers in Europe (CISPE) trade body, then to the board and finally to the entire organization, according to sources that asked to remain anonymous.

In the presentation, seen by us, Zavery offered to provide a Members Innovation Fund of $4.2 million, which Google described as $105,000 per member to be used as "immediate funding for projects and license fees of CISPE members to support innovation in open cloud ecosystems." CISPE actually has 36 members now, including Oxya, Leaseweb, UpCloud and AWS -- the latter being the only non-European participant. The number has grown from 27 in July. Google also offered to contribute an additional $10.6 million to the trade association, described in the presentation as "participating and membership resources."

The ongoing cybersecurity incident affecting a North West England NHS group has forced sites to fall back on pen-and-paper operations. From a report: The Wirral University Teaching Hospital NHS Trust updated its official line on the incident on Wednesday evening, revealing new details about the case, but remains coy about the true nature of the attack.

"After detecting suspicious activity, as a precaution, we isolated our systems to ensure that the problem did not spread. This resulted in some IT systems being offline," the updated statement said.

"We have reverted to our business continuity processes and are using paper rather than digital in the areas affected. We are working closely with the national cybersecurity services and we are planning to return to normal services at the earliest opportunity."

A bipartisan group of 12 senators has urged the TSA inspector general to investigate the agency's use of facial recognition technology, citing concerns over privacy, civil liberties, and its expansion to over 430 airports without sufficient safeguards or proven effectiveness. Gizmodo reports: "This technology will soon be in use at hundreds of major and mid-size airports without an independent evaluation of the technology's precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy," the senators wrote. The letter was signed by Jeffrey Merkley (D-OR), John Kennedy (R-LA), Ed Markey (D-MA), Ted Cruz (R-TX), Roger Marshall (R-Kansas), Ron Wyden (D-OR), Steve Daines (R-MT), Elizabeth Warren (D-MA), Bernie Sanders (I-VT), Cynthia Lummis (R-WY), Chris Van Hollen (D-MD), and Peter Welch (D-VT).

While the TSA's facial recognition program is currently optional and only in a few dozen airports, the agency announced in June that it plans to expand the technology to more than 430 airports. And the senators' letter quotes a talk given by TSA Administrator David Pekoske in 2023 in which he said "we will get to the point where we require biometrics across the board." [...] The latest letter urges the TSA's inspector general to evaluate the agency's facial recognition program to determine whether it's resulted in a meaningful reduction in passenger delays, assess whether it's prevented anyone on no-fly lists from boarding a plane, and identify how frequently it results in identity verification errors.

An anonymous reader quotes a report from Ars Technica: Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines. Researchers at security firm ESET said Wednesday that Bootkitty -- the name unknown threat actors gave to their Linux bootkit -- was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines. "Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," ESET researchers wrote. "Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats." [...] As ESET notes, the discovery is nonetheless significant because it demonstrates someone -- most likely a malicious threat actor -- is pouring resources and considerable know-how into creating working UEFI bootkits for Linux. Currently, there are few simple ways for people to check the integrity of the UEFI running on either Windows or Linux devices. The demand for these sorts of defenses will likely grow in the coming years.

An anonymous reader quotes a report from KrebsOnSecurity: Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect -- a prolific hacker known as Kiberphant0m -- remains at large and continues to publicly extort victims. However, this person's identity may not remain a secret for long: A careful review of Kiberphant0m's daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

Kiberphant0m's identities on cybercrime forums and on Telegram and Discord chat channels have been selling data stolen from customers of the cloud data storage company Snowflake. At the end of 2023, malicious hackers discovered that many companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with nothing more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories for some of the world's largest corporations. Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information, phone and text message records for roughly 110 million people. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, John Erin Binns, is an American who is currently incarcerated in Turkey. Investigators say Moucka, who went by the handles Judische and Waifu, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to have their information deleted. Immediately after news broke of Moucka's arrest, Kiberphant0m was clearly furious, and posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris. [...] Also on Nov. 5, Kiberphant0m offered call logs stolen from Verizon's push-to-talk (PTT) customers -- mainly U.S. government agencies and emergency first responders. Kiberphant0m denies being in the U.S. Army and said all these clues were "a lengthy ruse designed to create a fictitious persona," reports Krebs.

"I literally can't get caught," Kiberphant0m said, declining an invitation to explain why. "I don't even live in the USA Mr. Krebs." A mind map illustrates some of the connections between and among Kiberphant0m's apparent alter egos.

Nearly 89% of smart device manufacturers fail to disclose how long they will provide software updates for their products, a Federal Trade Commission staff study found this week. The review of 184 connected devices, including hearing aids, security cameras and door locks, revealed that 161 products lacked clear information about software support duration on their websites.

Basic internet searches failed to uncover this information for two-thirds of the devices. "Consumers stand to lose a lot of money if their smart products stop delivering the features they want," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. The agency warned that manufacturers' failure to provide software update information for warranted products costing over $15 may violate the Magnuson Moss Warranty Act. The FTC also cautioned that companies could violate the FTC Act if they misrepresent product usability periods. The study excluded laptops, personal computers, tablets and automobiles from its review.

Microsoft has confirmed that Windows 11 24H2 has issues with USB-connected devices that support the Scanner Communication Language (eSCL) protocol. From a report: A compatibility hold has been applied to the hardware. The hold means that hardware connected to a USB device supporting the eSCL protocol will not be offered an upgrade to Windows 11 24H2. Microsoft said: "This issue primarily affects USB-connected multifunction devices or standalone scanners that support scan functionality and the eSCL protocol."

According to Microsoft, the issue lies in device discovery. Install Windows 11 24H2, wait for it to discover USB-connected peripherals, and... nothing. Or as Microsoft put it: "You might observe that your device does not discover the USB-connected peripheral and the device discovery does not complete." The company added: "This issue is caused due to the device not switching out of eSCL mode to USB mode, which allows the scanner drivers to be matched."

An anonymous reader quotes a report from TechCrunch: Security researchers have uncovered two previously unknown zero-day vulnerabilities that are being actively exploited by RomCom, a Russian-linked hacking group, to target Firefox browser users and Windows device owners across Europe and North America. RomCom is a cybercrime group that is known to carry out cyberattacks and other digital intrusions for the Russian government. The group -- which was last month linked to a ransomware attack targeting Japanese tech giant Casio -- is also known for its aggressive stance against organizations allied with Ukraine, which Russia invaded in 2014.

Researchers with security firm ESET say they found evidence that RomCom combined use of the two zero-day bugs -- described as such because the software makers had no time to roll out fixes before they were used to hack people -- to create a "zero click" exploit, which allows the hackers to remotely plant malware on a target's computer without any user interaction. "This level of sophistication demonstrates the threat actor's capability and intent to develop stealthy attack methods," ESET researchers Damien Schaeffer and Romain Dumont said in a blog post on Monday. [...] Schaeffer told TechCrunch that the number of potential victims from RomCom's "widespread" hacking campaign ranged from a single victim per country to as many as 250 victims, with the majority of targets based in Europe and North America. Mozilla and the Tor Project quickly patched a Firefox-based vulnerability after being alerted by ESET, with no evidence of Tor Browser exploitation. Meanwhile, Microsoft addressed a Windows vulnerability on November 12 following a report by Google's Threat Analysis Group, indicating potential use in government-backed hacking campaigns.

American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. From a report: The Health Care Cybersecurity and Resiliency Act of 2024 [PDF], introduced on Friday by US Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), would, among other things, require better coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) around cybersecurity in the healthcare and public health sector.

This includes giving HHS a year to implement a cybersecurity incident response plan and update the types of information displayed publicly via the department's breach reporting portal. Currently, all healthcare orgs that are considered "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) are required to notify HHS if they are breached. The new law would require breached entities to report how many people were affected by the security incident.

It would also mandate that the portal include details on "any corrective action taken against a covered entity that provided notification of a breach" as well as "recognized security practices that were considered" during the breach investigation, plus any other information that the HHS secretary deems necessary.

Blue Yonder, a Panasonic subsidiary specializing in AI-driven supply chain solutions, experienced a recent ransomware attack that impacted many of its customers. "Among its 3,000 customers are high-profile organizations like DHL, Renault, Bayer, Morrisons, Nestle, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury, and 7-Eleven," reports BleepingComputer. From the report: On Friday, the company warned that it was experiencing disruptions to its managed services hosting environment due to a ransomware incident that occurred the day before, on November 21. "On November 21, 2024, Blue Yonder experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident," reads the announcement. "Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols."

Blue Yonder claims it has detected no suspicious activity in its public cloud environment and is still processing multiple recovery strategies. [...] As expected, this has impacted clients directly, as a spokesperson for UK grocery store chain Morrisons has confirmed to the media they have reverted to a slower backup process. Sainsbury told CNN that it had contingency plans in place to overcome the disruption. A Saturday update informed customers that the restoration of the impacted services continued, but no specific timelines for complete restoration could be shared yet. Another update published on Sunday reiterated the same, urging clients to monitor the customer update page on Blue Yonder's website over the coming days.

A firmware update has left QNAP network-attached storage device owners unable to access their systems, with standard reset procedures failing to resolve the issue.

The problematic update, QTS 5.2.2.2950 build 20241114, was released last week before being partially withdrawn, according to user reports on QNAP's community forums. QNAP, the Taiwan-based storage manufacturer, has not specified which models are affected by the faulty firmware.

Palo Alto Networks boasts 70,000 customers in 150 countries, including 85% of the Fortune 500.

But this week "thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bug," reports the Register: The intruders were able to deploy web-accessible backdoors to remotely control the equipment as well as cryptocurrency miners and other malware. Roughly 2,000 devices had been hijacked as of Wednesday — a day after Palo Alto Networks pushed a patch for the holes — according to Shadowserver and Onyphe. As of Thursday, the number of seemingly compromised devices had dropped to about 800. The vendor, however, continues to talk only of a "limited number" of exploited installations... The Register has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor.

Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network. The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day — but it was still working on a patch. On Tuesday, PAN issued a fix, and at that time said there were actually two vulnerabilities. The first is a critical (9.3 CVSS) authentication bypass flaw tracked as CVE-2024-0012. The second, a medium-severity (6.9 CVSS) privilege escalation bug tracked as CVE-2024-9474. The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface... once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners, according to Wiz threat researchers.

Craig Newmark "is alarmed about potential cybersecurity risks in the U.S.," according to Yahoo Finance. The 71-year-old Craigslist founder says "our country is under attack now" in a new interview with Yahoo Finance executive editor Brian Sozzi on his Opening Bid podcast.

But Newmark also revealed what he's doing about it: [H]e started Craig Newmark Philanthropies to primarily invest in projects to protect critical American infrastructure from cyberattacks. He told Sozzi he is now spending $200 million more to address the issue, on top of an initial $100 million pledge revealed in September of this year. He encouraged other wealthy people to join him in the fight against cyberattacks. "I tell people, 'Hey, the people who protect us could use some help. The amounts of money comparatively are small, so why not help out,'" he said... The need for municipalities and other government entities to act rather than react remains paramount, warns Newmark. "I think a lot about this," said Newmark.

"I've started to fund networks of smart volunteers who can help people protect infrastructure, particularly [for] the small companies and utilities across the country who are responsible for most of our electrical and power supplies, transportation infrastructure, [and] food distribution.... A lot of these systems have no protection, so an adversary could just compromise them, saying unless you do what we need, we can start shutting off these things," he continued. Should that happen, recovery "could take weeks and weeks without your water supply or electricity."
A web page at Craig Newmark Philanthropies offers more details Craig was part of the whole "duck and cover" thing, in the 50s and 60s, and realizes that we need civil defense in the cyber domain, "cyber civil defense." This is patriotism, for regular people.

He's committed $100 million to form a Cyber Civil Defense network of groups who are starting to protect the country from cyber threats. Attacks on our power grids, our cyber infrastructure and even the internet-connected gadgets and appliances in our homes are real. If people think that's alarmist, tell them to "Blame Craig." The core of Cyber Civil Defense [launched in 2022] includes groups like Aspen Digital, Global Cyber Alliance, and Consumer Reports, focusing on citizen cyber education and literacy, cyber tool development, and cybersecurity workforce programs aimed at diversifying the growing field.
It's already made significant investments in groups like the Ransomware Task Force and threat watchdog group Shadowserver Foundation...

Slashdot reader Bruce66423 shared this report from the Guardian: Staff have resigned at Starling Bank after its new chief executive demanded thousands of workers attend its offices more frequently, despite lacking enough space to host them.

In his first major policy change since taking over from the UK digital bank's founder, Anne Boden, in March, Raman Bhatia has ordered all hybrid staff — many of whom were in the office only one or two days a week, or on an ad-hoc basis — to travel to work for a minimum of 10 days each month. But the bank, which operates online only, admitted that some of its offices would not be equipped to handle the influx... "We are considering ways in which we can create more space," an email sent by Starling's human resources team and seen by the Guardian said.

Starling has 3,231 staff, the vast majority of whom are in the UK with some also in Dublin. However, the Guardian understands that the bank has only about 900 desks, including 260 at its Cardiff site, 320 in its London headquarters and 155 in Southampton. The bank has a further 160 desks in its newest site in Manchester, where it has signed a 10-year lease to occupy the fifth floor of the Landmark building, which also houses Santander UK and HSBC staff... Some staff have already resigned over the "rushed" announcement, while others have threatened to do so...

The return to office announcement came a month after the Financial Conduct Authority hit Starling with a £29m fine after discovering "shockingly lax" controls that it said left the financial system "wide open to criminals". That included failures in its automated screening system for individuals facing government sanctions.
Starling Bank issued this statement to explain its reasoning. "By bringing colleagues together in person, our aim is to achieve greater collaboration that will benefit our customers as we enter Starling's next phase of growth."

The article also notes that the U.K. supermarket chain Asda "has also toughened its stance, making it compulsory for thousands of workers at its offices in Leeds and Leicester to spend at least three days a week at their desks from the new year."

"Steven Adair, of cybersecurity firm Veloxity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes Longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.

Microsoft has released a public preview of its redesigned Windows Recall feature, five months after withdrawing the original version due to security concerns. The feature will initially be available only on Qualcomm Snapdragon X Elite and Plus Copilot+ PCs running Windows Insider Dev channel build 26120.2415.

Recall, which continuously captures and indexes screenshots and text for later search, now includes mandatory encryption, opt-in activation, and Windows Hello authentication. The feature requires Secure Boot, BitLocker encryption, and attempts to automatically mask sensitive data like passwords and credit card numbers. The feature is exclusive to Copilot+ PCs equipped with neural processing units for local AI processing.

The Register's Simon Sharwood reports: Japan's National Consumer Affairs Center on Wednesday suggested citizens start "digital end of life planning" and offered tips on how to do it. The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so suggested four steps to simplify ensure our digital legacies aren't complicated:

- Ensuring family members can unlock your smartphone or computer in case of emergency;
- Maintain a list of your subscriptions, user IDs and passwords;
- Consider putting those details in a document intended to be made available when your life ends;
- Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.

The Center suggests now is the time for it to make this suggestion because it is aware of struggles to discover and resolve ongoing expenses after death. With smartphones ubiquitous, the org fears more people will find themselves unable to resolve their loved ones' digital affairs -- and powerless to stop their credit cards being charged for services the departed cannot consume.

An anonymous reader quotes a report from KrebsOnSecurity: The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company. London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra's day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.

On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra's internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems. "On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform," reads Finastra's disclosure, a copy of which was shared by a source at one of the customer firms. "There is no direct impact on customer operations, our customers' systems, or Finastra's ability to serve our customers currently," the notice continued. "We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing." But its notice to customers does indicate the intruder managed to extract or "exfiltrate" an unspecified volume of customer data.

Pakistan's IT Industry Association (P@SHA) -- the nation's sole tech biz lobby group -- has warned that government policy could lead to business closures and financial losses among its constituents, and damage the nation's IT exports. From a report: P@SHA's main beef is with a slowing of internet access speeds, and government-imposed service outages. Pakistan went offline in May 2022 around the time of mass political protests and blackouts have since persisted -- prompting services like freelance gig platform Fiverr to warn clients that hiring members from Pakistan could mean potential disruptions.

Fiverr matters in Pakistan, because the nation has a policy of encouraging freelancers to sell their services online as part of a plan to grow tech services exports. The nation even floated the idea of providing its freelance workers with a tax holiday, subsidized broadband and health insurance as a way of supporting the online labor force.

But freelancers have had a hard time of it since the August 2024 introduction of what appears to be a new national firewall. Pakistan has long tried to limit access to what it feels is inappropriate content, and the firewall was aimed at helping that effort. But it greatly slowed internet access speeds -- making life hard for freelancers and other online businesses.

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input. The report notes that attackers would need to have local access to the operation system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. From a report: Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk. Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials. Further reading: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices.

Apple has pushed out security updates that it says are "recommended for all users," after fixing a pair of security bugs used in active cyberattacks targeting Mac users. From a report: In a security advisory on its website, Apple said it was aware of two vulnerabilities that "may have been actively exploited on Intel-based Mac systems." The bugs are considered "zero day" vulnerabilities because they were unknown to Apple at the time they were exploited.

[...] The vulnerabilities were reported by security researchers at Google's Threat Analysis Group, which investigates government-backed hacking and cyberattacks, suggesting that a government actor may be involved in the attacks.

Microsoft has announced sweeping changes to Windows security architecture, including new recovery capabilities designed to prevent system-wide outages following July's CrowdStrike incident that disabled 8.5 million Windows devices.

The Windows Resiliency Initiative introduces Quick Machine Recovery, allowing IT administrators to remotely fix unbootable systems through an enhanced Windows Recovery Environment. Microsoft is also mandating stricter testing and deployment practices for security vendors under its Microsoft Virus Initiative, including gradual rollouts and monitoring procedures.

The company is also developing a framework to move antivirus processing outside the Windows kernel, with a preview planned for security partners in July 2025.

WhatsApp's newly unsealed court documents have exposed the extensive reach of NSO Group's Pegasus spyware operation, which targeted "between hundreds and tens of thousands" of devices, according to testimony from the company's head of research and development. The Israeli surveillance firm charged government customers up to $6.8 million for one-year licenses, generating at least $31 million in revenue in 2019 alone, TechCrunch first reported.

The documents detail previously unknown hacking tools named "Hummingbird," "Eden," and "Heaven," developed specifically to compromise WhatsApp users' devices. The revelations emerge from WhatsApp's ongoing 2019 lawsuit against NSO Group for alleged violations of U.S. anti-hacking laws.

Further reading: NSO, Not Government Clients, Operates Its Spyware.

Microsoft is planning to launch a new purpose-built miniature PC for its Windows 365 cloud service next year. The Verge: Windows 365 Link is a $349 device that acts like a thin client PC to connect to the cloud and stream a version of Windows 11. The Link device is designed to be a compact, fanless, and easy-to-use cloud PC for your local monitors and peripherals. It's meant to be the ideal companion to Microsoft's Windows 365 service, which lets businesses transition employees over to virtual machines that exist in the cloud and can be streamed securely to multiple devices. Windows 365 Link cannot run local apps.

In a technical blog post, Microsoft veteran Raymond Chen has explained why Windows 95's installation process required users to pass through three different operating systems -- MS-DOS, Windows 3.1, and Windows 95. The design choice stemmed from the need to support upgrades from multiple starting points while maintaining a graphical user interface throughout the process.

Rather than creating separate installers for MS-DOS, Windows 3.1, and Windows 95 users, developers opted for a unified approach using three chained setup programs. The process began with installing a minimal version of Windows 3.1 when starting from MS-DOS, followed by a 16-bit Windows application that handled core installation tasks, and concluded with a 32-bit Windows 95 program for final configuration steps.

Apple has stopped selling its Lightning-to-3.5mm headphone jack adapter in the U.S. and most countries, with limited stock remaining only in select European markets. The $9 accessory, introduced with iPhone 7 in 2016 (after the "courageous" move to stop including the headphone jack in iPhones), allowed users to connect traditional headphones to Lightning port iPhones. The discontinuation comes as Apple transitions to USB-C ports across its iPhone lineup.