Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
Chrome OS To Block USB Access While the Screen is Locked (zdnet.com)
Google will add a new security feature to Chrome OS, the company's web-based operating system that powers its Chromebook devices, it announced this week. From a report: The new feature, named USBGuard, will block USB port access while the device's screen is locked. According to a Chrome OS source code commit spotted by Chrome Story earlier this week, the new feature is currently available in Chrome OS Canary builds and is expected to land in the stable branch of Chrome OS soon. Once this happens, users can enable it by modifying the following Chrome OS flag: chrome://flags/#enable-usbguard . The way this security feature is meant to work is by preventing the operating system from reading or executing any code when a USB-based device is plugged in and the screen is locked. -
Australia, Canada, Japan, New Zealand and UK Accuse China of APT10 Hacking Spree (zdnet.com)
A day after the US Department of Justice charged two Chinese nationals with being members of a state-sponsored hacking group and accused the Chinese government of orchestrating a string of hacks around the world, five other governments have stepped in with similar accusations. From a report: Australia, Canada, Japan, New Zealand, and the UK have published official statements today formally blaming China for hacking their government agencies and local companies. All statements concern the alleged involvement of the Chinese Ministry of State Security (MSS) in supporting the activity of a hacking group known as APT10. In a DOJ indictment yesterday, the US says this group hacked companies in 12 countries, and later breached cloud service providers, wormed through their infrastructure, and hacked even more companies. US officials said the primary purpose of these hacks was to steal trade secrets and intellectual property that the Chinese government later passed to local Chinese companies, helping create an unfair advantage for local firms on the global market. -
Two Android Apps Used In Combat By US Troops Contained Severe Vulnerabilities (zdnet.com)
According to a Navy Inspector General report, U.S. military troops used two Android apps that contained severe vulnerabilities in live combat scenarios. "The two apps are named KILSWITCH (Kinetic Integrated Low-Cost Software Integrated Tactical Combat Handheld) and APASS (Android Precision Assault Strike Suite)," reports ZDNet. From the report: Both apps work by showing satellite imagery of surroundings, including objectives, mission goals, nearby enemy and friendly forces. The two apps work as a modern-day replacement for radios and paper maps and allow troops to use a real-time messaging client to coordinate with other military branches, and even call in air-strike support with a few simple screen taps, according to a DARPA press release and accompanying YouTube video. The apps have been under development since 2012 and, starting in 2015, they have been made generally available to all U.S. troops via a public app store managed by the National Geospatial-Intelligence Agency. But according to a Navy Inspector General report from March that was made public today, both apps contained vulnerabilities that could have allowed enemy forces access to troops' information.
The heavily redacted report doesn't detail the nature of the two vulnerabilities, but it does point out that the Navy had failed to control the distribution of these two applications, and later failed to warn troops of the danger they were in for almost a year. The report says that the two apps, KILSWITCH and APASS, were never meant or approved to be deployed in live combat zones. But because of their flashy features and easier-to-use interface, the two apps became wildly popular among U.S. troops, and also among other military branches, including foreign allied forces. -
Microsoft's New Office App for Windows 10 is Coming To All Office Users For Free (zdnet.com)
Microsoft has been looking for ways to simplify the way users log into Office and find their documents via its Office.com portal. On December 19, the company is taking another step in this area by introducing something it's calling simply the Office app for Windows 10. ZDNet: This new Office app is the successor to the existing "My Office" app that's already available to Windows users. Starting today, Windows Insider testers in the Fast ring can download this new app to test it, and it will roll out to all Windows 10 users "soon," officials said. My Office allows users to find and install all their Office 365 subscription-related components from a single place. It allows users to view and edit their recent documents, find tips, see their subscription benefits and more. The coming free Office for Windows 10 app can be used in conjunction with any Office variant -- Office 365 Commercial, Office 365 Consumer, a perpetual version of Office (like Office 2016 and 2019) or the web-based Office Online. -
Hackers Swipe Card Numbers From Local Government Payment Portals (zdnet.com)
A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US. From a report: In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details. Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it's used to handle payments for utility bills, permits, fines, and more.
FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe hackers are using one or more vulnerabilities in one of Click2Gov's components -- the Oracle WebLogic Java EE application server -- to gain a foothold and install a web shell named SJavaWebManage on hacked portals. Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov's debug mode, which, in turn, starts logging payment transactions, card details included. -
Google Working on Blocking Back Button Hijacking in Chrome (zdnet.com)
Google engineers are currently working on a Chrome browser update that will block malicious websites from hijacking the browser's history and, indirectly, the Back button. From a report: The issue at hand is a well-known tactic often seen employed by many shady sites across the Internet. A user would visit a website, then he'd accidentally click or tap on an ad, and be taken to a new page. But when the user presses the Back button to go back to the previous page, the browser just reloads the same page over and over again, keeping the user trapped on the ad page. [...] Recent source code updates to the Chromium project, the open-source browser engine behind the Chrome browser, reveal that Google engineers are planning to crack down on this type of abusive behavior. These code updates will allow Chrome to detect when browser history entries have been generated by user interaction, or by an automated method. -
Google Opens Document Editing To Users Without a Google Account (zdnet.com)
Google has listened to user feedback and is currently testing a feature that will let G Suite users invite non-Google account holders to view, comment, suggest edits, and even directly edit Google Docs, Sheets, and Slides files. From a report: This wasn't possible until now, and G Suite users could only share documents and request feedback from users that owned a Google account. The new feature will work via PINs (Personal Identification Numbers). Google said that G Suite users would be able to invite a non-Google user to view or edit a document via email. That email would contain a link to the shared document. Non-Google users will be able to open the link and request a PIN, which would be delivered via a second email. Once they enter the PIN code, users can then view or edit the shared file, based on the assigned permissions. -
Oracle's CTO: No Way a 'Normal' Person Would Move To AWS (zdnet.com)
Amazon may have turned off its Oracle data warehouse in favor of Amazon Web Services database technology, but no one else in their right mind would, Oracle's outspoken co-founder and CTO Larry Ellison says. From a report: "We have a huge technology leadership in database over Amazon," Ellison said on a conference call following the release of Oracle's second quarter financial results. "In terms of technology, there is no way that... any normal person would move from an Oracle database to an Amazon database." During last month's AWS re:Invent conference, AWS CTO Werner Vogels gave an in-the-weeds talk explaining why Amazon turned off its Oracle data warehouse. In a clear jab at Oracle, Vogels wrote off the "90's technology" behind most relational databases. Cloud native databases, he said, are the basis of innovation.
The remarks may have gotten under Ellison's skin. Moving from Oracle databases to AWS "is just incredibly expensive and complicated," he said Monday. "And you've got to be willing to give up tons of reliability, tons of security, tons of performance... Nobody, save maybe Jeff Bezos, gave the command, 'I want to get off the Oracle database.'" Ellison said that Oracle will not only hold onto its 50 percent relational database market share but will expand it, thanks to the combination of Oracle's new Generation 2 Cloud infrastructure and its autonomous database technology. "You will see rapid migration of Oracle from on-premise to the Oracle public cloud," he said. "Nobody else is going to go through that forced march to go on to the Amazon database." -
Taiwan To Shut Down 3G Networks By Year End (zdnet.com)
Consumers in Taiwan will only be able to use 4G services from 2019 as the government will shut down 3G services by the end of the year, according to a Sina news report on Monday, citing local Taiwan media reports. From a report: Although the vast majority of the population in Taiwan have shifted to 4G networks, there are still around 200,000 consumers using 3G. This has prompted local carriers to roll out incentives and promotions to get 3G users to shift onto the latest 4G plans. Taiwan's latest move to shut down 3G networks follows its earlier decision to remove all 2G networks on July 1, 2017, as local regulators and telecom operators continue to actively push for the development of 4G network coverage. As of March this year, the number of 4G users has already exceeded the population in Taiwan, said the report. The number of 3G users has declined to some 228,000 people in mid-November from 5.5 million in 2017. -
US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com)
An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles as part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.
Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why. -
The Decline of American Peyote (vice.com)
dmoberhaus writes: An investigation into the decline of America's peyote, a hallucinogenic cactus that is critically important to the rituals of the Native American Church, the largest pan-tribal religious organization in the U.S. Motherboard spoke with Dawn Davis, a researcher using satellite data to track the destruction of peyote's habitat, as well as Salvador Johnson, one of only four people who are licensed by the DEA to harvest and sell peyote in the U.S. "In 2011, Davis traveled to the peyote gardens for the first time and met with Johnson," reports Motherboard. "Davis said that Johnson was following many conservation best practices, such as cycling through the areas where peyote is harvested, but this hadn't slowed the steady decrease in the size and quantity of peyote buttons in his harvests. Today, the biggest threats to peyote continue to be rapid land development, poaching, and rooting by feral pigs -- problems that responsible harvesting by peyoteros can't solve."
While there has been an increase in the number of indigenous people growing peyote in greenhouses, this is only a temporary solution to the conservation crisis. Davis is advocating for conservation easements or tax breaks for landowners to encourage the protection of peyote. She also said it will be necessary to push for the DEA to reschedule peyote, which is still considered a Schedule I substance that has "no currently accepted medical use." This makes it exceedingly hard for individuals to become licensed peyoteros. -
Bing Recommends Piracy Tutorial When Searching For Office 2019 (zdnet.com)
aafrn writes: Microsoft is sending users who search for Office 2019 download links via its Bing search engine to a website that teaches them the basics about pirating the company's Office suite. This happens every time users search for the term "office 2019 download" on Bing. The result is a Bing search card (highlighted search results) that links to a piracy tutorial that teaches users how to install uTorrent, download a torrent file, and install an Office crack file. Fortunately, the torrent download links are down, but experts believe the link was used to spread malware. -
Data-Wiping Malware Destroys Data At Italian and UAE Oil and Gas Companies (zdnet.com)
An anonymous reader writes: A new variant of the Shamoon malware was discovered on the network of an Italian and UAE oil and gas company. While the damage at the UAE firm is currently unknown, the malware has been confirmed to have destroyed files on about ten percent of the Italian company's PC fleet. Shamoon is one of the most dangerous strains of malware known to date. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Aramco, Saudi Arabia's largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images (burning U.S. flag and body of Alan Kurdi). The 2012 attack was devastating in particular, with Shamoon wiping data on over 30,000 computers, crippling the company's activity for weeks. Historically, the malware has been tied to the Iranian regime, but it's unclear if Iranian hackers were behind these latest attacks. This new Shamoon version was revealed to the world when an Italian engineer uploaded the malware on VirusTotal, triggering detections at all major cyber-security firms across the globe. -
WordPress Plugs Bug that Led to Google Indexing Some User Passwords (zdnet.com)
A week after releasing the v5.0 major update, WordPress has pushed the first security patch for its popular CMS. ZDNet: Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak. The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords. This leak could have catastrophic consequences if the user has an admin role or if the user didn't change his default password, as is regularly advised. -
Microsoft Is Readying a Consumer Microsoft 365 Subscription Bundle (zdnet.com)
Microsoft is working on a new "Microsoft 365 Consumer" bundle that "will be the consumer-focused complement to Microsoft's existing Microsoft 365 subscription bundle for business users," reports ZDNet. From the report: A couple of recent Microsoft job postings mention the consumer subscription bundle, which Microsoft has yet to announce publicly. One job posting for a Product Manager for the "M365 Consumer Subscription" notes: "The Subscription Product Marketing team is a new team being created to build and scale the Microsoft 365 Consumer Subscription." The job description says the product manager for this service will help "identify, build, position and market a great new Microsoft 365 Consumer Subscription."
The job post notes that the team behind Microsoft 365 Consumer oversees the Windows platform, the Microsoft Surface device portfolio, Office 365 consumer plans, Skype, Cortana, Bing search, as well as the Microsoft Education team. If I were betting on what Microsoft 365 Consumer might include, I'd think some variant of Windows 10, Office 365 Home, Skype, Cortana, Bing, Outlook Mobile, Microsoft To-Do and maybe MSN apps and services could figure into the picture. Maybe this subscription will be tied to Surface devices only? Maybe a monthly leasing fee for Surfaces will be part of the bundle itself? -
Data-Wiping Malware Shamoon Destroys Files At Italian Oil and Gas Company; Other Energy Companies Operating in the Middle East Warned of Cyber Attacks (zdnet.com)
An anonymous reader writes: A new variant of the Shamoon malware was discovered on the networks of an Italian and a UAE oil and gas company. While the damage at the UAE firm is currently unknown, the malware has been confirmed to have destroyed files on about ten percent of the Italian company's PC fleet.
Shamoon is one of the most dangerous strains of malware known to date. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Aramco, Saudi Arabia's largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images (burning US flag, body of Alan Kurdi). The 2012 attack was devastating in particular, with Shamoon wiping data on over 30,000 computers, crippling the company's activity for weeks. Historically, the malware has been tied to the Iranian regime, but it's unclear if Iranian hackers were behind these latest attacks. This new Shamoon version was revealed to the world when an Italian engineer uploaded the malware to VirusTotal, triggering detections at all major cyber-security firms across the globe. -
Ships Infected With Ransomware, USB Malware, Worms (zdnet.com)
An anonymous reader writes: IT systems on boats aren't as air-gapped as people think and are falling victim to all sorts of cyber-security incidents, such as ransomware, worms, viruses, and other malware -- usually carried on board via USB sticks. These cyber-security incidents have been kept secret until now, and have only recently been revealed as past examples of what could go wrong, in a new "cyber-security guideline" released by 21 international shipping associations and industry groups. One of the many incidents: "A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship's master and officers. A producer technician was required to visit the ship and, after spending a significant time in troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection in this case are unknown. The delay in sailing and costs in repairs totaled in the hundreds of thousands of dollars (U.S.)." The document also highlights an incident involving ransomware. "For example, a shipowner reported not one, but two ransomware infections, both occurring due to partners, and not necessarily because of the ship's crew," reports ZDNet. Another ransomware incident occurred because the ship failed to set up proper (RDP) passwords: A ransomware infection on the main application server of the ship caused complete disruption of the IT infrastructure. The ransomware encrypted every critical file on the server and as a result, sensitive data were lost, and applications needed for the ship's administrative operations were unusable. The incident kept recurring even after complete restoration of the application server.
The root cause of the infection was poor password policy that allowed attackers to brute force remote management services successfully. The company's IT department deactivated the undocumented user and enforced a strong password policy on the ship's systems to remediate the incident. -
ESET Discovers 21 New Linux Malware Families (zdnet.com)
In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions. -
Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)
Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious site, but these websites aren't abusing some new never-before-seen trick; they are abusing a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007. The bug comes down to a malicious website embedding an iframe inside its source code. The iframe makes an HTTP authentication request on another domain.
[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users to sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop. -
Electron and the Decline of Native Apps (daringfireball.net)
SwiftOnSecurity, regarding Microsoft's switch to Chromium as Windows's built-in rendering engine: This isn't about Chrome. This is about ElectronJS. Microsoft thinks EdgeHTML cannot get to drop-in feature-parity with Chromium to replace it in Electron apps, whose duplication is becoming a significant performance drain. They want to single-instance Electron with their own fork. Electron is a cancer murdering both macOS and Windows as it proliferates. Microsoft must offer a drop-in version with native optimizations to improve performance and resource utilization. This is the end of desktop applications. There's nowhere but JavaScript. John Gruber of DaringFireball: I don't share the depth of their pessimism regarding native apps, but Electron is without question a scourge. I think the Mac will prove more resilient than Windows, because the Mac is the platform that attracts people who care. But I worry. In some ways, the worst thing that ever happened to the Mac is that it got so much more popular a decade ago. In theory, that should have been nothing but good news for the platform -- more users means more attention from developers. The more Mac users there are, the more Mac apps we should see.
The problem is, the users who really care about good native apps -- users who know HIG violations when they see them, who care about performance, who care about Mac apps being right -- were mostly already on the Mac. A lot of newer Mac users either don't know or don't care about what makes for a good Mac app. -
US Senator Attacks Failure To Crack Down On Google's Ad Fraud Problems (zdnet.com)
Democrat Senator Mark Warner "says Google is profiting off advertising fraud and has no interest in addressing it," reports ZDNet -- and he's laying part of the blame on America's trade commissioners. Warner is just as mad about the FTC as he is about Google, claiming the FTC has failed to take action against the Mountain View-based company for more than two years since he and New York Democrat Senator Chuck Schumer first wrote the agency about Google's ad fraud problem. "The FTC's failure to act has had the effect of allowing Google to structure its own market," said Sen. Warner in a letter sent to the FTC... "While the company controls each link in the supply chain and therefore maintains the power to monitor activity in the digital advertising market from start to finish, it has continued to be caught flat-footed in identifying and addressing digital ad fraud."
Sen. Warner also called out Google for proving unwilling to address misuse of its advertising platform for the "rampant proliferation of online disinformation" -- referring to how various foreign entities have used Google ads to push political agendas, both in the US and other countries of the world. "As long as Google stands to profit from the sale of additional advertisements, the financial incentive for it to voluntarily root out and address fraud remains minimal," Sen. Warner added. -
Is Visual Basic .NET More Popular Than JavaScript? (zdnet.com)
Microsoft's Visual Basic .NET now ranks above JavaScript, PHP, and SQL on TIOBE's index of programming language popularity, which ZDNet notes is "the highest it's ever been since [TIOBE] started tracking the Microsoft language in 2001." Tiobe analysts said it was "very surprising" that Visual Basic .Net is now the fifth most popular language, only behind C++, Python, C, and Java. It's even ahead of JavaScript, which currently lies in seventh place, down from sixth a year ago. C# meanwhile fell from fifth spot a year ago to sixth this month. The language index still reckons Visual Basic .Net will "sooner or later go into decline", but concedes it's popular for dedicated office applications in small and medium enterprises, and is probably still used by many developers because it's easy to learn.
TIOBE's methodology "basically...comes down to counting hits for the search query +"<language> programming," TIOBE explains on its web page -- though its results don't always agree with other analysts.
InfoWorld points out that this month's PyPL Popularity of Programming Language index, which analyzes how often language tutorials are searched for on Google, "doesn't even register Visual Basic.Net or Visual Basic among its Top 10 languages" -- and there JavaScript comes in third, behind only Python and Java. -
FCC To Probe Whether Carriers Gave Inaccurate Broadband Coverage Data (zdnet.com)
The FCC is launching an investigation into whether one or more major carriers gave the agency inaccurate maps of their broadband coverage, violating the rules of an initiative that provides subsidies for rural coverage. ZDNet reports: The initiative, called the Mobility Fund Phase II program "can play a key role in extending high-speed Internet access to rural areas across America," he continued. "In order to reach those areas, it's critical that we know where access is and where it is not."
The initiative is reallocating $4.5 billion in previously-approved funding to bring high-speed mobile broadband service to rural Americans over the course of 10 years. The agency is using a competitive reverse auction to distribute the funds to private providers. To determine eligibility, mobile providers were required to submit current, standardized coverage data. -
DHS Looking Into Tracking Monero and Zcash Transactions (zdnet.com)
The US Department of Homeland Security (DHS) is interested in acquiring technology solutions that can track newer cryptocurrencies, such as Zcash and Monero. From a report: According to a pre-solicitation document [PDF], the DHS wants to know if this is possible, before filing an official solicitation request later down the line. The DHS said that "prior efforts have addressed Bitcoin analytics," but now the agency and the law enforcement agencies under its supervision are looking into similar cryptocurrency analytics solutions that can be used to track so-called privacy coins -- cryptocurrencies that support anonymous transactions.
"A key feature underlying these newer blockchain platforms that is frequently emphasized is the capability for anonymity and privacy protection," the DHS document said. "While these features are desirable, there is similarly a compelling interest in tracing and understanding transactions and actions on the blockchain of an illegal nature. This proposal calls for solutions that enable law enforcement investigations to perform forensic analysis on blockchain transactions," it added. -
Opinion: 5G Has an Exciting Future When It Comes To Dedicated Mobile Apps But Will Do Little To Improve Our General Browsing Experiences. (zdnet.com)
Charlie Osborne, writing for ZDNet: However, there is a problem that no-one is talking about: the conflict between the rapid acceleration of wireless technologies and politics which is, unwittingly, going to render some of these improvements potentially pointless.
In the UK and across Europe, there are two laws of particular interest: the EU's 2018 General Data Protection Regulation (GDPR) and the so-called Cookie Law, passed in 2012. Ever heard someone expel a breath and a long list of expletives while they are attempting to look something up, book a service, or fact-check through the Internet on their smartphone? The likelihood is, they've come across both regulations in full force, stirring up annoyance and a rapid, frustrated smashing of fingers to screen as pop-ups scream for consent, T&Cs demand acceptance, and visitors must go through tick-lists of what data they are happy to be collected and in what manner.
The EU's GDPR, which enforced data reform, protection, and collection changes across Europe, has resulted in a plethora of pop-ups which delight in lecturing visitors on data collection practices. Combine these two well-meaning regulations and you have a melting pot of sheer frustration when it comes to mobile browsing. When you are forced to stop and be lectured by pop-ups at every turn which must be manually shut down, one by one, it really doesn't matter how quickly you were brought to the page in the first place. -
Australia Passes Anti-Encryption Laws [Update] (zdnet.com)
Earlier today, Australia's House of Representatives passed the Assistance and Access Bill. The Anti-Encryption Bill, as it is known, would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content agencies they want access to. "While the Bill can still be blocked by the Senate -- Australian Twitter has been quite vocal over today's proceedings, especially in regards to the [Australian Labor Party's] involvement," reports Gizmodo. ZDNet highlights the key findings from a report from the Parliamentary Joint Committee on Intelligence and Security (PJCIS): The threshold for industry assistance is recommended to be lifted to offenses with maximum penalties in excess of three years; Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) will be subjected to statutory time limits, as well as any extension, renewal, or variation to the notices; the systemic weakness clause is to apply to all listed acts and things; and the double-lock mechanism of approval from the Attorney-General and Minister of Communications will be needed, with the report saying the Communications Minister will provide "a direct avenue for the concerns of the relevant industry to be considered as part of the approval process."
The report's recommendations also call for a review after 18 months of the Bill coming into effect by the Independent National Security Legislation Monitor; TANs issued by state and territory police forces to be approved by the Australian Federal Police commissioner; companies issued with notices are able to appeal to the Attorney-General to disclose publicly the fact they are issued a TCN; and the committee will review the passed legislation in the new year and report by April 3, 2019, right around when the next election is expected to be called. In short: "Testimony from experts has been ignored; actual scrutiny of the Bill is kicked down the road for the next Parliament; Labor has made sure it is not skewered by the Coalition and seen to be voting against national security legislation on the floor of Parliament; and any technical expert must have security clearance equal to the Australia's spies, i.e. someone who has been in the spy sector." Further reading: Australia Set To Spy on WhatsApp Messages With Encryption Law.
UPDATE: The encryption bill has passed the Senate with a final vote of 44-12, with Labor and the Coalition voting for it. "Australia's security and intelligence agencies now have legal authority to force encryption services to break the encryptions," reports The Guardian. Story is developing... -
Cyber-Espionage Group Uses Chrome Extension To Infect Victims (zdnet.com)
In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers. From a report: This is the first time an APT (Advanced Persistent Threat -- an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension, although it's not the first time one has used a browser extension, as the Russian-linked Turla APT previously used a Firefox add-on in 2015. A report that's going to be published later today by the ASERT team at Netscout reveals the details of a spear-phishing campaign that's been pushing a malicious Chrome extension since at least May 2018.
Hackers used spear-phishing emails to lure victims on websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager. -
Researchers Discover SplitSpectre, a New Spectre-like CPU Attack (zdnet.com)
An anonymous reader writes from a report via ZDNet: Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018. The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out. Researchers say a SplitSpectre attack is both faster and easier to execute, improving an attacker's ability to recover code from targeted CPUs. The research team says they were successfully able to carry out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox's JavaScript engine. The good news is that existing Spectre mitigations would thwart the SplitSpectre attacks. -
Kubernetes' First Major Security Hole Discovered (zdnet.com)
Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster. -
Twitter User Hacks 50,000 Printers To Tell People To Subscribe To a YouTube Channel (zdnet.com)
An anonymous reader writes: A Twitter user using the pseudonym of @TheHackerGiraffe has hacked over 50,000 printers to print out flyers telling people to subscribe to PewDiePie's YouTube channel. The message the printers received was a simple one. It urged people to subscribe to PewDiePie's YouTube channel in order for PewDiePie -- a famous YouTuber from Sweden, real name Felix Kjellberg -- to keep the crown of most-subscribed YouTube channel.
If this sounds ...odd... it's because over the past month, an Indian record label called T-Series has caught up and surpassed PewDiePie, once considered untouchable in terms of YouTube followers. The Swedish YouTube star made a comeback after his fans banded together in various social media campaigns, but T-Series is catching up with PewDiePie again. -
By 2025, Nearly 30 Percent of Data Generated Will Be Real-Time, IDC Says (zdnet.com)
An anonymous reader quotes a report from ZDNet: As global connectivity grows, allowing more data to be generated and collected, a growing portion of that data will be real-time information, according to IDC. By 2025, nearly 30 percent of the so-called "global datasphere" will be real-time information, IDC says in a new white paper, sponsored by Seagate. By comparison, real-time data represented 15 percent of the datasphere in 2017, according to the report. IDC defines the "global datasphere" as "the quantification of the amount of data created, captured, and replicated across the world." All told, of the 150 billion devices that will be connected across the globe in 2025, most will be creating real-time data, IDC says. The global datasphere is expected to grow from 23 Zettabytes (ZB) in 2017 to 175 ZB by 2025. One zettabyte is equivalent to a trillion gigabytes. -
After Microsoft Complaints, Indian Police Arrest Tech Support Scammers At 26 Call Centers (zdnet.com)
An anonymous reader quotes a report from ZDNet: New Delhi police have arrested 63 suspects in the last two months working and operating 26 call centers that were engaging in tech support scams, posing as tech support staff at Microsoft, Google, Apple, and other major tech companies. The raids on Delhi-based call centers have taken place over the last two months, Microsoft said. Police first raided 10 call centers and arrested 24 people in October, and then raided 16 other call centers and made 39 more arrests this week.
Microsoft said its staff received over 7,000 victim reports associated with the 16 call centers raided this week, from over 15 countries. Users reported paying between $100 and $500 for unnecessary tech support services and products. The raids resulted in the seizure of substantial evidence including call scripts, live chats, voice call recordings and customer records from tech support fraud operations, Microsoft said. The Delhi police's crackdown on tech support call centers came after Microsoft filed legal complaints earlier this year. Microsoft has been collecting customer complaints about tech support scams since 2014, via its "Report a technical support scam" portal. -
US iOS Users Targeted by Massive Malvertising Campaign (zdnet.com)
A cyber-criminal group known as ScamClub has hijacked over 300 million browser sessions over 48 hours to redirect users to adult and gift card scams, a cyber-security firm revealed this week. From a report: The traffic hijacking has taken place via a tactic known as malvertising, which consists of placing malicious code inside online ads. In this particular case, the code used by the ScamClub group hijacked a user's browsing session from a legitimate site, where the ad was showing, and redirected victims through a long chain of temporary websites, a redirection chain that eventually ended up on a website pushing an adult-themed site or a gift card scam.
These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today. "On November 12 we've seen a huge spike in our telemetry," Jerome Dangu, Confiant co-founder and CTO, told ZDNet in an email. Dangu says his company worked to investigate the huge malvertising spike and discovered ScamClub activity going back to August this year. -
IBM Aims To Meld AI With Human Resources With Watson Suite (zdnet.com)
PolygamousRanchKid shares a report from ZDNet (with some commentary): IBM has launched a unit designed for human resources to better find talent and recruit using artificial intelligence. The company is wrapping its latest HR effort, dubbed IBM Talent & Transformation, which includes select Watson services. According to IBM, its suite of AI tools can help HR become a growth engine to enable digital transformation. AI can be used to revamp workflow, employee engagement, recruitment and retention while providing a more diverse workforce. (I can still program Fortran; I learned it from Forman S. Acton -- does that make me diverse enough?) Big Blue's Talent & Transformation suite includes a Watson Talent Suite that rolls up behavioral science, AI and psychology and applies it to HR. (Sounds like the recipe for The Apocalypse to me.) IBM Garage, which serves as a test bed to meld HR, AI and culture, will also be available. (Garage? It sounds like the creepy CRISPR basement of a mad scientist to me.) -
Dell Says It Detected A Security Breach Earlier This Month, But Financial Data Was Not Exposed (zdnet.com)
An anonymous reader writes: "Hardware giant Dell announced today a security breach that took place earlier this month, on November 9," reports ZDNet. "Dell says it detected an unauthorized intruder (or intruders) 'attempting to extract Dell.com customer information' from its systems, such as customer names, email addresses, and hashed passwords." These are accounts used for shopping on the official website and the official support forums. "Though it is possible some of this information was removed from Dell's network, our investigations found no conclusive evidence that any was extracted," the company said in a press release, also adding that hackers didn't target payment card or any other sensitive customer information. After it detected the breach, Dell initiated a password reset for all Dell.com customer accounts. The company also said it notified law enforcement and hired a digital forensics firm to perform an independent investigation. -
Amazon Unveils Elastic Inference, FSx for Windows File Server, Inferentia, Self-driving Racing League DeepRacer, SageMaker Ground Truth, and Outposts
Amazon Web Services announced a slew of new or updated offerings at its cloud-computing conference in Las Vegas, seeking to maintain its lead in the market for internet-based computing. Following is a rundown.
Amazon Elastic Inference is a new service that lets customers attach GPU-powered inference acceleration to any Amazon EC2 instance and reduces deep learning costs by up to 75 percent. From a report: "What we see typically is that the average utilization of these P3 instances GPUs are about 10 to 30 percent, which is pretty wasteful with elastic inference. You don't have to waste all that costs and all that GPU," AWS chief executive Andy Jassy said onstage at the AWS re:Invent conference earlier today. "[Amazon Elastic Inference] is a pretty significant game changer in being able to run inference much more cost-effectively."
While the majority of workloads in the cloud are Linux-based, Amazon Web Services (AWS) CEO Andy Jassy said he is well aware that Windows is still significant, and as a result his company launched a new fully managed Windows file system built on native Windows file servers. From a report: "What we were hoping to do was make this Windows file system work as part of EFS -- would have been much easier for us to layer on another file system ... because it's much easier if you're trying to build a business at scale," he explained. However, he said customers wanted a native Windows file system and they "weren't being flexible." "So we changed our approach," he continued.
Inferentia is the company's own dedicated machine learning chip. From a report: "Inferentia will be a very high-throughput, low-latency, sustained-performance very cost-effective processor," AWS CEO Andy Jassy explained during the announcement. Holger Mueller, an analyst with Constellation Research, says that while Amazon is far behind, this is a good step for them as companies try to differentiate their machine learning approaches in the future. Inferentia supports popular frameworks like INT8, FP16 and mixed precision. What's more, it supports multiple machine learning frameworks, including TensorFlow, Caffe2 and ONNX.
TechCrunch writes about SageMaker Ground Truth: You can't build a good machine learning model without good training data. But building those training sets is hard, often manual work, that involves labeling thousands and thousands of images, for example. With SageMaker, AWS has been working on a service that makes building machine learning models a lot easier. But until today, that labeling task was still up to the user. Now, however, the company is launching SageMaker Ground Truth, a training set labeling service. Using Ground Truth, developers can point the service at the storage buckets that hold the data and allow the service to automatically label it. What's nifty here is that you can both set a confidence level for the fully automatic service or you can send the data to human laborers.
GeekWire writes about the self-driving racing league and DeepRacer: Amazon Web Services chief and big sports fan Andy Jassy on Wednesday in Las Vegas unveiled a first-of-its-kind global autonomous racing league called AWS DeepRacer. The league features AWS DeepRacer, a 1/18th scale radio-controlled, self-driving four-wheel race car designed to help developers learn about reinforcement learning, a type of machine learning feature found in Amazon SageMaker. It features an Intel Atom processor; a 4-megapixel camera with 1080p resolution; multiple USB ports; and a 2-hour battery.
And Outposts: Starting next year, AWS will allow customers to order the same hardware that it uses to power its cloud services to run in their own data centers through a service called AWS Outposts. Building on its partnership with VMware, AWS Outposts will allow customers to enjoy a consistent set of hardware, software and services across their own servers and cloud servers, said AWS CEO Andy Jassy. Customers will have two options: they can run VMware Cloud on AWS on AWS Outposts, or they can run something called "AWS native" to enable this hybrid cloud setup.
AWS will "deliver racks, install them, and then we'll do all the maintenance and repair on them," Jassy said. -
Microsoft Warns Of Two Apps That Installed Root Certificates Then Leaked the Private Keys (zdnet.com)
Catalin Cimpanu, reporting for ZDNet: Microsoft has issued a security advisory this week warning that two applications accidentally installed two root certificates on users' computers, and then leaked the private keys for all. The software developer's mistake means that malicious third-parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come.
The two applications are HeadSetup and HeadSetup Pro, both developed by German audio hardware company Sennheiser. The software is used to set up and manage softphones -- software apps for making telephone calls via the Internet and a computer, without needing an actual physical telephone. The issue with the two HeadSetup apps came to light earlier this year when German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 installed two root Certification Authority (CA) certificates into the Windows Trusted Root Certificate Store of users' computers but also included the private keys for all in the SennComCCKey.pem file. -
Microsoft's Multi-Factor Authentication Service Goes Down For Second Week in a Row (zdnet.com)
Just over a week after a global problem with its multi-factor authentication (MFA) service plagued a number of users, another Microsoft MFA outage is impacting a number of customers. Many, but not all, of the customers reporting problems today seem to be U.S.-based. From a report: Starting around 9:15 a.m. ET, a number of Office 365 customers began reporting on Twitter that they were unable to sign into that service because of an MFA issue. Office 365 is one of a number of Microsoft services that uses Azure Active Directory MFA to authenticate. Around 10:15 a.m. ET, Microsoft's Azure status dashboard was updated to reflect the possibility of a cross-region potential outage impacting MFA. "Impacted customers may experience failures when attempting to authenticate into Azure resources where MFA is required by policy. Engineers are investigating the issue and the next update will be provided in 60 minutes or as events warrant," the dashboard status said. -
Germany Proposes Router Security Guidelines (zdnet.com)
The German government would like to regulate what kind of routers are sold and installed across the country. From a report: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance. The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features. -
Two Linux Kernels Revert Performance-Killing Spectre Patches (phoronix.com)
Friday Greg Kroah-Hartman released stable point releases of Linux kernel 4.19.4, as well as 4.14.83 and 4.9.139. While they were basic maintenance updates, the 4.19.4 and 4.14.83 releases are significant because they also reverted the performance-killing Spectre patches (involving "Single Thread Indirect Branch Predictors", or STIBP) that had been back-ported from Linux 4.20, according to Phoronix:
There is improved STIBP code on the way for Linux 4.20 that by default just applies STIBP to SECCOMP threads and processes requesting it via prctl() but otherwise is off by default (that behavior can also be changed via kernel parameters). Once that code is ready to go for Linux 4.20, we may see it then back-ported to these stable trees.
Aside from reverting STIBP, these point releases just have various fixes in them as noted for 4.19.4, 4.14.83, and 4.9.139.
Last Sunday Linus Torvalds complained that the performance impact of the STIBP code "was clearly way more expensive than people were told," according to ZDNet: "When performance goes down by 50 percent on some loads, people need to start asking themselves whether it was worth it. It's apparently better to just disable SMT entirely, which is what security-conscious people do anyway," wrote Torvalds. "So why do that STIBP slow-down by default when the people who *really* care already disabled SMT?" -
Rowhammer Attacks Can Now Bypass ECC Memory Protections (zdnet.com)
Catalin Cimpanu, reporting for ZDNet: Academics from the Vrije University in Amsterdam, Holland, have published a research paper this week describing a new variation of the Rowhammer attack. For readers unfamiliar with the term, Rowhammer is the name of a class of exploits that takes advantage of a hardware design flaw in modern memory cards. By default, a memory card stores temporary data inside storage units named cells, which are arranged on the physical silicon chip in multiple rows, in the form of a grid. [...] In research [PDF] published today, named ECCploit, academics expanded the previous Rowhammer techniques with yet another variation. This one, they said, bypasses ECC memory, one of the memory protections that hardware makers said could detect and prevent Rowhammer attacks in the past.
ECC stands for Error-Correcting Code and is a type of memory storage included as a control mechanism with high-end RAM, typically deployed with expensive or mission-critical systems. ECC memory works by protecting against rogue bit flips, like the ones caused by Rowhammer attacks. Surprisingly, it wasn't developed to deal with Rowhammer. It was initially developed in the 90s to protect against bit flips caused by alpha particles, neutrons, or other cosmic rays, but when Rowhammer came out, it also proved to be effective against it, as well. But after spending months reverse engineering the designs of ECC memory, the Vrije University team discovered that this protection mechanism has its limits. -
New Linux Crypto-miner Steals Your Root Password and Disables Your Antivirus (zdnet.com)
Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes by. ZDNet reports: The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn't have a distinctive name, yet, being only tracked under its generic detection name of Linux.BtcMine.174. But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is to find a folder on disk to which it has write permissions so it can copy itself and later use it to download other modules. Once the trojan has a foothold on the system, it uses one of two privilege escalation exploits, CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094, to get root permissions and have full access to the OS. -
Google Developer Says Chrome Team is Working on a Scrollable Tabstrip For the Browser (techdows.com)
If you're a tab-hoarder, and you use the Chrome browser, Google may have some news for you soon. The company is working on a scrollable tabstrip to make it easier for users to navigate through tabs, a developer was quoted as saying. Peter Kasting, who works on Chrome UI, said, "scrollable tabstrip is in the works. In the meantime, try shift-clicking and ctrl-clicking to select multiple tabs at once, then drag out to separate windows to group tabs by window." TechDows, which first reported the development: We're expecting this as the related bug, the 'UI: tab overflow' bug created 10 years back, reports that opening too many tabs causes the add-tab button (+) to disappear and tabs not to scroll; the expected result has been listed as 'scrollable tabs.' Further reading: Google is raiding Firefox for Chrome's next UI features. -
IBM: Chip Making is Hitting Its Limits, But Our Techniques Could Solve That (zdnet.com)
IBM has devised materials and processes that could help improve the efficiency of chip production at the 7nm node and beyond. From a report: The company's researchers are working on challenges in the emerging field of 'area-selective deposition', a technology that could help overcome limitations on lithographic techniques to create patterns on silicon in 7nm processes. Semi Engineering has a neat account of lithographic patterning and why at 7nm there's growing interest in area-selective deposition. Techniques such as 'multiple patterning' helped ensure integrated circuits kept scaling, but as chips have shrunk from 28nm to 7nm processes, chipmakers have needed to process more layers with ever-smaller features that need more precise placement on patterns. Those features need to align between layers. When they don't, it leads to 'edge placement error' (EPE), a challenge that Intel lithography expert Yan Borodovsky believed lithography couldn't solve and which would ultimately impede Moore's Law. -
Russia Wants DNC Hack Lawsuit Thrown Out, Citing International Conventions (zdnet.com)
An anonymous reader quotes a report from ZDNet: The Russian Federation has responded to a lawsuit filed by the Democratic National Committee and has requested the overseeing court to throw out the lawsuit altogether. The lawsuit, filed by the DNC in April 2018, names a slew of figures as defendants, such as the Russian state, Russia's military intelligence service GRU, the hacker known as Guccifer 2.0, WikiLeaks and its founder Julian Assange, and several members of the Trump campaign, such as Donald Trump, Jr., Paul Manafort, Roger Stone, Jared Kushner, and George Papadopoulos. According to an 87-page indictment, the DNC accused Russia and the other defendants of carrying out the hacking of DNC servers in 2016 and then leaking data online via the WikiLeaks portal in an orchestrated manner for the benefit of the Trump presidential campaign.
The lawsuit, which has its own Wikipedia page and was likened to a lawsuit the DNC filed against Nixon after the Watergate scandal, seeks damages, but also for the court to issue a declaration about the defendants' conspiracy. But in a letter sent to a New York court, presented by the Russian Embassy in the U.S. and signed by a representative of the Russian Ministry of Justice, the Russian Federation wants the lawsuit thrown out. In the 12-page letter, the Russian Federation argues that the U.S. Foreign Sovereign Immunities Act ("FSIA") grants Russia immunity. "The FSIA provides that foreign sovereign States enjoy absolute jurisdictional immunity from suit unless a plaintiff can demonstrate that one of the FSIA's enumerated 'exceptions' applies'," the letter argues. "The DNC's allegations regarding a purported 'military attack' by 'Russia's military intelligence agency' do not fall within any of the FSIA's enumerated exceptions to the Russian Federation's sovereign immunity."
"Any alleged 'military attack' is a quintessential sovereign act that does not fall within any exception to the FSIA or the customary international law of foreign sovereign immunity. The Russian Federation's sovereign immunity with respect to claims based upon such allegations is absolute." -
Popular Dark Web Hosting Provider Got Hacked, 6,500 Sites Down (zdnet.com)
Daniel's Hosting, one of the largest providers of Dark Web hosting services, was hacked this week and taken offline, ZDNet reports. From a report: The hack took place on Thursday, November 15, according to Daniel Winzen, the software developer behind the hosting service. "As per my analysis it seems someone got access to the database and deleted all accounts," he said in a message posted on the DH portal today. Winzen said the server's root account was also deleted, and that all 6,500+ Dark Web services hosted on the platform are now gone. "Unfortunately, all data is lost and per design, there are no backups," Winzen told ZDNet in an email today. "I will bring my hosting back up once the vulnerability has been identified and fixed." -
AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks (zdnet.com)
Amazon's Web Services division rolled out new security features to AWS account owners last week that are meant to prevent accidental data exposures caused by the misconfiguration of S3 data storage buckets. From a report: Starting today, AWS account owners will have access to four new options inside their S3 dashboards under the "Public access settings for this account" section. These four new options allow the account owner to set a default access setting for all of an account's S3 buckets. These new account-level settings will override any existing or newly created bucket-level ACLs (access control lists) and policies. Account owners will have the ability to apply these new settings for S3 buckets that will be created from now onwards, to apply the new setting retroactively, or both. -
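The four account-level options the story describes, as an added example that is not part of the ZDNet report and not AWS's own code: a small offline Python model of how they interact with a bucket's ACL and bucket policy. The flag names used here (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) are the fields of the PublicAccessBlockConfiguration that the S3 and S3 Control APIs accept at bucket and account level; the ACL and policy documents are constructed for the example, and the "is this public" rules are a simplified subset of what AWS documents, assumed here rather than copied from AWS's implementation.

```python
"""Offline model of S3 Block Public Access (added example; see lead-in)."""
from dataclasses import dataclass

# Grantee group URIs that make an ACL grant readable by everyone / any AWS user.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Condition keys that narrow a "*" principal enough that the policy is not
# treated as public.  Assumed subset for this example, lower-cased for matching.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceaccount",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn", "aws:userid",
}


def acl_is_public(acl: dict) -> bool:
    """A bucket/object ACL is public if any grant targets a public group."""
    return any(
        grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        for grant in acl.get("Grants", [])
    )


def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_is_public(policy: dict) -> bool:
    """Public = an Allow to everyone with no restricting condition key."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & RESTRICTING_CONDITION_KEYS:
            return True
    return False


@dataclass(frozen=True)
class PublicAccessBlock:
    """The four flags; field names mirror PublicAccessBlockConfiguration."""
    block_public_acls: bool = False        # reject new public ACLs at PUT time
    ignore_public_acls: bool = False       # treat existing public ACL grants as absent
    block_public_policy: bool = False      # reject new public bucket policies at PUT time
    restrict_public_buckets: bool = False  # confine a public policy to the account / AWS services

    def to_api_config(self) -> dict:
        """Shape accepted by put_public_access_block on the s3 and s3control clients."""
        return {
            "BlockPublicAcls": self.block_public_acls,
            "IgnorePublicAcls": self.ignore_public_acls,
            "BlockPublicPolicy": self.block_public_policy,
            "RestrictPublicBuckets": self.restrict_public_buckets,
        }


def evaluate(block: PublicAccessBlock, acl: dict, policy: dict) -> dict:
    """Which exposures survive the settings, and which future writes are rejected."""
    return {
        "acl_exposes_data": acl_is_public(acl) and not block.ignore_public_acls,
        "policy_exposes_data": policy_is_public(policy) and not block.restrict_public_buckets,
        "new_public_acl_rejected": block.block_public_acls,
        "new_public_policy_rejected": block.block_public_policy,
    }


# Constructed sample documents (not real buckets or endpoints).
PUBLIC_READ_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

ACCOUNT_DEFAULT = PublicAccessBlock()                       # nothing blocked, the pre-feature state
ACCOUNT_LOCKED = PublicAccessBlock(True, True, True, True)  # all four options on

if __name__ == "__main__":
    for name, block in (("default", ACCOUNT_DEFAULT), ("locked", ACCOUNT_LOCKED)):
        print(name, evaluate(block, PUBLIC_READ_ACL, PUBLIC_POLICY))
```

The practical point the model makes explicit: BlockPublicAcls and BlockPublicPolicy only reject future writes, while IgnorePublicAcls and RestrictPublicBuckets neutralise grants and policies that already exist, which is what the "apply retroactively" option in the story relies on. A bucket whose policy is scoped by a VPC endpoint condition is not counted as public, so it keeps working with all four flags on. Pushing the configuration for real is one call, for example boto3's `s3control` client `put_public_access_block` with `AccountId` and `PublicAccessBlockConfiguration=ACCOUNT_LOCKED.to_api_config()`.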
Google To Pay JavaScript Frameworks To Implement Performance-First Code (zdnet.com)
An anonymous reader quotes ZDNet: Google will be launching a fund of $200,000 to sponsor the development and implementation of performance-related features in third-party JavaScript frameworks... Frameworks with original ideas to improve performance and those which ship "on by default" performance-boosting features will be favored in the funds allocation process. Nicole Sullivan, Chrome Product Manager, and Malte Ubl, Google Engineering Lead, have told ZDNet that the popularity, size, or the adoption of any participant framework will not count as a defining factor for being selected to receive funding. "The objective of this initiative is to help developers hit performance goals and hence serve their users with high-quality user experiences by default and ensure that this happens at scale," the two told ZDNet in an email...
"One key factor is also whether the respective feature can be turned on by default and thus have maximum impact rather than being only made available optionally," Sullivan and Ubl said.... "We want developers to be creative in approaching and solving the performance problem on the web but at a high-level we'll be looking at features that directly impact loading performance (e.g. use of feature policies, smart bundling, code-splitting, differential serving) and runtime performance (e.g. breaking tasks into smaller, schedulable chunks & keeping fps high)...."
But in addition to putting up funds to help frameworks improve their codebase, Google has also invited the development teams of some of these frameworks to provide feedback in a more prominent role as part of the Google Chrome development process... "Frameworks sometimes make web apps slower. They are also our best hope to make it faster," a slide in Sullivan and Ubl's Chrome Dev Summit presentation read.
"It's still JavaScript," complains long-time Slashdot reader tepples. "The fastest script is the script that is not loaded at all."