Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
A Mysterious Grey-Hat Is Patching People's Outdated MikroTik Routers (zdnet.com)
An anonymous reader quotes a report from ZDNet: A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned. The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. "I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions." But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April. -
Senators Demand Google Hand Over Internal Memo Urging Google+ Cover-up (zdnet.com)
An anonymous reader writes: Three Republican senators have sent a letter to Google demanding the company hand over an internal memo on the basis of which Google decided to cover up a Google+ data leak instead of going public as most companies do. The existence of this internal memo came to light on Monday in a Wall Street Journal article that forced Google to go public with details about a Google+ API bug that could have been used to harvest data on Google users.
According to the report, the internal memo, signed by Google's legal and policy staff, advised Google top execs not to disclose the existence of the API bug fearing "immediate regulatory interest." Google's legal staff also feared that the bug would bring Google "into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal," and would "almost [guarantee] Sundar will testify before Congress," akin to Facebook's CEO. In a letter sent today to Google, three GOP senators want to see this internal memo for themselves by October 30, along with on-the-record answers to seven questions regarding what, why, and how Google handled the Google+ API data leak. -
Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs (zdnet.com)
Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device, because the company doesn't sell any products under its own name; it ships all equipment as white-label products onto which other companies put their own logos. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they are derived from the devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password. -
WhatsApp Fixes Bug That Let Hackers Take Over App When Answering a Video Call (zdnet.com)
WhatsApp developers have fixed a bug in the Android and iOS versions of the WhatsApp mobile app that allowed hackers to take over the application when users answered an incoming video call. From a report: Natalie Silvanovich, a security researcher with Google's Project Zero security research team, discovered the WhatsApp vulnerability at the end of August. She described the vulnerability as a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation." "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," Silvanovich said in a bug report. "This issue can occur when a WhatsApp user accepts a call from a malicious peer." It is unclear how popular the video feature is on WhatsApp, which is used by more than 1.2 billion users. But in July, the company said users were spending over two billion minutes on calls (including voice) each day. -
Microsoft Joins Open Invention Network (OIN), Will Grant a Royalty-Free and Unrestricted License To Its Entire Patent Portfolio To All Other OIN Members (globenewswire.com)
Microsoft said Wednesday it had joined the Open Invention Network (OIN), an open-source patent consortium. As part of it, the company has essentially agreed to grant a royalty-free and unrestricted license to its entire patent portfolio to all other OIN members. From the press release: By joining OIN, Microsoft is demonstrating its commitment to open source software (OSS) and innovation through collaborative development. With more than 2,650 members [Editor's note: the members include Google, IBM, Red Hat, and SUSE], including numerous Fortune 500 enterprises, OIN is the largest patent non-aggression community in history and represents a core set of community values related to open source licensing, which has become the norm. "Open source development continues to expand into new products and markets to create unrivaled levels of innovation. Through its participation in OIN, Microsoft is explicitly acknowledging the importance of open source software to its future growth," said Keith Bergelt, CEO of Open Invention Network. "Microsoft's participation in OIN adds to our strong community, which through its breadth and depth has reduced patent risk in core technologies, and unequivocally signals for all companies who are using OSS but have yet to join OIN that the litmus test for authentic behavior in the OSS community includes OIN participation."
Erich Andersen, Corporate Vice President and Chief IP Counsel at Microsoft, said, "Microsoft sees open source as a key innovation engine, and for the past several years we have increased our involvement in, and contributions to, the open source community. We believe the protection OIN offers the open source community helps increase global contributions to and adoption of open source technologies. We are honored to stand with OIN as an active participant in its program to protect against patent aggression in core Linux and other important OSS technologies." Further reading: Why Microsoft may be relinquishing billions in Android patent royalties. -
Pentagon's New Next-Gen Weapons Systems Are Laughably Easy To Hack (zdnet.com)
An anonymous reader quotes a report from ZDNet: New computerized weapons systems currently under development by the U.S. Department of Defense (DOD) can be easily hacked, according to a new report published today. The report was put together by the U.S. Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress. The report detailed some of the most eye-catching hacks GAO testers performed during their analysis: "In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded. Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data."
The report claims the DOD documented many of these "mission-critical cyber vulnerabilities," but Pentagon officials who met with GAO testers claimed their systems were secure, and "discounted some test results as unrealistic." GAO said all tests were performed on computerized weapons systems that are still under development. GAO officials highlighted that hackers can't yet take control over current weapons systems and turn them against the U.S. But if these new weapons systems go live, the threat is more than real, GAO said. -
Network Middleware Still Can't Handle TLS Without Breaking Encryption (zdnet.com)
An academic study published last month shows that despite years worth of research into the woeful state of network traffic inspection equipment, vendors are still having issues in shipping appliances that don't irrevocably break TLS encryption for the end user. From a report: Encrypted traffic inspection devices (also known as middleware), either special hardware or sophisticated software, have been used in enterprise networks for more than two decades. System administrators deploy such appliances to create a man-in-the-middle TLS proxy that can look inside HTTPS encrypted traffic, to scan for malware or phishing links or to comply with law enforcement or national security requirements.
[...] In the last decade, security researchers have looked closely at the issue of TLS inspection appliances that break or downgrade encryption. There has been much research on the topic, from research teams from all over the world. But despite years worth of warnings and research, some vendors still fail at keeping the proper security level of a TLS connection when relaying traffic through their equipment/software. Academic research [PDF] published at the end of September by three researchers from Concordia University in Montreal, Canada, shows that network traffic inspection appliances still break TLS security, even today. -
French Officer Caught Selling Access To State Surveillance System On the Darkweb (zdnet.com)
An anonymous reader writes: "A French police officer was charged and arrested last week for selling confidential data on the dark web in exchange for Bitcoin," reports ZDNet. French authorities caught him after they took down the "Black Hand" dark web marketplace. Sifting through the marketplace data, they found French police documents sold on the site. All the documents had unique identifiers, which they used to track down the French police officer who was selling the data under the name of Haurus.
Besides selling access to official docs, they also found he ran a service to track the location of mobile devices based on a supplied phone number. He advertised the system as a way to track spouses or members of competing criminal gangs. Investigators believe Haurus was using the French police resources designed with the intention to track criminals for this service. He also advertised a service that told buyers if they were tracked by French police and what information officers had on them. -
Microsoft Pulls Windows 10 October Update (zdnet.com)
Amid reports of users facing a number of issues after updating their computers to Windows 10 October 2018 Update, Microsoft said Saturday it was pausing the rollout of the latest version of its Windows 10 desktop operating system. ZDNet: In a support document updated today, October 6, the Redmond-based OS maker said it took this decision after users complained that v1809 had deleted files after the update. "We have paused the rollout of the Windows 10 October 2018 Update (version 1809) for all users as we investigate isolated reports of users missing some files after updating." Microsoft employs a gradual rollout scheme, and not all Windows 10 users have received its latest twice-yearly OS update. The October 2018 Update is no longer available for download, and Microsoft urges users who manually downloaded a Windows 10 installation package to wait until new installation media is available. "We will provide an update when we resume rolling out the Windows 10 October 2018 Update to customers," Microsoft said. -
Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting (techcrunch.com)
TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.
Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."
"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters." -
Israel Sends Nation-Wide Security Alert Following Reports About Hijacked WhatsApp Accounts (zdnet.com)
A wave of reports about hijacked WhatsApp accounts in Israel has forced the government's cyber-security agency to send out a nation-wide security alert on Tuesday, ZDNet has learned. From a report: The alert, authored by the Israel National Cyber Security Authority, warns about a relatively new method of hijacking WhatsApp accounts using mobile providers' voicemail systems. This new hacking method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath. The general idea is that users who have voicemail accounts for their phone numbers are at risk if they don't change that account's default password, which in most cases tends to be either 0000 or 1234. The possibility of an account takeover happens when an attacker tries to add a legitimate user's phone number to a new WhatsApp app installation on his own phone. Following normal security procedures, the WhatsApp service would then send a one-time code via SMS to that phone number. This would typically alert a user to an ongoing attack, but Bar-Zik argues that a hacker could easily avoid this by carrying out the attack during nighttime or when he is sure the user is away from his phone. -
Average Time To Resolve Problems is Three Times Higher Than Customers Want (zdnet.com)
Businesses seem to be setting the bar for "good" customer service too low, according to a recent study, which could have significant business impact as the customer experience becomes even more decisive in whether customers buy. From a report: Boston, Mass.-based identity and access company LogMeIn recently released a study analyzing the business impact and consumer attitudes of today's customers and their journey to a sale. It surveyed over 5,000 respondents consisting of business leaders and consumers around the globe. Its 2018 AI Customer Experience study shows that over one-third of consumers were not impressed with their customer journey. More than four in five consumers (83 percent) cited an average or poor experience, saying that they had at least one issue while interacting with a brand. Conversely, 80 percent of businesses believe their customers would give them a favorable review -- even whilst admitting that less than half of customer queries are resolved during the first interaction. Two-thirds (68 percent) of business respondents agree that their agents struggle with the volume of customer enquiries, and 61 percent of consumers feel that it takes too long for an enquiry to be resolved. -
Alphabet's Intra App Encrypts DNS Queries To Help Users Bypass Online Censorship (zdnet.com)
Catalin Cimpanu, writing for ZDNet: Jigsaw, a technology incubator created by Google and operated as a subsidiary under the Alphabet brand, has released today an Android app named Intra that can encrypt DNS queries as a protection against DNS manipulation at the ISP (internet service provider) level. DNS manipulation is one of the most common forms of online censorship used by oppressive regimes or unscrupulous ISPs, used to block access to news sites, information portals, social media platforms, undesirable software, and more. Intra protects against DNS manipulation by keeping DNS traffic hidden from third-parties with state-level surveillance capabilities, such as internet service providers in countries with autocratic regimes. Reports suggest that Alphabet tested the app with a few dozen political activists in Venezuela before the global roll-out. -
Australian Industry and Tech Groups Unite To Fight Encryption-Busting Bill (zdnet.com)
A new encryption bill that's expected to be passed in Australia is facing strong opposition from tech heavyweights. A new group called "Alliance for a Safe and Secure Internet" has been formed by Australian industry, technology, and human rights groups to persuade the country not to pass the bill, reports ZDNet. "The membership of the new alliance consists of Australian Communications Consumer Action Network, Access Now, Ai Group, Australian Information Industry Association, Amnesty International Australia, AMTA, Blueprint for Free Speech, members of Communications Alliance sans NBN, DIGI, Digital Rights Watch, Future Wise, Hack for Privacy, Human Rights Law Centre, Internet Australia, IoT Alliance Australia, and Liberty Victoria." The Guardian also notes that Google and Facebook are part of the group. From the report: The Bill is currently before the Parliamentary Joint Committee on Intelligence and Security, with a minuscule three-week window for submissions closing on Friday, October 12 and a hearing set for Friday, October 19. The proposed legislation would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content interception agencies want access to.
"This Bill stands to have a huge impact on millions of Australians, so it is crucial that lawmakers reject this proposal in its present form before we sleepwalk into a digital dystopia," said board member of Digital Rights Watch and alliance spokesperson Lizzie O'Shea. "The rushed processes coupled with the lack of transparency can only mean that expert opinions from Australia and abroad are being disregarded, and deep concerns about privacy erosion and lack of judicial review have simply been tossed aside." -
Windows 10 October 2018 Update Is Now Available; Features 'Your Phone' Android Messaging App, Dark Theme For File Explorer, and Other Tweaks (techcrunch.com)
Microsoft today announced that the Windows 10 October 2018 update is now available. While the update is fairly minor, it does offer a number of interesting new features. TechCrunch reports: The most interesting of these is probably the new "Your Phone" app, which allows you to text from your PC using an Android phone that also runs Microsoft's mobile companion app. In later iterations, that app will also sync notifications to your desktop, but for now, that's not an option. There also are tools for continuing your workflow as you switch from your phone to PC (or vice versa). These features work for iOS users, too. As far as syncing between devices goes, it's worth noting that the update also will allow you to share your clipboard between PCs.
Since everybody likes a dark mode these days, the Windows 10 File Explorer now also includes a dark theme. There's also a revamped search experience, as well as a new screenshot tool. While the release includes plenty of other tweaks, both in terms of functionality and design, the most anticipated feature, Sets, didn't make it into this release. Sets is probably the biggest change to the overall Windows user experience since the release of Windows 10, so maybe it's no surprise that Microsoft is trying to perfect this. And perfection takes a while. ZDNet has highlighted many of the "smaller" new features, such as the improved Windows search functionality, battery details for Bluetooth devices, and a built-in Clipboard manager that can sync clips across devices signed into the same Microsoft account. -
Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode' (zdnet.com)
An anonymous reader writes: Apple has quietly fixed a security issue affecting some laptops that shipped with Intel chips that were mistakenly left configured in "manufacturing mode." The issue was discovered by two security researchers bug hunting for security flaws in Intel's Management Engine. While digging through the dozens of ME configuration options, the two spotted a setting that they believed could cause problems if left enabled by accident on shipped systems.
The setting they eyed is named Manufacturing Mode, and it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable on Intel chips to test ME's remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines to allow automated configuration and testing operations, and disabled before the end product ships. Leaving an Intel ME chip in Manufacturing Mode allows attackers to change ME settings and disable security controls, opening the chip up to further attacks.
The two researchers said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Instructions on how to spot Intel ME chips in Manufacturing Mode and how to disable it are available here. Apple fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan. -
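One way to check a Linux machine (a live USB boot works for a Mac) for this condition, as an added example that is not the researchers' own tool: Intel ME exposes a Host Firmware Status register (HFSTS1) in the PCI configuration space of the HECI/MEI device, and bit 4 of that register is the Manufacturing Mode flag. The bit layout below follows the `me_hfs` definition published in coreboot's ME driver; the device address `00:16.0` is the usual one but is an assumption, and the two `lspci -xxx` dumps are constructed, not taken from a real machine.

```python
import re
import struct

# Assumptions (not from the article): HECI device at 00:16.0, HFSTS1 at
# config offset 0x40, bit layout per coreboot's struct me_hfs.
HECI_BDF = "00:16.0"
HFSTS1_OFFSET = 0x40

WORKING_STATES = {0: "reset", 1: "init", 2: "recovery", 5: "normal",
                  6: "wait", 7: "transition", 8: "invalid"}


def parse_lspci_hexdump(text):
    """Turn `lspci -xxx` hex lines ("40: 15 02 ...") into {offset: byte}.
    The device description line ("00:16.0 Communication controller ...")
    has no space after the colon and is skipped by the pattern."""
    cfg = {}
    pat = re.compile(r"^\s*([0-9a-fA-F]{2}):((?:\s+[0-9a-fA-F]{2})+)\s*$", re.M)
    for m in pat.finditer(text):
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            cfg[base + i] = int(byte, 16)
    return cfg


def read_hfsts1(cfg):
    """HFSTS1 is a 32-bit little-endian word at offset 0x40."""
    raw = bytes(cfg[HFSTS1_OFFSET + i] for i in range(4))
    return struct.unpack("<I", raw)[0]


def decode_hfsts1(value):
    """Decode the fields that matter for this check."""
    return {
        "working_state": WORKING_STATES.get(value & 0xF, f"unknown({value & 0xF})"),
        "manufacturing_mode": bool((value >> 4) & 1),   # the bit at issue
        "fw_init_complete": bool((value >> 9) & 1),
        "operation_mode": (value >> 16) & 0xF,          # 0 = normal
    }


def manufacturing_mode_enabled(lspci_output):
    cfg = parse_lspci_hexdump(lspci_output)
    return decode_hfsts1(read_hfsts1(cfg))["manufacturing_mode"]


# Constructed dumps; only the 0x40 line matters. 0x00000215 has bit 4 set
# (working state 5 = normal, mfg mode on, fw init complete); 0x205 clears it.
DUMP_MFG_MODE = """\
00:16.0 Communication controller: Intel Corporation (constructed sample)
00: 86 80 a0 9d 06 04 10 00 21 00 80 07 00 00 00 00
40: 15 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
DUMP_NORMAL = DUMP_MFG_MODE.replace("40: 15 02", "40: 05 02")

if __name__ == "__main__":
    # On a live system run, as root:  lspci -s 00:16.0 -xxx
    # and feed the output to manufacturing_mode_enabled().
    for label, dump in (("constructed mfg-mode dump", DUMP_MFG_MODE),
                        ("constructed normal dump", DUMP_NORMAL)):
        print(label, decode_hfsts1(read_hfsts1(parse_lspci_hexdump(dump))))
```

Reading the register only tells you the current state; whether the mode can still be cleared (and whether clearing it locks the flash descriptor) depends on the platform, which is why the fix for the affected Macs came as a firmware update rather than a user-side setting.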
FBI Solves Mystery Surrounding 15-Year-Old Fruitfly Mac Malware Which Was Used By a Man To Watch Victims Via their Webcams, and Listen in On Conversations (zdnet.com)
The FBI has solved the final mystery surrounding a strain of Mac malware that was used by an Ohio man to spy on people for 14 years. From a report: The man, 28-year-old Phillip Durachinsky, was arrested in January 2017, and charged a year later, in January 2018. US authorities say he created the Fruitfly Mac malware (Quimitchin by some AV vendors) back in 2003 and used it until 2017 to infect victims and take control off their Mac computers to steal files, keyboard strokes, watch victims via the webcam, and listen in on conversations via the microphone. Court documents reveal Durachinsky wasn't particularly interested in financial crime but was primarily focused on watching victims, having collected millions of images on his computer, including many of underage children. Durachinsky created the malware when he was only 14, and used it for the next 14 years without Mac antivirus programs ever detecting it on victims' computers. [...]
Describing the Fruitfly/Quimitchin malware, the FBI said the following: "The attack vector included the scanning and identification of externally facing services, to include the Apple Filing Protocol (AFP, port 548), RDP or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from third party data breaches." In other words, Durachinsky had used a technique known as port scanning to identify internet or network-connected Macs that were exposing remote access ports with weak or no passwords. -
Python is a Hit With Hackers, Report Finds (zdnet.com)
After breaking into the top three most popular programming languages for the first time this month, behind C and Java, Python has also won the hearts of hackers and web nasties, according to attack statistics published this week by web security biz Imperva. From a report: The company says more than a third of daily attacks against sites the company protects come from a malicious or legitimate tool coded in Python. Imperva says that around 77 percent of all the sites the company protects have been attacked by at least one Python-based tool. Furthermore, when the company looked at the list of tools that hackers used for their attacks, more than a quarter were coded in Python, by far the attackers' favorite tool. "Hackers, like developers, enjoy Python's advantages which makes it a popular hacking tool," the Imperva team says. -
Alphabet Launches VirusTotal Enterprise (zdnet.com)
Google launched today a new set of services for enterprise customers of VirusTotal, a website that lets users test suspicious files and URLs against an aggregate of multiple antivirus scanning engines at the same time. From a report: This collection of new tools is part of the new VirusTotal Enterprise service, which Google described as "the most significant upgrade in VirusTotal's 14-year history." As the name implies, this new service is specifically aimed at enterprise customers and is an expansion of VirusTotal's current Premium Services. Google says VirusTotal Enterprise consists of existing VirusTotal capabilities, but also new functionality, such as improved threat detection and a faster search system that uses a brand new interface that unifies capabilities in VirusTotal's free and paid sites. "VirusTotal Enterprise allows users to search for malware samples (using VT Intelligence), hunt for future malware samples (using VT Hunt with YARA), analyze malware relationships (using VT Graph), and automate all these tasks with our API," Google said. -
Linux Now Dominates Azure (zdnet.com)
An anonymous reader shares a report: Three years ago, Mark Russinovich, CTO of Azure, Microsoft's cloud program, said, "One in four [Azure] instances are Linux." Then, in 2017, 40 percent of Azure virtual machines (VMs) were Linux. Today, Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, said in an interview, "Slightly over half of Azure VMs are Linux. That's right. Microsoft's prize cloud, Linux, not Windows Server, is now the most popular operating system. Windows Server isn't going to be making a comeback. Every month, Linux goes up," Guthrie said. And it's not just Azure users who are turning to Linux.
"Native Azure services are often running on Linux," Guthrie added. "Microsoft is building more of these services. For example, Azure's Software Defined Network (SDN) is based on Linux." It's not just on Azure that Microsoft is embracing Linux. "Look at our simultaneous release of SQL Server on Linux. All of our projects now run on Linux," Guthrie said. -
Windows 10 Passes 700 Million Devices (neowin.net)
At its Ignite 2018 conference, Microsoft said that Windows 10 has been installed on over 700 million active devices. Neowin reports of the confusion around this estimate, noting that "the last milestone was 600 million active devices" announced on November 29, 2017, nearly 10 months ago. From the report: If you follow Windows 10 news, this might not even seem like a major development. That's because the firm's communication around this has been wildly inconsistent. It started off when Windows and Devices chief Terry Myerson announced that he's leaving Microsoft, and he wrote in a farewell letter that Windows 10 is installed on nearly 700 million active devices. That was almost six months ago. At the firm's Build conference in May and at the Insider Dev Tour in July, Microsoft announced that Windows 10 is installed on over 700 million devices, only to retract those statements later on and say they were mistakes. But today after almost six months of "nearly 700 million", Windows 10 is officially installed on over 700 million devices. -
Mozilla Rolls Out Recovery Key Option For Firefox Accounts (zdnet.com)
Mozilla announced today a new recovery option for Firefox Accounts, the user system included inside the Firefox browser. ZDNet: Starting today, users can generate a one-time recovery key that will be associated with their account, and which they can use to regain access to Firefox data if they ever forget their passwords. Firefox Accounts is included with all recent versions of the Firefox browser.
Most users are familiar with it because of Firefox Sync, the system that synchronizes Firefox data such as passwords, browsing history, open tabs, bookmarks, installed add-ons, and general browser options between multiple Firefox instances. But while Sync does the actual synchronization, Firefox Accounts is at the core of Sync and is the system that manages the identities of Firefox users. Sync works by taking a user's Firefox account password and encrypting the user's browser data on the local computer. -
Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate (zdnet.com)
A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions. The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.
[...] Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse. Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, and the reason was that it used a system named Digital Asset Links to authenticate and connect apps to a particular online service. -
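The Digital Asset Links check that the story above credits Smart Lock with, shown as an added example (this is not code from the study, from Google, or from any of the named password managers). A site publishes an `assetlinks.json` file naming the Android packages, by package name plus signing-certificate SHA-256 fingerprint, that may receive its login credentials; a password manager that consults that list before filling has nothing to match for a look-alike app. The JSON, the `example.com` domain, the package names and the fingerprints below are constructed sample data, and the package name and certificate digest are passed in as arguments rather than read from Android's PackageManager, which is an assumption made to keep the example self-contained.

```python
"""Gating Android autofill on a site's Digital Asset Links statement.

Added example, not code from the study, Google, or any password manager.
A site serves https://<domain>/.well-known/assetlinks.json; each statement
grants a relation (here: sharing login credentials) to an Android app
identified by package name AND signing-certificate SHA-256 fingerprint.
Matching on both means a clone that reuses the package name but is signed
with another key is not authorised.  All data below is constructed.
"""
import json
from typing import Set, Tuple

# Relation used by Smart Lock for Passwords / Android autofill for credentials.
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"
# A different, real relation (deep-link handling) that must NOT grant credentials.
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed fingerprints (32 bytes, colon separated, as Android prints them).
GENUINE_FP = ":".join(["01", "23", "45", "67", "89", "AB", "CD", "EF"] * 4)
CLONE_FP = ":".join(["FE", "DC", "BA", "98", "76", "54", "32", "10"] * 4)

# Constructed: what example.com might serve at /.well-known/assetlinks.json
EXAMPLE_COM_ASSETLINKS = json.dumps([
    {
        "relation": [GET_LOGIN_CREDS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.bank",
            "sha256_cert_fingerprints": [GENUINE_FP],
        },
    },
    {
        # The site lets this app open its links, but says nothing about
        # credentials, so it must not be auto-filled.
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.linkopener",
            "sha256_cert_fingerprints": [GENUINE_FP],
        },
    },
])


def normalize_fingerprint(fp: str) -> str:
    """Compare fingerprints as bare upper-case hex regardless of formatting."""
    return fp.replace(":", "").strip().upper()


def authorized_apps(assetlinks_text: str) -> Set[Tuple[str, str]]:
    """(package_name, fingerprint) pairs the site authorises for credential sharing."""
    allowed: Set[Tuple[str, str]] = set()
    for stmt in json.loads(assetlinks_text):
        if GET_LOGIN_CREDS not in stmt.get("relation", []):
            continue
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        pkg = target.get("package_name")
        if not pkg:
            continue
        for fp in target.get("sha256_cert_fingerprints", []):
            allowed.add((pkg, normalize_fingerprint(fp)))
    return allowed


def may_autofill(assetlinks_text: str, package_name: str, signing_cert_sha256: str) -> bool:
    """True only if the site's statement names this exact package and signing key."""
    key = (package_name, normalize_fingerprint(signing_cert_sha256))
    return key in authorized_apps(assetlinks_text)


if __name__ == "__main__":
    cases = [
        ("genuine app", "com.example.bank", GENUINE_FP),
        ("re-signed clone, same package name", "com.example.bank", CLONE_FP),
        ("look-alike package name", "com.examp1e.bank", GENUINE_FP),
        ("link handler without credential relation", "com.example.linkopener", GENUINE_FP),
    ]
    for label, pkg, fp in cases:
        print(f"{label:<45} fill={may_autofill(EXAMPLE_COM_ASSETLINKS, pkg, fp)}")
```

The point of keying on the (package name, signing certificate) pair is that a package name is attacker-chosen while the signing key is not; a manager that maps credentials to apps by package name or by string similarity to the site's domain has exactly the weakness the study describes.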
Microsoft To Bring Multi-User Virtualization To Windows, Office With Windows Virtual Desktop Service (zdnet.com)
An anonymous reader quotes a report from ZDNet: On Sept. 24, Microsoft announced what it's calling the Windows Virtual Desktop (WVD). WVD will allow users to virtualize Windows 7 and 10, Office 365 ProPlus apps and other third-party applications by running them remotely in Azure virtual machines. Using WVD, customers will be able to provide remote desktop sessions with multiple users logged into the same Windows 10 or Windows Server virtual machine. They also can opt to virtualize the full desktop or individual Microsoft Store and/or line-of-business applications. The WVD service also supports full VDI with Windows 10 and Windows 7, Microsoft officials told Ars Technica. (Those wanting to virtualize Windows 7 after Microsoft support ends in January 2020 will be able to do so for three years without paying for Extended Security Updates.)
Licenses for WVD will be provided for no additional cost as part of Windows Enterprise and Education E3 and E5 subscriptions. The aforementioned Windows 10 Enterprise for Virtual Desktops edition won't be released as a separate version of Windows 10 at all. That name is just for licensing purposes, officials said. Microsoft officials said a public preview of WVD will be available later this year, and those interested can request notification of the preview's availability. To use WVD, users need an Azure subscription and will be charged for the storage and compute their virtual machines use. Microsoft also plans to offer WVD via Microsoft Cloud Solution Providers and is working with third parties like Citrix to build on top of WVD, officials said. -
Tencent Security Researcher Fined For Hacking Hotel WiFi and Publishing Internal Network Credentials Online (zdnet.com)
Catalin Cimpanu, writing for ZDNet: Singapore authorities have fined a Chinese security researcher SGD$5,000 (USD$3,600) for hacking into a local hotel's WiFi system without authorization and then publishing a blog post about it, revealing passwords for the hotel's internal network. The incident took place at the end of August this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city. Zheng took it upon himself, without asking for permission first, to hack into the WiFi network of a Fragrance Hotel branch, where he checked in for the conference's duration. The researcher, who works for Chinese internet giant Tencent, hacked into the hotel's internet gateway system, an AntLabs IG3100 device that controls access to the WiFi network for staff and guests alike. He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device. [...] The researcher didn't report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online. -
Microsoft To Unify Search Across Windows 10, Office 365 and Bing with Microsoft Search (zdnet.com)
Microsoft has a new 'North Star' for search: One, unified, smart search box that will span Windows, Office, Bing and more. From a report: For the past several years, Microsoft has been working to unify and personalize its search experience across Office 365. But now the company is going a step further and bringing the same search experience to Windows 10. At Ignite last year, Microsoft said its holy grail for search was to enable people to search from wherever they were without interrupting their workflow. Bing for Business -- a way to turn Bing into an Intranet search service -- also debuted last year. At this year's Ignite, Microsoft is refining and expanding that search mission. Microsoft's plan is to put the search box "in a consistent, prominent place across Edge, Bing, Windows and Office apps, so that search is always one click away." The company also is "supercharging" the search box so that users can more easily find people, related content, commands for apps and more before they actually start typing in the search box, as it will be contextually aware and offer proactive search results and suggestions. Today, September 24, Microsoft is starting to roll out a preview of this Microsoft Search feature to Office.com, Bing.com (where it's no longer called Bing for Business, but, instead, Microsoft Search in Bing) and the SharePoint Mobile app. Microsoft Search will be coming to Edge, Windows and other versions of Office in the coming months, going into 2019. -
Google Secretly Logs Users Into Chrome Whenever They Log Into a Google Site (zdnet.com)
Catalin Cimpanu, writing for ZDNet: Starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system -- also known as Sync. This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and others) to Google's servers. Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.
Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy. That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click. Furthermore, they also revealed that this mechanism was added for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers. Well-respected cryptographer Matthew Green was disappointed by the move. In a post, he wrote: [...] In the rest of this post, I'm going to talk about why this matters. From my perspective, this comes down to basically four points:
1. Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they've given don't make any sense.
2. This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
3. The change makes a hash out of Google's own privacy policies for Chrome.
4. Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly. -
Wendy's Faces Lawsuit For Unlawfully Collecting Employee Fingerprints (zdnet.com)
An anonymous reader quotes a report from ZDNet: A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints. The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.
Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law -- the Illinois Biometric Information Privacy Act (BIPA) -- because the company does not make employees aware of how it handles their data. More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said. [The plaintiffs also claim that Wendy's sends this data to a third-party without their consent.] -
Twitter Notifies Developers About API Bug That Shared DMs With Wrong Developers (zdnet.com)
Twitter has started notifying developers today about an API bug that accidentally shared direct messages (private messages) or protected tweets from a Twitter business account with other developers. From a report: According to a support page published today, Twitter said the bug only manifested for Twitter business accounts where the account owner used the Account Activity API (AAAPI) to allow other developers access to that account's data. Because of the bug, the AAAPI sent DMs and protected tweets to the wrong person instead of the authorized developer. Twitter said it discovered the bug on September 10, and fixed it the same day. They also said the bug was active between May 2017 and September 2018, for almost 16 months. The bug represents a serious privacy issue, especially for Twitter business accounts that use DMs to handle customer complaints that in some cases may include private user information. -
Cloudflare Ends CAPTCHAs For Tor Users (zdnet.com)
Cloudflare announced on Monday a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is, said Cloudflare, that Tor users will see far fewer, or even no, CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. A reader writes: The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser -- the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protected site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases.
Cloudflare responded to accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Half a year later, in October 2016, Cloudflare started looking into methods of removing CAPTCHAs for Tor users. Their first foray was the Challenge Bypass Specification and a Tor Browser extension, but that project didn't go too far, and was eventually replaced by the new Cloudflare Onion Service today. -
Zaif Cryptocurrency Exchange Suffers $60 Million Hack (zdnet.com)
Hackers were able to steal $60 million worth of company and user funds belonging to the Zaif Japanese cryptocurrency exchange. The breach occurred last week, but the company discovered the hack on Monday, September 17. An anonymous reader shares the report from ZDNet: Investigators are still gathering details, but Zaif said the hack took place on September 14, between 17:00 and 19:00 local time, when the attacker siphoned off three types of cryptocurrencies from the company's "hot wallets." [A "hot wallet" is a term used to describe cryptocurrency addresses with light security measures where a cryptocurrency exchange keeps funds for immediate transactions, such as cryptocurrency-to-cryptocurrency or cryptocurrency-to-fiat (and vice versa) operations.] Zaif says the hacker stole Bitcoin, Bitcoin Cash, and MonaCoin from its hot wallet, all three worth 6.7 billion Japanese yen (roughly $59.67 million) when combined. Of the 6.7 billion stolen yen, 2.2 billion yen -- 32 percent -- were Zaif funds, while 4.5 billion yen were customer funds. Zaif plans to secure a 5 billion yen loan to pay back affected customers. -
'WaitList.dat' Windows File May Be Secretly Hoarding Your Passwords, Emails (zdnet.com)
A file named WaitList.dat, found only on touchscreen-capable Windows PCs, may be collecting your sensitive data like passwords and emails. According to ZDNet, in order for the file to exist users have to enable "the handwriting recognition feature that automatically translates stylus/touchscreen scribbles into formatted text." From the report: The handwriting to formatted text conversion feature was added in Windows 8, which means the WaitList.dat file has been around for years. The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others. "In my testing, population of WaitList.dat commences after you begin using handwriting gestures," [Digital Forensics and Incident Response expert Barnaby Skeggs] told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on." "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.
Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn't include only metadata, but the actual document's text. "The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs told ZDNet. "On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added. Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents. -
Cloudflare Wants Internet Route Leaks To Be a Thing of the Past (techcrunch.com)
Cloudflare wants routing issues to be a thing of the past by deploying a new feature to try to stop route leaks and hijacks in their tracks. From a report: Cloudflare told TechCrunch that rolling out resource public key infrastructure (RPKI) to all of its customers for free will make it far more difficult to reroute traffic -- either by accident or deliberately. RPKI, in a nutshell, helps to ensure that traffic goes to the right place through a route that's verified as legitimate and correct by using cryptographically signed certificates.
"When two networks connect with each other -- say, AT&T and Verizon -- they announce the set of IP addresses for which they should be sent traffic," said Nick Sullivan, Cloudflare's head of cryptography. "The RPKI is a security framework to make sure a network announces only its legitimate IP addresses." Cloudflare's push in the right direction follows an effort by the National Institute of Standards and Technology, which last week published its first draft of a new standard, which incorporates RPKI as one of three components that will help prevent route leaks and hijacks. A possible approval is expected in the coming weeks. -
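What "a route that's verified as legitimate" means in practice for the RPKI story above, as an added example that is not Cloudflare's code or anything from the TechCrunch report. An RPKI Route Origin Authorization (ROA) says that one ASN may originate one prefix and its more-specifics up to a maximum length; a router doing Route Origin Validation compares each BGP announcement it hears against the ROAs covering that prefix and labels it VALID, INVALID or NOT_FOUND, and dropping INVALID routes is what blocks a hijack or an accidental leak. The ROAs and announcements below are constructed from documentation prefixes and private ASNs, not real routing state.

```python
"""Route Origin Validation against a small set of RPKI ROAs.

Added example, not Cloudflare's or TechCrunch's code.  A ROA states that one
ASN may originate one prefix and any more-specific prefix up to a maximum
length.  Route Origin Validation (ROV) compares a BGP announcement against
the ROAs covering its prefix and yields VALID, INVALID or NOT_FOUND, the
terms used in RFC 6811.  All ROAs and announcements here are constructed
sample data (documentation prefixes, private ASNs).
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net
    max_length: int   # longest prefix the ASN may announce inside `prefix`
    asn: int          # the only ASN allowed to originate it


@dataclass(frozen=True)
class Announcement:
    prefix: Net
    origin_asn: int   # rightmost ASN in the AS_PATH


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ip_network(prefix), max_length, asn)


def announcement(prefix: str, origin_asn: int) -> Announcement:
    return Announcement(ip_network(prefix), origin_asn)


def covering_roas(ann: Announcement, roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix, ignoring max length."""
    return [r for r in roas
            if r.prefix.version == ann.prefix.version
            and ann.prefix.subnet_of(r.prefix)]


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """RFC 6811 outcome for one announcement.

    NOT_FOUND: no ROA covers the prefix (still the common case; operators
               usually accept these).
    VALID:     a covering ROA names this origin ASN and the announced prefix is
               no longer than that ROA's max length.
    INVALID:   covered, but every covering ROA names another ASN or forbids a
               prefix this specific.  This is the hijack / leak signal.
    """
    covering = covering_roas(ann, roas)
    if not covering:
        return "NOT_FOUND"
    for r in covering:
        if r.asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return "VALID"
    return "INVALID"


# Constructed sample ROAs: AS64496 may originate 192.0.2.0/24 exactly, and
# 2001:db8::/32 plus sub-prefixes down to /48.
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("2001:db8::/32", 48, 64496),
]

# Constructed sample announcements: legitimate route, hijack from another
# origin, over-specific sub-prefix, v6 route within max length, uncovered prefix.
SAMPLE_ANNOUNCEMENTS = [
    announcement("192.0.2.0/24", 64496),
    announcement("192.0.2.0/24", 64500),
    announcement("192.0.2.128/25", 64496),
    announcement("2001:db8:1::/48", 64496),
    announcement("198.51.100.0/24", 64496),
]


def rov_report(anns: Iterable[Announcement], roas: Iterable[ROA]) -> List[Tuple[str, int, str]]:
    """(prefix, origin ASN, validation state) for every announcement."""
    return [(str(a.prefix), a.origin_asn, validate(a, roas)) for a in anns]


if __name__ == "__main__":
    for prefix, asn, state in rov_report(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{prefix:<20} AS{asn:<6} {state}")
```

The third sample announcement is why max length matters: the prefix is inside the authorised /24 and comes from the right ASN, but a /25 is more specific than the ROA permits, so it is INVALID rather than VALID, which is what stops a more-specific announcement from winning longest-prefix match over the legitimate route.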
Linux On Windows 10: Running Ubuntu VMs Just Got a Lot Easier, Says Microsoft (zdnet.com)
Liam Tung reporting for ZDNet: Ubuntu maintainer Canonical and Microsoft have teamed up to release an optimized Ubuntu Desktop image that's available through Microsoft's Hyper-V gallery. The Ubuntu Desktop image should deliver a better experience when running it as a guest on a Windows 10 Pro host, according to Canonical. The optimized version is the Ubuntu Desktop 18.04.1 LTS release, also known as Bionic Beaver. Microsoft's work with Canonical was prompted by its users who wanted a "first-class experience" on Linux virtual machines (VMs) as well as Windows VMs. To achieve this goal, Microsoft worked with the developers of XRDP, an open-source remote-desktop protocol (RDP) for Linux based on Microsoft's RDP for Windows. Thanks to that work, XRDP now supports Microsoft's Enhanced Session Mode, which allows Hyper-V to use the open-source implementation of RDP to connect to Linux VMs. This in turn gives Ubuntu VMs on Windows hosts a better mouse experience, an integrated clipboard, window resizing, and shared folders for easier file transfers between host and guest. Microsoft's Hyper-V Quick Create VM setup wizard should also help improve the experience. "With the Hyper-V Quick Create feature added in the Windows 10 Fall Creators Update, we have partnered with Ubuntu and added a virtual machine image so in a few quick minutes, you'll be up and developing," said Clint Rutkas, a senior technical product manager on Microsoft's Windows Developer Team. "This is available now -- just type 'Hyper-V Quick Create' in your start menu." -
Cyber Sleuths Find Traces of Infamous iPhone and Android Spyware 'Pegasus' in 45 Countries (zdnet.com)
Security researchers have found evidence that a piece of malware peddled as "lawful intercept" software to government agencies has been deployed against victims located in 45 countries, a number that far outweighs the number of known operators, meaning that some of them are conducting illegal cross-border surveillance. The findings come from a report published by Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs. ZDNet: The malware, known as Pegasus (or Trident), was created by Israeli cyber-security firm NSO Group and has been around for at least three years -- it was first detailed in a report over the summer of 2016. The malware can operate on both Android and iOS devices, although it has mostly been spotted in campaigns targeting iPhone users. On infected devices, Pegasus is a powerful spyware that can do many things, such as record conversations, steal private messages, exfiltrate photos, and much, much more. Citizen Lab's researchers explained how they were able to arrive at the conclusion. They said they identified 1,091 IP addresses that matched their fingerprint for NSO's spyware. Then, they clustered the IP addresses into 36 separate operators with traces in 45 countries where these government agencies "may be conducting surveillance operations" between August 2016 and August 2018. Motherboard adds: Some of the countries where the researchers spotted Pegasus are democratic countries, such as the United States, France, and the UK, but there are also countries with questionable human rights records such as the United Arab Emirates, Bahrain, Mexico, Turkey, and Yemen. There's a caveat though. In some cases, the researchers aren't sure if the traces they found indicate an infection -- thus a target that may have been hacked from a foreign country -- or an operator. [...]
"I can only hope that our research is causing these companies to think twice about sales where there is the potential for spyware abuse, causing potential customers to think twice about being associated with a company dealing with repressive governments, and causing potential investors to think twice about the inherently risky business of selling spyware to dictators." The report includes a corroboration of sorts from security firm Lookout, which noted that it had detected "three digits" Pegasus infections around the world. -
Hackers Hijack Surveillance Camera Footage With 'Peekaboo' Zero-Day Vulnerability (zdnet.com)
An anonymous reader quotes a report from ZDNet: A zero-day vulnerability present in security cameras and surveillance equipment using Nuuo software is thought to impact hundreds of thousands of devices worldwide. Researchers from cybersecurity firm Tenable disclosed the bug, which has been assigned CVE-2018-1149. The vulnerability cannot get much more serious, as it allows attackers to remotely execute code in the software, the researchers said in a security advisory on Monday. Nuuo, describing itself as a provider of "trusted video management" software, offers a range of video solutions for surveillance systems in industries including transport, banking, government, and residential areas.
Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the makes and models of connected surveillance devices. In addition, the bug could be used to fully disable cameras and surveillance products. Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes the credentials of all video surveillance cameras connected to the storage system. -
Nvidia Researchers Generate Synthetic Brain MRI Images For AI Research (zdnet.com)
AI holds a great deal of promise for medical professionals who want to get the most out of medical imaging. However, when it comes to studying brain tumors, there's an inherent problem with the data: abnormal brain images are, by definition, uncommon. New research from Nvidia aims to solve that. From a report: A group of researchers from Nvidia, the Mayo Clinic, and the MGH & BWH Center for Clinical Data Science this weekend are presenting a paper on their work using generative adversarial networks (GANs) to create synthetic brain MRI images. GANs are effectively two AI systems that are pitted against each other -- one that creates synthetic results within a category, and one that identifies the fake results. Working against each other, they both improve. GANs could help expand the data sets that doctors and researchers have to work with, especially when it comes to particularly rare brain diseases. -
Vulnerability in WebKit Crashes and Restarts iPhones and iPads (zdnet.com)
Catalin Cimpanu, writing for ZDNet: A security researcher has discovered a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts iOS devices -- iPhones and iPads. The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn't very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs). Backdrop-filter is a relatively new CSS property and works by blurring or color-shifting the area behind an element. This is a heavy processing task, and some software engineers and web developers have speculated that the rendering of this effect takes a toll on iOS' graphics processing library, eventually leading to a crash of the mobile OS altogether. -
Cryptocurrency App Mocks Competitor For Getting Hacked. Gets Hacked 4 Days Later (zdnet.com)
An anonymous reader writes: A hacker going online by the pseudonym of "aabbccddeefg" has exploited a vulnerability to steal over 44,400 EOS coins ($220,000) from a blockchain-based betting app. The hack targeted a blockchain app that lets users bet with EOS coins in a classic dice game.
The entire incident is quite hilarious because four days before it happened, the company behind the app was boasting on Twitter that every other dice betting game had been hacked and lost funds. "DEOS Games, a clone and competitor of our dice game, has suffered a severe hack today that drained their bankroll," the company said in a now deleted tweet. "As of now every single dice game and clone site has been hacked. We have the biggest bankroll, the best developers, and a superior UI. Play on."
While the hack is somewhat the definition of karma police, it is also quite funny because the hacker himself didn't really care about hiding his tracks or laundering the stolen funds. "So this guy hacks EOSBET and what does he do? Play space invaders. I'm not even kidding...," a user analyzing the hacker's account said. -
Do Data Breaches Affect Stock Performance in the Long Run? (zdnet.com)
Trailrunner7 tipped us off to this story on ZDNet: A multi-year study on the stock price evolution for breached companies reveals that data breaches have a long-term impact on a company's stock price, even if it's somewhat minimal. The study, carried out by the research team behind the CompariTech web portal, looked only at companies listed on the New York Stock Exchange that suffered and publicly disclosed breaches of one million records and over in the past three years. In total, the list included 28 companies, such as Apple, Adobe, Anthem, Community Health Systems, Dun & Bradstreet, eBay, Equifax, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo. "In the long term, breached companies underperformed the market," the CompariTech team concluded in their report.
"After 1 year, share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%." Study authors noted that the impact of data breaches likely diminished over time, but the damage was still visible in the stock's NASDAQ performance indicator even after three years, in some cases. Although other factors also weighed into how a stock performed, the fact that all of the analyzed breached companies had a poor performance cannot be ignored.
Finance and payment companies suffered the largest drops in their stock prices after a data breach -- with the drops being larger when the breached data included "highly sensitive" info like credit card and social security numbers. -
Google Temporarily Brings Back the www In Chrome URLs -- But Should They? (digitaltrends.com)
An anonymous reader quotes Digital Trends: With the launch of Chrome 69, Google stunned users last week with a surprising decision to no longer display the "www" and "m" part of the URL in the Chrome search bar, but user backlash forced Google to soften its stance. Google's course reversal, although welcomed by users, is only short term, and the search giant said it will change course once again with the release of the Chrome 70 browser....
Critics have argued that by not displaying the special-case subdomains, it was harder for users to identify sites as legitimate, and the move could lead to more scams on the internet. Others go as far as questioning Google's motives for not displaying the "www" and "m" portion of a web address, and these users speculated that the move may be to disguise Google's AMP -- or Accelerated Mobile Pages -- subdomain to make it indistinguishable from the actual domain....
With the launch of Chrome 70, Google plans on hiding the 'www' portion of a web address inside the search bar, but it will continue to display the 'm' subdomain. "We are not going to elide 'm' in M70 because we found large sites that have a user-controlled 'm' subdomain," Google Chromium product manager Emily Schechter said. "There is more community consensus that sites should not allow the 'www' subdomain to be user controlled."
ZDNet notes that while Chrome's billion-plus users were surprised, "Apple's Safari likewise hides the www and m but it hasn't caused as much concern, likely because of Google's outsized influence over the web and Chrome's dominance of the browser market."
TechRepublic quotes a community feedback post that had argued that "Lying about the hostname to novices and power users alike in the name of simplifying the UI seems imprudent from a security perspective." -
Windows, Linux Kodi Users Infected With Cryptomining Malware (zdnet.com)
An anonymous reader quotes a report from ZDNet: Users of Kodi, a popular media player and platform designed for TVs and online streaming, have been the targets of a malware campaign, ZDNet has learned from cyber-security firm ESET. According to a report that will be published later today and shared with ZDNet in advance, the company's malware analysts have uncovered that at least three popular repositories of Kodi add-ons have been infected and helped spread a malware strain that secretly mined cryptocurrency on users' computers.
ESET researchers say they found malicious code hidden in some of the add-ons found on three add-on repositories known as Bubbles, Gaia, and XvBMC, all offline at the time of writing, after receiving copyright infringement complaints. Researchers said that some of the add-ons found on these repositories would contain malicious code that triggered the download of a second Kodi add-on, which, in turn, would contain code to fingerprint the user's OS and later install a cryptocurrency miner. While Kodi can run on various platforms, ESET says that the operators of this illicit cryptocurrency mining operation only delivered a miner for Windows and Linux users. The crooks reportedly mined for Monero, infecting over 4,700 victims and generating over 62 Monero coins, worth today nearly $7,000. -
Almost 'All Modern Computers' Affected By Cold Boot Attack, Researchers Warn (cnet.com)
Security researchers have discovered a flaw with nearly all modern computers that allows potential hackers to steal sensitive information from your locked devices. CNET adds: The attack only takes about five minutes to pull off, if the hacker has physical access to the computer, F-Secure principal security consultant Olle Segerdahl said in a statement Thursday. Cold boot attacks can steal data on a computer's RAM, where sensitive information is briefly stored after a forced reboot. These attacks have been known since 2008, and most computers today have a safety measure that removes the data stored on RAM to prevent hackers from stealing sensitive information. It's also not a common threat for the average person, since both access to the computer and special tools -- like a program on a USB stick -- are needed to carry out the attack. But Segerdahl and researchers from F-Secure said they've found a way to disable that safety measure and extract data using cold boot attacks. [Further reading: ZDNet] "It takes some extra steps compared to the classic cold boot attack, but it's effective against all the modern laptops we've tested," he said in a statement. Per F-Secure, there is no patch to address the new vulnerability just yet. For now, the firm recommends that you make tweaks to your system settings so that your computer automatically shuts down or hibernates instead of entering sleep mode when you close your screen. -
Alphabet's Loon Balloons Just Beamed the Internet Across 620 Miles (zdnet.com)
Loon, the former Google X project and now independent Alphabet company, has developed an antenna system that could create a far greater ground coverage than previously possible. From a report: According to Loon, each of its balloons, from 20km (12.4 miles) above earth, can cover an area of about 80km (49.7 miles) in diameter and serve about 1,000 users on the ground using an LTE connection. However, Loon balloons need a backhaul connection from an access point on the ground, and without that connection the balloons can't provide connectivity to users on the ground. But on Tuesday the company revealed it had sent data across a network of seven balloons from a single ground connection spanning a distance of 1,000 kilometers, or about 621 miles. It also achieved its longest ever point-to-point link, sending data between two balloons over a distance of 600km (373 miles). The tests were carried out across California and Nevada, with the balloons punting data packets between each other from "desert to mountains and back again", according to Loon. -
Apple Tries To Wipe AirPower From the History Books (zdnet.com)
A year after unveiling the AirPower all-in-one wireless charger for the iPhone, Apple Watch and AirPods, Apple has now erased all references to AirPower from its website. The company has yet to ship it. From a report: A year ago during the iPhone X unveiling Apple announced AirPower -- an all-in-one wireless charger for the iPhone, Apple Watch and AirPods. The product never shipped, and today it seems that Apple has scrubbed almost all traces of it off its website. At the time of writing, this is the only reference to AirPower I can find on Apple's website. So what happened to AirPower? Well, while only Apple really knows (and at the time of writing Apple hasn't responded to a request for information), it seems like the product was vaporware and that the promise of an all-in-one charger has died. I can't think off the top of my head of another product that Apple has announced at a major event and then failed to deliver, which suggests that some things are beyond the reach of even a company as powerful as Apple. -
T-Mobile, Ericsson Sign $3.5 Billion 5G Agreement (zdnet.com)
T-Mobile and Ericsson have signed a multi-year $3.5 billion agreement to build out T-Mobile's 5G infrastructure. The telecommunications company "will deploy Ericsson's Radio System portfolio, including 5G New Radio and NR hardware and software compliant with 3GPP standards," reports ZDNet. From the report: According to the companies, the contract also encompasses Ericsson's digital services solutions, including dynamic orchestration, business support systems or BSS, and Ericsson Cloud Core. Meanwhile, T-Mobile's already installed base of Ericsson Radio System radios will be able to run 5G NR technology via remote software installation. T-Mobile and Ericsson rival Nokia also announced a $3.5 billion 5G deal back in July. Add it up and T-Mobile is investing $7 billion in 5G between the two companies. As part of the Nokia agreement, T-Mobile said it would use Nokia's 5G network technology including software, services and hardware. The carrier also said Nokia would help make its "600 MHz and 28 GHz millimeter wave 5G capabilities compliant with 3GPP 5G New Radio (NR) standards" -- echoing its current plans with Ericsson. In other 5G-related news, Verizon will begin offering installation of its 5G home broadband in select markets on October 1st. "Customers [in Houston, Indianapolis, Los Angeles, and Sacramento] will be able to begin ordering service once the installation is complete, with pricing set at $50 for Verizon Wireless customers and $70 for non-VZW customers," reports PhoneDog. Network speeds are expected to be around 300Mbps, with peak speeds nearing 1Gbps. There will also be no data caps. -
British Airways Breach Caused By the Same Group That Hit Ticketmaster (zdnet.com)
An anonymous reader shares a report: A cyber-criminal operation known as Magecart is believed to have been behind the recent card breach announced last week by British Airways. The operation has been active since 2015 when RiskIQ and ClearSky researchers spotted the malware for the first time. The group's regular mode of operation involves hacking into online stores and hiding JavaScript code that steals payment card information entered into store checkout pages, information such as credit card numbers, names, addresses, and whatever is collected via payment forms. The group has been very active in the past three years, being blamed for injecting card skimming scripts on thousands of sites, with the most recent trove of compromised sites being discovered two weeks ago. Of all its hacks, the most notorious incident was when the group compromised a third-party chat provider and used its infrastructure to drop malicious scripts on the Ticketmaster checkout page. [...] In a report published today, researchers at RiskIQ say they found clues linking the same Magecart operation to the British Airways breach. This breach was announced last week when British Airways said that an unidentified hacker compromised its systems and stole the card details of over 380,000 users.