Google's security research unit is sounding the alarm on a set of vulnerabilities it found in certain Samsung chips included in dozens of Android models, wearables and vehicles, fearing the flaws could be soon discovered and exploited. From a report: Google's Project Zero head Tim Willis said the in-house security researchers found and reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung over the past few months, including four top-severity flaws that could compromise affected devices "silently and remotely" over the cellular network.

"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Willis said. By gaining the ability to remotely run code at a device's baseband level -- essentially the Exynos modems that convert cell signals to digital data -- an attacker would be able to gain near-unfettered access to the data flowing in and out of an affected device, including cellular calls, text messages, and cell data, without alerting the victim. The list of affected devices includes (but is not limited to): Samsung mobile devices, including the S22, M and A series handsets; Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series; Google Pixel 6 and Pixel 7 series; and connected vehicles that use the Exynos Auto T5123 chipset.

Microsoft warned an infamous hacking group that is tied to Russia's military intelligence agency GRU could be gearing up for more ransomware attacks both inside and outside of Ukraine. From a report: Microsoft calls the group Iridium, but it is perhaps best known as Sandworm. It has been accused of attacks on Ukraine's electric power grid and government agencies, the 2018 Winter Olympics and businesses across the globe. Now, it appears to be preparing for a renewed destructive campaign, the software company said in a threat intelligence report on Wednesday. Russian hackers have been accused of bombarding Ukrainian institutions with "wiper malware" and DDoS attacks, a campaign that began even before President Vladimir Putin ordered troops to invade more than a year ago. However, Ukraine's defenses have largely fended off a major cyberwar with the help of foreign tech companies including Microsoft. The ransomware attack on Polish and Ukrainian transport services in October, attributed to Sandworm, may have been "a trial balloon" for further attacks, the report said. Microsoft warned it was a potential precursor to further Russian hacks beyond Ukrainian soil.

Cybercriminal gangs now releasing stolen photos of cancer patients, student records. From a report: In February, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, that's part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack "involved" a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, "but LVHN refused to pay this criminal enterprise." After a couple of weeks, BlackCat threatened to publish data stolen from the system. "Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business," BlackCat wrote on their dark-web extortion site. "Your time is running out. We are ready to unleash our full power on you!" The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information.

The medical photos are graphic and intimate, depicting patients' naked breasts in various angles and positions. And while hospitals and health care facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers' desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay. "As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques," says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. "I think we'll see more of that. It follows closely patterns in kidnapping cases, where when victims' families refused to pay, the kidnappers might send an ear or other body part of the victim." Researchers say that another example of these brutal escalations came on Tuesday when the emerging ransomware gang Medusa published sample data stolen from Minneapolis Public Schools in a February attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes that describe allegations of a sexual assault and the names of a male student and two female students involved in the incident.

India plans to force smartphone makers to allow removal of pre-installed apps and mandate screening of major operating system updates under proposed new security rules, according to two people and a government document seen by Reuters. From a report: The new rules, details of which have not been previously reported, could extend launch timelines in the world's No.2 smartphone market and lead to losses in business from pre-installed apps for players including Samsung, Xiaomi, Vivo, and Apple. India's IT ministry is considering these new rules amid concerns about spying and abuse of user data, said a senior government official, one of the two people, declining to be named as the information is not yet public. "Pre-installed apps can be a weak security point and we want to ensure no foreign nations, including China, are exploiting it. It's a matter of national security," the official added. India has ramped up scrutiny of Chinese businesses since a 2020 border clash between the neighbours, banning more than 300 Chinese apps, including TikTok. It has also intensified scrutiny of investments by Chinese firms.

Decentralized lending protocol Euler Finance was hit by an attack that drained $197 million in cryptocurrencies from its platform on Monday, making it the largest hack in its corner of the digital-assets market this year. From a report: The bulk of the hacker's loot -- worth roughly $135 million -- was denominated in staked Ether tokens (stETH), while the remainder was held in wrapped Bitcoin and stablecoins DAI and USDC, according to security firm BlockSec. Some of the proceeds from the attack are already being laundered through Tornado Cash, a US-sanctioned platform which enables users to obfuscate their transaction history, security companies PeckShield Inc and Elliptic said.

The incident on Monday morning in London has almost wiped out Euler's on-chain value, leaving only around $9.7 million locked on the platform, data from DeFiLlama show. Euler Finance allows users to lend and borrow large amounts of cryptoassets through an automated service that does not require human intervention. The protocol's EUL token fell more than 50% to a low of $2.88 after the attack was disclosed, according to pricing data from CoinGecko. Details of the hack weren't immediately provided by the platform's developer Euler Labs.

By the end of 2023, GitHub will require all code contributors to enable two-factor authentication — part of "a platform-wide effort to secure software development by improving account security."

But on Monday they'll start rolling it out, according to a new blog post, reaching out to "smaller" groups of developers and administrators "to notify them of their 2FA enrollment requirement." If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You'll have 45 days to configure 2FA on your account — before that date nothing will change about using GitHub except for the reminders. We'll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com.

You'll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don't worry: this snooze period only starts once you've signed in after the deadline, so if you're on vacation or out of office, you'll still get that one week period to set up 2FA when you're back at your desk....

Twenty-eight (28) days after you enable 2FA, you'll be asked to perform a 2FA check-up while using GitHub.com, which validates that your 2FA setup is working correctly. Previously signed-in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors during onboarding.
GitHub's blog post says their gradual rollout plan "will let us make sure developers are able to successfully onboard, and make adjustments as needed before we scale to larger groups as the year progresses." InfoWorld summarizes the options: Users can choose between 2FA methods such as TOTP (Time-based One-Time Password), SMS (Short Message Service), security keys, or GitHub Mobile as a preferred 2FA method. GitHub advises using security keys and TOTPs wherever possible; SMS does not provide the same level of protection and is no longer recommended under NIST 800-63B, the company said.
Internally GitHub is also testing passkeys, according to their blog post. "Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain."

Stack Overflow explored the "hype cycle" by asking thousands of real developers whether nascent tech trends have really proven themselves, and how they feel about them. "With AI-assisted technologies in the news, this survey's aim was to get a baseline for perceived utility and impact" of various technologies, writes Stack Overflow's senior analyst for market research and insights.

The results? "Open source is clearly positioned as the north star to all other technologies, lighting the way to the chosen land of future technology prosperity." Technologies such as blockchain or AI may dominate tech media headlines, but are they truly trusted in the eyes of developers and technologists? On a scale of zero (Experimental) to 10 (Proven), the top proven technologies by mean score are open source with 6.9, cloud computing with 6.5, and machine learning with 5.9. The lowest scoring were quantum computing with 3.7, nanotechnology with 4.5, and low code/no code with 4.6....

[When asked for the next technology that everyone will use], AI comes in at the top of the list by a large margin, but our three top proven selections (open source, machine learning, cloud computing) follow after....

It's one thing to believe a technology has a prosperous future, it's another to believe a technology deserves a prosperous future. Alongside the emergent sentiment, respondents also scored the same technologies on a zero (Negative Impact) to 10 (Positive Impact) scale for impact on the world. The top positive mean scoring technologies were open source with 7.2, sustainable technologies with 6.6 and machine learning with 6.5; the top negative mean scoring technologies were low code/no code, InnerSource, and blockchain all with 5.3. Seeing low code/no code and blockchain score so low here makes sense because both could be associated with questionable job security in certain developer careers; however it's surprising that AI is not there with them on the negative end of the spectrum. AI-assisted technology had an above average mean score for positive impact (6.2) and the percent positive score is not that far off from those machine learning and cloud computing (28% vs. 33% or 32%).

Possibly what we are seeing here as far as why developers would not rate AI more negatively than technologies like low code/no code or blockchain but do give it a higher emergent score is that they understand the technology better than a typical journalist or think tank analyst. AI-assisted tech is the second highest chosen technology on the list for wanting more hands-on training among respondents, just below machine learning. Developers understand the distinction between media buzz around AI replacing humans in well-paying jobs and the possibility of humans in better quality jobs when AI and machine learning technologies mature. Low code/no code for the same reason probably doesn't deserve to be rated so low, but it's clear that developers are not interested in learning more about it.

Open source software is the overall choice for most positive and most proven scores in sentiment compared to the set of technologies we polled our users about.
One quadrant of their graph shows three proven technologies which developers still had negative feelings about: biometrics, serverless computing, and rapid prototyping tools. (With "Internet of Things" straddling the line between positive and negative feelings.)

And there were two technologies which 10% of respondents thought would never be widely used in the future: low code/no code and blockchain. "Post-FTX scandal, it's clear that most developers do not feel blockchain is positive or proven," the analyst writes.

"However there is still desire to learn as more respondents want training with blockchain than cloud computing. There's a reason to believe in the direct positive impact of a given technology when it pays the bills."

Fortune reports: The thousands of layoffs in Big Tech are thanks to an over-hiring spree to satisfy the "vanity" of bosses at the likes of Meta and Alphabet, according to a member of the so-called PayPal Mafia. Speaking remotely at an event hosted by banking firm Evercore, Silicon Valley VC Keith Rabois said Meta and Google had hired thousands of people to do "fake work" to hit hiring metrics out of "vanity".

Rabois, who was an executive at PayPal in the early 2000s alongside Tesla CEO Elon Musk, said the axing of droves of jobs is overdue. "All these people were extraneous, this has been true for a long time, the vanity metric of hiring employees was this false god in some ways," Rabois said, according to Insider. "There's nothing for these people to do — it's all fake work. Now that's being exposed, what do these people actually do, they go to meetings."

The DoorDash investor added Google had intentionally hired engineers and tech talent to stop them from being snapped up by competitors.

Politico reports: Governments and businesses have spent two decades rushing to the cloud — trusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software and the knowhow to keep it safe.

Now the White House worries that the cloud is becoming a huge security vulnerability.

So it's embarking on the nation's first comprehensive plan to regulate the security practices of cloud providers like Amazon, Microsoft, Google and Oracle, whose servers provide data storage and computing power for customers ranging from mom-and-pop businesses to the Pentagon and CIA.... Among other steps, the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first introduced in a Trump administration executive order). And last week the administration warned in its national cybersecurity strategy that more cloud regulations are coming — saying it plans to identify and close regulatory gaps over the industry....

So far, cloud providers have haven't done enough to prevent criminal and nation-state hackers from abusing their services to stage attacks within the U.S., officials argued, pointing in particular to the 2020 SolarWinds espionage campaign, in which Russian spooks avoided detection in part by renting servers from Amazon and GoDaddy. For months, they used those to slip unnoticed into at least nine federal agencies and 100 companies. That risk is only growing, said Rob Knake, the deputy national cyber director for strategy and budget. Foreign hackers have become more adept at "spinning up and rapidly spinning down" new servers, he said — in effect, moving so quickly from one rented service to the next that new leads dry up for U.S. law enforcement faster than it can trace them down.

On top of that, U.S. officials express significant frustration that cloud providers often up-charge customers to add security protections — both taking advantage of the need for such measures and leaving a security hole when companies decide not to spend the extra money. That practice complicated the federal investigations into the SolarWinds attack, because the agencies that fell victim to the Russian hacking campaign had not paid extra for Microsoft's enhanced data-logging features.... Part of what makes that difficult is that neither the government nor companies using cloud providers fully know what security protections cloud providers have in place. In a study last month on the U.S. financial sector's use of cloud services, the Treasury Department found that cloud companies provided "insufficient transparency to support due diligence and monitoring" and U.S. banks could not "fully understand the risks associated with cloud services."

williamyf writes: The fine folks at Backblaze have published their first ever report that includes their SSD fleet. To the surprise of no one, SSDs are more more reliable (0.98% AFR) than HDDs (1.64% AFR). The surprising thing thing was how small the difference is (0.66% AFR).

A TL;DR article by well regarded storage reporter Chris Mellor is here. Also worthy of note: S.M.A.R.T. attribute usage among SSD makers is neither standardized, nor very smart:

"Klein notes that the SMART (Self-Monitoring, Analysis, and Reporting Technology) used for drive state reporting is applied inconsistently by manufacturers. "Terms like wear leveling, endurance, lifetime used, life used, LBAs [Logical Block Address] written, LBAs read, and so on are used inconsistently between manufacturers, often using different SMART attributes, and sometimes they are not recorded at all."

That means you can't use such SMART statistics to make valid comparisons between the drives. "Come on, manufacturers. Standardize your SMART numbers."

An anonymous reader quotes a report from The Guardian: WhatsApp would refuse to comply with requirements in the online safety bill that attempted to outlaw end-to-end encryption, the chat app's boss has said, casting the future of the service in the UK in doubt. Speaking during a UK visit in which he will meet legislators to discuss the government's flagship internet regulation, Will Cathcart, Meta's head of WhatsApp, described the bill as the most concerning piece of legislation currently being discussed in the western world.

He said: "It's a remarkable thing to think about. There isn't a way to change it in just one part of the world. Some countries have chosen to block it: that's the reality of shipping a secure product. We've recently been blocked in Iran, for example. But we've never seen a liberal democracy do that. "The reality is, our users all around the world want security," said Cathcart. "Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users."

The UK government already has the power to demand the removal of encryption thanks to the 2016 investigatory powers act, but WhatsApp has never received a legal demand to do so, Cathcart said. The online safety bill is a concerning expansion of that power, because of the "grey area" in the legislation. Under the bill, the government or Ofcom could require WhatsApp to apply content moderation policies that would be impossible to comply with without removing end-to-end encryption. If the company refused to do, it could face fines of up to 4% of its parent company Meta's annual turnover -- unless it pulled out of the UK market entirely.

A top House official said that a "significant data breach" at the health insurance marketplace for Washington, D.C., on Tuesday potentially exposed personal identifiable information of hundreds of lawmakers and staff. NBC News reports: In a letter obtained by NBC News, Chief Administrative Officer Catherine L. Szpindor said Wednesday that the U.S. Capitol Police and the FBI had alerted her to a data breach at DC Health Link, the Affordable Care Act online marketplace that administers health care plans for members of Congress and certain Capitol Hill staff. "Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and [personally identifiable information] of hundreds of Member and House staff were stolen," Szpindor said. "I expect to have access to the list of impacted enrollees later today and will notify you directly if your information was compromised." Szpindor added that it did not appear that House lawmakers were "the specific target of the attack" on DC Health Link.

Out of an "abundance of caution," Szpindor said, lawmakers may opt to freeze family credit at three major credit bureaus, Equifax, Experian and Transunion. The data breach has also affected Senate offices, according to an email sent to Senate offices Wednesday afternoon that said the Senate Sergeant at Arms was informed by law enforcement about a data breach. The notice said that the "data included the full names, date of enrollment, relationship (self, spouse, child), and email address, but no other Personally Identifiable Information (PII)."

An anonymous reader shares a report: Nvidia released a new driver update for its GeForce graphics cards that, among other things, introduced a new Video Super Resolution upscaling technology that could make low-resolution videos look better on high-resolution screens. But the driver (version 531.18) also apparently came with a bug that caused high CPU usage on some PCs after running and then closing a game. Nvidia has released a driver hotfix (version 531.26) that acknowledges and should fix the issue, which was apparently being caused by an undisclosed bug in the "Nvidia Container," a process that exists mostly to contain other processes that come with Nvidia's drivers. It also fixes a "random bugcheck" issue that may affect some older laptops with GeForce 1000-series or MX250 and MX350 GPUs.

The European Central Bank plans to test the cyber resilience of the euro zone's top banks after a sharp rise in cyberattacks, including after Russia's invasion of Ukraine, ECB supervisory chief Andrea Enria told a Lithuanian newspaper. From a report: "Next year we are launching a thematic stress test on cyber resilience, which will try to test how banks are able to respond to and recover from a successful cyberattack," Enria told Verslo zinios. The ECB has long been warning banks to be alert for cyberattacks from Russia after the European Union passed a long series of sanctions against Moscow over its invasion of Ukraine. "There has been a significant increase in cyberattacks," Enria said. "We cannot apportion this to any specific source, but it is a fact that the number of these attacks has increased since the war started." Enria said that part of the problem is that banks are outsourcing some of their critical IT infrastructure to outside providers or other entities in their group.

Global shutter sensors with no skew or distortion have been promised as the future of cameras for years now, but so far only a handful of products with that tech have made it to market. Now, Raspberry Pi is offering a 1.6-megapixel global shutter camera module to hobbyists for $50, providing a platform for machine vision, hobbyist shooting and more. From a report: The Raspberry Pi Global Shutter Camera uses a 6.3mm Sony IMX296 sensor, and requires a Raspberry Pi board with a CSI camera connector. Like other global shutter sensors, it works by pairing each pixel with an analog storage element, so that light signals can be captured and stored by all pixels simultaneously. By comparison, regular CMOS sensors read and store the light captured by pixels from top to bottom and left to right. That can cause diagonal skew on fast moving subjects, or very weird distortion on rotating objects like propellers.

schwit1 shares an excerpt from a Substack article, written by former cybersecurity reporter Catalin Cimpanu: The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal -- which, ironically, all Canadians must use when doing their taxes and/or running their business. The CRA's terms of use assert the agency is not liable because they have "taken all reasonable steps to ensure the security of this Web site."

Excerpt from the CRA terms statement: "10. The Canada Revenue Agency has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times. However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the Canada Revenue Agency is not responsible for any damages you may experience as a result."

Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it's clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used. Not only is that not "all reasonable steps," but the CRA is missing the very basics for securing online web applications.

The terms of use also state that users are not allowed to use "any script, robot, spider, Web crawler, screen scraper, automated query program or other automated device or any manual process to monitor or copy the content contained in any online services." Looking at the HTTP response headers using web browser developer tools doesn't breach the terms of services, but the CRA must be well aware that internet users perform scans like this all the time. And it's not the legitimate My Account users who are likely to be the culprits. Unfortunately for Canadians, threat actors don't read terms of use pages. A statement like this doesn't protect anyone, except CRA, from being held responsible for failing to properly secure Canadian citizens' personal data.

China's government could use TikTok to control data on millions of American users, FBI Director Christopher Wray told a U.S. Senate hearing on Wednesday, saying the Chinese-owned video app "screams" of security concerns. Reuters reports: Wray told a Senate Intelligence Committee hearing on worldwide threats to U.S. security that the Chinese government could also use TikTok to control software on millions of devices and drive narratives to divide Americans over Taiwan or other issues. "Yes, and I would make the point on that last one, in particular, that we're not sure that we would see many of the outward signs of it happening if it was happening," Wray said of concerns China could feed misinformation to users. "This is a tool that is ultimately within the control of the Chinese government - and it, to me, it screams out with national security concerns," Wray said. Yesterday, the White House said it backed a bill in Congress to give the Biden administration new powers to ban TikTok and other foreign technologies that could pose security threats.

wiredmikey writes: Electronics giant Acer has confirmed getting hacked after a hacker offered to sell 160 Gb of files allegedly stolen from the company's systems. "We have recently detected an incident of unauthorized access to one of our document servers for repair technicians. While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server," Acer told SecurityWeek in an emailed statement. Acer issued the statement after a hacker announced on a popular cybercrime forum that he is selling more than 2,800 files totaling 160 Gb for an unspecified amount of Monero cryptocurrency. The cybercriminal claims the files include confidential slides, staff manuals, confidential product documentation, binary files, information on backend infrastructure, disk images, replacement digital product keys, and BIOS-related information.

An anonymous reader quotes a report from InterestingEngineering: The U.S. Air Force's Global Strike Command awarded a new $75.5 million contract to New York-based firm Persistent Systems. The aim is to build a unified security system for 400 operational Minuteman III intercontinental-range nuclear missile silos secured in remote areas throughout the U.S. It will be the world's largest wireless ad-hoc network, helping secure the U.S.'s nuclear arsenal amid growing concerns over global nuclear security.

Persistent Systems will roll out its Infrastructure-based Regional Operation Network (IRON) offering across three Air Force bases as part of the Regional Operating Picture (ROP) program. According to the company, the new security network will cover an area of 25,000 square miles (64,750 sq km), making it the world's largest wireless ad-hoc network. The IRON offering is an easy-to-deploy Integrated MANET Antenna System on fixed towers and poles. It will allow the U.S. Air Force to connect 75 operation centers and more than 1,000 Security Force vehicles. The ROP program will allow constant communication to an Operations Center via the towers. Meanwhile, the personnel at that Operations Center will know the exact location of any Security Forces on a digital map. Both will be able to share critical data seamlessly.

German police said Monday they have disrupted a ransomware cybercrime gang tied to Russia that has been blackmailing large companies and institutions for years, raking in millions of euros. From a report: Working with law enforcement partners including Europol, the FBI and authorities in Ukraine, police in Duesseldorf said they were able to identify 11 individuals linked to a group that has operated in various guises since at least 2010. The gang allegedly behind the ransomware, known as DoppelPaymer, appears tied to Evil Corp, a Russia-based syndicate engaged in online bank theft well before ransomware became a global scourge. Among its most prominent victims were Britain's National Health Service and Duesseldorf University Hospital, whose computers were infected with DoppelPaymer in 2020. A woman who needed urgent treatment died after she had to be taken to another city for treatment.

Ransomware is the world's most disruptive cybercrime. Gangs mostly based in Russia break into networks and steal sensitive information before activating malware that scrambles data. The criminals demand payment in exchange for decryption keys and a promise not to dump the stolen data online. In a 2020 alert, the FBI said DoppelPaymer had been used since late 2019 to target critical industries worldwide including healthcare, emergency services and education, with six- and seven-figure ransoms routinely demanded.