Security

Omnipotent BMCs From Quanta Remain Vulnerable To Critical Pantsdown Threat (arstechnica.com) 14

"Quanta not patching vulnerable baseboard management controllers leaves data centers vulnerable," writes long-time Slashdot reader couchslug. "Pantsdown was disclosed in 2019..." Ars Technica reports: In January 2019, a researcher disclosed a devastating vulnerability in one of the most powerful and sensitive devices embedded into modern servers and workstations. With a severity rating of 9.8 out of 10, the vulnerability affected a wide range of baseboard management controllers (BMC) made by multiple manufacturers. These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. Pantsdown, as the researcher dubbed the threat, allowed anyone who already had some access to the server an extraordinary opportunity. Exploiting the arbitrary read/write flaw, the hacker could become a super admin who persistently had the highest level of control for an entire data center.

Over the next few months, multiple BMC vendors issued patches and advisories that told customers why patching the vulnerability was critical. Now, researchers from security firm Eclypsium reported a disturbing finding: for reasons that remain unanswered, a widely used BMC from data center solutions provider Quanta Cloud Technology, better known as QCT, remained unpatched against the vulnerability as recently as last month. As if QCT's inaction wasn't enough, the company's current posture also remains baffling. After Eclypsium privately reported its findings to QCT, the solutions company responded that it had finally fixed the vulnerability. But rather than publish an advisory and make a patch public -- as just about every company does when fixing a critical vulnerability -- it told Eclypsium it was providing updates privately on a customer-by-customer basis. As this post was about to go live, "CVE-2019-6260," the industry's designation to track the vulnerability, didn't appear on QCT's website. [...]
"[T]hese types of attacks have remained possible on BMCs that were using firmware QCT provided as recently as last month," writes Ars' Dan Goodin in closing. "QCT's decision not to publish a patched version of its firmware or even an advisory, coupled with the radio silence with reporters asking legitimate questions, should be a red flag. Data centers or data center customers working with this company's BMCs should verify their firmware's integrity or contact QCT's support team for more information."
Security

GoodWill Ransomware Forces Victims To Donate To the Poor (cloudsek.com) 22

New submitter Grokew writes: "GoodWill ransomware group propagates very unusual demands in exchange for the decryption key," reports CloudSEK. "The Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need."

["Once infected, the GoodWill ransomware worm encrypts documents, photos, videos, databases, and other important files and renders them inaccessible without the decryption key," reports CloudSEK.] In order for the victims to obtain the decryption keys, they must provide proof of donating to the homeless, sharing a meal with the less fortunate, and paying a debt of someone who can't afford it. [The decryption kit includes the main decryption tool, password file and a video tutorial on how to recover all important files. It's only given to infected users after the three activities are verified by the ransomware operators, who appear to be operating out of India.]

Data Storage

Larger-than-30TB Hard Drives Are Coming Much Sooner Than Expected (techradar.com) 66

Inside hard disk drives are platters which hold all your data; these are all manufactured by one company in Japan called Showa Denko, which has announced it expects to "realize near-line HDD having storage capacity of more than 30TB" by the end of 2023. From a report: Deciphering that statement, we'd assume it will provide platters with a storage capacity of more than 3TB, sometime in 2023, to partners such as Toshiba, Seagate and Western Digital, who will then produce the hard disk drives, targeting hyperscalers and data center operators. We'd expect some of them to end up in NAS and 3.5-inch external hard drives, but those won't be the main target markets, as performance is likely to be optimized for nearline usage.

Showa Denko has now started shipment of the platters that will go into new 26TB Ultrastar DC HC670 UltraSMR hard disk drives announced by Western Digital only a few days ago. A 2.6TB platter -- which uses energy-assisted magnetic recording and shingled magnetic recording -- also marks an important milestone as it hits the symbolic 1TB/in^2 density. Showa Denko's announcement comes as a surprise as Toshiba recently suggested 30TB drives (rather than higher capacities) would not come until 2024. A 30TB model would comprise 11 platters with 2.73TB capacities each, a slight improvement on the 2.6TB platters that are on the way. Given the fact that 26TB HDDs have now been announced in the first half of 2022, there's a remote chance that we could see 30TB drives before the end of the year or, as the saying goes, "depending on market conditions."

Google

Google Opens Up Chrome and Chrome OS To Enterprise Security, Control Integrations (theverge.com) 10

Google is highlighting how Chromebooks can work in "zero trust" corporate environments with its new Chrome Enterprise Connectors Framework. From a report: The new integration system is designed to make the Chrome browser and Chrome OS devices easier for IT departments to implement with existing security, endpoint, and authentication solutions as well as other management solutions. Google Chrome OS exec John Solomon describes the new tools as a "plug and play" solution that lets other companies helm Chrome OS management functions like remote-wiping a Chromebook using BlackBerry Unified Endpoint Management or flagging malware downloads with Splunk. These types of management functions previously worked through the Google Admin console. Managing and enrolling Chrome OS devices in the enterprise will still rely on Google tools like Google Admin and Chrome Browser Cloud Management. But new tools like Chrome OS Data Controls give enterprises more options to allow or lock down actions like printing, screen capture, copy / paste, and other potential data loss situations. It might even give IT a better handle on buggy Chrome OS updates and is currently available through the Trusted Tester program.
Security

Senate Report Finds Government is Unprepared To Stop Ransomware Attacks (fastcompany.com) 48

In the past few years, ransomware attacks have crippled schools, hospitals, city governments, and pipelines. Yet, despite the heavy toll such incidents have on both the public and private sectors, government officials have only a limited understanding of ransomware attacks and how cryptocurrencies are being used to collect payment, according to a new report from the Senate Homeland Security and Governmental Affairs Committee. From a report: "Cryptocurrencies -- which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers -- have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security," said Michigan Senator Gary Peters, the committee's chair, in a statement. "My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them."

Part of the issue is in reporting: The federal government doesn't have a standardized place for victims to log ransomware attacks, which typically encrypt data until a ransom is paid in cryptocurrency. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have websites where victims can report incidents, and some people report the attacks directly to their local FBI field offices -- all of which can leave people unsure of where to turn and lead to different agencies having records of different incidents. Financial regulators, including the Treasury Department's Financial Crimes Enforcement Network, also gather some data on ransomware, particularly around payments, but it's also far from comprehensive. A new law passed by Congress in March, as part of a broad government funding bill, will soon require operators of "critical infrastructure" to report to CISA within 72 hours when they've been the victims of a "substantial cyber incident," and within 24 hours of paying a ransom, but the provision hasn't yet gone into effect, pending regulatory decisions by CISA.

Encryption

ProtonMail Unifies Encrypted Mail, Calendar, VPN, and Storage Services Under New 'Proton' Brand (macrumors.com) 37

Swiss-based encrypted email provider ProtonMail today announced a restructuring of its privacy-first services, bringing them under a new unifying brand name: Proton. "Today, we are undertaking our biggest step forward in the movement for an internet that respects your privacy. The new, updated Proton offers one account, many services, and one privacy-by-default ecosystem. You can now enjoy unified protection with a modernized look and feel. Evolving into a unified Proton reflects our growth from an end-to-end encrypted email provider to an entire privacy ecosystem, allowing us to deliver even more benefits to the Proton community and make privacy accessible to everyone," the company said. MacRumors adds: Previously, users could only subscribe to each service the company offered individually. Going forward, the new Proton offers one account to access all the services offered in the company's privacy-by-default ecosystem, including Proton Mail, Proton VPN, Proton Calendar, and Proton Drive, all of which can be accessed from proton.me. All Proton services remain available as a free tier, with more advanced features and more storage available via paid plans. The free Proton tier includes up to 1GB of storage and one Proton email address, as well as access to Proton's encrypted Calendar and VPN services. Further reading: Proton Is Trying to Become Google -- Without Your Data.
Security

Russian Hackers Are Linked To New Brexit Leak Website, Google Says (reuters.com) 68

A new website that published leaked emails from several leading proponents of Britain's exit from the European Union is tied to Russian hackers, according to a Google cybersecurity official and the former head of UK foreign intelligence. From a report: The website - titled "Very English Coop d'Etat" - says it has published private emails from former British spymaster Richard Dearlove, leading Brexit campaigner Gisela Stuart, pro-Brexit historian Robert Tombs, and other supporters of Britain's divorce from the EU, which was finalized in January 2020. The site contends that they are part of a group of hardline pro-Brexit figures secretly calling the shots in the United Kingdom. "I am well aware of a Russian operation against a Proton account which contained emails to and from me," said Dearlove, referring to the privacy-focused email service ProtonMail.
Security

'Tough To Forge' Digital Driver's License is Easy To Forge (arstechnica.com) 87

An anonymous reader shares a report: In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.

Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn't require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system. "To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence," Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

Google

Google Brings Street View History To Phones, Introduces 'Street View Studio' (arstechnica.com) 4

Today is the 15th birthday of Google Maps Street View, Google's project to take ground-level, 360-degree photographs of the entire world. To celebrate, the company is rolling out a few new features. From a report: First up, Google is bringing historical Street View data to iOS and Android phones. The feature has long existed on desktop browsers, where you can click into Street View mode and then time travel through Google's image archives. When you tap on a place to see Street View imagery, a "see more dates" button will appear next to the current age of the photo, letting you browse all the photos for that area going back to 2007. Google says the feature will release "starting today on Android and iOS globally," though, like all Google product launches, it will take some time to fully roll out.

If you'd like to help Google with its plan to photograph the entire world, the company is launching "Street View Studio." Google calls this "a new platform with all the tools you need to publish 360 image sequences quickly and in bulk." The Street View app is still around for people who want to build a 360 photosphere from a regular smartphone camera, but Google imagines Street View Studio as a tool for people with consumer 360 cameras. Google has a store-style page that lists compatible 360 cameras; the options range from sub-$200 fisheye cameras to the $3,600, ball-shaped Insta360 Pro, which looks like something out of Star Wars.

Microsoft

Microsoft Launches Power Pages for Designing Business Websites (techcrunch.com) 25

Riding the wave of enthusiasm for no-code/low-code solutions, Microsoft today announced Power Pages, a standalone product within the company's Power Platform portfolio for creating business websites. Power Pages previously existed as a component within Power Apps called Power Apps portals, but it's been broken out and redesigned with a new user experience. From a report: "As a new, standalone product, Power Pages empowers anyone, regardless of their technical background, with an effective platform to create data-powered, modern, and secure websites," Sangya Singh, vice president of power portals at Microsoft, said in a blog post. "In addition to being low-code, Power Pages extends far beyond portals' former capabilities to enable organizations of any size to securely build websites with exciting new aesthetic features and advanced capabilities for customization with pro-dev extensibility."

There's no shortage of web design startups on the market. But Microsoft is touting Power Pages' integrations with its existing services as the key differentiator. For example, Power Pages ties in with Visual Studio Code, GitHub, the Power Platform command line interface and Azure DevOps to let more advanced users automate development workflows (e.g. by downloading and uploading projects) and leverage CI/CD practices. Power Pages also allows users to implement role-based access controls and web app firewalls via Azure, and to collect and share business info with site visitors via Microsoft's Dataverse platform.

Microsoft

Microsoft Will Support Third-Party Windows 11 Widgets Later This Year (theverge.com) 30

Microsoft is planning to support third-party widgets inside Windows 11 later this year. At its annual Build developer conference today, the software giant says it will open up access to Windows 11 widgets to developers as companions to their win32 or PWA apps. From a report: Currently, the Windows 11 widgets system is restricted to native widgets created by Microsoft, and the selection is rather limited. Microsoft has built widgets for its Outlook and To Do apps, but the rest are largely web-powered ones that present the weather, entertainment feeds, or news in the dedicated widgets panel for Windows 11.

"We're energized by the customer feedback on Widgets to date, people are enjoying the quick access to content most important to them in a way that is seamless without breaking their flow," says Panos Panay, head of devices and Windows. "Beginning later this year you'll be able to start building Widgets as companion experiences for your Win32 and PWA apps on Windows 11, powered by the Adaptive Cards platform."

Windows

Windows 11 CPU Usage Reporting is Apparently Buggy, Including on Task Manager (neowin.net) 41

An anonymous reader shares a report: While not every user is actively monitoring hardware resource usage when gaming, enthusiasts and reviewers often turn the stats on to see how certain games and other applications are being handled by the hardware. During such a test run, CapFrameX, developer of a useful frametime analysis tool, noticed a weird anomaly when gauging the performance of the Ryzen 7 5800X3D on Lara Croft Shadow of the Tomb Raider (SotTR). The processor usage reported on Windows 11 is seemingly unusually low in one of the scenes in the game which is typically known to be quite intense on the CPU. Only one out of the 16 threads seems to be reporting the correct usage, whereas all the other threads are under 10% utilization. CapFrameX notes the issue, though it isn't sure what could be causing it: "The core usage reporting on Windows 11 is completely broken. Should be >80% for SotTR + this particular scene and settings. What happened? Did the recent update change the timer behavior?"
Security

Zola Says User Accounts Were Hacked, But Still Doesn't Offer 2FA (techcrunch.com) 18

Zola, a wedding planning startup that allows couples to create websites, budgets and gift registries, has confirmed that hackers gained access to user accounts but has denied a breach of its systems. From a report: The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards and gift cards. In a statement given to TechCrunch, Zola spokesperson Emily Forrest confirmed that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials. [...] Zola declined to say how many users were affected by the breach and declined to answer our questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.
Upgrades

Hollywood Designer 6.0 Released: Now a 'Full-Blown Multimedia Authoring System' (amigans.net) 20

After nearly 20 years, Hollywood Designer 6.0 is "very stable and mature", write its developers — envisioning both hobbyist and professional users (with its support for modern graphics-editing features like filter effects and vector graphics) in its massive new evolution.

Long-time Slashdot reader Mike Bouma explains: Airsoft Softwair has released Hollywood Designer 6.0, "a full-blown multimedia authoring system that runs on top of Hollywood and can be used to create all sorts of multimedia-based applications, for example presentations, slide shows, games, and applications. Thanks to Hollywood, all multimedia applications created using Hollywood Designer can be exported as stand-alone executables for the following systems: AmigaOS3, AmigaOS4, WarpOS, MorphOS, AROS, Windows, macOS, Linux, Android, and iOS."

The current version of Hollywood is v9.1 with various updated add-ons. To see earlier versions of Hollywood 9.0 & Designer 5.0 in action have a look at Kas1e's short demonstration on AmigaOS4 / AmigaOne X5000.

Microsoft

Biggest Targets at Pwn2Own Event: Microsoft's Windows, Teams, and Ubuntu Desktop (hothardware.com) 17

As Pwn2Own Vancouver comes to a close, a whopping $1,115,000 has been awarded by Trend Micro and Zero Day Initiative. The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware — though "the biggest payouts were for serious exploits against Microsoft's Teams utility." While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000....

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public, because they're zero-days, after all. That means that they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.

With all the points totalled, the winner was Singapore-based cybersecurity company Star Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event).

A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.
Programming

How a Rust Supply-Chain Attack Infected Cloud CI Pipelines with Go Malware (sentinelone.com) 45

Sentinel Labs provides malware/threat intelligence analysis for the enterprise cybersecurity platform SentinelOne.

Thursday they reported on "a supply-chain attack against the Rust development community that we refer to as 'CrateDepression'." On May 10th, 2022, the Rust Security Response Working Group released an advisory announcing the discovery of a malicious crate hosted on the Rust dependency community repository. The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines.

Infected CI pipelines are served a second-stage payload. We have identified these payloads as Go binaries built on the red-teaming framework, Mythic. Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger scale relative to the development pipelines infected. We suspect that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain.... In an attempt to fool Rust developers, the malicious crate typosquats against the well-known rust_decimal package used for fractional financial calculations....

The malicious package was initially spotted by an avid observer and reported to the legitimate rust_decimal GitHub account.... Both [Linux and macOS] variants serve as an all-purpose backdoor, rife with functionality for an attacker to hijack an infected host, persist, log keystrokes, inject further stages, screencapture, or simply remotely administer in a variety of ways....

Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to 'fish with dynamite' in an attempt to infect entire user populations at once. In the case of CrateDepression, the targeting interest in cloud software build environments suggests that the attackers could attempt to leverage these infections for larger scale supply-chain attacks.

Microsoft

Microsoft Warns of 'Stealthy DDoS Malware' Targeting Linux Devices (zdnet.com) 76

"In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos," writes the Microsoft 365 Defender Research Team. It's a trojan combining denial-of-service functionality with XOR-based encryption for communication.

Microsoft calls it part of "the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices." And ZDNet describes the trojan as "one of the most active Linux-based malware families of 2021, according to CrowdStrike." XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers... Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker's command and control infrastructure.
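The Zola story above describes credential stuffing (breached username/password pairs replayed against another site) and the XorDdos summary describes automated SSH password guessing. The following is an added example, not code from Zola, Microsoft, ZDNet or any of the reports quoted here: it parses constructed sshd-style auth log lines and separates the two login patterns by how many distinct accounts a source address tries and how many attempts it spends per account, then lists accounts that were successfully logged into from a stuffing-like source so they can be reset. The thresholds are assumptions chosen for the sample, not values from any report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sshd-style auth log (not captured from any real host); the
# source addresses come from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
May 23 10:01:02 host1 sshd[2001]: Failed password for alice from 203.0.113.5 port 50122 ssh2
May 23 10:01:03 host1 sshd[2002]: Failed password for invalid user bob from 203.0.113.5 port 50123 ssh2
May 23 10:01:04 host1 sshd[2003]: Failed password for carol from 203.0.113.5 port 50124 ssh2
May 23 10:01:05 host1 sshd[2004]: Failed password for invalid user dave from 203.0.113.5 port 50125 ssh2
May 23 10:01:06 host1 sshd[2005]: Accepted password for erin from 203.0.113.5 port 50126 ssh2
May 23 10:01:07 host1 sshd[2006]: Failed password for frank from 203.0.113.5 port 50127 ssh2
May 23 10:02:00 host1 sshd[2101]: Failed password for root from 198.51.100.7 port 41000 ssh2
May 23 10:02:01 host1 sshd[2102]: Failed password for root from 198.51.100.7 port 41001 ssh2
May 23 10:02:02 host1 sshd[2103]: Failed password for root from 198.51.100.7 port 41002 ssh2
May 23 10:02:03 host1 sshd[2104]: Failed password for root from 198.51.100.7 port 41003 ssh2
May 23 10:02:04 host1 sshd[2105]: Failed password for root from 198.51.100.7 port 41004 ssh2
May 23 10:02:05 host1 sshd[2106]: Failed password for root from 198.51.100.7 port 41005 ssh2
May 23 10:03:00 host1 sshd[2201]: Failed password for alice from 192.0.2.10 port 39000 ssh2
May 23 10:03:05 host1 sshd[2202]: Accepted password for alice from 192.0.2.10 port 39001 ssh2
May 23 10:03:09 host1 sshd[2203]: Connection closed by 192.0.2.10 port 39001 [preauth]
"""

# Matches both "Accepted password for <user>" and "Failed password for
# [invalid user] <user>"; other sshd messages are ignored.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


@dataclass
class SourceStats:
    """Per-source-address login statistics."""
    attempts: int = 0
    failures: int = 0
    successes: int = 0
    users: set = field(default_factory=set)           # every account tried
    accepted_users: set = field(default_factory=set)  # accounts that got in


def parse_auth_log(text):
    """Aggregate password-auth events by source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "Accepted":
            s.successes += 1
            s.accepted_users.add(m["user"])
        else:
            s.failures += 1
    return dict(stats)


def classify_source(s, min_attempts=5, min_users=4, max_tries_per_user=2.0):
    """Label one source by its login pattern (heuristic thresholds are assumed).

    Logs never show the passwords, so the distinction rests on shape alone:
    credential stuffing replays one leaked pair per account, giving many
    distinct users with roughly one try each; brute forcing hammers a few
    accounts with many tries.
    """
    if s.attempts < min_attempts:
        return "normal"
    tries_per_user = s.attempts / len(s.users)
    if len(s.users) >= min_users and tries_per_user <= max_tries_per_user:
        return "credential-stuffing"
    if len(s.users) < min_users:
        return "brute-force"
    return "suspicious"


def compromised_accounts(text):
    """Accounts that logged in successfully from a stuffing-like source."""
    hits = []
    for ip, s in sorted(parse_auth_log(text).items()):
        if classify_source(s) == "credential-stuffing":
            hits.extend(sorted(s.accepted_users))
    return hits


if __name__ == "__main__":
    for ip, s in sorted(parse_auth_log(SAMPLE_AUTH_LOG).items()):
        print(f"{ip:15} attempts={s.attempts:2} users={len(s.users):2} "
              f"ok={s.successes} -> {classify_source(s)}")
    print("reset these accounts:", compromised_accounts(SAMPLE_AUTH_LOG))
```

Feed real sshd lines through `parse_auth_log` and tune the thresholds to the host's normal login volume; the success-from-a-stuffing-source case is the one that warrants a forced password reset and, as the Zola story notes, is exactly what second-factor authentication would have blocked.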

While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. "We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft notes... Microsoft didn't see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities...

XorDdos can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.

Microsoft's team warns that the trojan's evasion capabilities "include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.

"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions."
Security

The Math Prodigy Whose Hack Upended DeFi Won't Give Back His Millions (bloomberg.com) 119

An 18-year-old graduate student exploited a weakness in Indexed Finance's code and opened a legal conundrum that's still rocking the blockchain community. Then he disappeared. An excerpt from a report: On Oct. 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed. The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens -- like an index fund, but on the blockchain. The colleague had sent over a screenshot showing a recent trade, followed by a question mark. "If you didn't know what you were looking at, you might say, 'Nice-looking trade,'" Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn't have been possible. Something was very wrong. Day jumped up, spilling his food on the floor, and ran into his bedroom to call Dillon Kellar, a co-founder of Indexed. Kellar was sitting in his mom's living room six time zones away near Austin, disassembling a DVD player so he could salvage one of its lasers. He picked up the phone to hear a breathless Day explaining that the platform had been attacked. "All I said was, 'What?'" Kellar recalls.

They pulled out their laptops and dug into the platform's code, with the help of a handful of acquaintances and Day's cat, Finney (named after Bitcoin pioneer Hal Finney), who perched on his shoulder in support. Indexed was built on the Ethereum blockchain, a public ledger where transaction details are stored, which meant there was a record of the attack. It would take weeks to figure out precisely what had happened, but it appeared that the platform had been fooled into severely undervaluing tokens that belonged to its users and selling them to the attacker at an extreme discount. Altogether, the person or people responsible had made off with $16 million worth of assets. Kellar and Day stanched the bleeding and repaired the code enough to prevent further attacks, then turned to face the public-relations nightmare. On the platform's Discord and Telegram channels, token-holders traded theories and recriminations, in some cases blaming the team and demanding compensation. Kellar apologized on Twitter to Indexed's hundreds of users and took responsibility for the vulnerability he'd failed to detect. "I f---ed up," he wrote. The question now was who'd launched the attack and whether they'd return the funds. Most crypto exploits are assumed to be inside jobs until proven otherwise. "The default is going to be, 'Who did this, and why is it the devs?'" Day says.

As he tried to sleep the morning after the attack, Day realized he hadn't heard from one particular collaborator. Weeks earlier, a coder going by the username "UmbralUpsilon" -- anonymity is standard in crypto communities -- had reached out to Day and Kellar on Discord, offering to create a bot that would make their platform more efficient. They agreed and sent over an initial fee. "We were hoping he might be a regular contributor," Kellar says. Given the extent of their chats, Day would have expected UmbralUpsilon to offer help or sympathy in the wake of the attack. Instead, nothing. Day pulled up their chat log and found that only his half of the conversation remained; UmbralUpsilon had deleted his messages and changed his username. "That got me out of bed like a shot," Day says.

Security

2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms 9

Malicious hackers, some believed to be state-backed, are actively exploiting two unrelated vulnerabilities -- both with severity ratings of 9.8 out of a possible 10 -- in hopes of infecting sensitive enterprise networks with backdoors, botnet software, and other forms of malware. ArsTechnica: The ongoing attacks target unpatched versions of multiple product lines from VMware and of BIG-IP software from F5, security researchers said. Both vulnerabilities give attackers the ability to remotely execute malicious code or commands that run with unfettered root system privileges. The largely uncoordinated exploits appear to be malicious, as opposed to benign scans that attempt to identify vulnerable servers and quantify their number.
Security

DOJ Says It Won't Prosecute White Hat Security Researchers (vice.com) 38

The Department of Justice announced today a policy shift: it will no longer prosecute good-faith security research that would have violated the country's federal hacking law, the Computer Fraud and Abuse Act (CFAA). Motherboard: The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.

"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good." The policy itself reads that "the Department's goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems."
