Open Source

At Least One Open Source Vulnerability Found In 84% of Code Bases, Report Finds (csoonline.com) 33

L.Kynes shares a report from CSO Online: At a time when almost all software contains open source code, at least one known open source vulnerability was detected in 84% of all commercial and proprietary code bases examined by researchers at application security company Synopsys. In addition, 48% of all code bases analyzed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities. The vulnerability data -- along with information on open source license compliance -- was included in Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA) report (PDF), put together by the company's Cybersecurity Research Center (CyRC). "Of the 1,703 codebases that Synopsys audited in 2022, 96% of them contained open source," adds L.Kynes, citing the report. "Aerospace, aviation, automotive, transportation, logistics; EdTech; and Internet of Things are three of the 17 industry sectors included in the report that had open source in 100% of their audited codebases. In the remaining verticals, over 92% of the codebases contained open source."
Security

TELUS Investigating Leak of Stolen Source Code, Employee Data (bleepingcomputer.com) 7

Canada's second-largest telecom, TELUS, is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data. BleepingComputer reports: The threat actor subsequently posted screenshots that apparently show private source code repositories and payroll records held by the company. TELUS has so far not found evidence of corporate or retail customer data being stolen and continues to monitor the potential incident. On February 17, a threat actor put up what they claim to be TELUS' employee list (comprising names and email addresses) for sale on a data breach forum. "TELUS employes [sic] from a very recent breach. We have over 76K unique emails and on top of this, we have internal information associated with each employee scraped from Telus' API," states the forum post.

While BleepingComputer has been unable to confirm the veracity of threat actor's claims just yet, the small sample set posted by the seller does have valid names and email addresses corresponding to present-day TELUS employees, particularly software developers and technical staff. By Tuesday, February 21, the same threat actor had created another forum post -- this time offering to sell TELUS' private GitHub repositories, source code, as well as the company's payroll records. The seller further boasts that the stolen source code contains the company's "sim-swap-api" that will purportedly enable adversaries to carry out SIM swap attacks.

AI

'I Broke Into a Bank Account With an AI-Generated Voice' (vice.com) 46

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: On Wednesday, I phoned my bank's automated service line. To start, the bank asked me to say in my own words why I was calling. Rather than speak out loud, I clicked a file on my nearby laptop to play a sound clip: "check my balance," my voice said. But this wasn't actually my voice. It was a synthetic clone I had made using readily available artificial intelligence technology. "Okay," the bank replied. It then asked me to enter or say my date of birth as the first piece of authentication. After typing that in, the bank said "please say, 'my voice is my password.'" Again, I played a sound file from my computer. "My voice is my password," the voice said. The bank's security system spent a few seconds authenticating the voice. "Thank you," the bank said. I was in.

I couldn't believe it -- it had worked. I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers. Banks across the U.S. and Europe use this sort of voice verification to let customers log into their account over the phone. Some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank. But this experiment shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost. I used a free voice creation service from ElevenLabs, an AI-voice company. Now, abuse of AI-voices can extend to fraud and hacking. Some experts I spoke to after doing this experiment are now calling for banks to ditch voice authentication altogether, although real-world abuse at this time could be rare.
A Lloyds Bank spokesperson said in a statement that "Voice ID is an optional security measure, however we are confident that it provides higher levels of security than traditional knowledge-based authentication methods, and that our layered approach to security and fraud prevention continues to provide the right level of protection for customers' accounts, while still making them easy to access when needed."

The Consumer Financial Protection Bureau, one of the U.S. agencies that regulates the financial industry, said: "The CFPB is concerned with data security, and companies are on notice that they'll be held accountable for shoddy practices. We expect that any firm follow the law, regardless of technology used."
Businesses

Cyber Insurance Is Back From the Brink After Onslaught of Ransomware Attacks (bloomberg.com) 9

The cyber-insurance market, battered by a rash of pandemic-era ransomware attacks, is making a comeback. Price hikes are moderating, new carriers and fresh sources of capital are emerging, and companies can better afford coverage. From a report: Cyber-insurance pricing increased 10% from a year earlier in January, a fraction of the 110% annual increase reported in the first quarter of 2022, preliminary data from insurance broker Marsh McLennan show. If those trends continue, prices could be set to decline, said Tom Reagan, Marsh's cyber practice leader. The reversal would follow a wave of digital intrusions that dominated the work-from-home era and forced insurers to recalibrate both how they write policies and their risk appetites. Those attacks also pushed their clients to adopt stronger cybersecurity measures. The brutal conditions in the market have let up since then, with claim frequency declining in the fourth quarter of 2022 even as severity remained elevated, according to Marsh.

"What we're left with is a very, very, very different market than what we went into two or three years ago," said Paul Bantick, the global head of cyber risks at London-based insurer Beazley. "We have a mature market that has stood up against a huge test." The risks posed by cyber criminals are still enormous. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, while the US Treasury Department said financial institutions flagged nearly $1.2 billion in likely ransomware-related payments in 2021. Recent high-profile breaches at financial services firm ION Trading UK and a major Asian data center emphasized the grim risk posed by hackers. Even so, the total amount extorted from ransomware victims in 2022 dropped to $456.8 million from $765.6 million the year before, according to data from Chainalysis.

Encryption

Signal Would 'Walk' From UK if Online Safety Bill Undermined Encryption (bbc.co.uk) 42

Bruce66423 writes: The encrypted-messaging app Signal has said it would stop providing services in the UK if a new law undermined encryption. If forced to weaken the privacy of its messaging system under the Online Safety Bill, the organisation "would absolutely, 100% walk" Signal president Meredith Whittaker told the BBC. The government said its proposal was not "a ban on end-to-end encryption". The bill, introduced by Boris Johnson, is currently going through Parliament. Critics say companies could be required by Ofcom to scan messages on encrypted apps for child sexual abuse material or terrorism content under the new law. This has worried firms whose business is enabling private, secure communication.
EU

EU Officials Ban TikTok From Employees' Phones (bbc.com) 18

Staff working at the European Commission have been ordered to remove the TikTok app from their phones and corporate devices. The BBC reports: The commission said it was implementing the measure to "protect data and increase cybersecurity." EU spokeswoman Sonya Gospodinova said the corporate management board of the European Commission, the EU's executive arm, had made the decision for security reasons. "The measure aims to protect the Commission against cybersecurity threats and actions which may be exploited for cyberattacks against the corporate environment of the commission," she said. The ban also means that European Commission staff cannot use TikTok on personal devices that have official apps installed.

The commission says it has around 32,000 permanent and contract employees. They must remove the app as soon as possible and no later than March 15. For those who do not comply by the set deadline, the corporate apps -- such as the commission email and Skype for Business -- will no longer be available. [...] TikTok, owned by Chinese company ByteDance, has faced allegations that it harvests users' data and hands it to the Chinese government.

Security

Hackers Scored Corporate Giants' Logins for Asian Data Centers (bloomberg.com) 6

In an episode that underscores the vulnerability of global computer networks, hackers got ahold of login credentials for data centers in Asia used by some of the world's biggest businesses, a potential bonanza for spying or sabotage, according to a cybersecurity research firm. From a report: The previously unreported data caches involve emails and passwords for customer-support websites for two of the largest data center operators in Asia: Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres, according to Resecurity, which provides cybersecurity services and investigates hackers. About 2,000 customers of GDS and STT GDC were affected. Hackers have logged into the accounts of at least five of them, including China's main foreign exchange and debt trading platform and four others from India, according to Resecurity, which said it infiltrated the hacking group. It's not clear what -- if anything -- the hackers did with the other logins. The information included credentials in varying numbers for some of the world's biggest companies, including Alibaba Group Holding, Amazon, Apple, BMW, Goldman Sachs, Huawei, Microsoft, and Walmart, according to the security firm and hundreds of pages of documents that Bloomberg reviewed.
Security

Sensitive US Military Emails Spill Online (techcrunch.com) 32

The U.S. Department of Defense secured an exposed server on Monday that was spilling internal U.S. military emails to the open internet for the past two weeks, TechCrunch reported Tuesday. From a report: The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. [...] But a misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside using only a web browser, just by knowing its IP address.

[...] The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information.

Security

Coinbase Says Some Employees' Information Stolen By Hackers (techcrunch.com) 15

Crypto exchange Coinbase has confirmed that it was briefly compromised by the same attackers that targeted Twilio, Cloudflare, DoorDash, and more than a hundred other organizations last year. From a report: In a post-mortem of the incident published over the weekend, Coinbase said that the so-called '0ktapus' hackers stole the login credentials of one of its employees in an attempt to remotely gain access to the company's systems. 0ktapus is a hacking group that has targeted more than 130 organizations in 2022 as part of an ongoing effort to steal the credentials of thousands of employees, often by impersonating Okta log-in pages. That figure of 130 organizations is now likely much higher, as a leaked Crowdstrike report seen by TechCrunch claims that the gang is now targeting several tech and video game companies.
Google

Google Chrome's Latest Version Includes Tools To Address Its Memory Hog Problem (theverge.com) 59

Google has released optimization features designed to improve battery life and memory usage on machines running the latest version of its Chrome desktop web browser. From a report: Chrome's new Energy Saver and Memory Saver modes were first announced in December last year alongside the release of Chrome 108, and now as noted by Android Police, the two optimization utilities are starting to roll out globally onto Chrome 110 desktops for Mac, Windows, and Chromebooks.

Memory Saver mode essentially snoozes Chrome tabs that aren't currently in use to free up RAM for more intensive tasks and create a smoother browsing experience. Don't worry if you're a tab hoarder though, as these inactive tabs are still visible and can be reloaded at any time to pick up where you left off. Your most used websites can also be marked as exempt from Memory Saver to ensure they're always running at the maximum possible performance.

Microsoft

Microsoft's Outlook Spam Email Filters Are Broken for Many Right Now (theverge.com) 39

New submitter calicuse writes: Microsoft's Outlook spam filters appear to be broken for many users today. I woke up to more than 20 junk messages in my Focused Inbox in Outlook this morning, and spam emails have kept breaking through on an hourly basis today. Many Outlook users in Europe have also spotted the same thing, with some heading to Twitter to complain about waking up to an inbox full of spam messages. Most of the messages that are making it into Outlook users' inboxes are very clearly spam. Today's issues are particularly bad, after weeks of the Outlook spam filter progressively deteriorating for me personally.
Windows

Windows 11 Slapping a Watermark on 'Unsupported' PCs (gizmodo.com) 184

An anonymous reader shares a report: Did you force your PC to install Windows 11 despite it not meeting the official requirements? Microsoft might start nagging you for doing that -- or at least reminding you that what you've done is against the intended use of its operating system. The January 2023 Windows 11 update is pestering folks who forced the update on their PCs with a persistent watermark on the desktop warning that system requirements haven't been met. The story is circulating among Windows blogs, though I found a couple of instances of folks complaining about the watermark on the official Microsoft support forums.

The watermark says "system requirements not met" and is emblazoned on the desktop's lower right hand corner if the operating system notices that it's running on hardware that doesn't meet the minimum requirements. It's possible the culprit is the dedicated security processor, or TPM 2.0 (Trusted Platform Module) chip, used by services like BitLocker and Windows Hello. Microsoft requires this module before upgrading. It's why many PCs were rendered un-upgradeable when Windows 11 was announced. Most new CPUs and motherboards have capability for it built into them, but the feature wasn't a guaranteed inclusion prior to the Windows 11 launch.

Windows

Ask Slashdot: Should Production Networks Avoid Windows 11? 192

Slashdot reader John Smith 2294 is an IT consultant and system administrator "who started in the days of DEC VAX/VMS," now maintaining networks for small to medium businesses and non-profits. And they're sharing a concern with Slashdot.

"I object to Windows 11 insisting on an outlook.com / Microsoft Account OS login." Sure there are workarounds, but user action or updates can undo them. So I will not be using Windows 11 for science or business any more.... I will be using Win10 refurbs for as long as they are available, and then Mac Mini refurbs and Linux. My first Linux Mint user has been working happily for two months now and I have not heard a word from them.

So, as an IT Admin responsible for business or education networks of 20 users or more, will you be using Windows 11 on your networks or, like me, is this the end of the road for Windows for you too?

I'd thought their concern would be about Windows sending user data to third parties. But are these really big enough reasons for system administrators to be avoiding Windows 11 altogether?

Share your thoughts and experiences in the comments. Should production networks avoid Windows 11?
AI

CBS Explores Whether AI Will Eliminate Jobs -- Especially For Coders (cbsnews.com) 159

"All right, we're going to begin this hour with a question on many people's minds these days, amid all these major developments in the field of artificial intelligence. And that question is this: How long until the machines replace us, take our jobs?"

That's the beginning of a segment broadcast on CBS's morning-television news show (with the headline, "Will artificial intelligence erase jobs?") Some excerpts:


"As artificial intelligence gets better.... job security is only supposed to get worse. And in reports like this one, of the top jobs our AI overlords plan to kill, coding or computing programming is often on the list. So with the indulgence of Sam Zonka, a coder and instructor at the General Assembly coding school in New York, I decided to test the idea of an imminent AI takeover -- by seeing if the software could code for someone who knows as little about computers as me -- eliminating the need to hire someone like him."

Gayle King: "So all this gobbledy-gook on the screen. That's what people who sit in these classrooms learn?"

"And I for one was prepared to be amazed. But take a look at the results. About as basic as a basic web site can be."

King: What do you think? You're the professional.
Zonka: Ehh.

[Microsoft CEO Satya Nadella also spoke to CBS right before the launch of its OpenAI-powered Bing search engine, arguing that AI will create more satisfaction in current jobs as well as more net new jobs -- and even helping the economy across the board. "My biggest worry," Nadella says, "is we need some new technology that starts driving real productivity. It's time for some real innovation."]

King: Do you think it'll drive up wages?
Nadella: I do believe it will drive up wages, because productivity and wages are related.


At the end of the report, King tells his co-anchors "In the long term, the research suggests Nadella is correct. In the long term, more jobs, more money. It's in the short-term that all the pain happens."

The report also features an interview with MIT economist David Autor, saying he believes the rise of AI "does indeed mean millions of jobs are going to change in our lifetime. And what's scary is we're just not sure how.... He points out, for example, that more than 60% of the types of jobs people are doing today didn't even exist in the 1940s -- while many of the jobs that did exist have been replaced."

There was also a quote from Meredith Whittaker (co-founder of the AI Now Institute and former FTC advisor), who notes that AI systems "don't replace human labor. They just require different forms of labor to sort of babysit them to train them, to make sure they're working well. Whose work will be degraded and whose house in the Hamptons will get another wing? I think that's the fundamental question when we look at these technologies and ask questions about work."

Later King tells his co-anchors that Whittaker's suggestion was for workers to organize to try to shape how AI systems are implemented in their workplace.

But at an open house for the General Assembly code camp, coder Zonka says on a scale of 1 to 10, his worry about AI was only a 2. "The problem is that I'm not entirely sure if the AI that would replace me is 10 years from now, 20 years from now, or 5 years from now."

So after speaking to all the experts, King synthesized what he'd learned. "Don't necessarily panic. You see these lists of all the jobs that are going to be eliminated. We're not very good at making those predictions. Things happen in different ways than we expect. And you could actually find an opportunity to make more money, if you figure out how you can complement the machine as opposed to getting replaced by the machine."
Businesses

Amazon Defends Decision to Require Employees in the Office 3 Days a Week (geekwire.com) 173

The Washington Post reports that Amazon has over 1 million workers worldwide — and they want most of them to be back in the office at least three days a week: In a note to employees, chief executive Andy Jassy said that the length of the pandemic had given senior managers time to observe what workplace models work best. They concluded that being in person most of the time had distinct benefits, allowing employees to more easily share ideas, collaborate, train new hires and connect. "Invention is often sloppy. It wanders and meanders and marinates," Jassy wrote. "Serendipitous interactions help it, and there are more of those in-person than virtually."

Amazon is just the latest major company to adopt some version of a return-to-work policy that requires workers to show up at the office for a certain number of days. Walt Disney Co. recently told its staffers to appear in the office four days a week. The Washington Post requires workers based in D.C. to report to headquarters three days a week....

Earlier this month, data tracked by Kastle Systems said 50 percent of workers were now back at their desks — and some experts think that's as high as it will go.

GeekWire notes that Apple has already asked employees to come in three days a week, something Google also expects from most of its staff. GeekWire's article adds that local business organizations applauded Amazon's move, with the Bellevue Chamber calling it "extraordinary news for the health and vitality in downtown." And the site also reports the various reasons Amazon's senior executives gave for favoring employees-in-the-office at least three days a week: "It's easier to learn, model, practice, and strengthen our culture when we're in the office together most of the time and surrounded by our colleagues."

"Collaborating and inventing is easier and more effective when we're in person. The energy and riffing on one another's ideas happen more freely."

"Learning from one another is easier in-person. Being able to walk a few feet to somebody's space and ask them how to do something or how they've handled a particular situation is much easier than Chiming or Slacking them."

"Teams tend to be better connected to one another when they see each other in person more frequently."

That thinking doubles down on a mindset that Jassy expressed before he took over as CEO in 2021 from Amazon founder Jeff Bezos. Jassy said in March 2021 that "invention" is hard to do virtually compared to people brainstorming together in person. "You just don't riff the same way," he said at the time, "so it's really changed the way that we've had to think about how we drive innovation, and how we solicit information from our builders and the types of meetings that we run."

Jassy said there will be a small minority of exceptions to the new return-to-office requirement and that Amazon plans to implement the change effective May 1.

The move takes effect May 1st.
Security

Atlassian and Envoy Briefly Blame Each Other For Data Breach (techcrunch.com) 6

An anonymous reader quotes a report from TechCrunch: Australian software giant Atlassian and Envoy, a startup that provides workplace management services, were at loggerheads on Thursday over a data breach that exposed the data of thousands of Atlassian employees. As first reported by Cyberscoop, a hacking group known as SiegedSec leaked data on Telegram this week that it claimed to have stolen from Atlassian. This data includes the names, email addresses, work departments and phone numbers of approximately 13,200 Atlassian employees, along with floor plans of Atlassian offices located in San Francisco and Sydney, Australia.

Atlassian was quick to point the finger of blame for the breach at Envoy, which the Sydney-headquartered company uses to organize its office spaces. "On February 15, 2023, we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published," Atlassian spokesperson Megan Sutton said in a statement shared with TechCrunch. "Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk." Envoy, however, was just as quick to rebuff Atlassian's claims. Envoy spokesperson April Marks told TechCrunch that the startup is "not aware of any compromise to our systems," adding that initial research had shown that "a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy's app."

Soon after the startup's denial, Atlassian changed its stance to align more closely with Envoy. Atlassian's Sutton told TechCrunch that the company's internal investigation since revealed that attackers had actually compromised Atlassian data from the Envoy app "using an Atlassian employee's credentials that had been mistakenly posted in a public repository by the employee." "As such, the hacking group had access to data visible via the employee account which included the published office floor plans and public Envoy profiles of other Atlassian employees and contractors," Sutton added. "The compromised employee's account was promptly disabled eliminating any further threat to Atlassian's Envoy data. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk."
In a statement to TechCrunch, Envoy's Marks ruled out a breach on its end: "We found evidence in the logs of requests that confirms the hackers obtained valid user credentials from an Atlassian employee account and used that access to download the affected data from Envoy's app."
Security

GoDaddy Says Hackers Stole Source Code, Installed Malware in Multi-Year Breach (bleepingcomputer.com) 23

Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack. From a report: While GoDaddy discovered the security breach in early December 2022 following customer reports that their sites were being used to redirect to random domains, the attackers had access to the company's network for multiple years. "Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy," the hosting firm said in an SEC filing. The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign. The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers breached GoDaddy's WordPress hosting environment using a compromised password. They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.
IT

Disney's Top Asian Video Streaming Service Suffered Outage Due To Apparent Domain Renewal Miss (techcrunch.com) 10

Disney+ Hotstar suffered an outage for some users in India in the middle of a popular cricket match on Friday, drawing flak from customers at a time when the Disney crown jewel is already facing several setbacks in the South Asian market. From a report: It's unclear what prompted the glitch, which Hotstar acknowledged as "unforeseen technical issues" across its apps and web. Domain registrar records show that Hotstar renewed the domain name, Hotstar.com, on February 17. If Disney had briefly lost the ownership of the domain, it would take some time for the new change to reflect to all users.
Security

Researchers Unearth Windows Backdoor That's Unusually Stealthy (arstechnica.com) 33

Researchers have discovered a clever piece of malware that stealthily exfiltrates data and executes malicious code from Windows systems by abusing a feature in Microsoft Internet Information Services (IIS). From a report: IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns the appropriate response. In July 2021, network intelligence company Netcraft said there were 51.6 million instances of IIS spread across 13.5 million unique domains. IIS offers a feature called Failed Request Event Buffering that collects metrics and other data about web requests received from remote clients. Client IP addresses and port and HTTP headers with cookies are two examples of the data that can be collected. FREB helps administrators troubleshoot failed web requests by retrieving ones meeting certain criteria from a buffer and writing them to disk. The mechanism can help determine the cause of 401 or 404 errors or isolate the cause of stalled or aborted requests.

Criminal hackers have figured out how to abuse this FREB feature to smuggle and execute malicious code into protected regions of an already compromised network. The hackers can also use FREB to exfiltrate data from the same protected regions. Because the technique blends in with legitimate web requests, it provides a stealthy way to further burrow into the compromised network. The post-exploit malware that makes this possible has been dubbed Frebniis by researchers from Symantec, who reported on its use on Thursday. Frebniis first ensures FREB is enabled and then hijacks its execution by injecting malicious code into the IIS process memory and causing it to run. Once the code is in place, Frebniis can inspect all HTTP requests received by the IIS server.

Microsoft

Microsoft Outlines Official Support For Windows 11 on Mac with Apple Silicon (windowscentral.com) 53

Microsoft has outlined how users running Apple Silicon-based Macs can utilize Windows 11 in a new support document published today. The document explains how users running Mac devices with either M1 or M2 chips can use Windows 11, either via the cloud or using a local virtualization such as Parallels Desktop. From a report: Unfortunately, the document makes no mention of installing Windows 11 natively on Apple Silicon hardware. Apple's legacy Bootcamp application, which previously allowed Mac users to install Windows into its own bootable partition on a Mac, was removed when Apple transitioned to ARM processors. As of now, Microsoft points to Windows 365 as a potential solution for running Windows 11 on a Mac, using its enterprise service to stream a Windows 11 PC from the cloud. [...] For those users, Microsoft also mentions Parallels Desktop as a viable alternative. Version 18 of Parallels Desktop is now officially authorized to run Windows 11 on ARM on a Mac with M1 or M2 processors. This is the only way to officially run Windows 11 on ARM locally on a Mac with Apple Silicon.
