Microsoft

Microsoft Is Disabling SMB1 File-Sharing Protocol in Windows 11 Home (zdnet.com)

joshuark shares a report: Microsoft's Windows 10 operating system already disables by default SMB (Server Message Block) version 1, the 30-year-old file-sharing protocol. Now the company is doing the same with Windows 11 Home Dev Channel test builds, officials announced on April 19. SMB1 is considered outdated and not secure. However, some users with very old equipment may be in for a surprise if their Windows 11 laptops can't connect to an old networked hard drive, as officials said in a blog post about the SMB1 phase-out plan. "There is no edition of Windows 11 Insider that has any part of SMB1 enabled by default anymore. At the next major release of Windows 11, that will be the default behavior as well," said Ned Pyle, Principal Program Manager. "Like always, this doesn't affect in-place upgrades of machines where you were already using SMB1. SMB1 is not gone here, an admin can still intentionally reinstall it," Pyle added.
EU

EU Consumer Protection Committee Votes To Expand Scope of Common Charger Rules (techcrunch.com)

European Union lawmakers have taken a step closer to agreeing rules to standardize how a range of mobile gadgetry is charged. From a report: Today MEPs in the European Parliament's internal market and consumer protection (IMCO) committee adopted their position on a Commission proposal announced last fall, ahead of a full vote by the parliament next month to confirm how it will negotiate with Member State governments on the detail of the legislation. The Council adopted its position on the common charger proposal back in January. The IMCO committee voted 43:2 in favor of a negotiation position that will push to standardize charger ports for a range of mobile devices on USB Type-C, including smartphones, tablets, handheld games consoles, e-readers, digital cameras, electronic toys and more -- with MEPs voting to expand the original proposal to cover laptops, among other additional products.
Spam

FaceTime Users Bombarded With Group Call Spam (arstechnica.com)

FaceTime users are getting bombarded with group calls from numbers they've never seen before, often as many as 20 times in short succession during late hours of the night. From a report: Griefers behind the pranks call as many as 31 numbers at a time. When a person receiving one of the calls hangs up, a different number will immediately call back. FaceTime doesn't have the ability to accept only FaceTime calls coming from people in the user's address book. It also requires that all numbers in a group call must be manually blocked for the call to be stopped. "I got my first facetime spam starting 4 days ago," one user reported to an Apple support forum earlier this month. "It has been non-stop, over 300 numbers blocked so far. My 3 year old daughter has been accidentally answering them and going on video without a t-shirt on." The high volume of callbacks appears to be the result of other people receiving the call dialing everyone back when the initial call fails shortly after answering. As more and more people receive follow-on calls, they too begin making callbacks. Apple provides surprisingly few ways for users to stop the nuisance calls. As noted earlier, users can block numbers, but this requires manually blocking each individual person on the group call. That's not an effective solution for people receiving dozens of group calls, often to a different group of people in a short period of time, often in the wee hours.
Businesses

Insteon Looks Dead, Just Like Its Users' Smart Homes (arstechnica.com)

The smart home company Insteon has vanished. The entire company seems to have abruptly shut down just before the weekend, breaking users' cloud-dependent smart-home setups without warning. From a report: Users say the service has been down for three days now despite the company status page saying, "All Services Online." The company forums are down, and no one is replying to users on social media. As Internet of Things reporter Stacey Higginbotham points out, high-ranking Insteon executives, including CEO Rob Lilleness, have scrubbed the company from their LinkedIn accounts. In the time it took to write this article, Lilleness also removed his name and picture from his LinkedIn profile. It seems like that is the most communication longtime Insteon customers are going to get.

Insteon is (or, more likely, "was") a smart home company that produced a variety of Internet-connected lights, thermostats, plugs, sensors, and of course, the Insteon Hub. At the core of the company was Insteon's proprietary networking protocol, which was a competitor to more popular and licensable alternatives like Z-Wave and Zigbee. Insteon's "unique and patented dual-mesh technology" used both a 900 MHz wireless protocol and powerline networking, which the company said created a more reliable network than wireless alone. The Insteon Hub would bridge all your gear to the Internet and enable use of the Insteon app.

Security

Hackers Can Infect Over 100 Lenovo Models With Unremovable Malware (arstechnica.com)

Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect. Ars Technica reports: Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer's UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it's the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.

Two of the vulnerabilities -- tracked as CVE-2021-3971 and CVE-2021-3972 -- reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without being properly deactivated. Hackers can exploit these buggy drivers to disable protections, including UEFI secure boot, BIOS control register bits, and protected range register, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorized changes to the firmware it runs. After discovering and analyzing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970. It allows hackers to run malicious firmware when a machine is put into system management mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management.
"All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges," notes Ars Technica's Dan Goodin. "The bar for that kind of access is high and would likely require exploiting one or more critical other vulnerabilities elsewhere that would already put a user at considerable risk."

Still, it's worth looking to see if you have an affected model and, if so, patch your computer as soon as possible.
Businesses

Bosses Don't Follow Their Own Advice In Returning To the Office (bloomberg.com)

Bosses are hellbent on getting their staff back into the office. It's just that the rules don't necessarily apply to them. Bloomberg reports: While 35% of non-executive employees are in the office five days a week, only 19% of executives can say the same thing, according to a survey conducted by Future Forum, a research consortium supported by the Slack messaging channel. Of the percentage of employees who move to work, more than half say they would like to have at least some flexibility, and non-executive workers generally say that work-life balance is much worse than that of their bosses. Moreover, the disparity is increasing. In the fourth quarter of 2021, non-executive employees were approximately 1.3 times more likely than their bosses to be completely in the office. Now, the probability is almost twice as high, and the proportion of non-executives working from the office five days a week is the highest since the survey began in June 2020, according to the more than 10,000 administrative workers surveyed in the United States, Australia and France, Germany, Japan and the United Kingdom.

The gap points to a double standard in back-to-office messaging: executives, from Bank of America Corp. to Alphabet Inc.'s Google, urge their workers to return in part to increase face-to-face collaboration, but the bosses themselves are somewhat exempt. Companies are also trying to justify long-term office leases or state-of-the-art locations like Apple Park in Cupertino, California. [...] As the back-to-office policy debate evolves, Future Forum recommends flexible schedules and location to retain top talent, even if it means breaking cultural traditions and developing new workflows. "People being in the office gives the illusion of control, but it's just an illusion," [Brian Elliott, executive director of Future Forum] said. "It doesn't mean they're being productive."

Businesses

Former EBay Security Director To Plead Guilty To Cyberstalking (bloomberg.com)

Former eBay security director Jim Baugh will plead guilty to running a bizarre 2019 cyberstalking campaign against a couple who ran a website critical of the company, Bloomberg reported Tuesday, citing a person familiar with the matter. From a report: Baugh had been scheduled to face trial in late May. In a court filing on Tuesday, his defense attorney, William Fick, asked a federal judge in Boston to allow Baugh to change his plea via videoconference. Five other former eBay employees have already admitted to roles in a cross-country campaign designed to intimidate Ina and David Steiner of Natick, Mass. Several were expected to testify against Baugh. Another eBay employee, former global resiliency director David Harville, is scheduled to face trial in May. Ina Steiner's reporting about eBay on the couple's site eCommerce Bytes upset the company's then-Chief Executive Officer Devin Wenig, whose compensation package she revealed. "Take her down," Wenig texted his then-communications chief Steve Wymer, according to prosecutors.
Piracy

DuckDuckGo Insists It Didn't 'Purge' Piracy Sites From Search Results (theverge.com)

An anonymous reader shares a report: Users of privacy-focused search engine DuckDuckGo have been unable to site search the domains of some well-known pirated media sites recently, as reported by TorrentFreak on Friday. This follows a News Punch article last month calling out DuckDuckGo for "purging" independent media sources from search results, and naming them "Google Lite." DuckDuckGo's CEO Gabriel Weinberg called the News Punch piece "completely made up" in a Twitter thread over the weekend to respond to the public and address both issues.

To observers, it seemed as if DuckDuckGo had de-indexed searches for copyright-flouting media download sites like The Pirate Bay and Fmovies, and even a site search for the open-source tool youtube-dl came up empty. TorrentFreak later updated its report citing a company spokesperson blaming the issue on Bing search data, which DuckDuckGo relies upon. Weinberg insisted the company is not purging any results and said that site search results are not appearing due to site operator error. "Anyone can verify this by searching for an outlet and see it come up in results," Weinberg tweeted.

Google

Google Docs Starts Nudging Some Users To Write Less Dumbly

Many users have started to report that they are seeing suggestions -- such as grammar and spelling fixes -- to improve their writing when using Google Docs. The company made the announcement about this earlier this month. From a report: A purple squiggly line will appear under suggestions to help make your writing more concise, inclusive, active, or to warn you away from inappropriate words. These new Google suggestions have long been available via third-party services like Grammarly, which is able to integrate with Google Docs and aims to help improve the quality of your writing. Depending on the quality of Google's native suggestions, it could vastly reduce the need for these third-party services. Does it count as "sherlocking" when someone other than Apple does it? The catch is that Google isn't rolling out these assistive writing features to all of its Workspace plans. It says the "Tone and Style" suggestions will be available for "Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, [and] Education Plus" subscribers.
Encryption

Researchers Break World Record For Quantum-Encrypted Communications (engadget.com)

Researchers in Beijing have set a new quantum secure direct communication (QSDC) world record of 102.2 km (64 miles), smashing the previous mark of 18 km (11 miles), The Eurasian Times reported. Engadget reports: Transmission speeds were extremely slow at 0.54 bits per second, but still good enough for text message and phone call encryption over a distance of 30 km (19 miles), wrote research lead Long Guilu in Nature. The work could eventually lead to hack-proof communication, as any eavesdropping attempt on a quantum line can be instantly detected. QSDC uses the principle of entanglement to secure networks. Quantum physics dictates that entangled particles are linked, so that if you change the property of one by measuring it, the other will instantly change, too -- effectively making hacking impossible. In theory, the particles stay linked even if they're light-years apart, so such systems should work over great distances.

The same research team set the previous fiber record, and devised a "novel design of physical system with a new protocol" to achieve the longer distance. They simplified it by eliminating the "complicated active compensation subsystem" used in the previous model. "This enables an ultra-low quantum bit error rate (QBER) and the long-term stability against environmental noises." As a result, the system can withstand much more so-called channel loss that makes it impossible to decode encrypted messages. That in turn allowed them to extend the fiber from 28.3 km to the record 102.2 km distance. "The experiment shows that intercity quantum secure direct communication through the fiber is feasible with present-day technology," the team wrote in Nature.

Spam

Americans Are Drowning In Spam (axios.com)

An anonymous reader quotes a report from Axios: The average American received roughly 42 spam texts just in the month of March, according to new data from RoboKiller, an app that blocks spam calls and texts. Spammers like using text messages because of their high open rates -- and are now even mimicking targets' own phone numbers to get them to click malicious links, the New York Times reported. "Just like with robocalls, it's extremely easy to deploy [spam texts] in enormous volume and hide your identity," Will Maxson, assistant director of the FTC's division of marketing practices, told Axios. "There's a large number of actors all over the world trying to squeeze spam into the network from almost an infinite number of entry points all the time."

It's not just texts. Every form of spam is on the rise. There were more spam calls last month than in any of the previous six months, per YouMail's Robocall Index. Spam emails rose by 30% from 2020 to 2021, according to a January report from the Washington Post. There was an unprecedented increase in social media scams last year, according to data from the Federal Trade Commission. Many scams were related to bogus cryptocurrency investments.

Experts attribute the sharp increase in spam to the pandemic. People's increased reliance on digital communications turned them into ready targets. The Federal Communications Commission saw a nearly 146% increase in the number of complaints about unwanted text messages in 2020. Americans reported losing $131 million to fraud schemes initiated by text in 2021, a jump of over 50% from the year before, according to data from the FTC.

The Courts

Web Scraping is Legal, US Appeals Court Reaffirms (techcrunch.com)

Good news for archivists, academics, researchers and journalists: Scraping publicly accessible data is legal, according to a U.S. appeals court ruling. From a report: The landmark ruling by the U.S. Ninth Circuit of Appeals is the latest in a long-running legal battle brought by LinkedIn aimed at stopping a rival company from scraping personal information from users' public profiles. The case reached the U.S. Supreme Court last year but was sent back to the Ninth Circuit for the original appeals court to re-review the case. In its second ruling on Monday, the Ninth Circuit reaffirmed its original decision and found that scraping data that is publicly accessible on the internet is not a violation of the Computer Fraud and Abuse Act, or CFAA, which governs what constitutes computer hacking under U.S. law.

The Ninth Circuit's decision is a major win for archivists, academics, researchers and journalists who use tools to mass collect, or scrape, information that is publicly accessible on the internet. Without a ruling in place, long-running projects to archive websites no longer online and using publicly accessible data for academic and research studies have been left in legal limbo. But there have been egregious cases of scraping that have sparked privacy and security concerns. Facial recognition startup Clearview AI claims to have scraped billions of social media profile photos, prompting several tech giants to file lawsuits against the startup. Several companies, including Facebook, Instagram, Parler, Venmo and Clubhouse have all had users' data scraped over the years.

Encryption

British Encryption Startup Arqit Overstates Its Prospects, Former Staff and Others Say (wsj.com)

Arqit says its encryption system can't be broken by quantum computers, but former employees and people outside the company question the relevance of its technology. The Wall Street Journal: A U.K. cybersecurity startup rocketed to a multibillion-dollar valuation when it listed publicly last fall on the promise of making encryption technology that would protect the defense industry, corporations and consumers alike from the prying eyes of next-generation computer systems. Founder and Chief Executive David Williams told investors at the time that his company, Arqit Quantum, had an "impressive backlog" of revenue and was ready "for hyperscale growth." But Arqit has given investors an overly optimistic view of its future revenue and the readiness and workability of its signature encryption system, according to former employees and other people familiar with the company, and documents viewed by The Wall Street Journal.

While the company says it has a solution to a quantum-computing security challenge that U.S. intelligence last year said "could be devastating to national security systems and the nation," government cybersecurity experts in the U.S. and the U.K. have cast doubt on the utility of Arqit's system. Arqit's stock price reached its highest level to date of $38.06 on Nov. 30 and has since fallen, to $15.06 on April 14, amid a broad pullback of young tech stocks. When the company secured its Nasdaq listing last autumn, its revenue consisted of a handful of government grants and small research contracts, and its signature product was an early-stage prototype unable to encrypt anything in practical use, according to the people. The encryption technology the company hinges on -- a system to protect against next-generation quantum computers -- might never apply beyond niche uses, numerous people inside and outside the company warned, unless there were a major overhaul of internet protocols. Arqit disputed that its encryption system was only a prototype at the company's market debut. "This was a live production software release and not a demonstration or trial," said a company representative. "It was being used by enterprise customers on that day and subsequently for testing and integration purposes, because they need to build Arqit's software into their products."

Security

Catalan Independence Leaders Targeted By Spyware, Rights Group Says (reuters.com)

Catalonia's regional leader accused the Spanish government on Monday of spying on its citizens after a rights group said his phone and dozens more belonging to Catalan pro-independence figures had been infected with spyware used by sovereign states. From a report: The Citizen Lab digital rights group found more than 60 people linked to the Catalan separatist movement, including several members of the European Parliament, other politicians, lawyers and activists, had been targeted with "Pegasus" spyware made by Israel's NSO Group after a failed independence bid. NSO, which markets the software as a law-enforcement tool, said Citizen Lab and Amnesty International, which was not involved in this investigation but has published previous studies about Pegasus, had produced inaccurate and unsubstantiated reports to target the company.
Security

DeFi Project Beanstalk Loses $182 Million in Flash Loan Attack (bloomberg.com)

Decentralized finance project Beanstalk Farms suffered one of the largest-ever flash-loan exploits on Sunday, sending its price tumbling. From a report: The credit-focused, Ethereum-based stablecoin protocol suffered a total loss of around $182 million and the attacker got away with around $80 million of crypto tokens, according to blockchain security firm PeckShield, which had flagged the incident on Twitter. The project's native token BEAN fell about 75% from its $1 peg against the dollar, pricing from CoinGecko showed. The protocol's creators disclosed their identities on Beanstalk's Discord server, and said that they were not involved in the attack. "We are not aware of the identity of the individuals who were involved. Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial," the founders wrote. It isn't yet clear whether investors who lost funds will be reimbursed -- or if so, how and to what extent. Unlike traditional lending, which requires a loan to be secured with collateral or credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security. Flash loans, where the entire process of borrowing and returning the loan happens in a single transaction on the blockchain, are fairly popular among arbitrage traders.
Security

GitHub Issues Security Alert After Spotting Misuse of Tokens Stolen from OAuth Integrators (github.blog)

GitHub issued a security alert Friday.

GitHub's chief security officer wrote that on Tuesday, "GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm..."

We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14...

Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.

We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves.

The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key. Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above. Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm's internal use of these compromised applications.

We believe that the two impacts to npm are unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage.

At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages.

npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack. Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.

Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to respond and protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users.... GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com. These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours. If you do not receive a notification, you and/or your organization have not been identified as affected.

You should, however, periodically review what OAuth applications you've authorized or are authorized to access your organization and prune anything that's no longer needed. You can also review your organization audit logs and user account security logs for unexpected or anomalous activity....

The security and trustworthiness of GitHub, npm, and the broader developer ecosystem is our highest priority. Our investigation is ongoing, and we will update this blog, and our communications with affected customers, as we learn more.

Crime

'How Cryptocurrency Gave Birth to the Ransomware Epidemic' (vice.com)

"Cryptocurrency has changed the game of cybercrime," argues Vice's Christian Devolu, in a new episode of their video series CRYPTOLAND. "Hackers and cybergangs have been locking down the data of large corporations, police departments, and even hospitals, and demanding ransom — and guess what they're asking for? Cryptocurrency!"

In short, argues an article accompanying the episode, cryptocurrency "gave birth to the ransomware epidemic."

Slashdot reader em1ly shares one highlight from the video: The team visits a school district in Missouri ["just one of around 1,000 U.S. schools hacked last year with ransomware"] that was the victim of a ransomware attack. ["Luckily, the school's backups were not impacted...."]
Another interesting observation from the article: When ransom payments do happen, companies like Chainalysis can track the Bitcoin through the blockchain, identifying the hackers' wallets and collaborating with law enforcement in an attempt to recover the funds or identify the hackers themselves.
Privacy

Cisco's Webex App Phoned Home Audio Telemetry Even When Muted (theregister.com)

Boffins at two US universities have found that muting popular native video-conferencing apps fails to disable device microphones -- and that these apps have the ability to access audio data when muted, or actually do so. The research is described in a paper titled "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps." The Register reports: Among the apps studied -- Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord -- most presented only limited or theoretical privacy concerns. The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off. "We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted," the paper says. "Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button." They found that Webex, every minute or so, sends network packets "containing audio-derived telemetry data to its servers, even when the microphone was muted."

This telemetry data is not recorded sound but an audio-derived value that corresponds with the volume level of background activities. Nonetheless, the data proved sufficient for the researchers to construct an 82 per cent accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities -- e.g. cooking, cleaning, typing, etc. -- in the room where the app is active. Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system's socket interface, Webex did not. "Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API," the paper says, noting that the app's monitoring behavior is inconsistent with the Webex privacy policy. The app's privacy policy states Cisco Webex Meetings does not "monitor or interfere with you your [sic] meeting traffic or content."
After the researchers reached out about their findings, Cisco altered Webex so it no longer transmits microphone telemetry data. "Cisco is aware of this report, and thanks the researchers for notifying us about their research," said a Cisco spokesperson. "Webex uses microphone telemetry data to tell a user they are muted, referred to as the 'mute notification' feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex."
Security

Cybercriminals Are Doing Their Homework in Latest Banking Scam (theregister.com)

A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge. From a report: The FBI's Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done their homework. "In addition to knowing the victim's financial institution, the actors often had further information such as the victim's past addresses, social security number, and the last four digits of their bank accounts," the IC3 said.

The con starts off as many that target individuals do nowadays: with a text message. In this case it's not a phishing attempt, it's an attempt to ascertain whether the person receiving the message is susceptible to further manipulation. Posing as the target's bank, the message asks whether a large charge ($5,000 in the example the FBI gives) was legitimate and asks for a reply of YES or NO. Replying no leads to a follow-up text: "Our fraud specialist will be contacting you shortly." This is where social engineering comes in, and the FBI is painting a picture of a sophisticated operation. The "fraud specialists" contacting users reportedly "speak English without a discernible accent," and once they establish credibility with the victim they move on to "helping" them "reverse" the fake transaction.

It gets even more insidious here: The charges being disputed aren't bank charges directly: they are payments being made through an instant payment app like Venmo or CashApp. The fraudster never asks for a password or any information that might clue someone in that they're being strung along. Instead, the caller asks the victim to use their bank website or app to remove their email address from the digital payment app (thereby unlinking the app and bank account), which the fraudster then asks for. Next, the victim is asked to send the same amount as the fake payment to themselves using their own email address, which has already been added to an account the criminal controls.

Chrome

Google Issues Third Emergency Fix for Chrome This Year (theregister.com)

Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. From a report: The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. It is the third such emergency update Google has had to issue for Chrome this year. One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being used by attackers. With a type confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access. This incompatibility can cause a browser to crash or trigger logical errors. However, if exploited, it could enable a hacker to execute arbitrary code.
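As an added illustration of the type confusion class the passage describes (this is not code from Google, the Chromium project, or the CVE-2022-1364 fix): a tiny tagged-object layout of the kind a script engine keeps, where an unchecked accessor reinterprets an integer object as a string object, beside the tag-checked accessor that refuses the mismatched access. The object layout, tags and function names are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged-object model. A real engine stores many object kinds
 * behind one header; the runtime tag is the only thing that says which
 * payload follows it. */
typedef enum { OBJ_INT = 1, OBJ_STR = 2 } obj_type;

typedef struct { obj_type type; } obj_header;

typedef struct {
    obj_header hdr;
    long value;               /* payload for OBJ_INT */
} int_obj;

typedef struct {
    obj_header hdr;
    size_t len;               /* number of valid bytes in data */
    const char *data;         /* payload for OBJ_STR */
} str_obj;

/* Vulnerable pattern (CWE-843): trusts the caller's assumption that o is a
 * string. If o is really an int_obj, 'len' aliases the integer payload and
 * 'data' lies past the end of the smaller object, so any length-bounded
 * copy that follows reads memory it was never meant to touch. */
long str_len_unchecked(const obj_header *o)
{
    const str_obj *s = (const str_obj *)o;   /* no tag check */
    return (long)s->len;
}

/* Hardened: verify the runtime tag before reinterpreting the object. */
long str_len_checked(const obj_header *o)
{
    if (o == NULL || o->type != OBJ_STR)
        return -1;                            /* refuse the confused access */
    const str_obj *s = (const str_obj *)o;
    return (long)s->len;
}

/* Copy at most n bytes of a string object into out. Returns the number of
 * bytes copied, or -1 when the object is not a string: the check happens
 * before the cast, so the length and pointer are only read from a real
 * str_obj. */
long str_copy_checked(const obj_header *o, char *out, size_t n)
{
    if (o == NULL || out == NULL || o->type != OBJ_STR)
        return -1;
    const str_obj *s = (const str_obj *)o;
    size_t k = s->len < n ? s->len : n;
    memcpy(out, s->data, k);
    return (long)k;
}

int main(void)
{
    /* Constructed sample objects. */
    str_obj s = { { OBJ_STR }, 5, "hello" };
    int_obj i = { { OBJ_INT }, 1000000 };

    printf("checked len of str: %ld\n", str_len_checked(&s.hdr));   /* 5  */
    printf("checked len of int: %ld\n", str_len_checked(&i.hdr));   /* -1 */
    /* The unchecked accessor treats the integer payload as a string length,
     * which is exactly the confused read the passage describes. */
    printf("unchecked len of int: %ld\n", str_len_unchecked(&i.hdr));
    return 0;
}
```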
