Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. From a report: The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. It is the third such emergency update Google has had to issue for Chrome this year. One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being used by attackers. With a type confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access. This incompatibility can cause a browser to crash or trigger logical errors. However, if exploited, it could enable a hacker to execute arbitrary code.

The Git team has issued an update to fix a bug in Git for Windows that "affects multi-user hardware where untrusted parties have write access to the same hard disk," reports The Register. Specifically, the update is concerned with CVE-2022-24765. From the report: Arguably, if an "untrusted party" has write access to a hard disk, then all bets are off when it comes to the nooks and crannies of a PC anyway. In this case, the miscreants would only need to create the folder c:\.git, "which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory," according to NIST. The result is that Git would use the config in the directory.

NIST went on to list potentially vulnerable products, which included Visual Studio. "Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash." The Git team was little blunter about the vulnerability, and warned that "Merely having a Git-aware prompt that runs 'git status' (or 'git diff') and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user." [...] To deal with the issue, the Git team recommends an update. Alternatively, a user could create that .git folder themselves and remove read/write access as workaround or "define or extend 'GIT_CEILING_DIRECTORIES' to cover the parent directory of the user profile," according to NIST.

wiredmikey writes: The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers. A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation. Privately owned ICS security firm Dragos issued a separate notice documenting what is now the seventh known industrial control system (ICS)-specific malware. "[This] is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment," the company said.

Gergely Orosz: We are in the middle of the longest outage Atlassian has had. Close to 400 companies and anywhere from 50,000 to 400,000 users had no access to JIRA, Confluence, OpsGenie, JIRA Status page, and other Atlassian Cloud services. The outage is its 9th day, having started on Monday, 4th of April. Atlassian estimates many impacted customers will be unable to access their services for another two weeks. At the time of writing, 45% of companies have seen their access restored. For most of this outage, Atlassian has gone silent in communications across their main channels such as Twitter or the community forums. It took until Day 9 for executives at the company to acknowledge the outage.

While the company stayed silent, outage news started trending in niche communities. In these forums, people tried to guess causes of the outage, wonder why there is full radio silence, and many took to mocking the company for how it is handling the situation. Atlassian did no better with communicating with customers during this time. Impacted companies received templated emails and no answers to their questions. After I tweeted about this outage, several Atlassian customers turned to me to vent about the situation, and hope I can offer more details. Customers claimed how the company's statements made it seem they received support, which they, in fact, did not. Several customers hoped I could help get the attention of the company which had not given them any details, beyond telling them to wait weeks until their data is restored.

An anonymous reader quotes a report from Wired: More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station's circuit breakers and turn off the lights to a fraction of Ukraine's capital. That unprecedented specimen of industrial control system malware has never been seen again -- until now: In the midst of Russia's brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia's GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia's most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review today, stated that power had been temporarily switched off to nine electrical substations. Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine's deputy minister of energy. [...] The revelation of Sandworm's attempted blackout attack provides more evidence that Russia's invasion of Ukraine has been accompanied by a new wave of cyberattacks on the country's networks and critical infrastructure, though with only mixed success.

Dell employees in the Netherlands will be able to work four days a week from this month, a director of Dell Technologies Netherlands has confirmed to The Register. From the report: The news comes just weeks before what is touted to be the biggest ever 4-day working week trial begins in the UK. Isabel Moll, newly appointed vice president and general manager at Dell Netherlands, told us the part-time pilot has already been rolled out by the Dutch and Argentinian operations. "On April 1 we welcomed our first starter, and we're currently in the late phases of the interviewing process with [another]. We're hoping to welcome many other candidates in the near future, once the word spreads more and more." She noted that the scheme was also open to existing employees, with pay corresponding to hours worked.

Speaking to local financial news daily Financieele Dagblad, Dell GM Moll described the April Argentinian and Dutch pilot as addressing both the issues of scarcity in the labor market and a way to bring in a more diverse group, including women and younger people, who are no longer interested in working until "they drop" or have other obligations. She said such people often end up leaving the sector, to its detriment, or use their technical skills in other sectors which have less intensive hours, telling the paper: "Working harder won't pay off, because the pond is empty..."

Russian military hackers tried and failed to attack Ukraine's energy infrastructure last week, the country's government and a major cybersecurity company said Tuesday. From a report: The attack was designed to infiltrate computers connected to multiple substations, then delete all files, which would shut that infrastructure down, according to Ukraine's summary of the incident. ESET, a Slovakia-based cybersecurity company working to help secure Ukrainian infrastructure, said in a summary of the attack that it was conducted by the same arm of Russia's military intelligence agency, GRU, that had previously successfully executed similar attacks in 2014 and 2015. In both of those incidents, some residents of Kyiv temporarily lost power. This attack had been planned for at least two weeks, ESET said. Since Russia began its invasion in February, Ukraine hasn't been hit by any attacks as visibly destructive as those previous hacks of Kyiv energy companies. But Ukraine has faced multiple so-called "wiper" attacks, including ones that have targeted computers in Ukraine's government, financial institutions and internet service providers. Those attacks also look to mass-delete files from hacked computers.

U.S. and European authorities said on Tuesday they had seized RaidForums, a popular website used by hackers to buy and sell stolen data, and the United States also unsealed charges against the website's founder and chief administrator Diego Santos Coelho. From a report: Coelho, 21, of Portugal, was arrested in the United Kingdom on Jan. 31, and remains in custody while the United States seeks his extradition to stand trial in the U.S. District Court for the Eastern District of Virginia, the U.S. Justice Department said. The department said it had obtained court approval to seize three different domain names that hosted the RaidForums website: raidforums.com, Rf.ws and Raid.lol. Among the types of data that were available for sale on the site included stolen bank routing and account numbers, credit card information, log-in credentials and social security numbers.

David Spirk, the chief data officer for America's Department of Defense, "called for the Pentagon to make urgent investments to defend against potential espionage from quantum computers" that could crack the encryption on sensitive data, Bloomberg reports: "I don't think that there's enough senior leaders getting their heads around the implications of quantum," Spirk said. "Like AI, I think that's a new wave of compute that when it arrives is going to be a pretty shocking moment to industry and government alike."

"We have to pick up pace because we have competitors who are also attempting to accelerate," he added.

Spirk's comments come amid warnings that U.S. adversaries, particularly China, are aggressively pursuing advanced technologies that could radically accelerate the pace of modern warfare. China is investing in AI and quantum sciences as part of its plan to become an innovation superpower, according to the Pentagon's latest annual report to Congress on China's military power. China is "at or near the lead on numerous science fields," including AI and quantum, it said. The National Security Agency, meanwhile, said last year that the adversarial use of a quantum computer "could be devastating" to the U.S. and its national security systems. The NSA said it could take 20 years or more to roll out new post-quantum cryptography that would resist such code-cracking.

Tim Gorman, a spokesperson at the Pentagon, said the Department of Defense was taking post-quantum cryptography seriously and coordinating with Congress and across government agencies. He added there was "a significant effort" underway.

A January presidential memo further charged agencies with establishing a timeline for transitioning to quantum resistant cryptography.

"Enabling developer productivity has become a key vector in every organization's success," writes Matt Asay at InfoWorld — not a nice-to-have feature but a must-have.

"Which is why, perhaps ironically, the best way to set your developers free may actually be to fetter their freedom." The more developers mattered, the more everyone wanted to cater to their needs with new software tools, new open source projects, new cloud services, etc. This meant lots of new developer choice and associated freedom, but that wasn't necessarily an unalloyed good. As RedMonk analyst Steven O'Grady noted in 2017, "The good news is that this developer-driven fragmentation has yielded an incredible array of open source software. The bad news is that, even for developers, managing this fragmentation is challenging."

Can one have too much choice? Yep.

It's long been known in consumer retail, for example, that when there is too much choice, "consumers are less likely to buy anything at all, and if they do buy, they are less satisfied with their selection." Turns out this isn't just a matter of breakfast cereals or clothing. It also applies to developers building enterprise software. InfoWorld's Scott Carey writes that "complexity is killing software developers." He's right. But what can be done?

In a conversation with Weaveworks CEO Alexis Richardson, he related how self-service development platforms are reemerging to help developers make sense of all that open source and cloud choice. By giving developers "a standard, pre-approved environment in which the effort to create an app from an idea is minimal," he explained, it allows them to "focus on innovation not plumbing."
"Done right, a little bit of constraint goes a long way..." Asay argues, touting the benefits of PaaS (platform as a service) self-service development platforms. ("Enterprises that want to give their developers the freedom the cloud affords can couple it with just enough constraint to make that freedom useful....")

Asay argues that "However you approach it, the point is to stop thinking about freedom and control as impossibly opposed. Smart enterprises are figuring out ways to enable their developers using self-service platforms. Maybe you should, too."

An anonymous reader quotes a report from Ars Technica: Since its launch, the Raspberry Pi OS (and most operating systems based on it) has shipped with a default "pi" user account, making it simpler to boot up a Pi and start working without needing to hook up the device to a monitor or go through a multi-step setup process. But as of today, that's changing -- new installs of the Raspberry Pi OS are shedding that default user account for both security and regulatory reasons.

Raspberry Pi Foundation software engineer Simon Long explains the thinking in this blog post. "[The "pi" user account] could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials," he writes. This move will improve the Pi operating system's security.

Before, even if you assigned a good password to the "pi" account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the "pi" username. Many Pi OS-based operating systems also ship with the default "pi" user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place. The flip side is that the change could break some software and scripts, particularly those that are hard-coded to use the "pi" user account and home folder. "[T]he Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment," adds Ars. "And that setup wizard now prompts you to create a username and password rather than simply assigning a password to the default 'pi' user account. To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first."

The new version of the Pi OS also includes experimental support for the Wayland display server protocol, but Long says most people should ignore it for now since it's explicitly labeled as "experimental."

OneHundredAndTen writes: It would seem that a majority of managers have decided to launch a campaign of threats to force people back into the office. From the report: About 77% of managers said they'd be willing to implement "severe consequences" -- including firing workers or cutting pay and benefits -- on those who refuse to return to the office, according to a recent survey by employment background check company GoodHire of 3,500 American managers.

Microsoft has rolled out a new security feature called Smart App Control with Windows 11. From a report: "Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications," Microsoft vice president David Weston explains. "It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals." Smart App Control is interesting because it will be enabled by default on new Windows PCs in the future. But if you upgrade to whatever version of Windows 11 that enables this feature on an existing install, you will have to use Reset this PC to reset Windows 11 and clean install it. That is, I believe, unprecedented.

Talent shortages, geopolitical disruption, currency fluctuations and inflation aren't expected to have an impact on IT investments in 2022. In fact, research firm Gartner forecasts a four percent increase in worldwide IT spending this year amid all the turmoil. From a report: "Contrary to what we saw at the start of 2020, CIOs are accelerating IT investments as they recognize the importance of flexibility and agility in responding to disruption," said John-David Lovelock, research vice president at Gartner. As such, Gartner anticipates heavy spending on IT services including analytics, cloud computing and security. [...] Collective spending across all IT categories totaled nearly $4.3 trillion in 2021. This year, organizations are expected to shell out more than $4.4 trillion. Growth in categories like IT services and software is forecasted to increase by 6.8 percent and 9.8 percent, respectively. In 2023, the software category could see double-digit growth thanks to experimental end-consumer experiences and supply chain optimizations.

An anonymous reader quotes a report from Ars Technica: Facebook today reported an increase in attacks on accounts run by Ukraine military personnel. In some cases, attackers took over accounts and posted "videos calling on the Army to surrender," but Facebook said it blocked sharing of the videos. Specifically, Facebook owner Meta's Q1 2022 Adversarial Threat Report said it has "seen a further spike in compromise attempts aimed at members of the Ukrainian military by Ghostwriter," a hacking campaign that "typically targets people through email compromise and then uses that to gain access to their social media accounts across the Internet." Ghostwriter has been linked to the Belarusian government.

"Since our last public update [on February 27], this group has attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel," Meta wrote today. Ghostwriter successfully hacked into the accounts in "a handful of cases" in which "they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners. We blocked these videos from being shared." In its February 27 update, Meta said it detected Ghostwriter's "attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender." Meta said it had "taken steps to secure accounts that we believe were targeted by this threat actor" and "blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts." But Ghostwriter continued its operations and hacked into accounts of Ukrainian military personnel, as previously mentioned.

Separately, Facebook recently removed a network of Russian accounts that were trying to silence Ukrainians by reporting "fictitious policy violations." "Under our Inauthentic Behavior policy against mass reporting, we removed a network in Russia for abusing our reporting tools to repeatedly report people in Ukraine and in Russia for fictitious policy violations of Facebook policies in an attempt to silence them," Meta said today. Providing more detail in its quarterly report, Meta said the removed network included 200 accounts operated from Russia. "The individuals behind it coordinated to falsely report people for various violations, including hate speech, bullying, and inauthenticity, in an attempt to have them and their posts removed from Facebook. The majority of these fictitious reports focused on people in Ukraine and Russia, but the network also reported users in Israel, the United States, and Poland," the report said.

An anonymous reader shares a report: Cloud gaming isn't for everyone, but it's getting easier to tell if it's for you because Nvidia and Google are now letting you try their virtual gaming PCs for free. Following Google's recent announcement that any Stadia developer will be able to offer an instantly accessible free trial of their game without needing to log into a Google account, Nvidia's GeForce Now is now pushing reduced-friction demos as well -- starting with Chorus, Ghostrunner, Inscryption, Diplomacy Is Not an Option and The Riftbreaker: Prologue. Typically, you'd need to log into an Nvidia account, then log in again to a Steam, Epic Games, or Ubisoft account to play one of these demos on GeForce Now, and you'd have to search for them as well. Now, the Nvidia account is all you'll need. Demos will automatically appear in a new "Instant Play Free Demos" row and won't require the second login.

Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader. BleepingComputer reports: The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents. This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006.

Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions. The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity. Apart from the custom loader, which O Gorman said Symantec does not have a name but has been seen in previous attacks attributed to Cicada/APT10, the adversary also deployed a WinVNC server to gain remote control over victim systems. The attacker also executed the Sodamaster backdoor on compromised networks, a tool believed to be used exclusively by the Cicada threat group since at least 2020.

Sodamaster runs in the system memory (fileless) and is equipped to evade detection by looking in the registry for clues of a sandbox environment or by delaying its execution. The malware can also collect details about the system, search for running processes, and download and execute various payloads from the command and control server. [...] The attackers' dwell time on the networks of some of the discovered victims lasted for as long as nine months, the researchers note in a report today.

The Federal Bureau of Investigation has disclosed it carried out an operation in March to mass-remove malware from thousands of compromised routers that formed a massive botnet controlled by Russian intelligence. From a report: The operation was authorized by courts in California and Pennsylvania, allowing the FBI to copy and remove the so-called Cyclops Blink malware from infected Asus and WatchGuard routers across the U.S., severing the devices from the servers that remotely control and send instructions to the wider botnet. The Justice Department announced the March operation on Wednesday, describing it as "successful," but warned that device owners should still take immediate action to prevent reinfection.

The Justice Department said that since the news first emerged about the rising threat of Cyclops Blink in February, thousands of compromised devices have been secured, but justified the court-ordered operation because the "majority" of infected devices were still compromised just weeks later in mid-March. Cyclops Blink is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security researchers in 2018 and later targeted by a U.S. government operation to disrupt its command and control servers. Both Cyclops Blink and VPNFilter are attributed to Sandworm, a group of hackers working for Russia's GRU, the country's military intelligence unit.

Thieves netting massive sums in cybercrime have limited options for laundering the funds. From a report: Many eyes in the crypto world are on a 42-character address on the Ethereum blockchain, which has unclear ownership and is currently home to the equivalent of about $600 million. Hackers stole the funds from players of online game "Axie Infinity" in a March 23 heist uncovered last week. The criminals have moved millions of dollars of assets in recent days, according to blockchain-monitoring tools, but the majority of funds remain in place, leaving victims and outside observers awaiting next moves. Crypto's transparency has turned money laundering into a perverse spectator sport. Transaction records on public blockchains give authorities a bird's-eye view of stolen funds equivalent to tens or hundreds of millions of dollars, often pilfered by targeting poorly secured software bridges that transfer assets between blockchains. The openness leaves successful cyber thieves facing a key question: How do you launder a nine-figure score?

"When there's a hack like that, everyone is watching the wallets," said Kimberly Grauer, director of research at Chainalysis, a blockchain-analytics firm. "So you better damn well know what you're going to do." The fate of the money stolen from "Axie Infinity" users, one of the largest such thefts, has become a topic of speculation. On Etherscan, a monitoring platform where users can see transactions to and from the address in question, commenters claiming to be victims, broke college students or Ukrainian refugees have posted messages asking the hackers to spread their newfound wealth. [...] Last week, blockchain analysts and amateur digital sleuths watched as ether worth about $20 million moved to crypto exchanges based in the Bahamas and Seychelles. On Monday, an additional $12 million of assets flowed into a mixer, which blends different cryptocurrencies to help obscure their sources. Mixers can have their own security compromises and are dependent on having enough crypto on hand to exchange illicit deposits for cleaner funds, said Mitchell Amador, chief executive of Immunefi, a bug-bounty platform focused on decentralized systems.

AMD has confirmed to Tom's Hardware that a bug in its GPU driver is, in fact, changing Ryzen CPU settings in the BIOS without permission. This condition has been shown to auto-overclock Ryzen CPUs without the user's knowledge. From the report: Reports of this issue began cropping up on various social media outlets recently, with users reporting that their CPUs had mysteriously been overclocked without their consent. The issue was subsequently investigated and tracked back to AMD's GPU drivers. AMD originally added support for automatic CPU overclocking through its GPU drivers last year, with the idea that adding in a Ryzen Master module into the Radeon Adrenalin GPU drivers would simplify the overclocking experience. Users with a Ryzen CPU and Radeon GPU could use one interface to overclock both. Previously, it required both the GPU driver and AMD's Ryzen Master software.

Overclocking a Ryzen CPU requires the software to manipulate the BIOS settings, just as we see with other software overclocking utilities. For AMD, this can mean simply engaging the auto-overclocking Precision Boost Overdrive (PBO) feature. This feature does all the dirty work, like adjusting voltages and frequency on the fly, to give you a one-click automatic overclock. However, applying a GPU profile in the AMD driver can now inexplicably alter the BIOS settings to enable automatic overclocking. This is problematic because of the potential ill effects of overclocking -- in fact, overclocking a Ryzen CPU automatically voids the warranty. AMD's software typically requires you to click a warning to acknowledge that you understand the risks associated with overclocking, and that it voids your warranty, before it allows you to overclock the system. Unfortunately, that isn't happening here. Until AMD issues a fix, "users have taken to using the Radeon Software Slimmer to delete the Ryzen Master SDK from the GPU driver, thus preventing any untoward changes to the BIOS settings," adds Tom's Hardware.