Encryption

Amazon S3 Will Now Encrypt All New Data With AES-256 By Default 27

Amazon Simple Storage Service (S3) will now automatically encrypt all new objects added on buckets on the server side, using AES-256 by default. BleepingComputer reports: While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security. Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won't have any negative performance impact. Administrators may leave the system to encrypt at the default 256-bit AES or choose one of the alternative methods, namely SSE-C or SSE-KMS.

The first option (SSE-C) gives bucket owners control of the keys, while the second (SSE-KMS) lets Amazon do the key management. However, bucket owners can set different permissions for each KMS key to maintain more granular control over the asset access system. To confirm that the changes have been applied to your buckets, admins can configure CloudTrail to log data events at no extra cost. Then perform a test object upload, and look in the event logs for the "SSEApplied": "Default_SSE_S3" field in the log for the uploaded file. To retroactively encrypt objects already in S3 buckets, follow this official guide.
"This change puts another security best practice into effect automatically -- with no impact on performance and no action required on your side," reads Amazon's announcement.

"S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting. Existing buckets currently using S3 default encryption will not change."
Security

FCC Wants Carriers To Notify You Sooner When There's a Data Breach (engadget.com) 9

The Federal Communications Commission isn't done dragging data breach policy into the modern era. From a report: The agency has proposed rules that would improve reporting for breaches at carriers. Most notably, the move would scrap a mandatory wait of seven business days before a telecom can warn customers about a security incident. Hackers would have a shorter window of opportunity to abuse your data without your knowledge, to put it another way.

The proposal would also clarify that carriers must notify the FCC, FBI and Secret Service of any reportable data breaches. Providers would likewise have to alert customers to inadvertent breaches, such as leaving account info exposed. The Commission is simultaneously asking for public input on whether or not breach alerts should include specific information to help people take action, such as the nature of the compromised data.

PlayStation (Games)

Using Your PS5 Vertically May Result in Hardware Failure (pcmag.com) 84

The PS5 looks to have a design fault that can take months to appear and only seems to happen if you use the console while it's in a vertical orientation. From a report: As Wololo reports, hardware repair specialists working on PS5 consoles that fail to boot are finding the problem is caused by the liquid metal thermal interface Sony used on the custom AMD Zen 2 CPU. When the PS5 is oriented in a vertical position, over time the liquid metal is moving and spilling out on to the components surrounding the CPU. This also means the liquid metal is no longer evenly spread across the chip it's meant to help cool.
Security

Rackspace Says Hackers Accessed Customer Data During Ransomware Attack (techcrunch.com) 10

Cloud computing giant Rackspace has confirmed hackers accessed customer data during last month's ransomware attack. From a report: The attack, which Rackspace first confirmed on December 6, impacted the company's hosted Exchange email environment, forcing the web giant to shut down the hosted email service following the incident. At the time, Rackspace said it was unaware "what, if any, data was affected." In its latest incident response update published on Friday, Rackspace admitted that the hackers gained access to the personal data of 27 customers. Rackspace said the hackers accessed PST files, typically used to store backup and archived copies of emails, calendar events and contacts from Exchange accounts and email inboxes.

Rackspace said about 30,000 customers used its hosted Exchange service -- which it will now discontinue -- at the time of the ransomware attack. "We have already communicated our findings to these customers proactively, and importantly, according to Crowdstrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated any of the 27 Hosted Exchange customers' emails or data in the PSTs in any way," said Rackspace. The company added that customers that haven't been contacted directly can "be assured" that their data was not accessed by attackers.

Security

Slack's Private GitHub Code Repositories Stolen Over Holidays (bleepingcomputer.com) 11

An anonymous reader quotes a report from Bleeping Computer: Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world. BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022. The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen. While some of Slack's private code repositories were breached, Slack's primary codebase and customer data remain unaffected, according to the company.

The wording from the notice [1, 2] published on New Year's eve is as follows: "On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack's primary codebase."

Slack has since invalidated the stolen tokens and says it is investigating "potential impact" to customers. At this time, there is no indication that sensitive areas of Slack's environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets. "Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure," states Slack's security team. The good news, with regards to the most recent security update is that no action needs to be taken by customers, for now.

Security

CircleCI Warns Customers To Rotate 'Any and All Secrets' After Hack (techcrunch.com) 8

CircleCI, a company whose development products are popular with software engineers, has urged users to rotate their secrets following a breach of the company's systems. From a report: The San Francisco-headquartered DevOps company said in an advisory published late Wednesday it is currently investigating the security incident -- its most recent in recent years. "We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing," said CircleCI CTO Rob Zuber. "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well."

CircleCI, which claims its technology is used by more than a million software engineers, is advising users to rotate "any and all secrets" stored in CircleCI, including those stored in project environment variables or in contexts. Secrets are passwords or private keys that are used to connect and authenticate servers together. For projects using API tokens, CircleCI said it has invalidated these tokens and users will be required to replace them.

Encryption

Chinese Researchers Claim To Find Way To Break Encryption Using Quantum Computers (ft.com) 50

Computer security experts were struggling this week to assess a startling claim by Chinese researchers that they have found a way to break the most common form of online encryption [the link may be paywalled] using the current generation of quantum computers, years before the technology was expected to pose a threat. Financial Times: The method, outlined in a scientific paper [PDF] published in late December, could be used to break the RSA algorithm that underpins most online encryption using a quantum machine with only 372 qubits -- or quantum bits, a basic unit of quantum computing -- according to the claims from 24 researchers from a number of academic bodies and state laboratories. IBM has already said that its 433 qubit Osprey system, the most powerful quantum computer to have been publicly unveiled, will be made available to its customers early this year.

If correct, the research would mark a significant moment in the history of computer security, said Roger Grimes, a computer security expert and author. "It's a huge claim," he said. "It would mean that governments could crack other governments' secrets. If it's true -- a big if -- it would be a secret like out of the movies, and one of the biggest things ever in computer science." Other experts said that while the theory outlined in the research paper appeared sound, trying to apply it in practice could well be beyond the reach of today's quantum technology. "As far as I can tell, the paper isn't wrong," said Peter Shor, the Massachusetts Institute of Technology scientist whose 1994 algorithm proving that a quantum machine could defeat online encryption helped to trigger a research boom in quantum computing. Shor's method requires machines with many hundreds of thousands, or even millions, of qubits, something that many experts believe is a decade or more away.

Privacy

WhatsApp Launches Proxy Support To Help Users Circumvent Internet Blocks (techcrunch.com) 5

WhatsApp is launching proxy support for its users all over the world, the company announced on Thursday. The support will allow users to maintain access to WhatsApp if their connection is blocked or disrupted. From a report: Choosing a proxy enables users to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely. WhatsApp says connecting via proxy maintains the same level of privacy and security the app provides, and that personal messages will still be protected by end-to-end encryption. The company says messages will not be visible to anyone in between, not the proxy servers, WhatsApp or Meta.

"Our wish for 2023 is that these internet shutdowns never occur," WhatsApp wrote in a blog post. "Disruptions like we've seen in Iran for months on end deny people's human rights and cut people off from receiving urgent help. Though in case these shutdowns continue, we hope this solution helps people wherever there is a need for secure and reliable communication."

Security

Hundreds of WordPress Sites Infected By Recently Discovered Backdoor (arstechnica.com) 32

Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week. Ars Technica reports: The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It's also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Dr.Web researchers wrote. "As a result, when users click on any area of an attacked page, they are redirected to other sites."

Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It's possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware. "If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server," the Dr.Web writeup explained. "With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first -- regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to." The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.

Portables (Apple)

MacBook Owners Have Two Months To Claim Up To $395 Over Butterfly Keyboard Woes 19

An anonymous reader shares a report: If you bought an Apple MacBook with an ill-fated butterfly keyboard and ended up having to replace either individual keycaps or the whole keyboard, you may be eligible to claim part of a $50 million settlement reached after a class-action lawsuit. The law firm handling the settlement has been emailing class members since mid-December but we wanted to highlight that the deadline for making a claim is fast approaching on March 6th, 2023. Claims can be submitted via the keyboardsettlement.com website, which says that the settlement class includes "all persons and entities in the United States" who purchased a butterfly-equipped MacBook, MacBook Air, or MacBook Pro between 2015 and 2019.
Chrome

Google Chrome Will End Support for Several Windows Versions in Days (mashable.com) 71

Computers using Windows 7 and Windows 8.1 will no longer get the latest version of Google Chrome, beginning with the latest version, Chrome 110, which will be launched on Feb. 7. From a report: The new version is designed to run on Windows 10 or later. Google support announced the move in October 2022. As with most programs whose updates won't work on older operating systems, you can use the older version of Chrome, you just won't get the newer stuff Google is working on.
Games

EA Says It Can't Recover 60% of Players' Corrupted Madden Franchise Save Files 63

An anonymous reader shares a report: EA says that a temporary "data storage issue" led to the corruption of many Madden NFL 23 players' Connected Franchise Mode (CFM) save files last week. What's worse, the company now estimates it can recover fewer than half of those corrupted files from a backup. The issue started last Monday, December 26, when EA tweeted that it was "aware of players experiencing connection issues when trying to connect to CFM." That problem lasted until Wednesday, December 28, when EA announced that subsequent server maintenance meant that "users should now be able to play CFM without issue."

But users who attempted to log in to play online franchise games during a 22-hour period ranging from Wednesday afternoon to Thursday morning saw their franchise save data corrupted by the aforementioned "data storage issue," as EA confirmed over the weekend. And while EA says some of those corrupted save files can be recovered from a backup, it adds that the development team is "currently projecting around 40% of leagues to be recovered." Players that didn't log in during the outage period last week should be unaffected, EA says, adding that CFM is now "up and running" and is "safe to log in and play." But the company offered a similar message on Wednesday afternoon, just before the period that led players who logged in to lose their save files in the first place.
Piracy

Major Private Torrent Sites Have a Security Disaster to Fix Right Now 30

At least three major torrent sites are currently exposing intimate details of their operations to anyone with a web browser. TorrentFreak understands that the sites use a piece of software that grabs brand-new content from other sites before automatically uploading it to their own. A security researcher tried to raise the alarm but nobody will listen. From the report: To get their hands on the latest releases as quickly as possible, [private torrent sites, or private trackers as they're commonly known] often rely on outside sources that have access to so-called 0-Day content, i.e., content released today. The three affected sites seem to have little difficulty obtaining some of their content within minutes. At least in part, that's achieved via automation. When outside suppliers of content are other torrent sites, a piece of software called Torrent Auto Uploader steps in. It can automatically download torrents, descriptions, and associated NFO files from one site and upload them to another, complete with a new .torrent file containing the tracker's announce URL. The management page [here] has been heavily redacted because the content has the potential to identify at least one of the sites. It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

Torrent Auto Uploader relies on torrent clients to transfer content. The three sites in question all use rTorrent clients with a ruTorrent Web UI. We know this because the researcher sent over a whole bunch of screenshots and supporting information which confirms access to the torrent clients as well as the Torrent Auto Uploader software. The image [here] shows redactions on the tracker tab for good reason. In a regular setup, torrent users can see the names of the trackers coordinating their downloads. This setup is no different except that these URLs reference three different trackers supplying the content to one of the three compromised sites.

Rather than publish a sequence of completely redacted screenshots, we'll try to explain what they contain. One begins with a GET request to another tracker, which responds with a torrent file. It's then uploaded to the requesting site which updates its SQL database accordingly. From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that's only useful when nobody knows what it is. The same security hole also grants direct access to one of the site's tracker 'bots' through the panel that controls it. Then there's access to 'Staff Tools' on the same page which connect to other pages allowing username changes, uploader application reviews, and a list of misbehaving users that need to be monitored. That's on top of user profiles, the number of torrents they have active, and everything else one could imagine. Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more -- revealing torrent passkeys for every single one on the way.
Software

Southwest Meltdown Shows Airlines Need Tighter Software Integration (wsj.com) 59

The Southwest Airlines meltdown that stranded thousands of passengers during one of the busiest travel weeks of the year exposed a major industry shortcoming: crew-scheduling technology that was largely built for a bygone era and is due for a major overhaul. From a report: Southwest relies on crew-assignment software called SkySolver, an off-the-shelf application that it has customized and updated, but is nearing the end of its life, according to the airline. The program was developed decades ago and is now owned by General Electric. During the winter storm, amid a huge volume of changes to crew schedules to work through, SkySolver couldn't handle the task of matching crew members and which flights they should work, executives of the Dallas-based carrier said.

Southwest's software wasn't designed to solve problems of that scale, Chief Operating Officer Andrew Watterson said Thursday, forcing the airline to revert to manual scheduling. Unlike some large rivals with hub-and-spoke networks, Southwest planes hopscotch from city to city, which may have been another complicating factor. Many carriers still rely on homegrown solutions, which largely were built on legacy mainframe computers, analysts say. Analysts and industry insiders say the airline industry is overdue for a massive technology overhaul that would take advantage of highly scalable cloud technologies and fully connect disparate sources of real-time data to better coordinate crews with aircraft. The airline sector has been among the slowest to adopt cloud-based and analytics technologies that could help solve complicated transportation network problems, those analysts say.

Windows

'Debloating Windows 10 With One Command and No Scripts' (gabrielsieben.tech) 101

An anonymous reader writes: Recently, I had to set up a Windows 10 computer for one specific application in a semi-embedded use case. Anything else that Windows does or comes with is unnecessary for this. While there are plenty of internet scripts and apps for de-bloating Windows, I have found the easiest (and little known) way to debloat Windows without running any internet scripts is as follows:

1. Open Powershell.
2. Type Get-AppxPackage | Remove-AppxPackage.
3. Ignore any error messages about packages that can't be removed, it's fine.

Will this work for everyone? No, of course not, but it's a great one-line, easily memorable tool for cleaning up a PC quickly for an industrial use case without any security risks.

IT

Seeking Exotic Remote Work Locations? More Than 40 Places Now Offer 'Digital Nomad' Visas (theconversation.com) 40

"Imagine starting your work day with a fresh coconut juice perched by your laptop as you gaze over the ocean or a tropical rainforest...." writes the Conversation.

"More than 40 nations or territories now offer "digital nomad" visas to attract those able to be employed in one country while living, and spending their income, in another." Fancy the beach? A bunch of exotic islands are on the list. Prefer tropical forests? Try Brazil or Costa Rica. Looking for history? There's Spain or Greece. Love Wim Hof-style ice-bathing? Iceland beckons.

Think of a "digital nomad" visa as a cross between a tourist and temporary migrant visa — a working-on-holiday visa. Instead of the visa giving you the right to work in the country, it's allowing you to stay so long as you're gainfully employed and bringing money into the local economy. How long you can stay varies, from 90 days in Aruba in the Caribbean to up to two years in the Cayman Islands. Most are for 12 months, with an option to renew. Some places, such as Latvia, restrict visas to employers registered in an OECD country. But generally the key requirement is that you can show you have no need to find local work and can meet minimum income requirements.

Generally, the visa conditions simplify taxation issues: you continue to pay your income tax in the country of your employer. But this varies. For example, in Greece (which offers a two-year renewable visa) you are exempt from paying local income tax only for the first six months.

A key driver of the digital nomad trend is the ability to maintain a career while ticking off other personal goals, particularly travel and the ability to experience a different way of life. Moving somewhere with a cheaper cost of living could be another motivation.

The article warns that "Living a long way away from family and friends and support networks is likely to be more challenging, no matter how idyllic your location.

"If you like predictable structure and routine, the uncertainty and inevitable inconveniences that arise may mean it isn't for you."
Transportation

The Shameful Open Secret Behind Southwest's Failure? Software Shortcomings (nytimes.com) 159

Computer programmer Zeynep Tufekci now writes about the impact of technology on society. In an opinion piece for the New York Times, Tufekci writes on "the shameful open secret" that earlier this week led Southwest airlines to suddenly cancel 5,400 flights in less than 48 hours. "The recent meltdown was avoidable, but it would have cost them."

Long-time Slashdot reader theodp writes that the piece "takes a crack at explaining 'technical debt' to the masses." Tufekci writes: Computers become increasingly capable and powerful by the year and new hardware is often the most visible cue for technological progress. However, even with the shiniest hardware, the software that plays a critical role inside many systems is too often antiquated, and in some cases decades old. This failing appears to be a key factor in why Southwest Airlines couldn't return to business as usual the way other airlines did after last week's major winter storm. More than 15,000 of its flights were canceled starting on Dec. 22, including more than 2,300 canceled this past Thursday — almost a week after the storm had passed.

It's been an open secret within Southwest for some time, and a shameful one, that the company desperately needed to modernize its scheduling systems. Software shortcomings had contributed to previous, smaller-scale meltdowns, and Southwest unions had repeatedly warned about it. Without more government regulation and oversight, and greater accountability, we may see more fiascos like this one, which most likely stranded hundreds of thousands of Southwest passengers — perhaps more than a million — over Christmas week.

And not just for a single company, as the problem is widespread across many industries.

"The reason we made it through Y2K intact is that we didn't ignore the problem," the piece argues. But in comparison, it points out, Southwest had already experienced another cancellation crisis in October of 2021 (while the president of the pilots' union "pointed out that the antiquated crew-scheduling technology was leading to cascading disruptions.") "In March, in its open letter to the company, the union even placed updating the creaking scheduling technology above its demands for increased pay."

Speaking about this week's outage, a Southwest spokesman concedes that "We had available crews and aircraft, but our technology struggled to align our resources due to the magnitude and scale of the disruptions."

But Tufekci concludes that "Ultimately, the problem is that we haven't built a regulatory environment where companies have incentives to address technical debt, rather than passing the burden on to customers, employees or the next management.... For airlines, it might mean holding them responsible for the problems their miserly approach causes to the flying public."
Microsoft

Microsoft's $200 Surface Earbuds Have Seemingly Been Abandoned (windowscentral.com) 32

Windows Central reports: The Surface Earbuds are a weird product in Microsoft's line of Surface devices. Now over two years old, and still available to buy at a close to launch price of $160, the Surface Earbuds might be the worst "Surface" branded device you can buy brand new right now. They launched at a time when the wireless earbuds space was heating up and offered less than the competition while charging more. Are they the best in audio quality? Definitely not. Are they the best designed? Most would argue that they aren't. Are they the most comfortable? That depends, but I know a lot of people claim they don't properly fit in their ears. Do they support wireless charging? Nope. Is the case premium? Mine scratches easily and the lid feels flimsy. Nothing about the product screams $160 premium earbuds.

[...] My sources have said that Microsoft was working on a successor to the Surface Earbuds, codenamed Ella, that was supposed to launch before the end of this year. We're now at the end of the year and that never happened. I hope they've simply been delayed and not canceled, though I wouldn't be surprised if they have. Microsoft's abandonment of the first Surface Earbuds should be a huge red flag for any potential buyers of a second-generation pair. Why should anyone buy them if Microsoft is going to abandon them the second they hit the market? This product segment is competitive, and there are many other brands that will commit to supporting their own wireless earbuds for longer.

Security

FBI Investigating 3Commas Data Breach (coindesk.com) 25

The FBI is investigating the 3Commas data breach, CoinDesk is reporting. From the report: The investigation comes after weeks of criticism from users of the Estonia-based crypto trading service, who say its CEO repeatedly brushed off warning signs that the platform had leaked user data. This week, 100,000 Binance and KuCoin API keys linked to 3Commas were leaked by an anonymous person. On Thursday, two 3Commas users told CoinDesk that they were contacted by agents from the FBI's Cincinnati Field Office in connection to the leak.

Over the last several months, dozens of 3Commas users found that the service had, without their consent, traded away funds on crypto exchanges they'd linked to it. Initially, 3Commas said that these users were most likely phished and insisted that the platform was safe. The API database leaker insinuated that the 3Commas keys had been sold by someone from within the company, but 3Commas CEO Yuriy Sorokin said in a statement on Thursday that "3Commas stresses that it has found no evidence during the internal investigation that any employee of 3Commas was somehow involved in attacks against the API data."

Spam

Google Voice Will Now Warn You About Potential Spam Calls (theverge.com) 28

Google has announced that it's adding a red "suspected spam caller" warning to Google Voice calls if it doesn't think they're legitimate. From a report: In a post on Thursday, the company says it's identifying spam "using the same advanced artificial intelligence" system as it does with its traditional phone app for Android. If the spam label appears, you'll also have the option of confirming that a call was spam -- in which case any future calls will be sent straight to your voicemail -- or clarifying that it wasn't, which will get rid of the label for future calls.

Google Voice has had the ability to automatically filter calls identified as spam to voicemail for years, and has also allowed you to screen calls before actually picking them up, but those options may not have been great if you're the type of person who gets a lot of important calls from unknown numbers. Google does say that you'll have to turn off the Filter Spam feature by going to Settings > Security > Filter spam if you want the automatic spam labeling.
