The Ohio Supreme Court has unanimously overruled a judgment of the Ohio Second District Court of Appeals and moved that there must be "direct" physical loss or physical damage in the company's computer software for insurance policy coverage. From a report: In the three-year court proceedings between the greater Dayton medical billing software maker EMOI and its insurance service provider Lansing, Michigan-based Owners Insurance Company, the latter asserted that the insurance contract unambiguously stated only "direct physical loss" or "direct physical damage" to media would be covered under the insurance policy.

The court in its final ruling gave the rationale that a computer might have physical electronic components that are "tangible" in nature but the information stored there has no "physical presence"; thus a ransomware attack on the company software has no coverage under the company's insurance policy. The judgment against EMOI concludes that a software developer can't use its property insurance to cover losses. A district judge had dismissed EMOI's case against Owners, which the developer brought forth just months after the attack. But the appellate court in November 2021 had ruled in favor of EMOI stating that the claimant could sue the insurance company for allegedly treating its claim in bad faith by failing to properly examine "the various types of damage that can occur to media such as software."

Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. BleepingComputer reports: The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models. Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability. The impact of a successful buffer overflow exploitation can range from crashes following denial of service to arbitrary code execution, if code execution is achieved during the attack. Attackers can exploit this flaw in low-complexity attacks without requiring permissions or user interaction. In a security advisory published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible." A list of vulnerable routers and the patched firmware versions can be found here.

HandBrake, the popular free and open source video transcoder, has been updated to version 1.6.0. This major point upgrade is notable for facilitating AV1 video encoding for the first time in a general release. Moreover, those with Intel Quick Sync Video (QSV) enabled processors, and those with Intel Arc GPUs will be able to encode AV1 video with hardware acceleration. From a report: HandBrake 1.6.0 can encode AV1 videos on any of its supported systems. In the current release its SVT-AV1 encoder offers the widest support, encoding on your processor through software. However, those with Intel QSV supporting CPUs or discrete Arc graphics can use the QSV-AV1 encoder for hardware accelerated processing. QSV isn't supported if your CPU is an 'F' suffixed model (i.e. it doesn't have an iGPU), or it is older than the Skylake generation. If you are lucky enough to have multiple QSV accelerators in your system, support for Intel Deep Link Hyper Encode should accelerate processing further. While AMD and Nvidia have AV1 encoders available for their latest GPUs, they currently aren't integrated with HandBrake. AV1 video is set to become the dominant codec across app-based streaming services and the wider internet, offering attractions such as; an open and royalty-free architecture, improved compression enabling efficient 8K video streaming, and support for the newest HDR standards.

For the fourth time since 2007, an internal audit shows the Department of Homeland Security isn't deactivating access cards in the hands of ex-employees, leaving its secure facilities vulnerable to intruders. From a report: A new report by Homeland Security's Office of Inspector General shows that the department is systemically failing to revoke tens of thousands of "personal identity verification" cards that allow staff to enter sensitive, secure facilities and access internal data networks, despite being warned about the problem for 15 years. The issue is made worse, the report continues, by the fact that Homeland Security's internal record-keeping is so shoddy that it was impossible to determine how many ex-staffers have working access cards they aren't supposed to.

Like many modern office workers, Homeland Security hands out office-unlocking keycards to its employees to make sure strangers can't wander in off the street. And, like most workplaces, the department is supposed to follow a standard policy: When an employee is no longer an employee, for whatever reason, their card is to be promptly deactivated. Unlike most employers, though, Homeland Security is a component of the U.S. Intelligence Community, meaning these credit card-sized badges have a "grave potential for misuse if lost, stolen, or compromised," according to the inspector general report. Unfortunately for the department -- and potentially the homeland -- the OIG's latest audit found that's exactly what's happening, and on a vast scale.

An anonymous reader quotes a report from SecurityWeek: As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user's conversations, according to a team of researchers from several universities in the United States. The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University of Dayton. EarSpy relies on the phone's ear speaker -- the speaker at the top of the device that is used when the phone is held to the ear -- and the device's built-in accelerometer for capturing the tiny vibrations generated by the speaker.

The researchers discovered that attacks such as EarSpy are becoming increasingly feasible due to the improvements made by smartphone manufacturers to ear speakers. They conducted tests on the OnePlus 7T and the OnePlus 9 smartphones -- both running Android -- and found that significantly more data can be captured by the accelerometer from the ear speaker due to the stereo speakers present in these newer models compared to the older model OnePlus phones, which did not have stereo speakers. The experiments conducted by the academic researchers analyzed the reverberation effect of ear speakers on the accelerometer by extracting time-frequency domain features and spectrograms. The analysis focused on gender recognition, speaker recognition, and speech recognition.

In the gender recognition test, whose goal is to determine whether the target is male or female, the EarSpy attack had a 98% accuracy. The accuracy was nearly as high, at 92%, for detecting the speaker's identity. When it comes to actual speech, the accuracy was up to 56% for capturing digits spoken in a phone call. "[This] accuracy still exhibits five times greater accuracy than a random guess, which implies that vibration due to the ear speaker induced a reasonable amount of distinguishable impact on accelerometer data," the researchers said.

Last week, LastPass announced that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. "While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager," reports The Verge. Here's an excerpt from the report: LastPass' December 22nd statement was "full of omissions, half-truths and outright lies," reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it's being; he accuses the company of trying to portray the August incident where LastPass says "some source code and technical information were stolen" as a separate breach when he says that in reality the company "failed to contain" the breach. He also highlights LastPass' admission that the leaked data included "the IP addresses from which customers were accessing the LastPass service," saying that could let the threat actor "create a complete movement profile" of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. "LastPass's claim of 'zero knowledge' is a bald-faced lie," he says, alleging that the company has "about as much knowledge as a password manager can possibly get away with." LastPass claims its "zero knowledge" architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn't dispute that particular point, he does say that the phrase is misleading. "I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted."

Palant also notes that the encryption only does you any good if the hackers can't crack your master password, which is LastPass' main defense in its post: if you use its defaults for password length and strengthening and haven't reused it on another site, "it would take millions of years to guess your master password using generally-available password-cracking technology" wrote Karim Toubba, the company's CEO. "This prepares the ground for blaming the customers," writes Palant, saying that "LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices." However, he also points out that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, "I can log in with my eight-character password without any warnings or prompts to change it."

An anonymous reader quotes a report from TechCrunch: A recent study finds that software engineers who use code-generating AI systems are more likely to cause security vulnerabilities in the apps they develop. The paper, co-authored by a team of researchers affiliated with Stanford, highlights the potential pitfalls of code-generating systems as vendors like GitHub start marketing them in earnest. The Stanford study looked specifically at Codex, the AI code-generating system developed by San Francisco-based research lab OpenAI. (Codex powers Copilot.) The researchers recruited 47 developers -- ranging from undergraduate students to industry professionals with decades of programming experience -- to use Codex to complete security-related problems across programming languages including Python, JavaScript and C.

Codex was trained on billions of lines of public code to suggest additional lines of code and functions given the context of existing code. The system surfaces a programming approach or solution in response to a description of what a developer wants to accomplish (e.g. "Say hello world"), drawing on both its knowledge base and the current context. According to the researchers, the study participants who had access to Codex were more likely to write incorrect and "insecure" (in the cybersecurity sense) solutions to programming problems compared to a control group. Even more concerningly, they were more likely to say that their insecure answers were secure compared to the people in the control.

Megha Srivastava, a postgraduate student at Stanford and the second co-author on the study, stressed that the findings aren't a complete condemnation of Codex and other code-generating systems. The study participants didn't have security expertise that might've enabled them to better spot code vulnerabilities, for one. That aside, Srivastava believes that code-generating systems are reliably helpful for tasks that aren't high risk, like exploratory research code, and could with fine-tuning improve in their coding suggestions. "Companies that develop their own [systems], perhaps further trained on their in-house source code, may be better off as the model may be encouraged to generate outputs more in-line with their coding and security practices," Srivastava said. The co-authors suggest vendors use a mechanism to "refine" users' prompts to be more secure -- "akin to a supervisor looking over and revising rough drafts of code," reports TechCrunch. "They also suggest that developers of cryptography libraries ensure their default settings are secure, as code-generating systems tend to stick to default values that aren't always free of exploits."

TikTok will no longer be allowed on any device managed by the US House of Representatives. Ars Technica reports: On Tuesday, the House's Chief Administrative Office announced the ban of the popular video-sharing app, a move that comes just a week after legislation that would bar TikTok from all federal devices was introduced. Congresspersons and their staffers will not be able to download the app on managed devices, the CAO's Office of Cybersecurity said in an email seen by Reuters. The mobile app is a "high risk to users due to a number of security risks," the email said. "If you have the TikTok app on your House mobile device, you will be contacted to remove it," the email continued.

Potential federal bans aside, TikTok is already at least partially banned from government-owned devices in 19 states. And the federal omnibus spending bill passed last week will put the kibosh on TikTok when it comes to all federally managed smartphones and devices.

Hackers stole data belonging to multiple electric utilities in an October ransomware attack on a US government contractor that handles critical infrastructure projects across the country, according to a memo describing the hack obtained by CNN. From the report: Federal officials have closely monitored the incident for any potential broader impact on the US power sector while private investigators have combed the dark web for the stolen data, according to the memo sent this month to power company executives by the North American grid regulator's cyberthreat sharing center. The previously unreported incident is a window into how ransomware attacks on critical US companies are handled behind the scenes as lawyers and federal investigators quietly spring into action to determine the extent of the damage.

The ransomware attack hit Chicago-based Sargent & Lundy, an engineering firm that has designed more than 900 power stations and thousands of miles of power systems and that holds sensitive data on those projects. The firm also handles nuclear security issues, working with the departments of Defense, Energy and other agencies "to strengthen nuclear deterrence" and keep weapons of mass destruction out of terrorists' hands, according to its website. Two people familiar with the investigation of the Sargent & Lundy hack told CNN that the incident was contained and remediated, and didn't appear to have a broader impact on other power-sector firms. There is no sign that data stolen from Sargent & Lundy, which includes "model files" and "transmission data" the firm uses for utility projects, is on the dark web, according to the memo from the Electricity Information Sharing and Analysis Center.

The chief executive of one of Europe's biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become "uninsurable" as the disruption from hacks continues to grow. From a report: Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector's ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100 billion. But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. "What will become uninsurable is going to be cyber," he said. "What if someone takes control of vital parts of our infrastructure, the consequences of that?"

Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: "First off, there must be a perception that this is not just data ... this is about civilisation. These people can severely disrupt our lives." Spiralling cyber losses in recent years have prompted emergency measures by the sector's underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses.

Raymond Chen, writing for Microsoft DevBlogs: In the mid-1980's, Microsoft produced an expansion card for the IBM PC and PC XT, known as the Mach 10. In addition to occupying an expansion slot, it also replaced your CPU: You unplugged your old and busted 4.77 MHz 8088 CPU and plugged into the now-empty socket a special adapter that led via a ribbon cable back to the Mach 10 card. On the Mach 10 card was the new hotness: A 9.54 MHz 8086 CPU. This gave you a 2x performance upgrade for a lot less money than an IBM PC AT. The Mach 10 also came with a mouse port, so you could add a mouse without having to burn an additional expansion slot. Sidebar: The product name was stylized as MACH [PDF] in some product literature. The Mach 10 was a flop.

Undaunted, Microsoft partnered with a company called Portable Computer Support Group to produce the Mach 20, released in 1987. You probably remember the Portable Computer Support Group for their disk cache software called Lightning. The Mach 20 took the same basic idea as the Mach 10, but to the next level: As before, you unplugged your old 4.77 MHz 8088 CPU and replaced it with an adapter that led via ribbon cable to the Mach 20 card, which you plugged into an expansion slot. This time, the Mach 20 had an 8 MHz 80286 CPU, so you were really cooking with gas now. And, like the Mach 10, it had a mouse port built in. According to a review in Info World, it retailed for $495. The Mach 20 itself had room for expansion: it had an empty socket for an 80287 floating point coprocessor. One daughterboard was the Mach 20 Memory Plus Expanded Memory Option, which gave you an astonishing 3.5 megabytes of RAM, and it was high-speed RAM since it wasn't bottlenecked by the ISA bus on the main motherboard. The other daughterboard was the Mach 20 Disk Plus, which lets you connect 5 1/4 or 3 1/2 floppy drives.

A key detail is that all these expansions connected directly to the main Mach 20 board, so that they didn't consume a precious expansion slot. The IBM PC came with five expansion slots, and they were in high demand. You needed one for the hard drive controller, one for the floppy drive controller, one for the video card, one for the printer parallel port, one for the mouse. Oh no, you ran out of slots, and you haven't even gotten to installing a network card or expansion RAM yet! You could try to do some consolidation by buying so-called multifunction cards, but still, the expansion card crunch was real. But why go to all this trouble to upgrade your IBM PC to something roughly equivalent to an IBM PC AT? Why not just buy an IBM PC AT in the first place? Who would be interested in this niche upgrade product?

Four power substations in Washington State were attacked on Christmas Day, disrupting service to thousands of residents, just weeks after gunfire at electricity facilities in North Carolina prompted an investigation by the FBI. From a report: Law enforcement agencies are now investigating at least eight attacks on power stations in four states in the past month that have underscored the vulnerability of the nation's power grid. It remains unknown if they were connected. In the most recent incidents outside of Tacoma, Washington, thousands were left without power after vandals forced their way into four substations and damaged equipment, in one case leading to a fire, according to the Pierce County Sheriff's Department. In all, 14,000 people were left without power from that attacks on substations owned by Tacoma Public Utilities and Puget Sound Energy, according to the sheriff's office, which said most power has since been restored.

Mozilla recently fixed a bug that was first reported 18 years ago in Firebox 1.0, reports How-to Geek: Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, "when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. [...] Both Opera 7.5+ and Safari 1.0+ correctly handle this."

The initial problem was that the Mac version of Firefox handled line heights differently than Firefox on other platforms, which was fixed in time for Firefox 3.0 in 2007. The issue was then re-opened in 2014, when it was decided in a CSS Working Group meeting that Firefox's special handling of line heights didn't meet CSS specifications and was causing compatibility problems. It led to some sites with a large first letter in blocks of text, like The Verge and The Guardian, render incorrectly in Firefox compared to other browsers.

The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.

The Zero Day Initiative, a zero-day security research firm, announced a new Linux kernel security bug that allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions. ZDNet reports: Originally, the Zero Day Initiative ZDI rated it a perfect 10 on the 0 to 10 common Vulnerability Scoring System scale. Now, the hole's "only" a 9.6....

The problem lies in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the kernel context. This new program, which was introduced to the kernel in 2021, was developed by Samsung. Its point was to deliver speedy SMB3 file-serving performance....

Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15.

Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability." Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue....

One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti.
There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether."

Thanks to Slashdot reader joshuark for sharing the article.

Justin Garrison works at Amazon Web Services on the Kubernetes team (and was senior systems engineer on several animated films).

This week he spotted a new milestone for Linux in the 2022 StackOverflow developer survey: [Among the developers surveyed] Linux as a primary operating system had been steadily climbing for the past 5 years. 2018 through 2021 saw steady growth with 23.2%, 25.6%, 26.6%, 25.3%, and finally in 2022 the usage was 40.23%. Linux usage was more than macOS in 2021, but only by a small margin. 2022 it is now 9% more than macOS.
Their final stats for "professional use" operating system:

• Windows: 48.82%
• Linux-based: 39.89%
• MacOs: 32.97%

But Garrison's blog post notes that that doesn't include the million-plus people all the Linux-based cloud development environments (like GitHub Workspaces) — not to mention the 15% of WSL users on Windows and all the users of Docker (which uses a Linux VM).

"It's safe to say more people use Linux as part of their development workflow than any other operating system."

North Korean hackers have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years, more than half of it this year alone, South Korea's spy agency said Thursday. From a report: Experts and officials say North Korea has turned to crypto hacking and other illicit cyber activities as a source of badly needed foreign currency to support its fragile economy and fund its nuclear program following harsh U.N. sanctions and the COVID-19 pandemic. South Korea's main spy agency, the National Intelligence Service, said North Korea's capacity to steal digital assets is considered among the best in the world because of the country's focus on cybercrimes since U.N. economic sanctions were toughened in 2017 in response to its nuclear and missile tests.

The U.N. sanctions imposed in 2016-17 ban key North Korean exports such as coal, textiles and seafood and also led member states to repatriate North Korean overseas workers. Its economy suffered further setbacks after it imposed some of the world's most draconian restrictions against the pandemic. The NIS said state-sponsored North Korean hackers are estimated to have stolen 1.5 trillion won ($1.2 billion) in virtual assets around the world since 2017, including about 800 billion won ($626 million) this year alone. It said more than 100 billion won ($78 million) of the total came from South Korea.

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. BleepingComputer reports: This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information. Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data. The attacker gained access to Lastpass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today. "The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass' systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass. If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added. "Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."

slack_justyb writes: A rather exotic feature in Xorg and Xwayland is being proposed to have the default value turned off going forward in Fedora 38 due to its use in attacks (CVE-2014-8095, CVE-2014-8099, CVE-2014-8103. . . to name a few). The feature allows servers running on one endianess to byte-swap to allow clients of a different endianess to connect to it. This was more common in the 1980s when X servers ran on big-endian and clients would connect who were little-endian.

The Xorg and Xwayland implementation of this feature has gone largely untested, the number of Fedora users that use it are virtually zero, and considering the number of attack vectors this has presented historically, setting the default to deny clients that require this seems the better way to do.

This change will be to the xorg-x11-server and xorg-x11-server-Xwayland packages and those needing the feature turned back will need to add "AllowSwappedClients" "on" to their xorg.conf.d file in the "ServerFlags" section. Xwayland users will need to pass the +byteswappedclients flag, however, the compositor will need to be able to handle this flag which at this time GNOME does not.

A proposal to force cellphone companies to block certain spam texts is gaining momentum. From a report: California Attorney General Rob Bonta has expressed his support for a proposal by the Federal Communications Commission (FCC) to put an end to illegal and malicious texts. By doing so, he joined attorneys general from the other 49 states and Washington D.C., who had all previously expressed their support of the proposal. In a letter signed by all 51 attorneys general to the FCC, supporting them in their hopes to require cellular providers to block illegal text messages from invalid or unused numbers, as well as blocking any phone numbers found on a "do not originate" list, numbers which have previously been proved to have been used for fraudulent activity.