Four power substations in Washington State were attacked on Christmas Day, disrupting service to thousands of residents, just weeks after gunfire at electricity facilities in North Carolina prompted an investigation by the FBI. From a report: Law enforcement agencies are now investigating at least eight attacks on power stations in four states in the past month that have underscored the vulnerability of the nation's power grid. It remains unknown if they were connected. In the most recent incidents outside of Tacoma, Washington, thousands were left without power after vandals forced their way into four substations and damaged equipment, in one case leading to a fire, according to the Pierce County Sheriff's Department. In all, 14,000 people were left without power from that attacks on substations owned by Tacoma Public Utilities and Puget Sound Energy, according to the sheriff's office, which said most power has since been restored.

Mozilla recently fixed a bug that was first reported 18 years ago in Firebox 1.0, reports How-to Geek: Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, "when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. [...] Both Opera 7.5+ and Safari 1.0+ correctly handle this."

The initial problem was that the Mac version of Firefox handled line heights differently than Firefox on other platforms, which was fixed in time for Firefox 3.0 in 2007. The issue was then re-opened in 2014, when it was decided in a CSS Working Group meeting that Firefox's special handling of line heights didn't meet CSS specifications and was causing compatibility problems. It led to some sites with a large first letter in blocks of text, like The Verge and The Guardian, render incorrectly in Firefox compared to other browsers.

The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.

The Zero Day Initiative, a zero-day security research firm, announced a new Linux kernel security bug that allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions. ZDNet reports: Originally, the Zero Day Initiative ZDI rated it a perfect 10 on the 0 to 10 common Vulnerability Scoring System scale. Now, the hole's "only" a 9.6....

The problem lies in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the kernel context. This new program, which was introduced to the kernel in 2021, was developed by Samsung. Its point was to deliver speedy SMB3 file-serving performance....

Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15.

Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability." Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue....

One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti.
There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether."

Thanks to Slashdot reader joshuark for sharing the article.

Justin Garrison works at Amazon Web Services on the Kubernetes team (and was senior systems engineer on several animated films).

This week he spotted a new milestone for Linux in the 2022 StackOverflow developer survey: [Among the developers surveyed] Linux as a primary operating system had been steadily climbing for the past 5 years. 2018 through 2021 saw steady growth with 23.2%, 25.6%, 26.6%, 25.3%, and finally in 2022 the usage was 40.23%. Linux usage was more than macOS in 2021, but only by a small margin. 2022 it is now 9% more than macOS.
Their final stats for "professional use" operating system:

• Windows: 48.82%
• Linux-based: 39.89%
• MacOs: 32.97%

But Garrison's blog post notes that that doesn't include the million-plus people all the Linux-based cloud development environments (like GitHub Workspaces) — not to mention the 15% of WSL users on Windows and all the users of Docker (which uses a Linux VM).

"It's safe to say more people use Linux as part of their development workflow than any other operating system."

North Korean hackers have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years, more than half of it this year alone, South Korea's spy agency said Thursday. From a report: Experts and officials say North Korea has turned to crypto hacking and other illicit cyber activities as a source of badly needed foreign currency to support its fragile economy and fund its nuclear program following harsh U.N. sanctions and the COVID-19 pandemic. South Korea's main spy agency, the National Intelligence Service, said North Korea's capacity to steal digital assets is considered among the best in the world because of the country's focus on cybercrimes since U.N. economic sanctions were toughened in 2017 in response to its nuclear and missile tests.

The U.N. sanctions imposed in 2016-17 ban key North Korean exports such as coal, textiles and seafood and also led member states to repatriate North Korean overseas workers. Its economy suffered further setbacks after it imposed some of the world's most draconian restrictions against the pandemic. The NIS said state-sponsored North Korean hackers are estimated to have stolen 1.5 trillion won ($1.2 billion) in virtual assets around the world since 2017, including about 800 billion won ($626 million) this year alone. It said more than 100 billion won ($78 million) of the total came from South Korea.

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. BleepingComputer reports: This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information. Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data. The attacker gained access to Lastpass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today. "The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass' systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass. If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added. "Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."

slack_justyb writes: A rather exotic feature in Xorg and Xwayland is being proposed to have the default value turned off going forward in Fedora 38 due to its use in attacks (CVE-2014-8095, CVE-2014-8099, CVE-2014-8103. . . to name a few). The feature allows servers running on one endianess to byte-swap to allow clients of a different endianess to connect to it. This was more common in the 1980s when X servers ran on big-endian and clients would connect who were little-endian.

The Xorg and Xwayland implementation of this feature has gone largely untested, the number of Fedora users that use it are virtually zero, and considering the number of attack vectors this has presented historically, setting the default to deny clients that require this seems the better way to do.

This change will be to the xorg-x11-server and xorg-x11-server-Xwayland packages and those needing the feature turned back will need to add "AllowSwappedClients" "on" to their xorg.conf.d file in the "ServerFlags" section. Xwayland users will need to pass the +byteswappedclients flag, however, the compositor will need to be able to handle this flag which at this time GNOME does not.

A proposal to force cellphone companies to block certain spam texts is gaining momentum. From a report: California Attorney General Rob Bonta has expressed his support for a proposal by the Federal Communications Commission (FCC) to put an end to illegal and malicious texts. By doing so, he joined attorneys general from the other 49 states and Washington D.C., who had all previously expressed their support of the proposal. In a letter signed by all 51 attorneys general to the FCC, supporting them in their hopes to require cellular providers to block illegal text messages from invalid or unused numbers, as well as blocking any phone numbers found on a "do not originate" list, numbers which have previously been proved to have been used for fraudulent activity.

The Securities and Exchange Commission is stepping up scrutiny of the work that audit firms are doing for cryptocurrency companies, concerned that investors may be getting a false sense of reassurance from the firms' reports, a senior official at the regulator said. From a report: "We're warning investors to be very wary of some of the claims that are being made by crypto companies," Paul Munter, the SEC's acting chief accountant, said in an interview. Increased scrutiny has led at least one audit firm to drop crypto clients, in some cases soon after producing reports on the companies' assets and liabilities. Crypto companies are eager to get the blessing of an auditor to reassure their skittish clients.

The Wall Street watchdog is looking closely at how crypto companies are portraying their reports from audit firms, according to Mr. Munter. Many of these companies are closely held or based offshore, and so unlikely to fall within the regulator's remit. The SEC is effectively sending a warning to audit firms, which don't want to run afoul of their regulator, as well as putting investors on alert. "We are increasing our understanding of what's going on in the marketplace," Mr. Munter said. "If we find fact patterns that we think are troublesome, we will consider a referral to the division of enforcement." The regulator is worried particularly about so-called proof-of-reserves reports, which aim to show that the crypto company has sufficient assets to cover customers' funds.

An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges. From a report: The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.

The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then. Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play.

An anonymous reader quotes a report from Ars Technica: One of the Kremlin's most active hacking groups targeting Ukraine recently tried to hack a large petroleum refining company located in a NATO country. The attack is a sign that the group is expanding its intelligence gathering as Russia's invasion of its neighboring country continues. The attempted hacking occurred on August 30 and was unsuccessful, researchers with Palo Alto Networks' Unit 42 said on Tuesday. The hacking group -- tracked under various names including Trident Ursa, Gamaredon, UAC-0010, Primitive Bear, and Shuckworm -- has been attributed by Ukraine's Security Service to Russia's Federal Security Service.

In the past 10 months, Unit 42 has mapped more than 500 new domains and 200 samples and other bread crumbs Trident Ursa has left behind in spear phishing campaigns attempting to infect targets with information-stealing malware. The group mostly uses emails with Ukrainian-language lures. More recently, however, some samples show that the group has also begun using English-language lures. "We assess that these samples indicate that Trident Ursa is attempting to boost their intelligence collection and network access against Ukrainian and NATO allies," company researchers wrote. Among the filenames used in the unsuccessful attack were: MilitaryassistanceofUkraine.htm, Necessary_military_assistance.rar, and List of necessary things for the provision of military humanitarian assistance to Ukraine.lnk. Tuesday's report didn't name the targeted petroleum company or the country where the facility was located. In recent months, Western-aligned officials have issued warnings that the Kremlin has set its sights on energy companies in countries opposing Russia's war on Ukraine.

Trident Ursa's hacking techniques are simple but effective. The group uses multiple ways to conceal the IP addresses and other signatures of its infrastructure, phishing documents with low detection rates among anti-phishing services, and malicious HTML and Word documents. Unit 42 researchers wrote: "Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts -- along with a significant amount of obfuscation -- as well as routine phishing attempts to successfully execute their operations..." Tuesday's report provides a list of cryptographic hashes and other indicators organizations can use to determine if Trident Ursa has targeted them. It also provides suggestions for ways to protect organizations against the group.

An anonymous reader shares a report: On the last episode of "Will Anker ever tell us what's actually going on with its security cameras rather than lying and covering its tracks," we told you how Eufy's customer support team is now quietly providing some of the answers to the questions that the company had publicly ignored about its smart home camera security. Now, Anker is finally taking a stab at a public explanation, in a new blog post titled "To our eufy Security Customers and Partners." Unfortunately, it contains no apology, and doesn't begin to address why anyone would be able to view an unencrypted stream in VLC Media Player on the other side of the country, from a supposedly always-local, always-end-to-end-encrypted camera.

Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month. From a report: According to a 'confidential' email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta's source code. BleepingComputer has obtained a 'confidential' security incident notification that Okta has been emailing to its 'security contacts' as of a few hours ago. We have confirmed that multiple sources, including IT admins, have been receiving this email notification. Earlier this month, GitHub alerted Okta of suspicious access to Okta's code repositories, states the notification. "Upon investigation, we have concluded that such access was used to copy Okta code repositories," writes David Bradbury, the company's Chief Security Officer (CSO) in the email.

An anonymous reader shares a report: With a flat fee of $70 for trips into Manhattan and a guaranteed stream of passengers, a ride to and from New York's John F. Kennedy International Airport is one of the more lucrative journeys for the city's cab drivers. But federal prosecutors say two 48-year-old Queens men found another way to profit from the crowd of taxis waiting long hours for passengers at the airport, conspiring with Russians to hack the dispatch system and allow drivers to cut ahead in line for a $10 payment.

The two men, Daniel Abayev and Peter Leyman, were arrested Tuesday and charged with conspiracy to commit computer intrusions for hacking into the system from November 2019 to November 2020. Prosecutors said the pair worked with Russian nationals to access the system through various methods, including bribing someone to insert a flash drive into computers that allowed them to enter the system via Wifi and stealing tablets connected to the dispatch operation. They then used their access to move certain taxis to the front of the line for $10 each, allowing drivers to bypass a holding lot that frequently required hours-long waits before they were dispatched to a terminal, and waived the fee for drivers who recruited others, according to prosecutors.

Esper: The world's biggest tech companies have lost confidence in one of the Internet's behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products. Starting in Chrome version 111 for desktops, the browser will no longer trust certificates issued by TrustCor Systems. The same change is coming to Android, but unlike Chrome for desktops, Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out. Thankfully, that may no longer be the case in Android 14, as Google is preparing to implement updatable root certificates in the next release.

Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. BleepingComputer reports: In credential stuffing attacks, automated tools are used to make a massive number of attempts to sign into accounts using credentials (user/password pairs) stolen from other online services. [...] In a data breach notification filed with the Main Attorney General's office, DraftKings disclosed that the data of 67,995 people was exposed in last month's incident. The company said the attackers obtained the credentials needed to log into the customers' accounts from a non-DraftKings source.

"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the breach notification reads. "At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account."

After detecting the attack, DraftKings reset the affected accounts' passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims' linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts. "After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working," adds the report.

"The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests."

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have charged two men with allegedly taking part in a spree of swatting attacks against more than a dozen owners of compromised Ring home security cameras and using that access to livestream the police response on social media. Kya Christian Nelson, 21, of Racine, Wisconsin, and James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, gained access to 12 Ring cameras after compromising the Yahoo Mail accounts of each owner, prosecutors alleged in an indictment filed Friday in the Central District of California. In a single week starting on November 7, 2020, prosecutors said, the men placed hoax emergency calls to the local police departments of each owner that were intended to draw an armed response, a crime known as swatting.

On November 8, for instance, local police in West Covina, California, received an emergency call purporting to come from a minor child reporting that her parents had been drinking and shooting guns inside the minor's home. When police arrived at the residence, Nelson allegedly accessed the residence's Ring doorbell and used it to verbally threaten and taunt the responding officers. The indictment alleges the men helped carry out 11 similar swatting incidents during the same week, occurring in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.

Prosecutors alleged that the two men and a third unnamed accomplice would first obtain the login credentials of Yahoo accounts and then determine if each account owner had a Ring account that could control a doorbell camera. The men would then use their access to gather the names and other information of the account holders. The defendants then placed the hoax emergency calls and waited for armed officers to respond. It's not clear how the defendants allegedly obtained the Yahoo account credentials. A separate indictment filed in November in the District of Arizona alleged that McCarty participated in swatting attacks on at least 18 individuals. Both men are charged with one count of conspiracy to intentionally access computers without authorization. Nelson was also charged with two counts of intentionally accessing without authorization a computer and two counts of aggravated identity theft. If convicted, both men face a maximum penalty of five years in prison. Nelson faces an additional maximum penalty of at least seven years on the remaining charges.

Google Workspace is rolling out a new security update on Gmail, adding end-to-end encryption that aims to provide an added layer of security when sending emails and attachments on the web. From a report: The update is still in the beta stages, but eligible Workspace customers with Enterprise Plus, Education Standard, and Education Plus accounts can fill out an application to test the program through Google's support center. Once the encryption update has been completed, Gmail Workspace customers will find that any sensitive information or data delivered cannot be decrypted by Google's servers.

According to the support center, the application window will be open until January 20, 2023, and once users have accessed the feature, they will be able to choose to turn on the additional encryption by selecting the padlock button when drafting their email. But once activated, some features will be disabled, including emojis, signatures, and Smart Compose. The encryption feature will be monitored and managed by users' administrators and comes after Google started working to add more encryption features to Gmail. The report notes that client-side encryption, or CSE, "is already available for Google Drive, including in apps like Google Docs, Sheets, and Slides. It's also in Google Meet, and is in the beta stage for Google Calendar."

IEEE Spectrum: In 2000, at a trade fair in Germany, an obscure Singapore company called Trek 2000 unveiled a solid-state memory chip encased in plastic and attached to a Universal Serial Bus (USB) connector. The gadget, roughly the size of a pack of chewing gum, held 8 megabytes of data and required no external power source, drawing power directly from a computer when connected. It was called the ThumbDrive. That device, now known by a variety of names -- including memory stick, USB stick, flash drive, as well as thumb drive -- changed the way computer files are stored and transferred. Today it is familiar worldwide. The thumb drive was an instant hit, garnering hundreds of orders for samples within hours. Later that year, Trek went public on the Singapore stock exchange, and in four months -- from April through July 2000 -- it manufactured and sold more than 100,000 ThumbDrives under its own label.

Before the invention of the thumb drive, computer users stored and transported their files using floppy disks. Developed by IBM in the 1960s, first 8-inch and later 5 1/4-inch and 3 1/2-inch floppy disks replaced cassette tapes as the most practical portable storage media. Floppy disks were limited by their relatively small storage capacity -- even double-sided, double-density disks could store only 1.44 MB of data. During the 1990s, as the size of files and software increased, computer companies searched for alternatives. Personal computers in the late 1980s began incorporating CD-ROM drives, but initially these could read only from prerecorded disks and could not store user-generated data. The Iomega Zip Drive, called a "superfloppy" drive and introduced in 1994, could store up to 750 MB of data and was writable, but it never gained widespread popularity, partly due to competition from cheaper and higher-capacity hard drives.

Computer users badly needed a cheap, high-capacity, reliable, portable storage device. The thumb drive was all that -- and more. It was small enough to slip in a front pocket or hang from a keychain, and durable enough to be rattled around in a drawer or tote without damage. With all these advantages, it effectively ended the era of the floppy disk. But Trek 2000 hardly became a household name. And the inventor of the thumb drive and Trek's CEO, Henn Tan, did not become as famous as other hardware pioneers like Robert Noyce, Douglas Engelbart, or Steve Jobs. Even in his home of Singapore, few people know of Tan or Trek. Why aren't they more famous? After all, mainstream companies including IBM, TEAC, Toshiba, and, ultimately, Verbatim licensed Trek's technology for their own memory stick devices. And a host of other companies just copied Tan without permission or acknowledgment.