Security

66% of Cybersecurity Analysts Experienced Burnout This Year, Report Finds (venturebeat.com) 31

Today, application security provider Promon released the results of a survey of 311 cybersecurity professionals taken at this year's Black Hat Europe expo earlier this month. Sixty-six percent of the respondents claim to have experienced burnout this year. The survey also found that 51% reported working more than four hours per week over their contracted hours. VentureBeat reports: Over 50% responded that workload was the biggest source of stress in their positions, followed by 19% who cited management issues, 12% pointing to difficult relationships with colleagues, and 11% suggesting it was due to inadequate access to the required tools. Just 7% attributed stress to being underpaid. Above all, the research highlights that cybersecurity analysts are expected to manage an unmanageable workload to keep up with threat actors, which forces them to work overtime and adversely affects their mental health.

This research comes not only as the cyber skills gap continues to grow, but also as organizations continue to single out individuals and teams as responsible for breaches. Most (88%) security professionals report they believe a blame culture exists somewhat in the industry, with 38% in the U.S. seeing such a culture as "heavily prevalent." With so many security professionals being held responsible for breaches, it's no surprise that many resort to working overtime to try and keep their organizations safe -- at great cost to their own mental health.

Security

Prosecutors Charge 6 People for Allegedly Waging Massive DDoS Attacks (arstechnica.com) 16

Federal prosecutors have charged six people for allegedly operating websites that launched millions of powerful distributed denial-of-service attacks on a wide array of victims on behalf of millions of paying customers. From a report: The sites promoted themselves as booter or stressor services designed to test the bandwidth and performance of customers' networks. Prosecutors said in court papers that the services were used to direct massive amounts of junk traffic at third-party websites and Internet connections customers wanted to take down or seriously constrain. Victims included educational institutions, government agencies, gaming platforms, and millions of individuals. Besides charging six defendants, prosecutors also seized 48 Internet domains associated with the services.

"These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone's ability to access the Internet," Martin Estrada, US attorney for the Central District of California, said in a statement. "This week's sweeping law enforcement activity is a major step in our ongoing efforts to eradicate criminal conduct that threatens the Internet's infrastructure and our ability to function in a digital world." The services offered user interfaces that were essentially the same except for cosmetic differences. The screenshot below shows the web panel offered by orphicsecurityteam.com as of February 28. It allowed users to enter an IP address of a target, the network port, and the specific type of attack they wanted. The panel allowed users to pick various methods to amplify their attacks. Amplification involved bouncing a relatively small amount of specially crafted data at a third-party server in a way that caused the server to pummel the intended victim with payloads that were as much as 10,000 times bigger.

Cloud

Microsoft Bans Mining Cryptocurrency on Its Online Services (theregister.com) 25

Microsoft has quietly banned cryptocurrency mining from its online services, and says it did so to protect all customers of its clouds. From a report: The Windows and Azure titan slipped the prohibition into an update of its Universal License Terms for Online Services that came into effect on December 1. That document covers any "Microsoft-hosted service to which Customer subscribes under a Microsoft volume licensing agreement," and on The Register's reading, mostly concerns itself with Azure.

Microsoft's Summary of Changes to the license states: "Updated Acceptable Use Policy to clarify that mining cryptocurrency is prohibited without prior Microsoft approval." Within the license itself there's hardly any more info. A section headed "Acceptable Use Policy" states: "Neither Customer, nor those that access an Online Service through Customer, may use an Online Service: to mine cryptocurrency without Microsoft's prior written approval."

Security

NSA Says Chinese Hackers Are Exploiting a Zero-Day Bug in Popular Networking Gear (techcrunch.com) 19

The U.S. National Security Agency is warning that Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to targeted networks. From a report: The flaw, tracked as CVE-2022-27518, affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool, both of which are popular in enterprise networks. The critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices -- no passwords needed. Citrix also says the flaw is being actively exploited by threat actors. "We are aware of a small number of targeted attacks in the wild using this vulnerability," Peter Lefkowitz, chief security and trust officer at Citrix, said in a blog post. "Limited exploits of this vulnerability have been reported." Citrix hasn't specified which industries the targeted organizations are in or how many have been compromised.

Microsoft

Microsoft Digital Certificates Once Again Abused To Sign Malware (arstechnica.com) 23

Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild, a lapse that allows the malicious files to pass strict security checks designed to prevent them from running on the Windows operating system. ArsTechnica: Multiple threat actors were involved in the misuse of Microsoft's digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.

The abuse was independently discovered by four third-party security companies, which then privately reported it to Microsoft. On Tuesday, during Microsoft's monthly Patch Tuesday, the company confirmed the findings and said it has determined the abuse came from several developer accounts and that no network breach has been detected. The software maker has now suspended the developer accounts and implemented blocking detections to prevent Windows from trusting the certificates used to sign the compromised certificates. "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks," company officials wrote.

Privacy

FBI's Vetted Info Sharing Network 'InfraGard' Hacked (krebsonsecurity.com) 21

An anonymous reader quotes a report from KrebsOnSecurity: On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members. The FBI's InfraGard program is supposed to be a vetted Who's Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation's critical infrastructures -- including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms. "InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks," the FBI's InfraGard fact sheet reads.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle "USDoD" and whose avatar is the seal of the U.S. Department of Defense. USDoD said they gained access to the FBI's InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership. The CEO in question -- currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans -- did not respond to requests for comment. USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO's name, and that the application included a contact email address that they controlled -- but also the CEO's real mobile phone number. "When you register they said that to be approved can take at least three months," USDoD said. "I wasn't expected to be approve[d]." But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved. While the FBI's InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email. "If it was only the phone I will be in [a] bad situation," USDoD said. "Because I used the person['s] phone that I'm impersonating."

USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other. USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data. "InfraGard is a social media intelligence hub for high profile persons," USDoD said. "They even got [a] forum to discuss things." USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields -- like Social Security Number and Date of Birth -- are completely empty. [...] While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.

iPhone

Apple Fixes 'Actively Exploited' Zero-Day Affecting Most iPhones (techcrunch.com) 38

An anonymous reader quotes a report from TechCrunch: Apple has confirmed that an iPhone software update it released two weeks ago fixed a zero-day security vulnerability that it now says was actively exploited. The update, iOS 16.1.2, landed on November 30 and rolled out to all supported iPhones -- including iPhone 8 and later -- with unspecified "important security updates."

In a disclosure to its security updates page on Tuesday, Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps, which if exploited could allow malicious code to run on the person's device. The bug is called a zero-day because the vendor is given zero days notice to fix the vulnerability. Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.

Apple said in its Tuesday disclosure that it is aware that the vulnerability was exploited "against versions of iOS released before iOS 15.1," which was released in October 2021. As such, and for those who have not yet updated to iOS 16, Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for users running iPhones 6s and later and some iPad models. The bug is tracked as CVE-2022-42856, or WebKit 247562. It's not clear for what reason Apple withheld details of the bug for two weeks.

Security

Poor Software Costs the US 2.4 Trillion (securitymagazine.com) 78

Software quality issues may have cost the U.S. economy $2.41 trillion in 2022. From a report: This statistic is unearthed in Synopsys's 'The Cost of Poor Software Quality in the US: A 2022 Report.' The report's findings reflect that as of 2022, the cost of poor software quality in the U.S. -- which includes cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt -- have led to a build-up of historic software deficiencies. Co-sponsored by Synopsys, the report was produced by the Consortium for Information & Software Quality (CISQ), an organization developing international standards to automate software quality measurement and promoting the development and maintenance of secure, reliable, and trustworthy software.

The report highlights several key areas of CPSQ growth, including:
Cybercrime losses due to a rising number of software vulnerabilities. Losses rose 64% from 2020 to 2021 and are on track for a further 42% increase from 2021 to 2022. The quantity and cost of cybercrime incidents have been on the rise for over a decade, and now account for a sum equivalent to the world's third-largest economy after the U.S. and China.
Software supply chain problems with underlying third-party components are up significantly. This year's report shows that the number of failures due to weaknesses in open-source software components accelerated by an alarming 650% from 2020 to 2021.
Technical debt has become the largest obstacle to making changes in existing code bases. Technical debt refers to software development rework costs from the accumulation of deficiencies leaving data and systems potentially vulnerable. This year's report illustrates that deficiencies aren't being resolved, leading technical debt to increase to approximately $1.52 trillion.

IT

PC Price Cuts Are Coming as Manufacturers Rethink Their Portfolios (zdnet.com) 42

An anonymous reader shares a report: According to a recent IDC forecast, the PC and tablet markets are expected to shrink. Shipments for tablets and PCs will decline almost 12% in 2022, the research firm reported, and are expected to decline further in 2023. But excess inventory is already forcing suppliers to heavily discount products and shift from the premium segment to more mid-range products, the analysts said. On the other hand, the report states that tablet and PC shipments will continue to remain above pre-pandemic levels. But uncertain economic conditions will threaten inventory and increase market saturation next year.

"The reality is that both PC and tablet makers will struggle in the coming months as not only are volumes expected to decline, but so will average selling prices," Jitesh Ubrani, IDC's research manager for mobility and consumer device trackers, said in a release. In October of this year, IDC reported that tablet shipments were down 8.8%, signaling the fifth straight quarter of the tablet market's decline. This market contraction followed two years of massive growth, which can be mostly attributed to economic factors.

Privacy

Xnspy Stalkerware Spied on Thousands of iPhones and Android Devices (techcrunch.com) 3

A little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority of whose owners are unaware that their data has been compromised. From a report: Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child's activities, but are explicitly marketed for spying on a spouse or domestic partner's devices without their permission. Its website boasts, "to catch a cheating spouse, you need Xnspy on your side," and, "Xnspy makes reporting and data extraction simple for you."

Stalkerware apps, also known as spouseware, are surreptitiously planted by someone with physical access to a person's phone, bypassing the on-device security protections, and are designed to stay hidden from home screens, which makes them difficult to detect. Once installed, these apps will silently and continually upload the contents of a person's phone, including their call records, text messages, photos, browsing history and precise location data, allowing the person who planted the app near-complete access to their victim's data. But new findings show many stalkerware apps are riddled with security flaws and are exposing the data stolen from victims' phones. Xnspy is no different.

Windows

Support for Windows 7 and 8 Fully Ends in January, Including Microsoft Edge 81

Microsoft's Chromium-based Edge browser was an improvement over the initial version of Edge in many ways, including its support for Windows 7 and Windows 8. But the end of the road is coming: Microsoft has announced that Edge will end support for Windows 7 and Windows 8 in mid-January of 2023, shortly after those operating systems stop getting regular security updates. From a report: Support will also end for Microsoft Edge Webview2, which can use Edge's rendering engine to embed webpages in non-Edge apps. The end-of-support date for Edge coincides with the end of security update support for both Windows 7 and Windows 8 on January 10, and the end of Google Chrome support for Windows 7 and 8 in version 110. Because the underlying Chromium engine in both Chrome and Edge is open source, Microsoft could continue supporting Edge in older Windows versions if it wanted, but the company is using both end-of-support dates to justify a clean break for Edge.

IT

No, Remote Employees Aren't Becoming Less Engaged (hbr.org) 128

"Employees have gotten more — not less — engaged over the past three years since remote work became the norm for many knowledge workers," argues an assistant professor of management from the business school at the University of Texas at Austin. He'd teamed up with a software company providing analytics to large corporations to measure the number of spontaneously-happening individual remote meetings: Given the anecdotal evidence of workers recently disengaging or quiet quitting, we had originally predicted that one of the easiest ways to observe this effect would be a continual decrease in the number of times remote or hybrid coworkers were engaging — or meeting — with each other. However, we found quite the opposite.

To more deeply explore the nature of how remote collaboration is changing over time, we gathered metadata from all Zoom, Microsoft Teams, and Webex meetings (involving webcams on and/or off) from 10 large global organizations (seven of which are Fortune 500 firms) spanning a variety of fields, including technology, health care, energy, and financial services. Specifically, we compared six-week snapshots of raw meeting counts from April through mid-May in 2020 following the Covid-19 lockdowns, and the same set of six weeks in 2021 and 2022.... This dataset resulted in a total of more than 48 million meetings for more than half a million employees....

In 2020, 17% of meetings were one-on-one, but in 2022, 42% of meetings were one-on-one... In 2020, only 17% of one-on-one meetings were unscheduled, but in 2022, 66% of one-on-one meetings were unscheduled. Furthermore, the growth in one-on-one meetings between 2020 and 2022 was almost solely due to the increase in unscheduled meetings (whereas scheduled meetings remained relatively constant)... The combination of these findings presents an interesting picture: not that remote workers seem to be becoming less engaged, but rather — at least with respect to meetings — they are becoming more engaged with their colleagues.

This data also suggests that remote interactions are shifting to more closely mirror in-person interactions. Whereas there have been substantial concerns that employees are missing out on the casual and spontaneous rich interactions that happen in-person, these findings indicate that remote employees may be beginning to compensate for the loss of those interactions by increasingly having impromptu meetings remotely.

Chrome

Passkey Support Rolls Out To Chrome Stable (arstechnica.com) 19

An anonymous reader quotes a report from Ars Technica: Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors -- Google, Apple, Microsoft -- along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [...]

Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.

Technology

Amazon Wants To Kill the Barcode (cnet.com) 84

Robots may be the future, but robotic arms are apparently no good at using an old and steadfast form of technology: the barcode. Barcodes can be hard to find and might be affixed to oddly shaped products, Amazon said in a press release Friday, something robots can't troubleshoot very well. As a result, the company says it has a plan to kill the barcode. From a report: Using pictures of items in Amazon warehouses and training a computer model, the e-commerce giant has developed a camera system that can monitor items flowing one-by-one down conveyor belts to make sure they match their images. Eventually, Amazon's AI experts and roboticists want to combine the technology with robots that identify items while picking them up and turning them around.

"Solving this problem, so robots can pick up items and process them without needing to find and scan a barcode, is fundamental," said Nontas Antonakos, an applied science manager in Amazon's computer vision group in Berlin. "It will help us get packages to customers more quickly and accurately." The system, called multi-modal identification, isn't going to fully replace barcodes soon. It's currently in use in facilities in Barcelona, Spain, and Hamburg, Germany, according to Amazon. Still, the company says it's already speeding up the time it takes to process packages there. The technology will be shared across Amazon's businesses, so it's possible you could one day see a version of it at a Whole Foods or another Amazon-owned chain with in-person stores.

Security

Spyware Hacks of Federal Workers Could Run Into Hundreds, Lawmaker Says (bloomberg.com) 10

A US government probe into how many mobile phones belonging to diplomats and government workers have been infected with spyware could "easily run to the hundreds," according to a member of the House Intelligence Committee. From a report: Jim Himes, a Democrat representative from Connecticut, told Bloomberg News that the Biden administration is "just beginning to get an inkling of the magnitude of the problem." He predicted that the probe could find that spyware was used against "hundreds" of federal personnel in "multiple countries." Himes was a lead author of a September letter calling on the federal government to better protect US diplomats overseas from spyware and publicly detail instances of such abuse. He received a letter last month written jointly by the Departments of Commerce and State that confirmed commercial spyware has targeted US government personnel serving overseas.

"Spyware technology has sort of moved beyond our ability to ensure that the communications of our diplomats are protected, or even the locations and contacts and photographs of our diplomats are protected. And that's obviously a huge vulnerability," he said. The official confirmation follows a Reuters report from last year that the iPhones of at least nine State Department employees were hacked with spyware developed by Israel's NSO Group. The employees were either based in Uganda or focused on issues related to the country, according to the report.

Security

Cyberattack On Top Indian Hospital Highlights Security Risk (apnews.com) 5

An anonymous reader quotes a report from the Associated Press: The leading hospital in India's capital limped back to normalcy on Wednesday after a cyberattack crippled its operations for nearly two weeks. Online registration of patients resumed Tuesday after the hospital was able to access its server and recover lost data. The hospital worked with federal authorities to restore the system and strengthen its defenses. It's unclear who conducted the Nov. 23 attack on the All India Institute of Medical Sciences or where it originated.

The attack was followed by a series of failed attempts to hack India's top medical research organization, the Indian Council of Medical Research. This raised further concerns about the vulnerability of India's health system to attacks at a time when the government is pushing hospitals to digitize their records. More than 173,000 hospitals have registered with a federal program to digitize health records since its launch in September 2021. The program assigns patients numbers that are linked to medical information stored by hospitals on their own servers or in cloud-based storage. Experts fear that hospitals may not have the expertise to ensure digital security.

"Digitizing an entire health care system without really safeguarding it can pretty much kill an entire hospital. It suddenly stops functioning," said Srinivas Kodali, a researcher with the Free Software Movement of India. That is what happened to the hospital in New Delhi. Healthcare workers couldn't access patient reports because the servers that store laboratory data and patient records had been hacked and corrupted. The hospital normally treats thousands of people a day, many of whom travel from distant places to access affordable care. Always crowded, queues at the hospital grew even longer and more chaotic. Sandeep Kumar, who accompanied his ill father, said the digital attack meant that appointments couldn't be booked online, and that doctors could do little when they saw patients because they couldn't access their medical history.

Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com) 18

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Encryption

FBI Calls Apple's Expansion of End-To-End Encryption 'Deeply Concerning' (macrumors.com) 138

An anonymous reader quotes a report from MacRumors: Apple yesterday announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy. iCloud end-to-end encryption, or what Apple calls "Advanced Data Protection," encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it's "deeply concerned with the threat end-to-end and user-only-access encryption pose." Speaking generally about end-to-end encryption like Apple's Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests "lawful access by design": "This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism," the bureau said in an emailed statement. "In this age of cybersecurity and demands for 'security by design,' the FBI and law enforcement partners need 'lawful access by design.'"

Former FBI official Sasha O'Connell also weighed in, telling The New York Times "it's great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that is often not considered is the impact it has on decreasing law enforcement access to digital evidence."

Security

Samsung's Android App-Signing Key Has Leaked, is Being Used To Sign Malware (arstechnica.com) 23

Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.

Chrome

Chrome Gets Memory and Energy Saver Modes (techcrunch.com) 30

Google today announced two new performance settings in its Chrome browser: Memory Saver and Energy Saver. From a report: The Memory Saver mode promises to reduce Chrome's memory usage by up to 30% by putting inactive tabs to sleep. The tabs will simply reload when you need them again. The Energy Saver mode, meanwhile, limits background activity and visual effects for sites with animations and videos when your laptop's battery level drops below 20%.
