A proposal to force cellphone companies to block certain spam texts is gaining momentum. From a report: California Attorney General Rob Bonta has expressed his support for a proposal by the Federal Communications Commission (FCC) to put an end to illegal and malicious texts. By doing so, he joined attorneys general from the other 49 states and Washington D.C., who had all previously expressed their support of the proposal. In a letter signed by all 51 attorneys general to the FCC, supporting them in their hopes to require cellular providers to block illegal text messages from invalid or unused numbers, as well as blocking any phone numbers found on a "do not originate" list, numbers which have previously been proved to have been used for fraudulent activity.

The Securities and Exchange Commission is stepping up scrutiny of the work that audit firms are doing for cryptocurrency companies, concerned that investors may be getting a false sense of reassurance from the firms' reports, a senior official at the regulator said. From a report: "We're warning investors to be very wary of some of the claims that are being made by crypto companies," Paul Munter, the SEC's acting chief accountant, said in an interview. Increased scrutiny has led at least one audit firm to drop crypto clients, in some cases soon after producing reports on the companies' assets and liabilities. Crypto companies are eager to get the blessing of an auditor to reassure their skittish clients.

The Wall Street watchdog is looking closely at how crypto companies are portraying their reports from audit firms, according to Mr. Munter. Many of these companies are closely held or based offshore, and so unlikely to fall within the regulator's remit. The SEC is effectively sending a warning to audit firms, which don't want to run afoul of their regulator, as well as putting investors on alert. "We are increasing our understanding of what's going on in the marketplace," Mr. Munter said. "If we find fact patterns that we think are troublesome, we will consider a referral to the division of enforcement." The regulator is worried particularly about so-called proof-of-reserves reports, which aim to show that the crypto company has sufficient assets to cover customers' funds.

An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges. From a report: The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.

The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then. Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play.

An anonymous reader quotes a report from Ars Technica: One of the Kremlin's most active hacking groups targeting Ukraine recently tried to hack a large petroleum refining company located in a NATO country. The attack is a sign that the group is expanding its intelligence gathering as Russia's invasion of its neighboring country continues. The attempted hacking occurred on August 30 and was unsuccessful, researchers with Palo Alto Networks' Unit 42 said on Tuesday. The hacking group -- tracked under various names including Trident Ursa, Gamaredon, UAC-0010, Primitive Bear, and Shuckworm -- has been attributed by Ukraine's Security Service to Russia's Federal Security Service.

In the past 10 months, Unit 42 has mapped more than 500 new domains and 200 samples and other bread crumbs Trident Ursa has left behind in spear phishing campaigns attempting to infect targets with information-stealing malware. The group mostly uses emails with Ukrainian-language lures. More recently, however, some samples show that the group has also begun using English-language lures. "We assess that these samples indicate that Trident Ursa is attempting to boost their intelligence collection and network access against Ukrainian and NATO allies," company researchers wrote. Among the filenames used in the unsuccessful attack were: MilitaryassistanceofUkraine.htm, Necessary_military_assistance.rar, and List of necessary things for the provision of military humanitarian assistance to Ukraine.lnk. Tuesday's report didn't name the targeted petroleum company or the country where the facility was located. In recent months, Western-aligned officials have issued warnings that the Kremlin has set its sights on energy companies in countries opposing Russia's war on Ukraine.

Trident Ursa's hacking techniques are simple but effective. The group uses multiple ways to conceal the IP addresses and other signatures of its infrastructure, phishing documents with low detection rates among anti-phishing services, and malicious HTML and Word documents. Unit 42 researchers wrote: "Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts -- along with a significant amount of obfuscation -- as well as routine phishing attempts to successfully execute their operations..." Tuesday's report provides a list of cryptographic hashes and other indicators organizations can use to determine if Trident Ursa has targeted them. It also provides suggestions for ways to protect organizations against the group.

An anonymous reader shares a report: On the last episode of "Will Anker ever tell us what's actually going on with its security cameras rather than lying and covering its tracks," we told you how Eufy's customer support team is now quietly providing some of the answers to the questions that the company had publicly ignored about its smart home camera security. Now, Anker is finally taking a stab at a public explanation, in a new blog post titled "To our eufy Security Customers and Partners." Unfortunately, it contains no apology, and doesn't begin to address why anyone would be able to view an unencrypted stream in VLC Media Player on the other side of the country, from a supposedly always-local, always-end-to-end-encrypted camera.

Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month. From a report: According to a 'confidential' email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta's source code. BleepingComputer has obtained a 'confidential' security incident notification that Okta has been emailing to its 'security contacts' as of a few hours ago. We have confirmed that multiple sources, including IT admins, have been receiving this email notification. Earlier this month, GitHub alerted Okta of suspicious access to Okta's code repositories, states the notification. "Upon investigation, we have concluded that such access was used to copy Okta code repositories," writes David Bradbury, the company's Chief Security Officer (CSO) in the email.

An anonymous reader shares a report: With a flat fee of $70 for trips into Manhattan and a guaranteed stream of passengers, a ride to and from New York's John F. Kennedy International Airport is one of the more lucrative journeys for the city's cab drivers. But federal prosecutors say two 48-year-old Queens men found another way to profit from the crowd of taxis waiting long hours for passengers at the airport, conspiring with Russians to hack the dispatch system and allow drivers to cut ahead in line for a $10 payment.

The two men, Daniel Abayev and Peter Leyman, were arrested Tuesday and charged with conspiracy to commit computer intrusions for hacking into the system from November 2019 to November 2020. Prosecutors said the pair worked with Russian nationals to access the system through various methods, including bribing someone to insert a flash drive into computers that allowed them to enter the system via Wifi and stealing tablets connected to the dispatch operation. They then used their access to move certain taxis to the front of the line for $10 each, allowing drivers to bypass a holding lot that frequently required hours-long waits before they were dispatched to a terminal, and waived the fee for drivers who recruited others, according to prosecutors.

Esper: The world's biggest tech companies have lost confidence in one of the Internet's behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products. Starting in Chrome version 111 for desktops, the browser will no longer trust certificates issued by TrustCor Systems. The same change is coming to Android, but unlike Chrome for desktops, Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out. Thankfully, that may no longer be the case in Android 14, as Google is preparing to implement updatable root certificates in the next release.

Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. BleepingComputer reports: In credential stuffing attacks, automated tools are used to make a massive number of attempts to sign into accounts using credentials (user/password pairs) stolen from other online services. [...] In a data breach notification filed with the Main Attorney General's office, DraftKings disclosed that the data of 67,995 people was exposed in last month's incident. The company said the attackers obtained the credentials needed to log into the customers' accounts from a non-DraftKings source.

"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the breach notification reads. "At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account."

After detecting the attack, DraftKings reset the affected accounts' passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims' linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts. "After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working," adds the report.

"The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests."

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have charged two men with allegedly taking part in a spree of swatting attacks against more than a dozen owners of compromised Ring home security cameras and using that access to livestream the police response on social media. Kya Christian Nelson, 21, of Racine, Wisconsin, and James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, gained access to 12 Ring cameras after compromising the Yahoo Mail accounts of each owner, prosecutors alleged in an indictment filed Friday in the Central District of California. In a single week starting on November 7, 2020, prosecutors said, the men placed hoax emergency calls to the local police departments of each owner that were intended to draw an armed response, a crime known as swatting.

On November 8, for instance, local police in West Covina, California, received an emergency call purporting to come from a minor child reporting that her parents had been drinking and shooting guns inside the minor's home. When police arrived at the residence, Nelson allegedly accessed the residence's Ring doorbell and used it to verbally threaten and taunt the responding officers. The indictment alleges the men helped carry out 11 similar swatting incidents during the same week, occurring in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.

Prosecutors alleged that the two men and a third unnamed accomplice would first obtain the login credentials of Yahoo accounts and then determine if each account owner had a Ring account that could control a doorbell camera. The men would then use their access to gather the names and other information of the account holders. The defendants then placed the hoax emergency calls and waited for armed officers to respond. It's not clear how the defendants allegedly obtained the Yahoo account credentials. A separate indictment filed in November in the District of Arizona alleged that McCarty participated in swatting attacks on at least 18 individuals. Both men are charged with one count of conspiracy to intentionally access computers without authorization. Nelson was also charged with two counts of intentionally accessing without authorization a computer and two counts of aggravated identity theft. If convicted, both men face a maximum penalty of five years in prison. Nelson faces an additional maximum penalty of at least seven years on the remaining charges.

Google Workspace is rolling out a new security update on Gmail, adding end-to-end encryption that aims to provide an added layer of security when sending emails and attachments on the web. From a report: The update is still in the beta stages, but eligible Workspace customers with Enterprise Plus, Education Standard, and Education Plus accounts can fill out an application to test the program through Google's support center. Once the encryption update has been completed, Gmail Workspace customers will find that any sensitive information or data delivered cannot be decrypted by Google's servers.

According to the support center, the application window will be open until January 20, 2023, and once users have accessed the feature, they will be able to choose to turn on the additional encryption by selecting the padlock button when drafting their email. But once activated, some features will be disabled, including emojis, signatures, and Smart Compose. The encryption feature will be monitored and managed by users' administrators and comes after Google started working to add more encryption features to Gmail. The report notes that client-side encryption, or CSE, "is already available for Google Drive, including in apps like Google Docs, Sheets, and Slides. It's also in Google Meet, and is in the beta stage for Google Calendar."

IEEE Spectrum: In 2000, at a trade fair in Germany, an obscure Singapore company called Trek 2000 unveiled a solid-state memory chip encased in plastic and attached to a Universal Serial Bus (USB) connector. The gadget, roughly the size of a pack of chewing gum, held 8 megabytes of data and required no external power source, drawing power directly from a computer when connected. It was called the ThumbDrive. That device, now known by a variety of names -- including memory stick, USB stick, flash drive, as well as thumb drive -- changed the way computer files are stored and transferred. Today it is familiar worldwide. The thumb drive was an instant hit, garnering hundreds of orders for samples within hours. Later that year, Trek went public on the Singapore stock exchange, and in four months -- from April through July 2000 -- it manufactured and sold more than 100,000 ThumbDrives under its own label.

Before the invention of the thumb drive, computer users stored and transported their files using floppy disks. Developed by IBM in the 1960s, first 8-inch and later 5 1/4-inch and 3 1/2-inch floppy disks replaced cassette tapes as the most practical portable storage media. Floppy disks were limited by their relatively small storage capacity -- even double-sided, double-density disks could store only 1.44 MB of data. During the 1990s, as the size of files and software increased, computer companies searched for alternatives. Personal computers in the late 1980s began incorporating CD-ROM drives, but initially these could read only from prerecorded disks and could not store user-generated data. The Iomega Zip Drive, called a "superfloppy" drive and introduced in 1994, could store up to 750 MB of data and was writable, but it never gained widespread popularity, partly due to competition from cheaper and higher-capacity hard drives.

Computer users badly needed a cheap, high-capacity, reliable, portable storage device. The thumb drive was all that -- and more. It was small enough to slip in a front pocket or hang from a keychain, and durable enough to be rattled around in a drawer or tote without damage. With all these advantages, it effectively ended the era of the floppy disk. But Trek 2000 hardly became a household name. And the inventor of the thumb drive and Trek's CEO, Henn Tan, did not become as famous as other hardware pioneers like Robert Noyce, Douglas Engelbart, or Steve Jobs. Even in his home of Singapore, few people know of Tan or Trek. Why aren't they more famous? After all, mainstream companies including IBM, TEAC, Toshiba, and, ultimately, Verbatim licensed Trek's technology for their own memory stick devices. And a host of other companies just copied Tan without permission or acknowledgment.

Keylogger-like behavior has some Corsair K100 keyboard customers concerned. Several users have reported their peripheral randomly entering text into their computer that they previously typed days or weeks ago. However, Corsair told Ars Technica that the behavior is a bug, not keylogging, and it's possibly related to the keyboard's macro recording feature. From a report: A reader tipped us off to an ongoing thread on Corsair's support forum that a user started in August. The user claimed that their K100 started typing on its own while they use it with a MacBook Pro, gaming computer, and KVM switch. "Every couple of days, the keyboard has started randomly typing on its own while I am working on the MacBook. It usually seems to type messages that I previously typed on the gaming PC and it won't stop until I unplug the keyboard and plug it back in," the user, "brendenguy," wrote.

Ten users seemingly responded to the thread (we can't verify the validity of each claim or account, but Corsair confirmed this is a known issue), reporting similar experiences. [...] Corsair confirmed to Ars that it's received "several" reports of the K100 acting like this but affirmed that "there's no hardware function on the keyboard that operates as a key logger." The company didn't immediately respond to follow-up questions about how many keyboards were affected. "Corsair keyboards unequivocally do not log user input in any way and do not have the ability to log individual keystrokes," Corsair's rep told Ars Technica.

"Today San Francisco has what is perhaps the most deserted major downtown in America," reports the New York Times. "On any given week, office buildings are at about 40 percent of their prepandemic occupancy..." [T]he vacancy rate has jumped to 24 percent from 5 percent since 2019. Occupancy of the city's offices is roughly 7 percentage points below that of those in the average major American city, according to Kastle, the building security firm.

More ominous for the city is that its downtown business district — the bedrock of its economy and tax base — revolves around a technology industry that is uniquely equipped and enthusiastic about letting workers stay home indefinitely. In the space of a few months, Jeremy Stoppelman, the chief executive of Yelp, went from running a company that was rooted in the city to vacating Yelp's longtime headquarters and allowing its roughly 4,400 employees to work from anywhere in their country.

"I feel like I've seen the future," he said.

Decisions like that, played out across thousands of remote and hybrid work arrangements, have forced office owners and the businesses that rely on them to figure out what's next. This has made the San Francisco area something of a test case in the multibillion-dollar question of what the nation's central business districts will look like when an increased amount of business is done at home.... The city's chief economist, Ted Egan, has warned about a looming loss of tax revenue as vacancies pile up. Brokers have tried to counter that narrative by talking up a "flight to quality" in which companies upgrade to higher-end space. Business groups and city leaders hope to recast the urban core as a more residential neighborhood built around people as well as businesses but leave out that office rents would probably have to plunge for those plans to be viable.

Below the surface of spin is a downtown that is trying to adapt to what amounts to a three-day workweek.... On Wednesdays, offices in San Francisco are at roughly 50 percent of their prepandemic levels; on Fridays, they're not even at 30 percent.... In a typical downturn, the turnaround is a fairly simple equation of rents falling far enough to attract new tenants and the economy improving fast enough to stimulate new demand. But now there's a more existential question of what the point of a city's downtown even is.

Microsoft has quietly banned cryptocurrency mining from its online services, and says it did so to protect all customers of its clouds. The Register reports: The Windows and Azure titan slipped the prohibition into an update of its Universal License Terms for Online Services that came into effect on December 1. That document covers any "Microsoft-hosted service to which Customer subscribes under a Microsoft volume licensing agreement," and on The Register's reading, mostly concerns itself with Azure. Microsoft's Summary of Changes to the license states: "Updated Acceptable Use Policy to clarify that mining cryptocurrency is prohibited without prior Microsoft approval." Within the license itself there's hardly any more info.

A section headed "Acceptable Use Policy" states: "Neither Customer, nor those that access an Online Service through Customer, may use an Online Service: to mine cryptocurrency without Microsoft's prior written approval." Microsoft appears not to have publicized this decision beyond the Summary of Changes page and, in recent hours, in an advisory to partners titled: "Important actions partners need to take to secure the partner ecosystem." That document states "the Acceptable Use Policy has been updated to explicitly prohibit mining for cryptocurrencies across all Microsoft Online Services unless written pre-approval is granted by Microsoft," and adds: "We suggest seeking written pre-approval from Microsoft before using Microsoft Online Services for mining cryptocurrencies, regardless of the term of a subscription." Microsoft told The Register it made the change because "crypto currency mining can cause disruption or even impairment to Online Services and its users and can often be linked to cyber fraud and abuse attacks such as unauthorized access to and use of customer resources."

"We made this change to further protect our customers and mitigate the risk of disrupting or impairing services in the Microsoft Cloud." Permission to mine crypto "may be considered for Testing and Research for security detections."

Today, application security provider Promon released the results of a survey of 311 cybersecurity professionals taken at this year's Black Hat Europe expo earlier this month. Sixty-six percent of the respondents claim to have experienced burnout this year. The survey also found that 51% reported working more than four hours per week over their contracted hours. VentureBeat reports: Over 50% responded that workload was the biggest source of stress in their positions, followed by 19% who cited management issues, 12% pointing to difficult relationships with colleagues, and 11% suggesting it was due to inadequate access to the required tools. Just 7% attributed stress to being underpaid. Above all, the research highlights that cybersecurity analysts are expected to manage an unmanageable workload to keep up with threat actors, which forces them to work overtime and adversely effects their mental health.

This research comes not only as the cyber skills gap continues to grow, but also as organizations continue to single out individuals and teams as responsible for breaches. Most (88%) security professionals report they believe a blame culture exists somewhat in the industry, with 38% in the U.S. seeing such a culture as "heavily prevalent." With so many security professionals being held responsible for breaches, it's no surprise that many resort to working overtime to try and keep their organizations safe -- at great cost to their own mental health.

Federal prosecutors have charged six people for allegedly operating websites that launched millions of powerful distributed denial-of-service attacks on a wide array of victims on behalf of millions of paying customers. From a report: The sites promoted themselves as booter or stressor services designed to test the bandwidth and performance of customers' networks. Prosecutors said in court papers that the services were used to direct massive amounts of junk traffic at third-party websites and Internet connections customers wanted to take down or seriously constrain. Victims included educational institutions, government agencies, gaming platforms, and millions of individuals. Besides charging six defendants, prosecutors also seized 48 Internet domains associated with the services.

"These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone's ability to access the Internet," Martin Estrada, US attorney for the Central District of California, said in a statement. "This week's sweeping law enforcement activity is a major step in our ongoing efforts to eradicate criminal conduct that threatens the Internet's infrastructure and our ability to function in a digital world." The services offered user interfaces that were essentially the same except for cosmetic differences. The screenshot below shows the web panel offered by orphicsecurityteam.com as of February 28. It allowed users to enter an IP address of a target, the network port, and the specific type of attack they wanted. The panel allowed users to pick various methods to amplify their attacks. Amplification involved bouncing a relatively small amount of specially crafted data at a third-party server in a way that caused the server to pummel the intended victim with payloads that were as much as 10,000 times bigger.

Microsoft has quietly banned cryptocurrency mining from its online services, and says it did so to protect all customers of its clouds. From a report: The Windows and Azure titan slipped the prohibition into an update of its Universal License Terms for Online Services that came into effect on December 1. That document covers any "Microsoft-hosted service to which Customer subscribes under a Microsoft volume licensing agreement," and on The Register's reading, mostly concerns itself with Azure.

Microsoft's Summary of Changes to the license states: "Updated Acceptable Use Policy to clarify that mining cryptocurrency is prohibited without prior Microsoft approval." Within the license itself there's hardly any more info. A section headed "Acceptable Use Policy" states: "Neither Customer, nor those that access an Online Service through Customer, may use an Online Service: to mine cryptocurrency without Microsoft's prior written approval."

The U.S. National Security Agency is warning that Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to targeted networks. From a report: The flaw, tracked as CVE-2022-27518, affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool, and are both popular in enterprise networks. The critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices -- no passwords needed. Citrix also says the flaw is being actively exploited by threat actors. "We are aware of a small number of targeted attacks in the wild using this vulnerability," Peter Lefkowitz, chief security and trust officer at Citrix, said in a blog post. "Limited exploits of this vulnerability have been reported." Citrix hasn't specified which industries the targeted organizations are in or how many have been compromised.

Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild, a lapse that allows the malicious files to pass strict security checks designed to prevent them from running on the Windows operating system. ArsTechnica: Multiple threat actors were involved in the misuse of Microsoft's digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.

The abuse was independently discovered by four third-party security companies, which then privately reported it to Microsoft. On Tuesday, during Microsoft's monthly Patch Tuesday, the company confirmed the findings and said it has determined the abuse came from several developer accounts and that no network breach has been detected. The software maker has now suspended the developer accounts and implemented blocking detections to prevent Windows from trusting the certificates used to sign the compromised certificates. "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks," company officials wrote.