Microsoft has released an out-of-band update to nudge laggards toward Windows 11 amid a migration pace that company executives would undoubtedly prefer is rather faster. From a report: The software giant is offering an option of upgrading to Windows 11 as an out of box experience to its Windows 10 22H2 installed base, the main aim being to smooth their path forward to the latest operating system. "On November 30, 2022, an out-of-band update was released to improve the Windows 10, version 2004, 20H2, 21H1, 21H2, and 22H2 out-of-box experience (OOBE). It provides eligible devices with the option to upgrade to Windows 11 as part of the OOBE process. This update will be available only when an OOBE update is installed."

The update, KB5020683, applies only to Windows 10 Home and Professional versions 2004, 20H2, 21H1, 22H2. There are some pre-requisites that Microsoft has listed here before users can make the move to Windows 11. The operating system was released on October 5 last year but shifting stubborn consumers onto this software has proved challenging for top brass at Microsoft HQ in Redmond. According to Statcounter, a web analytics service that has tracking code installed on 1.5 million websites and records a page view for each, some 16.12 percent of Windows users had installed Windows 11 in November, higher than the 15.44 percent in the prior month, but likely still not close to the figures that Microsoft was hoping for.

Axios reports: "Although a quantum computer isn't expected until 2030, at the earliest, updating current encryption standards will take just as long," writes Axios, "creating a high-stakes race filled with unanswerable questions for national security and cybersecurity officials alike." As scientists, academics and international policymakers attended the first-ever Quantum World Congress conference in Washington this week, alarmism around the future of secure data was undercut by foundational questions of what quantum computing will mean for the world. "We don't even know what we don't know about what quantum can do," said Michael Redding, chief technology officer at Quantropi, during a panel about cryptography at the Quantum World Congress....

Some governments are believed to have already started stealing enemies' encrypted secrets now, so they can unlock them as soon as quantum computing is available. "It's the single-largest economic national-security issue we have ever faced as a Western society," said Denis Mandich, chief technology officer at Qrypt and a former U.S. intelligence official, at this week's conference. "We don't know what happens if they actually decrypt, operationalize and monetize all the data that they already have."

"A group of about 20 quality assurance testers at Activision Blizzard's Albany location won their bid for a union Friday afternoon," reports the Washington Post: The workers join the Game Workers Alliance, a union at the gaming company that already includes testers from Wisconsin-based Raven Software. Amanda Laven, a Blizzard Albany quality assurance tester, said that the union vote comes just about a year after the testers first began collecting signatures for a union. "We knew we were gonna win, but it's still extremely exciting and gratifying, especially because tomorrow marks the first anniversary of when we started organizing," Laven said.

The testers are the lowest paid workers at Blizzard Albany, formerly called Vicarious Visions, a studio known for its work on the Guitar Hero and Crash Bandicoot franchises. The Game Workers Alliance is the first union at a major video game company in the U.S., and Friday's news marks the union's second significant win in an industry that has historically not organized....

The Blizzard Albany testers took their cues from seeing testers at Call of Duty-maker Raven petition the company and gather signatures. On May 28, Raven testers won their bid to unionize. They're currently undergoing bargaining efforts for a contract.

An anonymous reader quotes a report from BleepingComputer: A previously undocumented data wiper named CryWiper is masquerading as ransomware, but in reality, destroys data beyond recovery in attacks against Russian mayor's offices and courts. CryWiper was first discovered by Kaspersky this fall, where they say the malware was used in an attack against a Russian organization. [...] CryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI function calls. Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.

Next, it contacts a command and control server (C2) with the name of the victim's machine. The C2 responds with either a "run" or "do not run" command, determining whether the wiper will activate or stay dormant. Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection. CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.

Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files. CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists. Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", "lnk", ".sys", ".msi", and its own ".CRY", while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable. After this step, CryWiper will generate ransom notes named 'README.txt,' asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.

An anonymous reader quotes a report from TechCrunch: The Cuba ransomware gang extorted more than $60 million in ransom payments from victims between December 2021 and August 2022, a joint advisory from CISA and the FBI has warned. The latest advisory is a follow-up to a flash alert (PDF) released by the FBI in December 2021, which revealed that the gang had earned close to $44 million in ransom payments after attacks on more than 49 entities in five critical infrastructure sectors in the United States. Since, the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally, almost half of the $145 million it demanded in ransom payments from these victims. "Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase," the two federal agencies said on Thursday.

Cuba ransomware actors, which have been active since 2019, continue to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, critical manufacturing and information technology. [...] FBI and CISA added that the ransomware gang has modified its tactics, techniques and procedures since the start of the year and has been linked to the RomCom malware, a custom remote access trojan for command and control, and the Industrial Spy ransomware. The advisory notes that the group -- which cybersecurity company Profero previously linked to Russian-speaking hackers -- typically extorts victims by threatening to leak stolen data. While this data was typically leaked on Cuba's dark web leak site, it began selling stolen data on Industrial Spy's online market in May this year. CISA and the FBI are urging at-risk organizations to prioritize patching known exploited vulnerabilities, to train employees to spot and report phishing attacks and to enable and enforce phishing-resistant multi-factor authentication.

A security flaw on the Florida Department of Revenue website exposed at least hundreds of taxpayers' Social Security numbers and bank account numbers, a security researcher found. From a report: Kamran Mohsin said the security flaw -- now fixed -- allowed him, or anyone else who was logged in to the state's business tax registration website, to access, modify and delete the personal data of business owners whose information is on file with the state's tax authority by modifying the part of the web address that contains the taxpayers' application number. Mohsin said that application numbers are sequential, allowing anyone to enumerate taxpayers' information by incrementing the application number by a single digit. Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when reached for comment.

"Rust is awesome, for certain things. But think twice before picking it up for a startup that needs to move fast," Matt Welsh, co-founder and chief executive of Fixie.ai and former Google engineering director, writes in a blog post. From the post: I hesitated writing this post, because I don't want to start, or get into, a holy war over programming languages. (Just to get the flame bait out of the way, Visual Basic is the best language ever!) But I've had a number of people ask me about my experience with Rust and whether they should pick up Rust for their projects. So, I'd like to share some of the pros and cons that I see of using Rust in a startup setting, where moving fast and scaling teams is really important. Right up front, I should say that Rust is very good at what it's designed to do, and if your project needs the specific benefits of Rust (a systems language with high performance, super strong typing, no need for garbage collection, etc.) then Rust is a great choice. But I think that Rust is often used in situations where it's not a great fit, and teams pay the price of Rust's complexity and overhead without getting much benefit.

My primary experience from Rust comes from working with it for a little more than 2 years at a previous startup. This project was a cloud-based SaaS product that is, more-or-less, a conventional CRUD app: it is a set of microservices that provide a REST and gRPC API endpoint in front of a database, as well as some other back-end microservices (themselves implemented in a combination of Rust and Python). Rust was used primarily because a couple of the founders of the company were Rust experts. Over time, we grew the team considerably (increasing the engineering headcount by nearly 10x), and the size and complexity of the codebase grew considerably as well. As the team and codebase grew, I felt that, over time, we were paying an increasingly heavy tax for continuing to use Rust. Development was sometimes sluggish, launching new features took longer than I would have expected, and the team was feeling a real productivity hit from that early decision to use Rust. Rewriting the code in another language would have, in the long run, made development much more nimble and sped up delivery time, but finding the time for the major rewrite work would have been exceedingly difficult.

So we were kind of stuck with Rust unless we decided to bite the bullet and rewrite a large amount of the code. Rust is supposed to be the best thing since sliced bread, so why was it not working so well for us? [...] Despite being some of the smartest and most experienced developers I had worked with, many people on the team (myself included) struggled to understand the canonical ways to do certain things in Rust, how to grok the often arcane error messages from the compiler, or how to understand how key libraries worked (more on this below). We started having weekly "learn Rust" sessions for the team to help share knowledge and expertise. This was all a significant drain on the team's productivity and morale as everyone felt the slow rate of development. As a comparison point of what it looks like to adopt a new language on a software team, one of my teams at Google was one of the first to switch entirely from C++ to Go, and it took no more than about two weeks before the entire 15-odd-person team was quite comfortably coding in Go for the first time.

An anonymous reader quotes a report from Ars Technica: Hive Social, a social media platform that has seen meteoric growth since Elon Musk took over Twitter, abruptly shut down its service on Wednesday after a security advisory warned the site was riddled with vulnerabilities that exposed all data stored in user accounts. "The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages," the advisory, published on Wednesday by Berlin-based security collective Zerforschung, claimed. "This also includes private email addresses and phone numbers entered during login." The post went on to say that after the researchers privately reported the vulnerabilities last Saturday, many of the flaws they reported remained unpatched. They headlined their post "Warning: do not use Hive Social." Hive Social responded by pulling down its entire service. "The Hive team has become aware of security issues that affect the stability of our application and the safety of our users," company officials wrote. "Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience."

Technical details are being withheld to prevent the active exploitation of them by malicious hackers. According to Business Insider, Hive Social's user base has doubled in the last few weeks, going from about 1 million to 2 million as of last week. The site is only being staffed by two people, "neither of whom had much of a background in security," reports Ars.

Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company provided an update, while highlighting the decline in memory safety vulnerabilities. 9to5Google reports: Google says the "number of memory safety vulnerabilities have dropped considerably over the past few years/releases."; Specifically, the number of annual memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35% of Android's total vulnerabilities versus 76% four years ago. In fact, "2022 is the first year where memory safety vulnerabilities do not represent a majority of Android's vulnerabilities."

That count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally." During that period, the amount of new memory-unsafe code entering Android has decreased: "Android 13 is the first Android release where a majority of new code added to the release is in a memory safe language. "

Rust makes up 21% of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other components and their open source dependencies." Google considers it significant that there have been "zero memory safety vulnerabilities discovered in Android's Rust code" so far across Android 12 and 13. Google's blog post today also talks about non-memory-safety vulnerabilities, and its future plans: "... We're implementing userspace HALs in Rust. We're adding support for Rust in Trusted Applications. We've migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we're excited to bring memory-safety to the kernel, starting with kernel drivers.

Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles. BleepingComputer reports: Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM "smart vehicle" platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infinity) that allowed them to "remotely unlock, start, locate, flash, and honk" them. At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads.

The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user's email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target's email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai's endpoint containing the spoofed address in the JSON token and the victim's address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target's email address for the attack.

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan's app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target's vehicle identification number (VIN). The response to the unauthorized request contained the target's name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle's history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. [...] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.

The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers who suffered large-scale data breaches. From a report: The financial penalty introduced by the new bill is set to whichever is greater: AU$50 million, three times the value of any benefit obtained through the misuse of information, and 30% of a company's adjusted turnover in the relevant period.

Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms. The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country. "The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month," reads the media announcement. "These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect."

Firefox developer Mozilla is making a rare foray into the world of mergers and acquisitions, with news that it has snapped up recently-shuttered California-based productivity startup Pulse. From a report: Terms of the deal haven't been disclosed, but the deal is tantamount to an "acqui-hire," with Mozilla looking to deploy the Pulse team across an array of machine learning (ML) projects. "We're acquiring Pulse for the incredible team they have built," Mozilla chief product officer Steve Teixeira told TechCrunch. "As we look to continue to improve user experiences across all of our products, ML will be a core part of that."

Founded out of Menlo Park in 2019, Pulse in its initial guise was a "virtual office" platform called Loop Team, but after honing the idea for a couple of years it pivoted and rebranded last November. Pulse, essentially, was an automated status-updating tool that used signals based on pre-configured integrations and preferences set by the user. For example, users could synchronize Pulse with their calendar and Slack, setting rules to stipulate what their status and corresponding emoji should be based on keywords in their calendar event title. If their schedule for a particular time says "hair appointment" from 12-1pm, then the person's Slack status update might display a scissors emoji alongside the word "haircut." Or, it might say "birthday" alongside a cake emoji if that's what is in their calendar.

A little more than one in five techies in Britain is aged 50 or older, and enticing more of that demographic to enter the world of information technology could help alleviate a perennial skills gap. From a report: This is according to research by the British Computer Society (BCS), which reckons just 22 percent (413,000) of the 1.9 million IT specialists in the local industry are at or past the half century mark. To fall in line with the average number of 50 year olds or older across all other employment areas (561,000) in the UK, an additional 148,000 people in that grouping are needed in the tech sector, the BCS claimed, basing its finding on data provided by the Office for National Statistics.

"We can only achieve the government's ambition for the UK to be the 'next Silicon Valley' by closing the digital skills gap and making this vital profession attractive to a far broader range of people," said Rashik Parmar MBE, CEO of the BCS. For those not aware, the UK government's latest harebrained scheme, outlined in the Autumn statement by Chancellor Jeremy Hunt, is to convert the island nation into "the next Silicon Valley". Sounds plausible? Oven-baked plan? No, we didn't think so either. The age factor was most pronounced in the north-east of the UK where just one in eight programmers/developers was 50 or over, the research found -- but didn't state why.

AmiMoJo writes: LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," the company said. "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information." Lastpass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack. It also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."

Google researchers say they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender. From a report: Variston IT bills itself as a provider of tailor-made Information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators, custom security patches for proprietary systems, tools for data discovery, security training, and the development of secure protocols for embedded devices.

According to a report from Google's Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on. Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets haven't yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero-days. The researchers are disclosing their findings in an attempt to disrupt the market for spyware, which they said is booming and poses a threat to various groups.

Android OEMs still don't provide the six years of updates you get with Apple phones, but some manufacturers are trying to close that gap. From a report: OnePlus is adding an extra year to its smartphone update promise and is now offering four years of major OS updates and five years of security updates. Timeline-wise, this plan matches Samsung's, though Samsung offers monthly security updates and OnePlus doesn't. The company is still only promising security updates every other month, so it can't do too much bragging. Android-maker Google -- who you'd think would have the best update plan -- is in a distant third, with only three years of OS updates and five years of security updates.

Microsoft is offering Windows 11 users a preview of an update that fixes some gaming performance problems. The software maker originally warned of issues with lower than expected performance in some games earlier this month, after some Windows 11 users that had upgraded to the latest 2022 Update (22H2) noticed problems. From a report: "Some games and apps might experience lower than expected performance or stuttering on Windows 11, version 22H2," said Microsoft at the time. "Affected games and apps are inadvertently enabling GPU performance debugging features not meant to be used by consumers." While Microsoft didn't list the exact apps and games experiencing problems, the company did block the Windows 11 2022 Update for systems with affected games and recommended people not upgrade. That safeguard was removed around a week ago, and now Microsoft has issued a full fix. If you're running the Windows 11 2022 Update, you can check Windows Update and find a KB5020044 update preview that you can install.

An anonymous reader quotes a report from TechCrunch: Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users. "In a blog post published today, Boxcryptor founders Andrea Pfundmeier and Robert Freudenreich say that their 'new mission' will be to embed Boxcryptor's technology into Dropbox," adds TechCrunch. "And after today, nobody will be able to create an account or buy any licenses from Boxcryptor -- it's effectively closing to new customers."

"But there are reasons why the news is being packaged the way it has. The company is continuing to support existing customers through the duration of their current contracts."

Anker's popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local only storage settings are turned on. MacRumors reports: The information comes from security consultant Paul Moore, who last week published a video outlining the issue. According to Moore, he purchased a Eufy Doorbell Dual, which was meant to be a device that stored video recording on device. He found that Eufy is uploading thumbnail images of faces and user information to its cloud service when cloud functionality is not enabled. Moore demonstrates the unauthorized cloud uploading by allowing his camera to capture his image and turning off the Eufy HomeBase. The website is still able to access the content through cloud integration, though he had not signed up for cloud service, and it remains accessible even when the footage is removed from the Eufy app. It's important to note that Eufy does not appear to be automatically uploading full streaming video to the cloud, but rather taking captures of the video as thumbnails.

The thumbnails are used in the Eufy app to activate streaming video from the Eufy base station, allowing Eufy users to watch their videos when away from home, as well as for sending rich notifications. The problem is the thumbnails are uploaded to the cloud automatically even when the cloud functionality is not active, and Eufy also seems to be using facial recognition on the uploads. Some users have taken issue with the unauthorized cloud uploads because Eufy advertises local-only service and has been popular among those who want a more private camera solution. "No Clouds or Costs," reads the Eufy website. Moore suggests that Eufy is also able to link facial recognition data collected from two separate cameras and two separate apps to users, all without camera owners being aware.

Moore received a response from Eufy in which Eufy confirmed that it is uploading event lists and thumbnails to AWS, but said the data is not able to "leak to the public" because the URL is restricted, time limited, and requires account login. There is also another issue that Moore has highlighted, suggesting Eufy camera streams can be watched live using an app like VLC, but little information on the exploit is available at this time. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users. There's a dedicated Reddit thread where other Eufy users are reporting the same thing happening.

Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. From a report: Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users.