Security

Ubisoft Won't Say Why It Reset Employee Passwords After 'Cyber Incident' (techcrunch.com) 6

Gaming giant Ubisoft has confirmed a cybersecurity incident that led to the mass-reset of company passwords, but has declined to say what the incident actually was. From a report: In a brief statement, Ubisoft said: "Last week, Ubisoft experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services. Our IT teams are working with leading external experts to investigate the issue. As a precautionary measure we initiated a company-wide password reset. Also, we can confirm that all our games and services are functioning normally and that at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident," the statement said. The France-headquartered video game company is best known for its Assassin's Creed and Far Cry brands. According to the company's latest earnings report from October, Ubisoft had 117 million active players.
Security

Big Web Security Firms Ditch Russia, Leaving Internet Users Open To More Kremlin Snooping (forbes.com) 16

Ordinary Russians face another major blow to their everyday lives due to the backlash to President Vladimir Putin's invasion of Ukraine. On the same day, two major web-security companies have decided to quit selling to them, making Russians' internet use more vulnerable to Kremlin snooping, hacking and other cybercrimes. From a report: The departure of the two companies, Avast, a $6 billion antivirus provider based in the Czech Republic, and Utah-based website-certification firm DigiCert, will further isolate the country of 145 million people. "We are horrified at Russia's aggression against Ukraine, where the lives and livelihoods of innocent people are at severe risk, and where all freedoms have come under attack," Avast CEO Ondrej Vlcek wrote on Thursday. Vlcek said the company was including Belarus in the withdrawal of services, and was continuing to pay the full salaries of employees in Russia and Ukraine, many of whom it was helping to relocate. "We do not take this decision lightly," Vlcek wrote. "We've offered our products in Russia for nearly 20 years and users in this country are an important part of our global community." While Avast joins other antivirus companies, including NortonLifeLock and ESET, in halting sales, Russians will still be able to get antivirus protection from Moscow-based Kaspersky and other providers within the country. The departure of DigiCert could prove more significant. DigiCert is one of the world's biggest providers of website certificates, which aim to prove that when a person visits a site it's owned by the entity they expected.
Security

WhatsApp's New Browser Extension is Aimed at Making Web Chats More Secure (theverge.com) 24

Code Verify is a new browser extension from WhatsApp parent company Meta that aims to improve the security of WhatsApp's web version, the company has announced. From a report: The extension works by verifying that the contents of WhatsApp's web version haven't been tampered with. The aim is to make it a lot more difficult for a would-be attacker to compromise data or the privacy of WhatsApp's end-to-end encrypted messages when using the browser-based version of the service. The extension follows the launch of WhatsApp's multi-device beta last year. This aims to make using the messaging service from devices other than your primary phone easier and more seamless. Since the feature's launch, WhatsApp says it's seen an increase in people accessing its service through web browsers, which present new security challenges compared to an app. There's nothing particularly new about the security methods underpinning Code Verify. Ultimately it's just comparing a hash of the code running in your browser, with a hash held by trusted third-party Cloudflare.
The Internet

Russia Creates Its Own TLS Certificate Authority To Bypass Sanctions (bleepingcomputer.com) 59

Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevent certificate renewals. From a report: The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates. [...] The Russian state has envisioned a solution in a domestic certificate authority for the independent issuing and renewal of TLS certificates. "It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue.

The service is provided to legal entities -- site owners upon request within 5 working days," explains the Russian public services portal, Gosuslugi (translated). However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time. Currently, the only web browsers that recognize Russia's new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.

Microsoft

Microsoft is Finally Bringing Tabs To File Explorer on Windows 11 (windowscentral.com) 65

Microsoft appears to be adding a tabbed interface to the top of File Explorer, as Insiders testing the latest Windows 11 preview build have discovered the feature in a hidden state. From a report: First spotted by Windows Insider Rafael Rivera on Twitter, once enabled, tabs will appear along the top of the File Explorer app, allowing users to have multiple folders open in one window. Tabs in File Explorer has been a highly requested feature among the Windows community for years at this point. Microsoft almost delivered the feature via its canceled "Sets" UX, which saw the introduction of tabs in every app window, including File Explorer. But when Sets was killed off, so was the idea of tabs in File Explorer. But now, Tabs in File Explorer appears to be making a return, and it works exactly like you'd expect. This feature is yet to be officially announced by Microsoft, and since this is currently only in the Dev Channel, it's possible that Microsoft could cancel the feature before it ships, though we think that's unlikely.
Nintendo

YouTuber Leaves OLED Switch on for 3,600 Hours To Test Image Burn-in (inputmag.com) 54

Does Nintendo's larger and more vivid Switch suffer from the image burn-in that has crippled several devices with such displays? An unusual and unexpected comprehensive test has offered some answers. InputMag: After 3,600 hours of subjecting an OLED Switch to the same image -- one that was ripped from The Legend of Zelda: Breath of the Wild -- Wulff Den, a YouTuber who specializes in gaming videos, concluded that the device is finally, surprisingly, showing faint signs of burn-in. As reported by Ars Technica, the damage is minor -- on a white screen, like the Switch's main menu, there was a faint "blue ghosting" that appeared following the six-month experiment. But as Wulff Den himself points out, "It's still a little subtle. It's not anything that I would do an RMA request for." The experiment began as soon as the OLED Switch was released, when Wulff Den decided to find out whether users would have to worry about burn-in. The YouTuber left his OLED Switch on, displaying the same image and set to its full brightness, without any interruptions aside from the occasional check-in. After 1,800 hours, or three months, the project yielded negligible effects -- white pixels were slightly dimmer but Wulff Den noted he most likely wouldn't have noticed, if not for relentlessly monitoring the changes during his test.
Security

Stolen Nvidia Certificates Used To Hide Malware in Driver Downloads (pcworld.com) 32

Last week Nvidia confirmed that it had been the victim of an internal hack, though it claimed no customer information was compromised. Now we're seeing one of the first effects of the hack on end-users: Nvidia GPU driver packages with malware hidden inside. PCWorld: While it was always possible for malefactors to host links pretending to be drivers in the hopes of installing viruses, trojans, and other nasty stuff on a user's PC, this situation is more concerning. The hackers appear to have leaked Nvidia's official code signing certificates, a means by which users (and Microsoft) can verify that a downloaded program comes from the publisher it says it's from. That's allowing files containing a host of popular malware suites to be posted and downloaded, bypassing Windows Defender's built-in executable verification and slipping past anti-virus software. BleepingComputer reports that two now-expired (but still usable) verification codes have been compromised and used to deliver remote access trojans. Another example, using the Nvidia verification to sign a fake Windows driver, was also spotted.
China

Cybersecurity Firm Says Chinese Hackers Breached Six US State Agencies (cnn.com) 19

An anonymous reader quotes a report from CNN: A Chinese government-backed hacking group has breached local government agencies in at least six US states in the last 10 months as part of a persistent information-gathering operation, investigators at cybersecurity firm Mandiant said Tuesday. The wide range of state agencies targeted include "health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems," the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) said in a separate, private advisory to state governments obtained by CNN. For agencies in two states, the hackers broke into networks using a critical software flaw that was revealed in December just as the Biden administration was scrambling to respond to the flaw's discovery, according to Mandiant.

The hackers' motives aren't clear, but their victims are "consistent with an espionage operation," the firm said. The list of state agencies affected by the hacking could grow as the investigation continues. CISA on December 10 publicly warned that Log4J -- software used by big tech firms around the world -- had a vulnerability that hackers could easily exploit to gain further access to computer systems. Hundreds of millions of computers around the world ran the vulnerable software, US officials later estimated. For weeks, US officials urged companies to update their software; the White House hosted a meeting in January with tech executives to try to address the root problem of software that is not secure by design. Within hours of the CISA advisory, the Chinese hackers had begun using the Log4J flaw to break into the two US state agencies, according to Mandiant.

Agencies in four other states were hacked via other means. In one state, Mandiant said, the hackers accessed personal data on some Americans, including names, email addresses and mobile phone numbers. Mandiant declined to name the US states or agencies affected. While the hackers' ultimate objectives are unclear, state agencies could provide a wealth of useful information to foreign spies, whether data related to elections or government contracting. Mandiant blamed the hacking campaign on a group that the Justice Department has linked with China's civilian intelligence agency. That hacking group, according to a US indictment unsealed in September 2020, has been linked to attempts to breach hundreds of organizations around the world, from hardware makers to pro-democracy politicians in Hong Kong.

Security

Apple Files Lawsuit Against NSO Group, Saying US Citizens Were Targets (reuters.com) 19

Apple said on Tuesday it has filed a lawsuit against Israeli cyber firm NSO Group and its parent company OSY Technologies for alleged surveillance and targeting of U.S. Apple users with its Pegasus spyware. From a report: The iPhone maker said it is also seeking to ban NSO Group from using any Apple software, services or devices to prevent further abuse. Apple is the latest in a string of companies and governments to come after NSO, the maker of the Pegasus hacking tool that watchdog groups say targeted human rights workers and journalists.
Security

Linux Has Been Bitten By Its Most High-Severity Vulnerability in Years (arstechnica.com) 110

Cognitive Dissident writes: Ars Technica is reporting a major new vulnerability in Linux. Named "Dirty Pipeline" it involves abuse of 'pipes' at the shell level as you might guess.

The name Dirty Pipe is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability's origins. "Pipe" refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one. Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel.


Bug

Millions of Palm-Sized, Flying Spiders Could Invade the East Coast (scientificamerican.com) 53

An anonymous reader quotes a report from Scientific American: New research, published in the journal Physiological Entomology, suggests that the palm-sized Joro spider, which swarmed North Georgia by the millions last September, has a special resilience to the cold. This has led scientists to suggest that the 3-inch (7.6 centimeters) bright-yellow-striped spiders -- whose hatchlings disperse by fashioning web parachutes to fly as far as 100 miles (161 kilometers) -- could soon dominate the Eastern Seaboard. Since the spider hitchhiked its way to the northeast of Atlanta, Georgia, inside a shipping container in 2014, its numbers and range have expanded steadily across Georgia, culminating in an astonishing population boom last year that saw millions of the arachnids drape porches, power lines, mailboxes and vegetable patches across more than 25 state counties with webs as thick as 10 feet (3 meters) deep, Live Science previously reported.

Common to China, Taiwan, Japan and Korea, the Joro spider is part of a group of spiders known as "orb weavers" because of their highly symmetrical, circular webs. The spider gets its name from Jorōgumo, a Japanese spirit, or Yōkai, that is said to disguise itself as a beautiful woman to prey upon gullible men. True to its mythical reputation, the Joro spider is stunning to look at, with a large, round, jet-black body cut across with bright yellow stripes, and flecked on its underside with intense red markings. But despite its threatening appearance and its fearsome standing in folklore, the Joro spider's bite is rarely strong enough to break through the skin, and its venom poses no threat to humans, dogs or cats unless they are allergic. That's perhaps good news, as the spiders are destined to spread far and wide across the continental U.S., researchers say.

The scientists came to this conclusion after comparing the Joro spider to a close cousin, the golden silk spider, which migrated from tropical climates 160 years ago to establish an eight-legged foothold in the southern United States. By tracking the spiders' locations in the wild and monitoring their vitals as they subjected caught specimens to freezing temperatures, the researchers found that the Joro spider has about double the metabolic rate of its cousin, along with a 77% higher heart rate and a much better survival rate in cold temperatures. Additionally, Joro spiders exist in most parts of their native Japan -- warm and cold -- which has a very similar climate to the U.S. and sits across roughly the same latitude. [...] While most invasive species tend to destabilize the ecosystems they colonize, entomologists are so far optimistic that the Joro spider could actually be beneficial, especially in Georgia where, instead of lovesick men, they kill off mosquitos, biting flies and another invasive species -- the brown marmorated stink bug, which damages crops and has no natural predators. In fact, the researchers say that the Joro is much more likely to be a nuisance than a danger, and that it should be left to its own devices.

Security

Hackers Targeted US LNG Producers in Run-Up To Ukraine War (bloomberg.com) 9

In mid-February, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron, Cheniere Energy and Kinder Morgan, according to research shared exclusively with Bloomberg News. From the report: The attacks targeted companies involved with the production of liquefied natural gas, or LNG, and they were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity, which discovered the operation. They occurred on the eve of Russia's invasion of Ukraine, when energy markets were already roiled by tight supplies.

Resecurity's investigation began last month when the firm's researchers spotted a small number of hackers, including one linked to a wave of attacks in 2018 against European organizations that Microsoft attributed to Strontium, the company's nickname for a hacking group associated with Russia's GRU military intelligence service. The hackers were looking to pay top dollar on the dark web for access to personal computers belonging to workers at large natural gas companies in the U.S., which were used as a back door into company networks, Yoo said. The researchers located the hackers' servers and found a vulnerability in the software, which allowed them to obtain files from the machines and see what the attackers had already done, Yoo said.

Security

Attackers Can Force Amazon Echos To Hack Themselves With Self-Issued Commands (arstechnica.com) 32

Academic researchers have devised a new working exploit that commandeers Amazon Echo smart speakers and forces them to unlock doors, make phone calls and unauthorized purchases, and control furnaces, microwave ovens, and other smart appliances. joshuark shares a report: The attack works by using the device's speaker to issue voice commands. As long as the speech contains the device wake word (usually "Alexa" or "Echo") followed by a permissible command, the Echo will carry it out, researchers from Royal Holloway University in London and Italy's University of Catania found. Even when devices require verbal confirmation before executing sensitive commands, it's trivial to bypass the measure by adding the word "yes" about six seconds after issuing the command. Attackers can also exploit what the researchers call the "FVV," or full voice vulnerability, which allows Echos to make self-issued commands without temporarily reducing the device volume.

Because the hack uses Alexa functionality to force devices to make self-issued commands, the researchers have dubbed it "AvA," short for Alexa vs. Alexa. It requires only a few seconds of proximity to a vulnerable device while it's turned on so an attacker can utter a voice command instructing it to pair with an attacker's Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands. The attack "is the first to exploit the vulnerability of self-issuing arbitrary commands on Echo devices, allowing an attacker to control them for a prolonged amount of time," the researchers wrote in a paper [PDF] published two weeks ago. "With this work, we remove the necessity of having an external speaker near the target device, increasing the overall likelihood of the attack."

The Almighty Buck

Fraud Is Flourishing on Zelle. The Banks Say It's Not Their Problem. (nytimes.com) 63

Zelle, the payments platform used by millions of customers, is a popular target of scammers. But banks have been reluctant to make fraud victims whole -- despite owning the system. From a report: Consumers love payment apps like Zelle because they're free, fast and convenient. Created in 2017 by America's largest banks to enable instant digital money transfers, Zelle comes embedded in banking apps and is now by far the country's most widely used money transfer service. Last year, people sent $490 billion through Zelle, compared with $230 billion through Venmo, its closest rival. Zelle's immediacy has also made it a favorite of fraudsters. Other types of bank transfers or transactions involving payment cards typically take at least a day to clear. But once crooks scare or trick victims into handing over money via Zelle, they can siphon away thousands of dollars in seconds. There's no way for customers -- and in many cases, the banks themselves -- to retrieve the money.

Nearly 18 million Americans were defrauded through scams involving digital wallets and person-to-person payment apps in 2020, according to Javelin Strategy & Research, an industry consultant. "Organized crime is rampant," said John Buzzard, Javelin's lead fraud analyst. "A couple years ago, we were just starting to talk about it" on apps like Zelle and Venmo, Mr. Buzzard said. "Now, it's common and everywhere." The banks are aware of the widespread fraud on Zelle. When Mr. Faunce called Wells Fargo to report the crime, the customer service representative told him, "A lot of people are getting scammed on Zelle this way." Getting ripped off for $500 was "actually really good," Mr. Faunce said the rep told him, because "many people were getting hit for thousands of dollars."

Privacy

Gig App Gathering Data for US Military, Others Prompts Safety Concerns (wsj.com) 8

Briefly banned in Ukraine, U.S. mobile-phone app Premise does defense work globally and has faced contributor safety issues. From a report: In 2019, Ukrainian users of a U.S.-based mobile-phone app offering paid, short-term tasks got what sounded like a straightforward assignment: Go into rural Ukraine and take smartphone photos of certain fields and farms around Odessa and Kyiv. But for one contributor, the job turned out to be anything but ordinary when one of the fields turned out to lie next to a military checkpoint. The contributor was chased off by armed soldiers, according to people familiar with the matter. The app's owner, Premise Data, said it immediately deleted the task from its platform after learning of the military checkpoint.

What that and other Ukrainian gig workers were doing was harvesting data for a U.S. Defense Department-funded research project. Descartes Labs, a government contractor that works with U.S. military and intelligence agencies, hired Premise to have its gig workers gauge how accurately the company's satellite algorithms were performing, the people said. Could they, for example, accurately tell barley from wheat in photos taken from space? Descartes's work was funded by DARPA, a research arm of the Pentagon, a Defense Department spokesperson said. Descartes declined to comment. Based in San Francisco, Premise is one of a number of companies offering a service that uses iPhone and Android smartphones around the world as tools for gathering intelligence and commercial information from afar, sometimes without the users knowing specifically who they are working for. The business model of companies like Premise has prompted questions about the safety and propriety of enlisting such people for government work -- especially in potential or active conflict zones.

Security

Samsung Confirms Galaxy Source Code Breach (zdnet.com) 17

Samsung on Monday confirmed that the company recently suffered a cyberattack, but said that it doesn't anticipate any impact on its business or customers. From a report: Last week, South American hacking group Lapsus$ claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech giant's servers. The group also posted snapshots of the alleged data online. Samsung has now confirmed in a statement, without naming the hacking group, that there was a security breach, but it asserted that no personal information of customers was compromised.
Python

Two Python Core Developers Remain in Ukraine (businessinsider.com) 72

Business Insider reports: Serhiy Storchaka, a Ukrainian developer, is the second-most prolific recent contributor to Python and tenth-most prolific of all time, according to Lukasz Langa, the Python Software Foundation's developer in residence, based in Poznan, Poland... Storchaka faced an impossible choice as Russia invaded his country. Like many young male programmers in Ukraine, he decided to stay....

Storchaka lives outside of Konotop, a city in northeastern Ukraine which is occupied by Russian forces. He tweeted on February 26, "Russian tanks were on the road 2km from my house, and Russian armored vehicles were passing by my windows. Most likely, I will find myself in the occupied zone, where the law does not apply...."

Insider was unable to contact Storchaka, but spoke with Langa... [A]s the military crisis worsened on Friday and over the weekend, the Python developer community rallied to help Storchaka's younger family members. Communicating with Storchaka's family through Google Translate, Langa managed to secure temporary housing for Storchaka's niece and best friend, aged 11. They crossed the border to Poland via bus with their mother, and met Langa, who drove over 300km to Warsaw to pick up keys and secure basic necessities for the family.

"Two little 11-year-old girls (my niece and her best friend) are now safe thanks to @llanga," Storchaka tweeted last Monday, adding "My sister and I are immensely grateful." (He'd been especially worried because their town was near one of Ukraine's nuclear power plants, "a strategic target".)

Business Insider points out Storchaka is just one of many Python core developers from Ukraine, and one of many Ukrainians working in its tech sector. Andrew Svetlov, another influential Python developer who specializes in asynchronous networking support, also remains in Ukraine.... Svetlov is in Kyiv, where Russian troops have surrounded the city....

"Neither of them wanted to leave their country, even in the face of the great risk this poses for them," Langa told Insider.

The Media

Tech Workers at New York Times Vote to Certify Union (nytimes.com) 181

"Tech workers at The New York Times on Thursday voted in favor of certifying their union in a National Labor Relations Board election, making it one of the biggest tech unions in America," reports the New York Times: The workers voted in favor, 404 to 88, easily reaching the needed majority of the ballots that were cast. A win means the union, the Times Tech Guild, can begin negotiations for a contract with management. "We're just elated and really soaking in what this means, not only for us as tech workers at The Times and for The New York Times but also for the tech industry as a whole," said Nozlee Samadzadeh, a senior software engineer.

"I think this is going to be the start of a wave of organizing in the tech industry...."

The Times Tech Guild, which represents about 600 software engineers, product managers, designers, data analysts and other workers, asked The Times for voluntary recognition in April. The Times declined, so the matter went to a formal election through the labor board....

Network

New NSA Report: This is How You Should Be Securing Your Network (zdnet.com) 62

America's National Security Agency (NSA) released a new report "that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks," writes ZDNet: NSA's report 'Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance' is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks. The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).

The U.S. Cybersecurity and Infrastructure Security Agency is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations. The document, from NSA's cybersecurity directorate, encourages the adoption of 'zero trust' networks....

The new report follows NSA's guidance to help people and organizations choose virtual private networks (VPN). VPN hardware for securing connections between remote workers to corporate networks became a prime target during the pandemic.

Thanks to long-time Slashdot reader Klaxton for sharing the link!
Open Source

Linux Foundation's 'Census II' of Open Source Libraries Urges Support, Security, and Standardization (sdtimes.com) 9

"Much of the most widely used free and open source software is developed by only a handful of contributors," warns the Linux Foundation, in the executive summary for its massive new census of free and open source software application libraries. It was prepared in conjunction with Harvard's Laboratory for Innovation Science — and that's just one of its five high-level findings.

The census also notes "the increasing importance of individual developer account security," but also the persistence of legacy software, the need for a standardized naming schema for software components, and "complexities" around package versions. But there's also just a lot of data about package popularity, writes SD Times: The report, Census II, is a follow-up to Census I, which was conducted in 2015 to identify the packages in Debian Linux that were most critical to the operation and security of the kernel. According to the Linux Foundation, Census II allows for a more "complete picture of free and open source (FOSS) adoption."

"Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support," said Brian Behlendorf, executive director at Linux Foundation's Open Source Security Foundation (OpenSSF).

The census "aggregates data from over half a million observations of FOSS libraries used in production applications at thousands of companies," according to its executive summary. It argues that preserving FOSS will require this kind of data-sharing (about where and how FOSS packages are being used) as well as coordination — including standardizing terminology — and of course, investment.

"The motivation behind publishing these findings is to not only inform, but also to inspire action by developers to improve their security practices and by end users to support the FOSS ecosystem and developers who need assistance." (It suggests companies could provide not just financial support but also the technical talent and their time.) The results take the form of eight Top 500 lists — four that include version numbers in the analysis and four that are version agnostic. Further, as mentioned above, we present npm and non-npm packages in separate lists... Although these lists provide valuable, important insights into the most widely used FOSS projects, it is important to also consider the level of security related to these projects. Therefore, in each list, we also include the "Tiered %" measure from the OpenSSF Best Practices Badging Program....
