Big Web Security Firms Ditch Russia, Leaving Internet Users Open To More Kremlin Snooping (forbes.com)
WhatsApp's New Browser Extension is Aimed at Making Web Chats More Secure (theverge.com)
Russia Creates Its Own TLS Certificate Authority To Bypass Sanctions (bleepingcomputer.com)
"The service is provided to legal entities -- site owners upon request within 5 working days," explains the Russian public services portal, Gosuslugi (translated). However, for new Certificate Authorities (CA) to be trusted by web browsers, they first need to be vetted by various companies, which can take a long time. Currently, the only web browsers that recognize Russia's new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.
Microsoft is Finally Bringing Tabs To File Explorer on Windows 11 (windowscentral.com)
YouTuber Leaves OLED Switch on for 3,600 Hours To Test Image Burn-in (inputmag.com)
Stolen Nvidia Certificates Used To Hide Malware in Driver Downloads (pcworld.com)
Cybersecurity Firm Says Chinese Hackers Breached Six US State Agencies (cnn.com)
The hackers' motives aren't clear, but their victims are "consistent with an espionage operation," the firm said. The list of state agencies affected by the hacking could grow as the investigation continues. CISA on December 10 publicly warned that Log4J -- software used by big tech firms around the world -- had a vulnerability that hackers could easily exploit to gain further access to computer systems. Hundreds of millions of computers around the world ran the vulnerable software, US officials later estimated. For weeks, US officials urged companies to update their software; the White House hosted a meeting in January with tech executives to try to address the root problem of software that is not secure by design. Within hours of the CISA advisory, the Chinese hackers had begun using the Log4J flaw to break into the two US state agencies, according to Mandiant.
Agencies in four other states were hacked via other means. In one state, Mandiant said, the hackers accessed personal data on some Americans, including names, email addresses and mobile phone numbers. Mandiant declined to name the US states or agencies affected. While the hackers' ultimate objectives are unclear, state agencies could provide a wealth of useful information to foreign spies, whether data related to elections or government contracting. Mandiant blamed the hacking campaign on a group that the Justice Department has linked with China's civilian intelligence agency. That hacking group, according to a US indictment unsealed in September 2020, has been linked to attempts to breach hundreds of organizations around the world, from hardware makers to pro-democracy politicians in Hong Kong.
Apple Files Lawsuit Against NSO Group, Saying US Citizens Were Targets (reuters.com)
Linux Has Been Bitten By Its Most High-Severity Vulnerability in Years (arstechnica.com)
The name Dirty Pipe is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability's origins. "Pipe" refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one. Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel.
Millions of Palm-Sized, Flying Spiders Could Invade the East Coast (scientificamerican.com)
Common to China, Taiwan, Japan and Korea, the Joro spider is part of a group of spiders known as "orb weavers" because of their highly symmetrical, circular webs. The spider gets its name from Jorōgumo, a Japanese spirit, or Yōkai, that is said to disguise itself as a beautiful woman to prey upon gullible men. True to its mythical reputation, the Joro spider is stunning to look at, with a large, round, jet-black body cut across with bright yellow stripes, and flecked on its underside with intense red markings. But despite its threatening appearance and its fearsome standing in folklore, the Joro spider's bite is rarely strong enough to break through the skin, and its venom poses no threat to humans, dogs or cats unless they are allergic. That's perhaps good news, as the spiders are destined to spread far and wide across the continental U.S., researchers say.
The scientists came to this conclusion after comparing the Joro spider to a close cousin, the golden silk spider, which migrated from tropical climates 160 years ago to establish an eight-legged foothold in the southern United States. By tracking the spiders' locations in the wild and monitoring their vitals as they subjected caught specimens to freezing temperatures, the researchers found that the Joro spider has about double the metabolic rate of its cousin, along with a 77% higher heart rate and a much better survival rate in cold temperatures. Additionally, Joro spiders exist in most parts of their native Japan -- warm and cold -- which has a very similar climate to the U.S. and sits across roughly the same latitude. [...] While most invasive species tend to destabilize the ecosystems they colonize, entomologists are so far optimistic that the Joro spider could actually be beneficial, especially in Georgia where, instead of lovesick men, they kill off mosquitos, biting flies and another invasive species -- the brown marmorated stink bug, which damages crops and has no natural predators. In fact, the researchers say that the Joro is much more likely to be a nuisance than a danger, and that it should be left to its own devices.
Hackers Targeted US LNG Producers in Run-Up To Ukraine War (bloomberg.com)
Resecurity's investigation began last month when the firm's researchers spotted a small number of hackers, including one linked to a wave of attacks in 2018 against European organizations that Microsoft attributed to Strontium, the company's nickname for a hacking group associated with Russia's GRU military intelligence service. The hackers were looking to pay top dollar on the dark web for access to personal computers belonging to workers at large natural gas companies in the U.S., which were used as a back door into company networks, Yoo said. The researchers located the hackers' servers and found a vulnerability in the software, which allowed them to obtain files from the machines and see what the attackers had already done, Yoo said.
Attackers Can Force Amazon Echos To Hack Themselves With Self-Issued Commands (arstechnica.com)
Because the hack uses Alexa functionality to force devices to make self-issued commands, the researchers have dubbed it "AvA," short for Alexa vs. Alexa. It requires only a few seconds of proximity to a vulnerable device while it's turned on so an attacker can utter a voice command instructing it to pair with an attacker's Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands. The attack "is the first to exploit the vulnerability of self-issuing arbitrary commands on Echo devices, allowing an attacker to control them for a prolonged amount of time," the researchers wrote in a paper [PDF] published two weeks ago. "With this work, we remove the necessity of having an external speaker near the target device, increasing the overall likelihood of the attack."
Fraud Is Flourishing on Zelle. The Banks Say It's Not Their Problem. (nytimes.com)
Nearly 18 million Americans were defrauded through scams involving digital wallets and person-to-person payment apps in 2020, according to Javelin Strategy & Research, an industry consultant. "Organized crime is rampant," said John Buzzard, Javelin's lead fraud analyst. "A couple years ago, we were just starting to talk about it" on apps like Zelle and Venmo, Mr. Buzzard said. "Now, it's common and everywhere." The banks are aware of the widespread fraud on Zelle. When Mr. Faunce called Wells Fargo to report the crime, the customer service representative told him, "A lot of people are getting scammed on Zelle this way." Getting ripped off for $500 was "actually really good," Mr. Faunce said the rep told him, because "many people were getting hit for thousands of dollars."
Gig App Gathering Data for US Military, Others Prompts Safety Concerns (wsj.com)
What that and other Ukrainian gig workers were doing was harvesting data for a U.S. Defense Department-funded research project. Descartes Labs, a government contractor that works with U.S. military and intelligence agencies, hired Premise to have its gig workers gauge how accurately the company's satellite algorithms were performing, the people said. Could they, for example, accurately tell barley from wheat in photos taken from space? Descartes's work was funded by DARPA, a research arm of the Pentagon, a Defense Department spokesperson said. Descartes declined to comment. Based in San Francisco, Premise is one of a number of companies offering a service that uses iPhone and Android smartphones around the world as tools for gathering intelligence and commercial information from afar, sometimes without the users knowing specifically who they are working for. The business model of companies like Premise has prompted questions about the safety and propriety of enlisting such people for government work -- especially in potential or active conflict zones.
Samsung Confirms Galaxy Source Code Breach (zdnet.com)
Two Python Core Developers Remain in Ukraine (businessinsider.com)
Storchaka lives outside of Konotop, a city in northeastern Ukraine which is occupied by Russian forces. He tweeted on February 26, "Russian tanks were on the road 2km from my house, and Russian armored vehicles were passing by my windows. Most likely, I will find myself in the occupied zone, where the law does not apply...."
Insider was unable to contact Storchaka, but spoke with Langa... [A]s the military crisis worsened on Friday and over the weekend, the Python developer community rallied to help Storchaka's younger family members. Communicating with Storchaka's family through Google Translate, Langa managed to secure temporary housing for Storchaka's niece and best friend, aged 11. They crossed the border to Poland via bus with their mother, and met Langa, who drove over 300km to Warsaw to pick up keys and secure basic necessities for the family.
"Two little 11-year-old girls (my niece and her best friend) are now safe thanks to @llanga," Storchaka tweeted last Monday, adding "My sister and I are immensely grateful." (He'd been especially worried because their town was near one of Ukraine's nuclear power plants, "a strategic target".)
Business Insider points out Storchaka is just one of many Python core developers from Ukraine, and one of many Ukrainians working in its tech sector. Andrew Svetlov, another influential Python developer who specializes in asynchronous networking support, also remains in Ukraine.... Svetlov is in Kyiv, where Russian troops have surrounded the city....
"Neither of them wanted to leave their country, even in the face of the great risk this poses for them," Langa told Insider.
Tech Workers at New York Times Vote to Certify Union (nytimes.com)
"I think this is going to be the start of a wave of organizing in the tech industry...."
The Times Tech Guild, which represents about 600 software engineers, product managers, designers, data analysts and other workers, asked The Times for voluntary recognition in April. The Times declined, so the matter went to a formal election through the labor board....
New NSA Report: This is How You Should Be Securing Your Network (zdnet.com)
The U.S. Cybersecurity and Infrastructure Security Agency is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations. The document, from NSA's cybersecurity directorate, encourages the adoption of 'zero trust' networks....
The new report follows NSA's guidance to help people and organizations choose virtual private networks (VPNs). VPN hardware for securing connections between remote workers and corporate networks became a prime target during the pandemic.
Thanks to long-time Slashdot reader Klaxton for sharing the link!
Linux Foundation's 'Census II' of Open Source Libraries Urges Support, Security, and Standardization (sdtimes.com)
The census also notes "the increasing importance of individual developer account security," but also the persistence of legacy software, the need for a standardized naming schema for software components, and "complexities" around package versions. But there's also just a lot of data about package popularity, writes SD Times: The report, Census II, is a follow-up to Census I, which was conducted in 2015 to identify the packages in Debian Linux that were most critical to the operation and security of the kernel. According to the Linux Foundation, Census II allows for a more "complete picture of free and open source (FOSS) adoption."
"Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support," said Brian Behlendorf, executive director at Linux Foundation's Open Source Security Foundation (OpenSSF).
The census "aggregates data from over half a million observations of FOSS libraries used in production applications at thousands of companies," according to its executive summary. It argues that preserving FOSS will require this kind of data-sharing (about where and how FOSS packages are being used) as well as coordination — including standardizing terminology — and of course, investment.
"The motivation behind publishing these findings is to not only inform, but also to inspire action by developers to improve their security practices and by end users to support the FOSS ecosystem and developers who need assistance." (It suggests companies could provide not just financial support but also technical talent and their time.) The results take the form of eight Top 500 lists — four that include version numbers in the analysis and four that are version agnostic. Further, as mentioned above, we present npm and non-npm packages in separate lists... Although these lists provide valuable, important insights into the most widely used FOSS projects, it is important to also consider the level of security related to these projects. Therefore, in each list, we also include the "Tiered %" measure from the OpenSSF Best Practices Badging Program....