Security

Netflix Gives Account Holders the Ability To Kick Freeloaders (arstechnica.com)

Netflix has introduced a new account management page called "Manage Access and Devices" that gives users the ability to remove access privileges from specific devices. The feature is available on the web and in the streaming service's Android and iOS apps. Ars Technica reports: Previously, users could see a list of devices that had recently accessed their accounts, and they could revoke access to all devices simultaneously, but they could not revoke access on a case-by-case basis. Each item in the list of devices will include an IP address-based location, a device type, and the user profile that most recently accessed Netflix from that device.

Netflix describes it as a security feature, in that it's useful to users who don't share their passwords at all. For example, you now have a way to clean up after yourself if you stayed at an Airbnb and signed into your Netflix account on the smart TV there but forgot to sign out before you left. Further, the page could help you identify if someone has gained access to your account via a compromised password.

Australia

Australia To Consider Banning Ransomware Payments (therecord.media)

Australia will consider banning ransomware payments in a bid to undermine the cybercriminal business model, a government minister said on Sunday. From a report: Clare O'Neil, the minister for home affairs and cybersecurity, confirmed to Australia's public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government's cyber strategy. The announcement follows several large security incidents affecting the country, including most significantly the data breach of Medibank, one of the country's largest health insurance providers.

Earlier this month Medibank stated it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad. All of the data which the criminals accessed "could have been taken," the company said. This includes sensitive health care claims data for around 480,000 individuals, including information about drug addiction treatments and abortions. O'Neil's interview followed the AFP's commissioner Reece Kershaw announcing that they had identified the individual perpetrators of the Medibank hack, and that a group based in Russia was to blame.
Further reading: After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences.
Communications

Apple Launches Emergency SOS via Satellite in US and Canada (zdnet.com)

Apple on Tuesday announced that Emergency SOS via satellite is officially available to iPhone 14 users in the US and Canada. Next month, Apple will launch Emergency SOS via satellite in France, Germany, Ireland, and the UK. Apple is enabling the feature on all iPhone 14 models that are running iOS 16.1, which was released near the end of October. From a report: If you have the feature, you'll see a new section detailing your phone's new capability of connecting to satellites, and offering a demo mode for you to get a feel for what the process is like should you ever have to use it. For those unfamiliar, Emergency SOS via Satellite will allow an iPhone 14 owner to contact emergency services when in an area without cellular or Wi-Fi coverage. The feature is triggered by calling 911 when "SOS" is shown at the top of the iPhone's screen where the cellular coverage bars are normally visible. Once you're connected to a satellite, you'll either directly exchange messages with a local dispatcher if they accept text messages, or talk with local emergency services using an Apple-trained emergency specialist as a go-between.
Security

A Simple Android Lock Screen Bypass Bug Landed a Researcher $70,000 (techcrunch.com)

Google has paid out $70,000 to a security researcher for privately reporting an "accidental" security bug that allowed anyone to unlock Google Pixel phones without knowing its passcode. From a report: The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device's data without having to enter the lock screen's passcode. Hungary-based researcher David Schutz said the bug was remarkably simple to exploit but took Google about five months to fix.

Schutz discovered that anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system's lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schutz described how he found the bug accidentally and reported it to Google's Android team.

News

India Lifts Download Ban On VLC (techcrunch.com)

India has lifted the download ban on VLC, more than nine months after it mysteriously blocked the official website of the popular media playback software in the South Asian market. From a report: VideoLAN, the popular software's developer, filed a legal notice last month seeking an explanation from the nation's IT and Telecom ministries for the block order. The Ministry of Electronics and IT has removed its ban on the website of VLC media player, New Delhi-based advocacy group Internet Freedom Foundation, which provided legal support to VideoLAN, said on Monday. VideoLAN confirmed the order. Indian telecom operators began blocking VideoLAN's official website, where it lists links for downloading VLC, in February of this year, VideoLAN president and lead developer Jean-Baptiste Kempf told TechCrunch in an earlier interview. India is one of the largest markets for VLC.
Encryption

'Cryptography's Future Will Be Quantum-Safe. Here's How' (quantamagazine.org)

Fearing the possibility of encryption-cracking quantum computers, Quanta magazine reports that researchers are "scrambling to produce new, 'post-quantum' encryption schemes." Earlier this year, the National Institute of Standards and Technology revealed four finalists in its search for a post-quantum cryptography standard. Three of them use "lattice cryptography" — a scheme inspired by lattices, regular arrangements of dots in space.

Lattice cryptography and other post-quantum possibilities differ from current standards in crucial ways. But they all rely on mathematical asymmetry. The security of many current cryptography systems is based on multiplication and factoring: Any computer can quickly multiply two numbers, but it could take centuries to factor a cryptographically large number into its prime constituents. That asymmetry makes secrets easy to encode but hard to decode.... A quirk of factoring makes it vulnerable to attack by quantum computers.... Originally developed in the 1990s, [lattice cryptography] relies on the difficulty of reverse-engineering sums of points...

Of course, it's always possible that someone will find a fatal flaw in lattice cryptography... Cryptography works until it's cracked. Indeed, earlier this summer one promising post-quantum cryptography scheme was cracked using not a quantum computer, but an ordinary laptop.

At a recent panel discussion on post-quantum cryptography, Adi Shamir (the S in RSA), expressed concern that NIST's proposed solutions are predominantly based on lattice cryptography. "In some sense, we are putting all eggs in the same basket, but that is the best we have....

"The best advice for young researchers is to stay away from lattice-based post-quantum crypto," Shamir added. "What we really lack are entirely different ideas which will turn out to be secure. So any great idea for a new basis for public-key cryptography which is not using lattices will be greatly appreciated."
Education

Survey Reveals the Most-Regretted (and Least-Regretted) College Majors (cnbc.com)

A report from Georgetown's Center on Education and the Workforce found that Bachelor's degree holders generally earn 84% more than those with just a high school diploma, reports CNBC.

"Still, 44% of all job seekers with college degrees regret their field of study." Journalism, sociology, communications and education all topped the list of most-regretted college majors, according to ZipRecruiter's survey of more than 1,500 college graduates who were looking for a job. "When you are barely managing to pay your bills, your paycheck might become more important." Of graduates who regretted their major, most said that, if they could go back, they would now choose computer science or business administration instead.

All in, the top-paying college majors earn $3.4 million more than the lowest-paying majors over a lifetime.

Graduates entering the workforce with good career prospects and high starting salaries are the most satisfied with their field of study, job site ZipRecruiter also found. Computer science majors, with an average annual starting salary of almost $100,000, were the happiest overall, according to ZipRecruiter. Students who majored in criminology, engineering, nursing, business and finance also felt very good about their choices.

Programming

NVIDIA Security Team: 'What if We Just Stopped Using C?' (adacore.com)

This week the Adacore blog shared a story about the NVIDIA Security Team: Like many other security-oriented teams in our industry today, they were looking for a measurable answer to the increasingly hostile cybersecurity environment and started questioning their software development and verification strategies. "Testing security is pretty much impossible. It's hard to know if you're ever done," said Daniel Rohrer, VP of Software Security at NVIDIA.

In my opinion, this is the most important point of the case study — that test-oriented software verification simply doesn't work for security. Once you come out of the costly process of thoroughly testing your software, you can have a metric on the quality of the features that you provide to the users, but there's not much you can say about security.

Rohrer continues, "We wanted to emphasize provability over testing as a preferred verification method." Fortunately, it is possible to prove mathematically that your code behaves in precise accordance with its specification. This process is known as formal verification, and it is the fundamental paradigm shift that made NVIDIA investigate SPARK, the industry-ready solution for software formal verification.

Back in 2018, a Proof-of-Concept (POC) exercise was conducted. Two low-level security-sensitive applications were converted from C to SPARK in only three months. After an evaluation of the return on investment, the team concluded that even with the new technology ramp-up (training, experimentation, discovery of new tools, etc.), gains in application security and verification efficiency offered an attractive trade-off. They realized major improvements in the security robustness of both applications (See NVIDIA's Offensive Security Research D3FC0N talk for more information on the results of the evaluation).

As the results of the POC validated the initial strategy, the use of SPARK spread rapidly within NVIDIA. There are now over fifty developers trained and numerous components implemented in SPARK, and many NVIDIA products are now shipping with SPARK components.

Encryption

Introducing Shufflecake: Plausible Deniability For Multiple Hidden Filesystems on Linux (kudelskisecurity.com)

Thursday the Kudelski Group's cybersecurity division released "a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes."

"Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted." Even if the presence of the Shufflecake software itself cannot be hidden — and hence the presence of secret volumes is suspected — the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where "most hidden" secret volumes are buried under "less hidden" decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly "lie" to a coercive adversary about the existence of hidden data, by providing a password that unlocks "decoy" data.

Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and dismounted like a normal disc. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disc space.

You can consider Shufflecake a "spiritual successor" of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and it can manage up to 15 nested volumes per device, so as to make deniability of the existence of these partitions really plausible.
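As an added illustration (not Shufflecake's code, cipher or on-disk format), the following Python toy models the nesting described above: each of 15 header slots is either random filler or a header sealed under a password-derived key, and the header of a deeper volume carries the key that opens the next shallower one, so a password opens its own volume and every decoy above it, and nothing else. The HMAC-SHA256 counter-mode cipher and the PBKDF2 parameters are stand-ins chosen for the demo.

```python
"""Toy model of Shufflecake-style nested plausible deniability.

Illustration only, not Shufflecake's code, cipher or on-disk layout. Each of
SLOTS header slots is random filler or a header sealed under a password-derived
key; the header for volume i also stores the key that opens volume i-1's header,
so the deepest password opens the whole chain while a decoy password opens only
its own volume and the shallower ones.
"""
import hashlib
import hmac
import os
import random
from typing import List, Optional, Tuple

SLOTS = 15                     # nested volumes per device, as in the announcement
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
SALT_LEN = 16
HEADER_PT_LEN = 2 * KEY_LEN    # volume key || key-encryption key of the previous volume
SLOT_LEN = NONCE_LEN + HEADER_PT_LEN + TAG_LEN
NO_PREVIOUS = bytes(KEY_LEN)   # marker stored in the shallowest header


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in PRF for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Without the key, every
    byte is indistinguishable from the random filler used for empty slots."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext if the tag verifies, else None. Random filler and
    headers sealed under other keys both fail here in the same way."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def kek_from_password(password: str, salt: bytes) -> bytes:
    """Password to key-encryption key; the iteration count is low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, KEY_LEN)


def create_device(passwords: List[str]) -> Tuple[bytes, List[bytes]]:
    """Build the header area for len(passwords) nested volumes; passwords[0]
    guards the shallowest decoy, passwords[-1] the most hidden volume.
    Unused slots get random filler of the same length and all slots are
    shuffled, so neither slot count nor position reveals the volume count."""
    assert 1 <= len(passwords) <= SLOTS
    salt = os.urandom(SALT_LEN)
    volume_keys = [os.urandom(KEY_LEN) for _ in passwords]
    keks = [kek_from_password(p, salt) for p in passwords]
    slots = []
    for i, vk in enumerate(volume_keys):
        prev_kek = keks[i - 1] if i > 0 else NO_PREVIOUS
        slots.append(seal(keks[i], vk + prev_kek))
    while len(slots) < SLOTS:
        slots.append(os.urandom(SLOT_LEN))
    random.SystemRandom().shuffle(slots)
    return salt + b"".join(slots), volume_keys


def open_volumes(header_area: bytes, password: str) -> List[bytes]:
    """Return the volume keys this password unlocks, deepest first; a wrong
    password unlocks nothing and yields no signal about the other slots."""
    salt, body = header_area[:SALT_LEN], header_area[SALT_LEN:]
    slots = [body[i * SLOT_LEN:(i + 1) * SLOT_LEN] for i in range(SLOTS)]
    kek = kek_from_password(password, salt)
    opened = []
    while kek != NO_PREVIOUS:
        # Try every slot under the current key; at most one real header verifies.
        hits = [pt for pt in (open_sealed(kek, s) for s in slots) if pt is not None]
        if not hits:
            break
        opened.append(hits[0][:KEY_LEN])
        kek = hits[0][KEY_LEN:]    # follow the chain to the next shallower volume
    return opened
```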

"The reason why this is important versus 'simple' disc encryption is best illustrated in the famous XKCD comic 538," quips Slashdot reader Gaglia (in the original submission). But the big announcement from Kudelski Security Research calls it "a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes."

"Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or superior.... The current release is still a non-production-ready prototype, so we advise against using it for really sensitive operations. However, we believe that future work will sensibly improve both security and performance, hopefully offering a really useful tool to people who live in constant danger of being interrogated with coercive methods to reveal sensitive information."
Google

Google Says Surveillance Vendor Targeted Samsung Phones With Zero-Days (techcrunch.com)

Google says it has evidence that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities found in newer Samsung smartphones. From a report: The vulnerabilities, discovered in Samsung's custom-built software, were used together as part of an exploit chain to target Samsung phones running Android. The chained vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, and ultimately expose a device's data. Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip running a specific kernel version. Samsung phones are sold with Exynos chips primarily across Europe, the Middle East, and Africa, which is likely where the targets of the surveillance are located.

Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51. The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device's operating system. Only a component of the exploit app was obtained, Stone said, so it isn't known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.

Programming

NSA Urges Organizations To Shift To Memory Safe Programming Languages (nsa.gov)

In a press release published earlier today, the National Security Agency (NSA) says it will be making a strategic shift to memory safe programming languages. The agency is advising that organizations explore such changes themselves by utilizing languages such as C#, Go, Java, Ruby, or Swift. From the report: The "Software Memory Safety" Cybersecurity Information Sheet (PDF) highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts. "Memory management issues have been exploited for decades and are still entirely too common today," said Neal Ziring, Cybersecurity Technical Director. "We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors."

Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program's performance over time, and program crashes. NSA recommends that organizations use memory safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations.
The full report is available here (PDF).
Windows

Windows 11's Task Manager is Getting a Search Box To Help You Find Misbehaving Apps (theverge.com)

Microsoft has started testing a new search and filtering system for the Task Manager on Windows 11. It will allow Windows users to easily search for a misbehaving app and end its process or quickly create a dump file, enable efficiency mode, and more. From a report: "This is the top feature request from our users to filter / search for processes," explains the Windows Insider team in a blog post. "You can filter either using the binary name, PID or publisher name. The filter algorithm matches the context keyword with all possible matches and displays them on the current page." You'll be able to use the alt + F keyboard shortcut to jump to the filter box in the Task Manager, and results will be filtered into single or groups of processes that you can monitor or take action on. Alongside the new search and filter functionality, Microsoft is also adding the ability to pick between light or dark themes in the Task Manager. Themes will also be applied fully throughout Task Manager, with some updates to its UI to fit more closely with Microsoft's overall Fluent work.
Privacy

Mysterious Company With Government Ties Plays Key Internet Role (washingtonpost.com)

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it.
whoever57 has also shared an unpaywalled link to the story.
Security

Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models (arstechnica.com)

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. From a report: At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it's the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward. ESET said the vulnerabilities -- tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 -- "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS." Secure boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling or restoring default values in the databases makes it possible for an attacker to remove restrictions that would normally be in place.

IT

Gmail Will No Longer Allow Users To Revert Back To Its Old Design

Google has announced that it's making the new Gmail interface the standard experience for users. From a report: The company first released the new interface earlier this year but allowed users to revert back to the original view. Starting this month, users will no longer have the option to go back to the old interface. "The integrated view with Gmail, Chat, Spaces, and Meet on the left side of the window will also become standard for users who have turned on Chat," the company said in a blog post. "Through quick settings, you can customize this new interface to include the apps most important to you, whether it's Gmail by itself or a combination of Gmail, Chat, Spaces, and Meet."
Businesses

Swiss Re Proposes Government Bail Out as Cybercrime Insurance Costs Spike (theregister.com)

As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap. From a report: Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.

Meanwhile, annual cyberattack-related losses total about $945 billion globally, and about 90 percent of that risk remains uninsured, according to insurance researchers at the Geneva Association. While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021. "The market needs to mature further to ensure enough insurance protection is available," John Coletti, head of cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity, and identifying new sources of capital."

Microsoft

Microsoft is Showing Ads in the Windows 11 Sign-Out Menu (bleepingcomputer.com)

Microsoft is now promoting some of its products in the sign-out flyout menu that shows up when clicking the user icon in the Windows 11 start menu. BleepingComputer: This new Windows 11 "feature" was discovered by Windows enthusiast Albacore, who shared several screenshots of advertisement notifications in the Accounts flyout. The screenshots show that Microsoft promotes the OneDrive file hosting service and prods users to create or complete their Microsoft accounts.

Those reacting to this on social media had an adverse reaction to Redmond's decision to display promotional messages in the start menu. Some said that Windows 11 is "getting worse in each and every update it gets," while others added that this is a weird choice given that "half of the Start Menu is for recommendations" anyway. BleepingComputer has also tried replicating this on multiple Windows 11 systems, but we didn't get any ads. This hints at an A/B testing experiment trying to gauge the success of such a "feature" on devices running Windows Insider builds or the company pushing such ads to a limited set of customers.

Programming

Stack Overflow CEO Shares Plans for Certification Programs, Opinions on No-Code Programming (zdnet.com)

"We serve about 100 million monthly visitors worldwide," says the CEO of Stack Overflow, "making us one of the most popular websites in the world. I think we are in the top 50 of all websites in the world by traffic."

In a new interview, he says the site's been accessed about 50 billion times over the past 14 years — and then shares his thoughts on the notion that programmers could be replaced by no-code, low-code, or AI-driven pair programming: A: Over the years, there have been many, many tools trying to democratize software development. That's a very positive thing. I actually love the fact that programming is becoming easier to do with these onramps. I was speaking at Salesforce recently, and they've got people in sales organizations writing workflows, and that's low code. You've got all these folks who are not software engineers that are creating their own automations and applications.

However, there is this trade-off. If you're making software easier to build, you're sacrificing things like customizability and a deeper understanding of how this code actually works. Back in the day, you might remember Microsoft FrontPage [an early HTML web page editor] as an example of that. You were limited to certain basic things, but you could get web work done. So similarly, these tools will work for general use cases. But if they do that without learning the fundamental principles of code, they will inevitably have some sort of a limit. For example, having to fix something that broke, I think they're going to be really dumbfounded.

Still, I think it's important, and I'm a believer. It's a great way to get people engaged, excited, and started. But you got to know what you're building. Access to sites like Stack Overflow helps, but with more people learning as they're building, it's essential to make learning resources accessible at every stage of their journey....

Q: Is Stack Overflow considering any kind of certification? Particularly, as you just mentioned, since it's so easy now for people to step in and start programming. But then there's that big step from "Yes, I got it to work," but now "I have to maintain it for users using it in ways I never dreamed of."

A: It's very much part of our vision for our company. We see Stack Overflow going from collective knowledge to collective learning. Having all the information is fine and dandy, but are you learning? Now that we're part of Prosus's edtech division, we're very much looking forward to offering educational opportunities. Just as today we can get knowledge to developers at the right place and time, we think we can deliver learning at just the right place and time. We believe we can make a huge impact with education and by potentially getting into the certification game.

Q: Some of the open-source nonprofits are moving into education as well. The Linux Foundation, in particular, has been moving here with the LF Training and Certification programs. Are you exploring that?

A: This is very much part of our vision....

Stack Overflow's CEO adds that the site's hot topics now include blockchain, machine learning, but especially technical cloud questions, "rising probably about 50% year over year over the past 10 years.... Related to this is an increase in interest in containerization and cloud-native services."
Privacy

AstraZeneca Password Lapse Exposed Patient Data (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Pharmaceutical giant AstraZeneca has blamed "user error" for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said. Some of the data related to AZ&ME applications, which offers discounts to patients who need medications. TechCrunch provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later. In a statement, AstraZeneca spokesperson Patrick Barth told TechCrunch: "The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations."

It's unclear if anyone was able to access the data, or if any data was exfiltrated.
IT

Cherry's New Mechanical Switch Hails From '80s Terminal Keyboards (arstechnica.com)

Cherry, the original mechanical switch maker, is continuing to tap the mechanical keyboard community for new product ideas. From a report: Its new mechanical switch, the Cherry MX Black Clear-Top, is a nod to enthusiasts who would love to turn in their modern-day clacker for an old-school terminal keyboard with extra-smooth typing. Before Cherry's Thursday announcement of plans to release the MX Black Clear-Top, the switch was known to hobbyists as the Nixie switch.

Cherry made the switch in the 1980s for German office machine-maker Nixdorf Computer AG. The German switch maker was tasked with creating a version of its linear MX Black switch with a "milky" upper housing, a 63.5 g actuation force rather than 60 g, and "the relatively rare solution at the time of having a diode integrated into the switch for n-key rollover," Cherry's announcement explained. The linear switch ended up being used primarily in Nixdorf's CT06-CT07/2 M Softkeys keyboards targeted at terminals, servers, and minicomputers.
