Google

Google is Bringing Passkey Support To Android and Chrome (googleblog.com) 63

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Privacy

Toyota Discloses Data Leak After Access Key Exposed On GitHub (bleepingcomputer.com) 9

An anonymous reader quotes a report from BleepingComputer: Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

On September 17, 2022, the database's keys were changed, purging all potential access from unauthorized third parties. The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren't stored in the exposed database. Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused. The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data. For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.

Security

Germany's Cybersecurity Chief Faces Dismissal, Reports Say (reuters.com) 33

German Interior Minister Nancy Faeser wants to dismiss the country's cybersecurity chief due to possible contacts with people involved with Russian security services, German media reported late on Sunday, citing government sources. Reuters reports: Arne Schoenbohm, president of the BSI federal information security agency, could have had such contacts through the Cyber Security Council of Germany, various outlets reported. Schoenbohm was a founder of the association, which counts as a member a German company that is a subsidiary of a Russian cybersecurity firm founded by a former KGB employee, they wrote. "These accusations must be decisively investigated," said Konstantin von Notz, the head of the parliamentary oversight committee for Germany's intelligence agencies.

Security

Russian-Speaking Hackers Knock Multiple US Airport Websites Offline (cnn.com) 41

More than a dozen public-facing airport websites, including those for some of the nation's largest airports, appeared inaccessible Monday morning, and Russian-speaking hackers claimed responsibility. From a report: No immediate signs of impact to actual air travel were reported, suggesting the issue may be an inconvenience for people seeking travel information. "Obviously, we're tracking that, and there's no concern about operations being disrupted," Kiersten Todt, Chief of Staff of the US Cybersecurity and Infrastructure Security Agency (CISA), said Monday at a security conference in Sea Island, Georgia. The 14 websites include the one for Atlanta's Hartsfield-Jackson International Airport. An employee there told CNN there were no operational impacts. The Los Angeles International Airport website was offline earlier but appeared to be restored shortly before 9 a.m. Eastern.

Social Networks

Your Boss Can Monitor Your Activities Without Special Software (seattletimes.com) 54

"Your boss probably has enough data about your digital activities to get a snapshot of your workday — without using any special monitoring software...." reports the Washington Post.

"Workers should be aware that many online work apps offer data about their daily activities...." Commonly used network-connected apps such as Zoom, Slack and Microsoft Office give managers the ability to find everything from the number of video meetings in which you've actively participated, to how much you chatted online with co-workers and the number of documents you saved to the cloud....

At the beginning of 2022, global demand for employee monitoring software increased 65 percent from 2019, according to internet security and digital rights firm Top10VPN. But popular work apps also offer data. On Microsoft 365, an account administrator can pull data — though it may not be easy and would be tracked in compliance logs — on how many emails workers sent, how many files they saved on a shared drive and how many messages they sent as well as video meetings they participated in on the messaging and video tool Microsoft Teams. Google Workspace, Google's suite of work tools, allows administrators, for security and audit purposes, to see how many emails a user sent and received, how many files they saved and accessed on Google Drive, and when a user started a video meeting, from where they joined meetings, and who was in a meeting. Select administrators on both services can also access the content of emails and calendar items.

On paid Slack accounts, managers can see how many days users have been active and how many messages they've sent over a set period of time. Zoom allows account administrators to see how many meetings users participated in, the length of the meetings, and whether users enabled their camera and microphone during them. And if employees have company-issued phones or use office badges or tech that requires them to sign in at the office, managers can track phone usage and office attendance.

To be sure, several software companies say their reports are not for employee evaluation and surveillance. Microsoft has stated that using technology to monitor employees is counterproductive and suggested that some managers may have "productivity paranoia." In the help section of its website, Slack states that the analytics data it offers should be "used for understanding your whole team's use of Slack, not evaluating an individual's performance."

"Several workplace experts agree on one thing: The data doesn't properly represent a worker's productivity," the article concludes.

"Activities such as in-person mentoring, taking time to brainstorm, sketching out a plan or using offline software won't appear in the data. And measuring quantity might discount the quality of one's work or interactions."

Security

Pro-Russian 'Hacktivists' Temporarily Disrupted Some US State Government Web Sites (cnn.com) 20

"Russian-speaking hackers on Wednesday claimed responsibility for knocking offline state government websites in Colorado, Kentucky and Mississippi, among other states," reports CNN, calling it "the latest example of apparent politically motivated hacking following Russia's invasion of Ukraine.... The websites in Colorado, Kentucky and Mississippi were sporadically available Wednesday morning and afternoon as administrators appeared to try to bring them online." The Kentucky Board of Elections' website, which posts information on how to register to vote, was also temporarily offline on Wednesday, but it was not immediately clear what caused that outage. The board of elections' website is also managed by the Kentucky government, though the hackers did not specifically list the board as a target.... Websites like that of the Kentucky Board of Elections are not directly involved in the casting or counting of votes, but they can provide useful information for voters....

The hacking group claiming responsibility for Wednesday's website outage is known as Killnet and stepped up their activity after Russia's February invasion of Ukraine to target organizations in NATO countries. They are a loose band of so-called "hacktivists" — politically motivated hackers who support the Kremlin but whose ties to that government are unknown. The group also claimed responsibility for briefly downing a US Congress website in July, and for cyberattacks on organizations in Lithuania after the Baltic country blocked the shipment of some goods to the Russian enclave of Kaliningrad in June....

Officials at the FBI and CISA reiterated this week that any efforts by hackers to breach election infrastructure are "unlikely to result in largescale disruptions or prevent voting."

Government Technology supplies some context: Amsterdam-based threat intelligence technology and services provider EclecticIQ's Threat Research team said in a blog post that Killnet appears to only have the capacity to launch DDoS attacks with short-term impact, and falls short of dealing lasting damage to victims' network infrastructure. "Analysts believe that Killnet supporters are novice users with zero or limited experience with DDoS attacks, based on an analysis of Telegram messaging data and open-source reporting," EclecticIQ wrote.

CNN described Killnet's typical attacks as "crude hacks that temporarily knock websites offline but don't do further damage to infrastructure.

"Killnet thrives off of public attention and bravado, and cybersecurity experts have to strike a balance between being mindful of Killnet's online antics and not hyping a low-level threat."

Medicine

Ransomware Attack Delays Patient Care at Several Hospitals Across the US (nbcnews.com) 30

"One of the largest hospital chains in the U.S. was hit with a suspected ransomware cyberattack this week," reports NBC News, "leading to delayed surgeries, hold ups in patient care and rescheduled doctor appointments across the country." CommonSpirit Health, ranked as the fourth-largest health system in the country by Becker's Hospital Review, said Tuesday that it had experienced "an IT security issue" that forced it to take certain systems offline. While CommonSpirit declined to share specifics, a person familiar with its remediation efforts confirmed to NBC News that it had sustained a ransomware attack.

CommonSpirit, which has more than 140 hospitals in the U.S., also declined to share information on how many of its facilities were experiencing delays. Multiple hospitals, however, including CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle all have announced they were affected.

One Texas woman, who spoke to NBC News on the condition of anonymity to protect her family's medical privacy, said that she and her husband had arrived at a CommonSpirit-affiliated hospital on Wednesday for long-scheduled major surgery, only for his doctor to recommend delaying it until the hospital's technical issues were resolved.

The surgeon "told me it could potentially delay post-op care, and he didn't want to risk it," she said.

Wednesday the company confirmed that "We have taken certain systems offline."

Encryption

VPN, Tor Use Increases in Iran After Internet 'Curfews' (cnbc.com) 22

Iran's government is trying to limit internet access, reports CNBC — while Iranians are trying a variety of technologies to bypass the blocks: Outages first started hitting Iran's telecommunications networks on September 19, according to data from internet monitoring companies Cloudflare and NetBlocks, and have been ongoing for the last two and a half weeks. Internet monitoring groups and digital rights activists say they're seeing "curfew-style" network disruptions every day, with access being throttled from around 4 p.m. local time until well into the night. Tehran blocked access to WhatsApp and Instagram, two of the last remaining uncensored social media services in Iran. Twitter, Facebook, YouTube and several other platforms have been banned for years.

As a result, Iranians have flocked to VPNs, services that encrypt and reroute their traffic to a remote server elsewhere in the world to conceal their online activity. This has allowed them to restore connections to restricted websites and apps. On September 22, a day after WhatsApp and Instagram were banned, demand for VPN services skyrocketed 2,164% compared to the 28 days prior, according to figures from Top10VPN, a VPN reviews and research site. By September 26, demand peaked at 3,082% above average, and it has continued to remain high since, at 1,991% above normal levels, Top10VPN said....

Mahsa Alimardani, a researcher at free speech campaign group Article 19, said a contact she's been communicating with in Iran showed his network failing to connect to Google, despite having installed a VPN. "This is new refined deep packet inspection technology that they've developed to make the network extremely unreliable," she said. Such technology allows internet service providers and governments to monitor and block data on a network. Authorities are being much more aggressive in seeking to thwart new VPN connections, she added....

VPNs aren't the only techniques citizens can use to circumvent internet censorship. Volunteers are setting up so-called Snowflake proxy servers, or "proxies," on their browsers to allow Iranians access to Tor — software that routes traffic through a "relay" network around the world to obfuscate their activity.

Security

Utility Security Is So Bad, US DoE Offers Rate Cuts To Improve It (theregister.com) 18

The US Department of Energy has proposed regulations to financially reward cybersecurity modernization at power plants by offering rate deals for everything from buying new hardware to paying for outside help. The Register reports: In a notice of proposed rulemaking published earlier this week (which nullified a similar 2021 plan), the DoE said the time was right "to establish rules for incentive-based rate treatments" for utilities making investments in cybersecurity technology. The DoE said these included products and services, and information like plans, policies, procedures and other info related to cybersecurity tech. [...] In addition to stimulating voluntary security improvements, the proposed policy also encourages utilities to join cyber threat information sharing programs, and mandates regular reports for the duration of incentives.

The DoE's proposal includes a long list of things it said would be eligible for incentive-based rate treatments. While it's too long to include here, the DoE's language about what it will allow means it could essentially include anything that could "materially improve cybersecurity," be that a product, service or info-sharing program. The DoE said that hardware incentives would have a five-year depreciation period, while activities would cease to be incentivized once they become mandatory. As for how the rewards would be applied, the proposal specifies two methods: A return on equity (RoE) of 200 basis points (2 percent) that would be applied to transmission rates, and a cost-recovery deferral that would allow them to amortize equipment purchased and treated as a regulatory asset.

Facebook

Facebook Warns 1 Million Users Whose Logins Were Stolen By Scam Mobile Apps (theverge.com) 15

Meta is warning Facebook users about hundreds of apps on Apple and Google's app stores that were specifically designed to steal login credentials to the social network app. From a report: The company says it's identified over 400 malicious apps disguised as games, photo editors, and other utilities and that it's notifying users who "may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials." According to Bloomberg, a million users were potentially affected. In its post, Meta says that the apps tricked people into downloading them with fake reviews and promises of useful functionality (both common tactics for other scam apps that are trying to take your money rather than your login info). But upon opening some of the apps, users were prompted to log in with Facebook before they could actually do anything -- if they did, the developers were able to steal their credentials.

Security

Game Firm 2K Says Users' Info Stolen (arstechnica.com) 2

Game company 2K has warned users to remain on the lookout for suspicious activity across their accounts following a breach last month that allowed a threat actor to obtain email addresses, names, and other sensitive information provided to 2K's support team. From a report: The breach occurred on September 19, when the threat actor illegally obtained system credentials belonging to a vendor 2K uses to run its help desk platform. 2K warned users a day later that the threat actor used unauthorized access to send some users emails that contained malicious links. The company warned users not to open any emails sent by its online support address or click on any links in them. If users already clicked on links, 2K urged them to change all passwords stored in their browsers. On Thursday, after an outside party completed a forensic investigation, 2K sent an unknown number of users an email warning them that the threat actor was able to obtain some of the personal information they supplied to help desk personnel.

Security

Binance-linked Blockchain Hit By $570 Million Crypto Hack, Binance Says (reuters.com) 34

A blockchain linked to Binance, the world's largest crypto exchange, has been hit by a $570 million hack, a Binance spokesperson said on Friday, the latest in a series of hacks to hit the crypto sector this year. From a report: Binance CEO Changpeng Zhao said in a tweet that tokens were stolen from a blockchain "bridge" used in the BNB Chain, which was known as Binance Smart Chain until February. Blockchain bridges are tools used to transfer cryptocurrencies between different applications. Zhao said the hackers stole around $100 million worth of crypto. BNB Chain later said in a blog post that a total of 2 million of the cryptocurrency BNB - worth around $570 million - was withdrawn by the hacker.

Data Storage

Big Tech, Banks, Government Departments Shred Millions of Storage Devices They Could Reuse (ft.com) 80

Companies such as Amazon and Microsoft, as well as banks, police services and government departments, shred millions of data-storing devices each year, the Financial Times has learnt through interviews with more than 30 people who work in and around the decommissioning industry and via dozens of freedom of information requests. From the report: This is despite a growing chorus of industry insiders who say there is another, better option to safely dispose of data: using computer software to securely wipe the devices before selling them on the secondary market. "From a data security perspective, you do not need to shred," says Felice Alfieri, a European Commission official who co-authored a report about how to make data centres more sustainable and is promoting "data deletion" over device destruction. Underpinning the reluctance to move away from shredding is the fear that data could leak, triggering fury from customers and huge fines from regulators.

Last month, the US Securities and Exchange Commission fined Morgan Stanley $35mn for an "astonishing" failure to protect customer data, after the bank's decommissioned servers and hard drives were sold on without being properly wiped by an inexperienced company it had contracted. This was on top of a $60mn fine in 2020 and a $60mn class action settlement reached earlier this year. Some of the hardware containing bank data ended up being auctioned online. While the incident stemmed from a failure to wipe the devices before selling them on, the bank now mandates that every one of its data-storing devices is destroyed -- the vast majority on site. This approach is widespread. One employee at Amazon Web Services, who spoke on condition of anonymity, explained that the company shreds every single data-storing device once it is deemed obsolete, usually after three to five years of use: "If we let one [piece of data] slip through, we lose the trust of our customers." A person with knowledge of Microsoft's data disposal operations says the company shreds everything at its 200-plus Azure data centres.

Software

The Thorny Problem of Keeping the Internet's Time (newyorker.com) 95

An obscure software system synchronizes the network's clocks. Who will keep it running? From a report: To solve the problem of time synchronization on the arpanet, computer scientist David Mills built what programmers call a protocol -- a collection of rules and procedures that creates a lingua franca for disparate devices. The arpanet was experimental and capricious: electronics failed regularly, and technological misbehavior was common. His protocol sought to detect and correct for those misdeeds, creating a consensus about the time through an ingenious system of suspicion. Mills prided himself on puckish nomenclature, and so his clock-synchronizing system distinguished reliable "truechimers" from misleading "falsetickers." An operating system named Fuzzball, which he designed, facilitated the early work. Mills called his creation the Network Time Protocol, and N.T.P. soon became a key component of the nascent Internet. Programmers followed its instructions when they wrote timekeeping code for their computers. By 1988, Mills had refined N.T.P. to the point where it could synchronize the clocks of connected computers that had been telling vastly differing times to within tens of milliseconds -- a fraction of a blink of an eye. "I always thought that was sort of black magic," Vint Cerf, a pioneer of Internet infrastructure, told me.

Today, we take global time synchronization for granted. It is critical to the Internet, and therefore to civilization. Vital systems -- power grids, financial markets, telecommunications networks -- rely on it to keep records and sort cause from effect. N.T.P. works in partnership with satellite systems, such as the Global Positioning System (G.P.S.), and other technologies to synchronize time on our many online devices. The time kept by precise and closely aligned atomic clocks, for instance, can be broadcast via G.P.S. to numerous receivers, including those in cell towers; those receivers can be attached to N.T.P. servers that then distribute the time across devices linked together by the Internet, almost all of which run N.T.P. (Atomic clocks can also directly feed the time to N.T.P. servers.) The protocol operates on billions of devices, coordinating the time on every continent. Society has never been more synchronized.

Security

Former Amazon Worker Gets Probation For Massive Capital One Hack (apnews.com) 76

A former Seattle tech worker convicted of several charges related to a massive hack of Capital One bank and other companies in 2019 was sentenced Tuesday to time served and five years of probation. From a report: U.S. District Judge Robert S. Lasnik said sentencing former Amazon software engineer Paige Thompson to time in prison would have been particularly difficult on her "because of her mental health and transgender status," the Department of Justice said in a statement.

U.S. Attorney Nick Brown said his office was "very disappointed" with the sentencing decision, adding prosecutors had asked for Thompson to serve seven years in prison. "This is not what justice looks like," Brown said in the statement. In June, a Seattle jury found her guilty of wire fraud, unauthorized access to a protected computer and damaging a protected computer. The jury acquitted her of other charges, including access device fraud and aggravated identity theft.

The Internet

The Ever-Expanding Job of Preserving the Internet's Backpages 22

A quarter of a century after it began collecting web pages, the Internet Archive is adapting to new challenges. From a report: Within the walls of a beautiful former church in San Francisco's Richmond district, racks of computer servers hum and blink with activity. They contain the internet. Well, a very large amount of it. The Internet Archive, a non-profit, has been collecting web pages since 1996 for its famed and beloved Wayback Machine. In 1997, the collection amounted to 2 terabytes of data. Colossal back then, it would fit on a $50 thumb drive now.

Today, the archive's founder Brewster Kahle tells me, the project is on the brink of surpassing 100 petabytes -- approximately 50,000 times larger than in 1997. It contains more than 700bn web pages. The work isn't getting any easier. Websites today are highly dynamic, changing with every refresh. Walled gardens like Facebook are a source of great frustration to Kahle, who worries that much of the political activity that has taken place on the platform could be lost to history if not properly captured. In the name of privacy and security, Facebook (and others) make scraping difficult.

Censorship

VLC-Developer VideoLAN Sends Legal Notice To Indian Ministries Over Ban (techcrunch.com) 12

VideoLAN, the developer and operator of the popular media player VLC, has filed a legal notice to India's IT and Telecom ministries, alleging that the Indian bodies failed to notify the software developer prior to blocking the website and did not afford it a chance for an explanation. From a report: Indian telecom operators have been blocking VideoLAN's website, where it lists links to downloading VLC, since February of this year, VideoLAN president and lead developer Jean-Baptiste Kempf told TechCrunch in an earlier interview. India is one of the largest markets for VLC. "Most major ISPs [internet service providers] are banning the site, with diverse techniques," he said of the blocking in India. The telecom operators began blocking the VideoLAN website on February 13 of this year, when the site saw a drop of 80% in traffic from the South Asian market, he said. Now, VideoLAN, with the assistance of local advocacy group Internet Freedom Foundation, is using legal means to get answers and redress. It has sought a copy of the blocking order for banning VideoLAN's website in India and an opportunity to defend the case through a virtual hearing. In the notice, VideoLAN argues that in the way they enforced the ban on the website, the Indian ministries violated their own local laws.

Iphone

Apple Will Be Forced To Use New Charger After EU Votes for USB-C (bloomberg.com) 314

Members of the European Parliament voted to force companies such as Apple to adapt products that don't already feature a standard USB-C charger to use one. This would include iPhones, in Apple's case. From a report: A total of 602 lawmakers voted for the plan on Tuesday, with 13 against, and eight abstaining. The deal, provisionally agreed in June between the commission and the European Union's 27 countries, still needs to get the final sign-off from the EU member states. The rules are likely to be written into law at the beginning of 2023.

Spam

FCC Threatens To Block Calls From Carriers For Letting Robocalls Run Rampant (theverge.com) 78

The Federal Communications Commission is threatening to block calls from voice service providers that have yet to take meaningful action against illegal robocalls. The Verge reports: On Monday, the FCC announced that it was beginning the process to remove providers from the agency's Robocall Mitigation Database for failing to fully implement STIR/SHAKEN anti-robocall protocols into their networks. If the companies fail to meet these requirements over the next two weeks, compliant providers will be forced to block their calls. "This is a new era. If a provider doesn't meet its obligations under the law, it now faces expulsion from America's phone networks. Fines alone aren't enough," FCC Chairwoman Jessica Rosenworcel said in a statement on Monday. "Providers that don't follow our rules and make it easy to scam consumers will now face swift consequences."

The FCC's orders target seven carriers, including Akabis, Cloud4, Global UC, Horizon Technology Group, Morse Communications, Sharon Telephone Company, and SW Arkansas Telecommunications and Technology. "These providers have fallen woefully short and have now put at risk their continued participation in the U.S. communications system," Loyaan A. Egal, FCC acting chief of the enforcement standards, said in a Monday statement. "While we'll review their responses, we will not accept superficial gestures given the gravity of what is at stake."

IT

After Chess, Cheating Rows Rock Poker and Fishing (bbc.com) 105

AmiMoJo writes: First it was chess -- now top-level US poker and match fishing have been dogged by their own claims of cheating. A casino is investigating after one player stunned poker fans by making an audacious bet to win a huge pot. Meanwhile, two fishermen have been accused of stuffing their catches with lead weights in order to win a tournament held on Lake Erie, Ohio. And world chess officials are probing whether a teen talent cheated in face-to-face matches -- something he denies. A row erupted following a high-stakes game held at the Hustler Casino in Los Angeles on Thursday night. Robbi Jade Lew stunned the table by appearing to successfully call a semi-bluff by her opponent Garrett Adelstein. Lew called an all-in bet by her opponent, risking her chips with an underwhelming hand, apparently convinced her opponent was bluffing and scooping a pot that had grown to $269,000. Pundits commentating during the livestreamed match expressed their incredulity at the gambit, while Adelstein gave his competitor an icy stare.
