The Internet

The Ever-Expanding Job of Preserving the Internet's Backpages

A quarter of a century after it began collecting web pages, the Internet Archive is adapting to new challenges. From a report: Within the walls of a beautiful former church in San Francisco's Richmond district, racks of computer servers hum and blink with activity. They contain the internet. Well, a very large amount of it. The Internet Archive, a non-profit, has been collecting web pages since 1996 for its famed and beloved Wayback Machine. In 1997, the collection amounted to 2 terabytes of data. Colossal back then, it would fit on a $50 thumb drive now.

Today, the archive's founder Brewster Kahle tells me, the project is on the brink of surpassing 100 petabytes -- approximately 50,000 times larger than in 1997. It contains more than 700bn web pages. The work isn't getting any easier. Websites today are highly dynamic, changing with every refresh. Walled gardens like Facebook are a source of great frustration to Kahle, who worries that much of the political activity that has taken place on the platform could be lost to history if not properly captured. In the name of privacy and security, Facebook (and others) make scraping difficult.
Censorship

VLC-Developer VideoLAN Sends Legal Notice To Indian Ministries Over Ban (techcrunch.com)

VideoLAN, the developer and operator of the popular media player VLC, has sent a legal notice to India's IT and Telecom ministries, alleging that the Indian bodies failed to notify the software developer prior to blocking its website and did not afford it a chance to respond. From a report: Indian telecom operators have been blocking VideoLAN's website, where it lists links to download VLC, since February of this year, VideoLAN president and lead developer Jean-Baptiste Kempf told TechCrunch in an earlier interview. India is one of the largest markets for VLC. "Most major ISPs [internet service providers] are banning the site, with diverse techniques," he said of the blocking in India. The telecom operators began blocking the VideoLAN website on February 13 of this year, when the site saw a drop of 80% in traffic from the South Asian market, he said. Now VideoLAN, with the assistance of the local advocacy group Internet Freedom Foundation, is using legal means to get answers and redress. It has sought a copy of the blocking order for banning the VideoLAN website in India and an opportunity to defend the case through a virtual hearing. In the notice, VideoLAN argues that the way the Indian ministries have enforced the ban on the website violates their own local laws.
iPhone

Apple Will Be Forced To Use New Charger After EU Votes for USB-C (bloomberg.com)

Members of the European Parliament voted to force companies such as Apple to adapt products that don't already feature a standard USB-C charger to use one. This would include iPhones, in Apple's case. From a report: A total of 602 lawmakers voted for the plan on Tuesday, with 13 against, and eight abstaining. The deal, provisionally agreed in June between the commission and the European Union's 27 countries, still needs to get the final sign-off from the EU member states. The rules are likely to be written into law at the beginning of 2023.
Spam

FCC Threatens To Block Calls From Carriers For Letting Robocalls Run Rampant (theverge.com)

The Federal Communications Commission is threatening to block calls from voice service providers that have yet to take meaningful action against illegal robocalls. The Verge reports: On Monday, the FCC announced that it was beginning the process of removing providers from the agency's Robocall Mitigation Database for failing to fully implement the STIR/SHAKEN anti-robocall protocols in their networks. If the companies fail to meet these requirements over the next two weeks, compliant providers will be required to block their calls. "This is a new era. If a provider doesn't meet its obligations under the law, it now faces expulsion from America's phone networks. Fines alone aren't enough," FCC Chairwoman Jessica Rosenworcel said in a statement on Monday. "Providers that don't follow our rules and make it easy to scam consumers will now face swift consequences."

The FCC's orders target seven carriers, including Akabis, Cloud4, Global UC, Horizon Technology Group, Morse Communications, Sharon Telephone Company, and SW Arkansas Telecommunications and Technology. "These providers have fallen woefully short and have now put at risk their continued participation in the U.S. communications system," Loyaan A. Egal, FCC acting chief of the enforcement standards, said in a Monday statement. "While we'll review their responses, we will not accept superficial gestures given the gravity of what is at stake."

IT

After Chess, Cheating Rows Rock Poker and Fishing (bbc.com)

AmiMoJo writes: First it was chess -- now top-level US poker and match fishing have been dogged by their own claims of cheating. A casino is investigating after one player stunned poker fans by making an audacious bet to win a huge pot. Meanwhile, two fishermen have been accused of stuffing their catches with lead weights in order to win a tournament held on Lake Erie, Ohio. And world chess officials are probing whether a teen talent cheated in face-to-face matches -- something he denies. A row erupted following a high-stakes game held at the Hustler Casino in Los Angeles on Thursday night. Robbi Jade Lew stunned the table by appearing to successfully call a semi-bluff by her opponent Garrett Adelstein. Lew called an all-in bet by her opponent, risking her chips with an underwhelming hand, apparently convinced her opponent was bluffing and scooping a pot that had grown to $269,000. Pundits commentating during the livestreamed match expressed their incredulity at the gambit, while Adelstein gave his competitor an icy stare.
Security

Hackers Leak 500GB Trove of Data Stolen During LAUSD Ransomware Attack (techcrunch.com)

Hackers have released a cache of data stolen during a cyberattack against the Los Angeles Unified School District (LAUSD) in what appears to be the biggest education breach in recent years. From a report: Vice Society, a Russian-speaking group that last month claimed responsibility for the ransomware attack that disrupted the LAUSD's access to email, computer systems and applications, published the data stolen from the school district over the weekend. The group had previously set an October 4 deadline to pay an unspecified ransom demand.

The stolen data was posted to Vice Society's dark web leak site and appears to contain personal identifying information, including passport details, Social Security numbers and tax forms. While TechCrunch has not yet reviewed the full trove, the published data also contains confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students. Vice Society, a group known for targeting schools and the education sector, included a message with the published data that said the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the government agency assisting the school in responding to the breach, "wasted our time."

Bug

Pentagon Is Far Too Tight With Its Security Bug Bounties (theregister.com)

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward. The Register reports: The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam's networks. [...] According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection.

The Pentagon didn't say how many bug hunters received rewards, or how much they each earned. However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil. Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021. [...] It's also worth noting that the DoD's pilot vulnerability disclosure program, which ended in April, didn't pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that.
"The most successful bug bounty programs strike an even balance between monetary and social benefits," Google's Eduardo Vela, who leads the Product Security Response Team, told The Register.

"For bug hunters, there must be a monetary incentive to get them to participate -- but, there's also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both -- one without the other is not enough."
Security

Covert CIA Websites Could Have Been Found By an 'Amateur,' Research Finds (theguardian.com)

An anonymous reader quotes a report from the Guardian: The CIA used hundreds of websites for covert communications that were severely flawed and could have been identified by even an "amateur sleuth," according to security researchers. The flaws reportedly led to the death of more than two dozen US sources in China in 2011 and 2012 and also reportedly led Iran to execute or imprison other CIA assets. The new research was conducted by security experts at the Citizen Lab at the University of Toronto, which started investigating the matter after it received a tip from reporter Joel Schectmann at Reuters.

The group said it was not publishing a full detailed technical report of its findings to avoid putting CIA assets or employees at risk. But its limited findings raise serious doubts about the intelligence agency's handling of safety measures. Using just a single website and publicly available material, Citizen Lab said it identified a network of 885 websites that it attributed "with high confidence" as having been used by the CIA. It found that the websites purported to be concerned with news, weather, healthcare and other legitimate websites. "Knowing only one website, it is likely that while the websites were online, a motivated amateur sleuth could have mapped out the CIA network and attributed it to the US government," Citizen Lab said in a statement.

The websites were active between 2004 and 2013 and were probably not used by the CIA recently, but Citizen Lab said a subset of the websites were still linked to active intelligence employees or assets, including a foreign contractor and a current State Department employee. Citizen Lab added: "The reckless construction of this infrastructure by the CIA reportedly led directly to the identification and execution of assets, and undoubtedly risked the lives of countless other individuals. Our hope is that this research and our limited disclosure process will lead to accountability for this reckless behavior."
CIA spokesperson Tammy Kupperman Thorp said: "CIA takes its obligations to protect the people who work with us extremely seriously and we know that many of them do so bravely, at great personal risk. The notion that CIA would not work as hard as possible to safeguard them is false."
Security

High-Severity Microsoft Exchange 0-Day Under Attack Threatens 220,000 Servers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploitation since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against that vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate that the hackers are fluent in Chinese. Commands issued also bear the signature of China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild.
People running on-premises Exchange servers "should apply a blocking rule that prevents servers from accepting known attack patterns," reports Ars. The rule can be found in Microsoft's advisory.

"For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."
Encryption

NYPD Considers Using Encryption To Block Public From Radio Scanner Broadcasts (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: The NYPD says it wants to reimagine its current police communication system and transition to encrypted messages by 2024, according to a recent amNY report confirmed by Gizmodo. While law enforcement has spent years fighting to make encryption less accessible for everyday people, police think they need a little more privacy. Critics worry a turn towards encryption by law enforcement could reduce transparency, hamstring the news media, and potentially jeopardize the safety of protesters looking to stay a step ahead.

According to amNY, the NYPD's new plan would allow law enforcement officers discretion on whether or not to publicly disclose newsworthy incidents. That means the NYPD essentially would get to dictate the truth unchallenged in a number of potentially sensitive local stories. The report suggests police are floating the idea of letting members of the news media monitor certain radio transmissions through an NYPD-controlled mobile app. There's a catch though. According to the report, the app would send radio information with a delay. Users may also have to pay a subscription fee to use the service, the paper said.

The NYPD confirmed it is planning a "systems upgrade" in the coming years in an email to Gizmodo. "The NYPD is undergoing a systems upgrade that is underway and that will be complete after 2024," a spokesperson for the Deputy Commissioner of Public Information said. "This infrastructure upgrade allows the NYPD to transmit in either an encrypted or non-encrypted format," the NYPD said. "Some parts of the city have had the necessary equipment installed and the Department will begin testing the technology in these areas later this year. We are currently evaluating encryption best practices and will communicate new policies and procedures as we roll out this upgraded technology." The spokesperson claimed the department intends to listen to and consider the needs of the news media during the transition process.
"The entire public safety news coverage system depends on scanners, and if scanners and scanner traffic are no longer available to newsrooms then news reporting about crime, fire -- it's going to be very hit or miss," CaliforniansAware General Counsel Terry Francke told the Reporters Committee in a blog post.

"Cutting off the media from getting emergency transmissions represents the clearest regression of the NYPD policy of transparency in its history," New York Press Photographers Association President Bruce Cotler said in an interview with amNY. "We believe shutting down radio transmissions is a danger to the public and to the right of the public to know about important events."

Gizmodo notes that New York joins a growing list of cities considering encrypting radio communications. "Denver, Baltimore, Virginia Beach, Sioux City, Iowa, and Racine, Wisconsin have all moved to implement the technology in recent years."
Security

Games Are Starting To Require a Phone Number To Play (polygon.com)

According to Polygon, players will be required to link a phone number to their Battle.net accounts if they want to play Overwatch 2. "The same two-factor step, called SMS Protect, will also be used on all Call of Duty: Modern Warfare 2 accounts when that game launches, and new Call of Duty: Modern Warfare accounts," the report adds. From the report: Blizzard Entertainment announced SMS Protect and other safety measures ahead of Overwatch 2's release. Blizzard said it implemented these controls because it wanted to "protect the integrity of gameplay and promote positive behavior in Overwatch 2." Overwatch 2 is free to play, unlike its predecessor. Without SMS Protect, Blizzard reasoned, there is no barrier to toxic players or trolls creating a new account if an existing one is sanctioned. SMS Protect, therefore, ties the account to something valuable -- in this case a player's mobile phone.

SMS Protect is a security feature that has two purposes: to keep players accountable for what Blizzard calls "disruptive behavior," and to protect accounts if they're hacked. It requires all Overwatch 2 players to attach a unique phone number to their account. Blizzard said SMS Protect will target cheaters and harassers; if an account is banned, it'll be harder for them to return to Overwatch 2. You can't just enter any old phone number -- you actually have to have access to a phone receiving texts to that number to get into your account.

Overwatch 2 lead software engineer Bill Warnecke told Forbes that, even if accounts are no longer tied to Overwatch's box price -- because the game is now free-to-play -- Blizzard still wants players to make an "investment" in upholding a safe game. "The key idea behind SMS Protect is to have an investment on behalf of the owner of that account and add some limitations or restrictions behind how you might have an account," Warnecke said. "There's no exclusions or kind of loopholes around the system."
The report notes that Blizzard has refunded one player after they contacted customer support and said they didn't have a mobile phone, but it's unclear if this policy will apply more broadly.
AMD

Rewritten OpenGL Drivers Make AMD's GPUs 'Up To 72%' Faster in Some Pro Apps (arstechnica.com)

Most development effort in graphics drivers these days, whether you're talking about Nvidia, Intel, or AMD, is focused on new APIs like DirectX 12 or Vulkan, increasingly advanced upscaling technologies, and specific improvements for new game releases. But this year, AMD has also been focusing on an old problem area for its graphics drivers: OpenGL performance. From a report: Over the summer, AMD released a rewritten OpenGL driver that it said would boost the performance of Minecraft by up to 79 percent (independent testing also found gains in other OpenGL games and benchmarks, though not always to the same degree). Now those same optimizations are coming to AMD's officially validated GPU drivers for its Radeon Pro-series workstation cards, providing big boosts to professional apps like Solidworks and Autodesk Maya. "The AMD Software: PRO Edition 22.Q3 driver has been tested and approved by Dell, HP, and Lenovo for stability and is available through their driver downloads," the company wrote in its blog post. "AMD continues to work with software developers to certify the latest drivers." Using a Radeon Pro W6800 workstation GPU, AMD says that its new drivers can improve Solidworks rendering speeds by up to 52 or 28 percent at 4K and 1080p resolutions, respectively. Autodesk Maya performance goes up by 34 percent at 4K or 72 percent at the default resolution. The size of the improvements varies based on the app and the GPU, but AMD's testing shows significant, consistent improvements across the board on the Radeon Pro W6800, W6600, and W6400 GPUs, improvements that AMD says will help those GPUs outpace analogous Nvidia workstation GPUs like the RTX A5000 and A2000 and the Nvidia T600.
China

Suspected Chinese Hackers Tampered With Widely Used Canadian Chat Program, Researchers Say (reuters.com)

Suspected Chinese hackers tampered with widely used software distributed by a small Canadian customer service company, another example of a "supply chain compromise" made infamous by the hack on U.S. networking company SolarWinds. From a report: U.S. cybersecurity firm CrowdStrike will say in an upcoming blog post seen by Reuters that it had discovered malicious software being distributed by Vancouver-based Comm100, which provides customer service products, such as chat bots and social media management tools, to a range of clients around the globe. The scope and scale of the hack wasn't immediately clear. In a message, Comm100 said it had fixed its software earlier Thursday and that more details would soon be forthcoming. The company did not immediately respond to follow-up requests for information. CrowdStrike researchers believe the malicious software was in circulation for a couple of days but wouldn't say how many companies had been affected, divulging only that "entities across a range of industries" were hit.
IT

USB Kills Off SuperSpeed Branding as It Tries To Simplify Its Ubiquitous Connector (theverge.com)

The SuperSpeed USB branding is no more thanks to a new set of guidelines currently being rolled out by the USB Implementers Forum (USB-IF), the body that manages and maintains the USB standard. From a report: It's part of a rebranding initiative that the organization kicked off last year with the introduction of a new series of packaging, port, and cable logos. But with its latest set of branding and logo guidelines it's going even further, simplifying its legacy branding and signaling the end of the decade-old SuperSpeed branding. If the name doesn't ring any bells, then that's probably because you (like most other people) simply referred to it by its USB 3 version number. Alongside it, the USB-IF is also ditching USB4 as a consumer-facing brand name.
Chrome

Google Delays the Death of Manifest V2 Extensions To 2024 (ghacks.net)

AmiMoJo writes: Google announced an extension of the deadline to remove support for Manifest V2 extensions in the company's Chrome browser and the open source Chromium core. The change does not impact the core decision of removing support for Manifest V2 extensions in favor of Manifest V3. Dubbed the adblocker killer initially, due to limitations imposed on content blocking and other types of browser extensions, Google made concessions that allow content blockers to run on Chrome after the final switch is made. Extensions are still limited in comparison to Manifest V2, especially if multiple extensions that use filtering functionality are run simultaneously, or if lots of filters are activated in a single extension. Google's initial plan was to stop supporting Manifest V2 extensions in Chrome by June 2023. For most users, support would run out in January 2023, but an Enterprise policy would enable users to extend the deadline by six months.
Microsoft

Microsoft Says Two New Exchange Zero-Day Bugs Under Active Attack, But No Immediate Fix (techcrunch.com)

Microsoft has confirmed two unpatched Exchange Server zero-day vulnerabilities are being exploited by cybercriminals in real-world attacks. From a report: Vietnamese cybersecurity company GTSC, which first discovered the flaws in August 2022 as part of its response to a customer's cybersecurity incident, said the two zero-days have been used in attacks on its customers' environments dating back to early August 2022. Microsoft's Security Response Center (MSRC) said in a blog post late on Thursday that the first vulnerability was identified as CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker. "At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems," the technology giant confirmed. Microsoft noted that an attacker would need authenticated access to the vulnerable Exchange Server, such as stolen credentials, to successfully exploit either of the two vulnerabilities, which impact on-premises Microsoft Exchange Server 2013, 2016 and 2019. Microsoft hasn't shared any further details about the attacks and declined to answer our questions. Security firm Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10.
AI

Software Robots Are Gaining Ground In White-Collar Office World (bloomberg.com)

"First they came for factory jobs. Then they showed up in service industries. Now, machines are making inroads into the kind of white-collar office work once thought to be the exclusive preserve of humans," write Alexandre Tanzi and Reade Pickert via Bloomberg. An anonymous reader shares an excerpt from the report: It's not just corporate giants, capable of spending millions of dollars to develop their own technologies, that are getting in on the act. One feature of the new automation wave is that companies like Kizen have popped up to make it affordable even for smaller firms. Based in Austin, Texas, Kizen markets an automated assistant called Zoe, which can perform tasks for sales teams like carrying out initial research and qualifying leads. Launched a year ago, it's already sold more than 400,000 licenses. "Our smallest customer pays us $10 a month and our largest customer pays us $9.5 million a year," says John Winner, Kizen's chief executive officer. There are plenty of other ambitious companies cashing in on the trend, and posting steep increases in revenue -- like UiPath Inc., a favorite of star investment manager Cathie Wood, as well as Appian Corp. and EngageSmart Inc. Alongside the growth of AI and what economists call "robotic process automation" -- essentially, when software performs certain tasks previously done by humans -- old-school automation is still going strong too.

The number of robots sold in North America hit a new record in the first quarter of 2022, according to the Association for Advancing Automation. The World Economic Forum predicts that by 2025, machines will be working as many hours as humans. What all of this innovation means for the world's workers is one of the key open questions in economics. The upbeat view says it's tasks that get automated, not entire jobs -- and if the mundane ones can be handled by computers or robots, that should free up employees for more challenging and satisfying work. The downside risk: occupations from sales reps to administrative support could begin to disappear -- without leaving obvious alternatives for the people who earned a living from them. That adds another employment threat for white-collar workers who may already be vulnerable right now to an economic downturn, largely because so many got hired in the boom of the past couple of years.

KC Harvey Environmental, a consultancy based in Bozeman, Montana that works with businesses and governments on environmental issues, is one of Kizen's clients. It uses the software to automate document control -- for example, archiving and delivering new contracts to the right places and people. "A new project probably took our accounting group and project management team a day," says Rio Franzman, KC Harvey's chief operating officer. "This now probably streamlines it down to about an hour." The firm employs about 100 people and "we didn't lose any" as a result of automation, he says. "What it did allow is for the reallocation of time and resources to more meaningful tasks." KC Harvey is now working with Kizen to bring AI into its marketing, too, with a partly automated newsletter among other projects. Some of the biggest firms at the forefront of automation also say they've been able to do it without cutting jobs.

Engineering giant Siemens AG says it's automated all kinds of production and back-office tasks at its innovative plant in Amberg, Germany, where it makes industrial computers, while keeping staffing steady at around 1,350 employees over several decades. The firm has developed a technology known as "digital twinning," which builds virtual versions of everything from specific products to administrative processes. Managers can then run simulations and stress-tests to see how things can be made better. "We're not going to automate people out of the process," says Barbara Humpton, CEO of Siemens USA. "By optimizing automation systems, and by using digital tools and AI, workers have increased productivity at Amberg by more than 1,000%." [...] Whatever the outcome, it's unlikely to allay the deep unease that the idea of automation triggers among workers who feel their jobs are vulnerable. With the rise of AI, that group increasingly includes white-collar employees.

Security

Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying (wired.com)

For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice. From a report: For decades, virtualization software has offered a way to vastly multiply computers' efficiency, hosting entire collections of computers as "virtual machines" on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical "hyperjacking" and "Blue Pill" attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of "hyperjacking" attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware's virtualization software on multiple targets' networks as part of an apparent espionage campaign. By planting their own code in victims' so-called hypervisors -- VMware software that runs on a physical computer to manage all the virtual machines it hosts -- the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim's virtual machines, the hackers' trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

"The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge," says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only "side effects" of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system. Mandiant discovered the hackers earlier this year and brought their techniques to VMware's attention. Researchers say they've seen the group carry out their virtualization hacking -- a technique historically dubbed hyperjacking in a reference to "hypervisor hijacking" -- in fewer than 10 victims' networks across North America and Asia. Mandiant notes that the hackers, which haven't been identified as any known group, appear to be tied to China.
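One hypervisor-side check a defender can run in response to the above, added here as an example and not taken from the Wired report or from Mandiant's or VMware's published guidance: audit the software bundles (VIBs) installed on an ESXi host against the host's own acceptance level. Guest-side agents cannot see code running in the hypervisor, so the inventory has to be taken on the host itself. The example assumes the hypervisor is VMware ESXi and that a backdoor planted at that layer shows up in `esxcli software vib list` as a bundle weaker than the host's acceptance level permits; the page does not say how these backdoors were installed. The command output embedded below is constructed for the example, and the third-party vendor and bundle names in it are invented.

```python
"""Audit the bundles installed on an ESXi host against the host's own
acceptance level.

Added example for this page; not code from the Wired report, Mandiant or
VMware.  Assumptions: the hypervisor is VMware ESXi, and a backdoor planted
at the hypervisor layer shows up in `esxcli software vib list` as a bundle
whose acceptance level is weaker than the host allows.  The sample output
below is constructed for the example; the third-party vendor and bundle
names in it are invented.
"""
import re

# Acceptance levels ESXi recognises, strongest first.  A host refuses to
# install a VIB weaker than its own level (`esxcli software acceptance get`)
# unless the operator forces the install or lowers the host level, so any
# weaker-than-host bundle was put there deliberately and deserves a look.
ACCEPTANCE_ORDER = (
    "VMwareCertified",
    "VMwareAccepted",
    "PartnerSupported",
    "CommunitySupported",
)

# Constructed sample in the layout of `esxcli software vib list`: a header,
# a ruler of dashes, then one row per bundle.  Not captured from a real host.
SAMPLE_VIB_LIST = """\
Name                    Version                  Vendor  Acceptance Level    Install Date
----------------------  -----------------------  ------  ------------------  ------------
esx-base                7.0.3-0.35.19193900      VMware  VMwareCertified     2022-03-01
vmware-esx-esxcli-nvme  1.2.0.41-1vmw.703.0.35   VMware  VMwareCertified     2022-03-01
acme-mgmt-agent         1.4-1                    Acme    PartnerSupported    2022-05-10
sample-tool             0.9-1                    Acme    CommunitySupported  2022-09-14
"""


def parse_vib_list(text):
    """Turn the command's text output into a list of {column: value} dicts.

    Column names come from the header, split on runs of two or more spaces
    because "Acceptance Level" and "Install Date" each contain one space.
    Every data field is a single token, so a plain split matches them up.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    columns = re.split(r"\s{2,}", lines[0].strip())
    vibs = []
    for row in lines[1:]:
        if set(row.strip()) <= set("- "):
            continue  # the ruler of dashes under the header
        tokens = row.split()
        if len(tokens) != len(columns):
            raise ValueError(f"row does not match header columns: {row!r}")
        vibs.append(dict(zip(columns, tokens)))
    return vibs


def rank(level):
    """Index into ACCEPTANCE_ORDER; anything unrecognised ranks weakest of all."""
    return ACCEPTANCE_ORDER.index(level) if level in ACCEPTANCE_ORDER else len(ACCEPTANCE_ORDER)


def find_suspect_vibs(vibs, host_level):
    """Return (vib, reason) pairs for bundles the host should not have accepted.

    host_level is the value printed by `esxcli software acceptance get`.  A
    bundle is flagged when its level is weaker than the host's or is not one
    the host knows; newest installs come first to speed up triage.
    """
    host_rank = rank(host_level)
    suspects = []
    for vib in sorted(vibs, key=lambda v: v.get("Install Date", ""), reverse=True):
        level = vib.get("Acceptance Level", "")
        if level not in ACCEPTANCE_ORDER:
            suspects.append((vib, f"unrecognised acceptance level {level!r}"))
        elif rank(level) > host_rank:
            suspects.append((vib, f"{level} is weaker than host level {host_level}"))
    return suspects


if __name__ == "__main__":
    # On a real host: save `esxcli software vib list` to a file, feed it to
    # parse_vib_list, and pass `esxcli software acceptance get` as host_level.
    for vib, reason in find_suspect_vibs(parse_vib_list(SAMPLE_VIB_LIST), "PartnerSupported"):
        print(f"{vib['Name']:24} {vib['Vendor']:8} {vib['Install Date']}  {reason}")
```

A flagged bundle is a lead, not a verdict: legitimate operators do force-install community bundles. The useful comparison is against a known-good host or a build baseline, and the audit belongs on every host in the cluster, since a guest-side tool has no view of this layer at all.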

Security

Fast Company Hackers Sent Out Obscene Push Notifications To Apple News Users (engadget.com) 21

Hackers infiltrated Fast Company's push notifications to send out racial slurs on Tuesday night. They also stole a database that includes employees' emails, password hashes for some of them and unpublished drafts, among other information. Customer records are safe, though, most likely because they're kept in a separate database. Engadget reports: In a statement, Fast Company has told Engadget that its Apple News account was hacked and was used to send "obscene and racist" push notifications. It added that the breach was related to another hack that happened on Sunday afternoon and that it has gone as far as shutting down the whole FastCompany.com domain for now. [...] Apple has addressed the situation in a tweet, confirming that the website had been hacked and that it has suspended Fast Company's account.

At the moment, Fast Company's website loads a "404 Not Found" page. Before it was taken down, though, the bad actors managed to post a message detailing how they were able to infiltrate the publication, along with a link to a forum where stolen databases are made available for other users. They said that Fast Company had a default WordPress password that was much too easy to crack and had used it for a bunch of accounts, including an administrator's. From there, they were able to grab authentication tokens and Apple News API keys, among other access information. Those tokens and keys, in turn, gave them the power to grab the names, email addresses and IPs of a bunch of employees.

In a statement, Fast Company said: "Fast Company's content management system account was hacked on Tuesday evening. As a result, two obscene and racist push notifications were sent to our followers in Apple News about a minute apart. The messages are vile and are not in line with the content and ethos of Fast Company. We are investigating the situation and have shut down FastCompany.com until the situation has been resolved. Tuesday's hack follows an apparently related hack of FastCompany.com that occurred on Sunday afternoon, when similar language appeared on the site's home page and other pages. We shut down the site that afternoon and restored it about two hours later. Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down."

Encryption

UK Online Safety Bill Threatens Security, WhatsApp Chief Warns (ft.com) 32

The head of WhatsApp has warned UK ministers that moves to undermine encryption in a relaunched online safety bill would threaten the security of the government's own communications and embolden authoritarian regimes. From a report: In an interview with the Financial Times, Will Cathcart, who runs the Meta-owned messaging app, insisted that alternative techniques were available to protect children using WhatsApp, without having to abandon the underlying security technology that safeguards its more than 2bn users. The UK's bill, which the government argues will make the internet safer, has become a focus of global debate over whether companies such as Google, Meta and Twitter should be forced to proactively scan and remove harmful content on their networks.

Tech companies claim it is not technically possible for encrypted messaging apps to scan for material such as child pornography without undermining the end-to-end encryption that protects the entire network and prevents anyone -- including platform operators -- from reading users' messages. Cathcart said the UK's ultimate position on the issue would have a global impact. "If the UK decides that it is OK for a government to get rid of encryption, there are governments all around the world that will do exactly the same thing, where liberal democracy is not as strong, where there are different concerns that really implicate deep-seated human rights," he said, citing Hong Kong as a potential example.
