Spam

FCC Threatens To Block Calls From Carriers For Letting Robocalls Run Rampant (theverge.com)

The Federal Communications Commission is threatening to block calls from voice service providers that have yet to take meaningful action against illegal robocalls. The Verge reports: On Monday, the FCC announced that it was beginning the process to remove providers from the agency's Robocall Mitigation Database for failing to fully implement STIR/SHAKEN anti-robocall protocols into their networks. If the companies fail to meet these requirements over the next two weeks, compliant providers will be forced to block their calls. "This is a new era. If a provider doesn't meet its obligations under the law, it now faces expulsion from America's phone networks. Fines alone aren't enough," FCC Chairwoman Jessica Rosenworcel said in a statement on Monday. "Providers that don't follow our rules and make it easy to scam consumers will now face swift consequences."

The FCC's orders target seven carriers, including Akabis, Cloud4, Global UC, Horizon Technology Group, Morse Communications, Sharon Telephone Company, and SW Arkansas Telecommunications and Technology. "These providers have fallen woefully short and have now put at risk their continued participation in the U.S. communications system," Loyaan A. Egal, FCC acting chief of the enforcement standards, said in a Monday statement. "While we'll review their responses, we will not accept superficial gestures given the gravity of what is at stake."

IT

After Chess, Cheating Rows Rock Poker and Fishing (bbc.com)

AmiMoJo writes: First it was chess -- now top-level US poker and match fishing have been dogged by their own claims of cheating. A casino is investigating after one player stunned poker fans by making an audacious bet to win a huge pot. Meanwhile, two fishermen have been accused of stuffing their catches with lead weights in order to win a tournament held on Lake Erie, Ohio. And world chess officials are probing whether a teen talent cheated in face-to-face matches -- something he denies. A row erupted following a high-stakes game held at the Hustler Casino in Los Angeles on Thursday night. Robbi Jade Lew stunned the table by appearing to successfully call a semi-bluff by her opponent Garrett Adelstein. Lew called an all-in bet by her opponent, risking her chips with an underwhelming hand, apparently convinced her opponent was bluffing and scooping a pot that had grown to $269,000. Pundits commentating during the livestreamed match expressed their incredulity at the gambit, while Adelstein gave his competitor an icy stare.

Security

Hackers Leak 500GB Trove of Data Stolen During LAUSD Ransomware Attack (techcrunch.com)

Hackers have released a cache of data stolen during a cyberattack against the Los Angeles Unified School District (LAUSD) in what appears to be the biggest education breach in recent years. From a report: Vice Society, a Russian-speaking group that last month claimed responsibility for the ransomware attack that disrupted the LAUSD's access to email, computer systems and applications, published the data stolen from the school district over the weekend. The group had previously set an October 4 deadline to pay an unspecified ransom demand.

The stolen data was posted to Vice Society's dark web leak site and appears to contain personal identifying information, including passport details, Social Security numbers and tax forms. While TechCrunch has not yet reviewed the full trove, the published data also contains confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students. Vice Society, a group known for targeting schools and the education sector, included a message with the published data that said the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the government agency assisting the school in responding to the breach, "wasted our time."

Bug

Pentagon Is Far Too Tight With Its Security Bug Bounties (theregister.com)

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward. The Register reports: The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam's networks. [...] According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection.

The Pentagon didn't say how many bug hunters received rewards, or how much they each earned. However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil. Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021. [...] It's also worth noting that the DoD's pilot vulnerability disclosure program, which ended in April, didn't pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that.

"The most successful bug bounty programs strike an even balance between monetary and social benefits," Google's Eduardo Vela, who leads the Product Security Response Team, told The Register.

"For bug hunters, there must be a monetary incentive to get them to participate -- but, there's also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both -- one without the other is not enough."

Security

Covert CIA Websites Could Have Been Found By an 'Amateur,' Research Finds (theguardian.com)

An anonymous reader quotes a report from the Guardian: The CIA used hundreds of websites for covert communications that were severely flawed and could have been identified by even an "amateur sleuth," according to security researchers. The flaws reportedly led to the death of more than two dozen US sources in China in 2011 and 2012 and also reportedly led Iran to execute or imprison other CIA assets. The new research was conducted by security experts at the Citizen Lab at the University of Toronto, which started investigating the matter after it received a tip from reporter Joel Schectmann at Reuters.

The group said it was not publishing a full detailed technical report of its findings to avoid putting CIA assets or employees at risk. But its limited findings raise serious doubts about the intelligence agency's handling of safety measures. Using just a single website and publicly available material, Citizen Lab said it identified a network of 885 websites that it attributed "with high confidence" as having been used by the CIA. It found that the websites purported to be concerned with news, weather, healthcare and other legitimate websites. "Knowing only one website, it is likely that while the websites were online, a motivated amateur sleuth could have mapped out the CIA network and attributed it to the US government," Citizen Lab said in a statement.

The websites were active between 2004 and 2013 and were probably not used by the CIA recently, but Citizen Lab said a subset of the websites were still linked to active intelligence employees or assets, including a foreign contractor and a current state department employee. Citizen Lab added: "The reckless construction of this infrastructure by the CIA reportedly led directly to the identification and execution of assets, and undoubtedly risked the lives of countless other individuals. Our hope is that this research and our limited disclosure process will lead to accountability for this reckless behavior."

CIA spokesperson Tammy Kupperman Thorp said: "CIA takes its obligations to protect the people who work with us extremely seriously and we know that many of them do so bravely, at great personal risk. The notion that CIA would not work as hard as possible to safeguard them is false."

Security

High-Severity Microsoft Exchange 0-Day Under Attack Threatens 220,000 Servers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild.

People running on-premises Exchange servers "should apply a blocking rule that prevents servers from accepting known attack patterns," reports Ars. The rule can be found in Microsoft's advisory.

"For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."

Encryption

NYPD Considers Using Encryption To Block Public From Radio Scanner Broadcasts (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: The NYPD says it wants to reimagine its current police communication system and transition to encrypted messages by 2024, according to a recent amNY report confirmed by Gizmodo. While law enforcement has spent years fighting to make encryption less accessible for everyday people, police think they need a little more privacy. Critics worry a turn towards encryption by law enforcement could reduce transparency, hamstring the news media, and potentially jeopardize the safety of protestors looking to stay a step ahead.

According to amNY, the NYPD's new plan would allow law enforcement officers discretion on whether or not to publicly disclose newsworthy incidents. That means the NYPD essentially would get to dictate the truth unchallenged in a number of potentially sensitive local stories. The report suggests police are floating the idea of letting members of the news media monitor certain radio transmissions through an NYPD-controlled mobile app. There's a catch though. According to the report, the app would send radio information with a delay. Users may also have to pay a subscription fee to use the service, the paper said.

The NYPD confirmed it's planning a "systems upgrade" in the coming years in an email to Gizmodo. "The NYPD is undergoing a systems upgrade that is underway and that will be complete after 2024," a spokesperson for the Deputy Commissioner of Public Information said. "This infrastructure upgrade allows the NYPD to transmit in either an encrypted or non-encrypted format," the NYPD said. "Some parts of the city have had the necessary equipment installed and the Department will begin testing the technology in these areas later this year. We are currently evaluating encryption best practices and will communicate new policies and procedures as we roll out this upgraded technology." The spokesperson claimed the department intends to listen to and consider the needs of the news media during the transition process.

"The entire public safety news coverage system depends on scanners, and if scanners and scanner traffic are no longer available to newsrooms then news reporting about crime, fire -- it's going to be very hit or miss," CaliforniansAware General Counsel Terry Francke told the Reporters Committee in a blog post.

"Cutting off the media from getting emergency transmissions represents the clearest regression of the NYPD policy of transparency in its history," New York Press Photographers Association President Bruce Cotler said in an interview with amNY. "We believe shutting down radio transmissions is a danger to the public and to the right of the public to know about important events."

Gizmodo notes that New York joins a growing list of cities considering encrypting radio communications. "Denver, Baltimore, Virginia Beach, Sioux City, Iowa, and Racine, Wisconsin have all moved to implement the technology in recent years."

Security

Games Are Starting To Require a Phone Number To Play (polygon.com)

According to Polygon, players will be required to link a phone number to their Battle.net accounts if they want to play Overwatch 2. "The same two-factor step, called SMS Protect, will also be used on all Call of Duty: Modern Warfare 2 accounts when that game launches, and new Call of Duty: Modern Warfare accounts," the report adds. From the report: Blizzard Entertainment announced SMS Protect and other safety measures ahead of Overwatch 2's release. Blizzard said it implemented these controls because it wanted to "protect the integrity of gameplay and promote positive behavior in Overwatch 2." Overwatch 2 is free to play, unlike its predecessor. Without SMS Protect, Blizzard reasoned that there is no barrier to toxic players or trolls creating a new account if an existing one is sanctioned. SMS Protect, therefore, ties that account to something valuable -- in this case a player's mobile phone.

SMS Protect is a security feature that has two purposes: to keep players accountable for what Blizzard calls "disruptive behavior," and to protect accounts if they're hacked. It requires all Overwatch 2 players to attach a unique phone number to their account. Blizzard said SMS Protect will target cheaters and harassers; if an account is banned, it'll be harder for them to return to Overwatch 2. You can't just enter any old phone number -- you actually have to have access to a phone receiving texts to that number to get into your account.

Overwatch 2 lead software engineer Bill Warnecke told Forbes that, even if accounts are no longer tied to Overwatch's box price -- because the game is now free-to-play -- Blizzard still wants players to make an "investment" in upholding a safe game. "The key idea behind SMS Protect is to have an investment on behalf of the owner of that account and add some limitations or restrictions behind how you might have an account," Warnecke said. "There's no exclusions or kind of loopholes around the system."

The report notes that Blizzard has refunded one player after they contacted customer support and said they didn't have a mobile phone, but it's unclear if this policy will apply more broadly.

AMD

Rewritten OpenGL Drivers Make AMD's GPUs 'Up To 72%' Faster in Some Pro Apps (arstechnica.com)

Most development effort in graphics drivers these days, whether you're talking about Nvidia, Intel, or AMD, is focused on new APIs like DirectX 12 or Vulkan, increasingly advanced upscaling technologies, and specific improvements for new game releases. But this year, AMD has also been focusing on an old problem area for its graphics drivers: OpenGL performance. From a report: Over the summer, AMD released a rewritten OpenGL driver that it said would boost the performance of Minecraft by up to 79 percent (independent testing also found gains in other OpenGL games and benchmarks, though not always to the same degree). Now those same optimizations are coming to AMD's officially validated GPU drivers for its Radeon Pro-series workstation cards, providing big boosts to professional apps like Solidworks and Autodesk Maya. "The AMD Software: PRO Edition 22.Q3 driver has been tested and approved by Dell, HP, and Lenovo for stability and is available through their driver downloads," the company wrote in its blog post. "AMD continues to work with software developers to certify the latest drivers." Using a Radeon Pro W6800 workstation GPU, AMD says that its new drivers can improve Solidworks rendering speeds by up to 52 or 28 percent at 4K and 1080p resolutions, respectively. Autodesk Maya performance goes up by 34 percent at 4K or 72 percent at the default resolution. The size of the improvements varies based on the app and the GPU, but AMD's testing shows significant, consistent improvements across the board on the Radeon Pro W6800, W6600, and W6400 GPUs, improvements that AMD says will help those GPUs outpace analogous Nvidia workstation GPUs like the RTX A5000 and A2000 and the Nvidia T600.

China

Suspected Chinese Hackers Tampered With Widely Used Canadian Chat Program, Researchers Say (reuters.com)

Suspected Chinese hackers tampered with widely used software distributed by a small Canadian customer service company, another example of a "supply chain compromise" made infamous by the hack on U.S. networking company SolarWinds. From a report: U.S. cybersecurity firm CrowdStrike will say in an upcoming blog post seen by Reuters that it had discovered malicious software being distributed by Vancouver-based Comm100, which provides customer service products, such as chat bots and social media management tools, to a range of clients around the globe. The scope and scale of the hack wasn't immediately clear. In a message, Comm100 said it had fixed its software earlier Thursday and that more details would soon be forthcoming. The company did not immediately respond to follow-up requests for information. CrowdStrike researchers believe the malicious software was in circulation for a couple of days but wouldn't say how many companies had been affected, divulging only that "entities across a range of industries" were hit.

IT

USB Kills Off SuperSpeed Branding as It Tries To Simplify Its Ubiquitous Connector (theverge.com)

The SuperSpeed USB branding is no more thanks to a new set of guidelines currently being rolled out by the USB Implementers Forum (USB-IF), the body that manages and maintains the USB standard. From a report: It's part of a rebranding initiative that the organization kicked off last year with the introduction of a new series of packaging, port, and cable logos. But with its latest set of branding and logo guidelines it's going even further, simplifying its legacy branding and signaling the end of the decade-old SuperSpeed branding. If the name doesn't ring any bells, then that's probably because you (like most other people) simply referred to it by its USB 3 version number. Alongside it, the USB-IF is also ditching USB4 as a consumer-facing brand name.

Chrome

Google Delays the Death of Manifest V2 Extensions To 2024 (ghacks.net)

AmiMoJo writes: Google announced an extension of the deadline to remove support for Manifest V2 extensions in the company's Chrome browser and the open source Chromium core. The change does not impact the core decision of removing support for Manifest V2 extensions in favor of Manifest V3. Dubbed the adblocker killer initially, due to limitations imposed on content blocking and other types of browser extensions, Google made concessions that allow content blockers to run on Chrome after the final switch is made. Extensions are still limited in comparison to Manifest V2, especially if multiple extensions that use filtering functionality are run simultaneously, or if lots of filters are activated in a single extension. Google's initial plan was to stop supporting Manifest V2 extensions in Chrome by June 2023. For most users, support would run out in January 2023, but an Enterprise policy would enable users to extend the deadline by six months.

Microsoft

Microsoft Says Two New Exchange Zero-Day Bugs Under Active Attack, But No Immediate Fix (techcrunch.com)

Microsoft has confirmed two unpatched Exchange Server zero-day vulnerabilities are being exploited by cybercriminals in real-world attacks. From a report: Vietnamese cybersecurity company GTSC, which first discovered the flaws as part of its response to a customer's cybersecurity incident in August 2022, said the two zero-days have been used in attacks on their customers' environments dating back to early August 2022. Microsoft's Security Response Center (MSRC) said in a blog post late on Thursday that the two vulnerabilities were identified as CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker. "At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems," the technology giant confirmed. Microsoft noted that an attacker would need authenticated access to the vulnerable Exchange Server, such as stolen credentials, to successfully exploit either of the two vulnerabilities, which impact on-premise Microsoft Exchange Server 2013, 2016 and 2019. Microsoft hasn't shared any further details about the attacks and declined to answer our questions. Security firm Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10.

AI

Software Robots Are Gaining Ground In White-Collar Office World (bloomberg.com)

"First they came for factory jobs. Then they showed up in service industries. Now, machines are making inroads into the kind of white-collar office work once thought to be the exclusive preserve of humans," write Alexandre Tanzi and Reade Pickert via Bloomberg. An anonymous reader shares an excerpt from the report: It's not just corporate giants, capable of spending millions of dollars to develop their own technologies, that are getting in on the act. One feature of the new automation wave is that companies like Kizen have popped up to make it affordable even for smaller firms. Based in Austin, Texas, Kizen markets an automated assistant called Zoe, which can perform tasks for sales teams like carrying out initial research and qualifying leads. Launched a year ago, it's already sold more than 400,000 licenses. "Our smallest customer pays us $10 a month and our largest customer pays us $9.5 million a year," says John Winner, Kizen's chief executive officer. There are plenty of other ambitious companies cashing in on the trend, and posting steep increases in revenue -- like UiPath Inc., a favorite of star investment manager Cathie Wood, as well as Appian Corp. and EngageSmart Inc. Alongside the growth of AI and what economists call "robotic process automation" -- essentially, when software performs certain tasks previously done by humans -- old-school automation is still going strong too.

The number of robots sold in North America hit a new record in the first quarter of 2022, according to the Association for Advancing Automation. The World Economic Forum predicts that by 2025, machines will be working as many hours as humans. What all of this innovation means for the world's workers is one of the key open questions in economics. The upbeat view says it's tasks that get automated, not entire jobs -- and if the mundane ones can be handled by computers or robots, that should free up employees for more challenging and satisfying work. The downside risk: occupations from sales reps to administrative support, could begin to disappear -- without leaving obvious alternatives for the people who earned a living from them. That adds another employment threat for white-collar workers who may already be vulnerable right now to an economic downturn, largely because so many got hired in the boom of the past couple of years.

KC Harvey Environmental, a consultancy based in Bozeman, Montana that works with businesses and governments on environmental issues, is one of Kizen's clients. It uses the software to automate document control -- for example, archiving and delivering new contracts to the right places and people. "A new project probably took our accounting group and project management team a day," says Rio Franzman, KC Harvey's chief operating officer. "This now probably streamlines it down to about an hour." The firm employs about 100 people and "we didn't lose any" as a result of automation, he says. "What it did allow is for the reallocation of time and resources to more meaningful tasks." KC Harvey is now working with Kizen to bring AI into its marketing, too, with a partly automated newsletter among other projects. Some of the biggest firms at the forefront of automation also say they've been able to do it without cutting jobs.

Engineering giant Siemens AG says it's automated all kinds of production and back-office tasks at its innovative plant in Amberg, Germany, where it makes industrial computers, while keeping staffing steady at around 1,350 employees over several decades. The firm has developed a technology known as "digital twinning," which builds virtual versions of everything from specific products to administrative processes. Managers can then run simulations and stress-tests to see how things can be made better. "We're not going to automate people out of the process," says Barbara Humpton, CEO of Siemens USA. "By optimizing automation systems, and by using digital tools and AI, workers have increased productivity at Amberg by more than 1,000%." [...] Whatever the outcome, it's unlikely to allay the deep unease that the idea of automation triggers among workers who feel their jobs are vulnerable. With the rise of AI, that group increasingly includes white-collar employees.

Security

Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying (wired.com)

For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice. From a report: For decades, virtualization software has offered a way to vastly multiply computers' efficiency, hosting entire collections of computers as "virtual machines" on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical "hyperjacking" and "Blue Pill" attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of "hyperjacking" attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware's virtualization software on multiple targets' networks as part of an apparent espionage campaign. By planting their own code in victims' so-called hypervisors -- VMware software that runs on a physical computer to manage all the virtual machines it hosts -- the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim's virtual machines, the hackers' trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

"The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge," says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only "side effects" of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system. Mandiant discovered the hackers earlier this year and brought their techniques to VMware's attention. Researchers say they've seen the group carry out their virtualization hacking -- a technique historically dubbed hyperjacking in a reference to "hypervisor hijacking" -- in fewer than 10 victims' networks across North America and Asia. Mandiant notes that the hackers, which haven't been identified as any known group, appear to be tied to China.

Security

Fast Company Hackers Sent Out Obscene Push Notifications To Apple News Users (engadget.com)

Hackers infiltrated Fast Company's push notifications to send out racial slurs on Tuesday night. They also stole a database that includes employees' emails, password hashes for some of them and unpublished drafts, among other information. Customer records are safe, though, most likely because they're kept in a separate database. Engadget reports: In a statement, Fast Company has told Engadget that its Apple News account was hacked and was used to send "obscene and racist" push notifications. It added that the breach was related to another hack that happened on Sunday afternoon and that it has gone as far as shutting down the whole FastCompany.com domain for now. [...] Apple has addressed the situation in a tweet, confirming that the website has been hacked and that it has suspended Fast Company's account.

At the moment, Fast Company's website loads a "404 Not Found" page. Before it was taken down, though, the bad actors managed to post a message detailing how they were able to infiltrate the publication, along with a link to a forum where stolen databases are made available for other users. They said that Fast Company had a default password for WordPress that was much too easy to crack and used it for a bunch of accounts, including one for an administrator. From there, they were able to grab authentication tokens, Apple News API keys, among other access information. The authentication keys, in turn, gave them the power to grab the names, email addresses and IPs of a bunch of employees.

In a statement, Fast Company said: "Fast Company's content management system account was hacked on Tuesday evening. As a result, two obscene and racist push notifications were sent to our followers in Apple News about a minute apart. The messages are vile and are not in line with the content and ethos of Fast Company. We are investigating the situation and have shut down FastCompany.com until the situation has been resolved. Tuesday's hack follows an apparently related hack of FastCompany.com that occurred on Sunday afternoon, when similar language appeared on the site's home page and other pages. We shut down the site that afternoon and restored it about two hours later. Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down."

Encryption

UK Online Safety Bill Threatens Security, WhatsApp Chief Warns (ft.com) 32

The head of WhatsApp has warned UK ministers that moves to undermine encryption in a relaunched online safety bill would threaten the security of the government's own communications and embolden authoritarian regimes. From a report: In an interview with the Financial Times, Will Cathcart, who runs the Meta-owned messaging app, insisted that alternative techniques were available to protect children using WhatsApp, without having to abandon the underlying security technology that safeguards its more than 2bn users. The UK's bill, which the government argues will make the internet safer, has become a focus of global debate over whether companies such as Google, Meta and Twitter should be forced to proactively scan and remove harmful content on their networks.

Tech companies claim it is not technically possible for encrypted messaging apps to scan for material such as child pornography without undermining the security of the entire network, whose end-to-end encryption prevents anyone -- including platform operators -- from reading users' messages. Cathcart said the UK's ultimate position on the issue would have a global impact. "If the UK decides that it is OK for a government to get rid of encryption, there are governments all around the world that will do exactly the same thing, where liberal democracy is not as strong, where there are different concerns that really implicate deep-seated human rights," he said, citing Hong Kong as a potential example.

IT

Cloudflare Wants To Replace CAPTCHAs With Turnstile (techcrunch.com) 35

Ahead of its Connect conference in October, Cloudflare this week announced an ambitious new project called Turnstile, which seeks to do away with the CAPTCHAs used throughout the web to verify that visitors are human. From a report: Available to site owners at no charge, Cloudflare customers or not, Turnstile chooses from a rotating suite of "browser challenges" to check that visitors to a webpage aren't, in fact, bots. CAPTCHAs, the challenge-response tests most of us have encountered when filling out forms, have been around for decades, and they've been relatively successful at keeping bot traffic at bay. But the rise of cheap labor, bugs in various CAPTCHA flavors and automated solvers have begun to poke holes in the system. Several websites offer human- and AI-backed CAPTCHA-solving services for as little as $0.50 per thousand solved CAPTCHAs, and some researchers claim AI-based attacks can successfully solve CAPTCHAs used by the world's most popular websites.

Cloudflare itself was once a CAPTCHA user. But according to CTO John Graham-Cumming, the company was never quite satisfied with it -- if Cloudflare's public rallying cries hadn't made that clear. In a conversation with TechCrunch, Graham-Cumming listed what he sees as the many downsides of CAPTCHA technology, including poor accessibility (visual disabilities can make it impossible to solve a CAPTCHA), cultural bias (CAPTCHAs assume familiarity with objects like U.S. taxis) and the strains that CAPTCHAs place on mobile data plans. [...] Turnstile automatically chooses a browser challenge based on "telemetry and client behavior exhibited during a session," Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment and using AI models to detect features and visitors who've passed a challenge before, Turnstile fine-tunes the difficulty of the challenge to the specific request -- avoiding having users solve a puzzle.

Security

Microsoft Exchange Online Users Face a Key Security Deadline Saturday (protocol.com) 43

Microsoft is about to eliminate a method for logging into its Exchange Online email service that is widely considered vulnerable and outdated, but that some businesses still rely upon. From a report: The company has said that as of Oct. 1, it will begin to disable what's known as "basic authentication" for customers that continue to use the system. Basic authentication typically requires only a username and password for login; the system does not play well with multifactor authentication and is prone to a host of other heightened security risks. Microsoft has said that for several types of common password-based threats, attackers almost exclusively target accounts that use basic authentication. At identity platform Okta, which manages logins for a large number of Microsoft Office 365 accounts, "we've seen these problems for years," said Todd McKinnon, co-founder and CEO of Okta. "When we block a threat, nine times out of 10 it's against a Microsoft account that has basic authentication. So we think this is a great thing." Microsoft has been seeking to prod businesses to move off basic authentication for the past three years, but "unfortunately usage isn't yet at zero," it said in a post earlier this month.
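
As an added example (not from the article, Microsoft or Okta), a short Python script that scans sign-in records for basic-auth logins, so an administrator can see which accounts still depend on the method before it is disabled and whether those accounts are also drawing failed password attempts. The records are constructed; the field names and the client-app labels are assumed to follow the Azure AD sign-in log export schema.

```python
"""Flag accounts still signing in with basic (legacy) authentication.

Added example, not from the article or Microsoft. It scans constructed
sign-in records shaped like an Azure AD sign-in log export; the field
names (userPrincipalName, clientAppUsed, status.errorCode) follow that
schema but are an assumption here.
"""
import json
from collections import defaultdict

# Client-app labels that indicate basic/legacy authentication in the
# sign-in logs (assumed set; extend it to match your tenant's export).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Other clients",
}

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
"""


def parse_sign_ins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_report(records):
    """Return {user: {"ok": n, "failed": n, "apps": set()}} for every user
    whose sign-ins used a legacy (basic-auth) client protocol.

    Failed attempts are counted separately: a run of failures against a
    basic-auth protocol is what password guessing looks like in these logs,
    and such accounts cannot be protected by MFA until they are moved off it.
    """
    report = defaultdict(lambda: {"ok": 0, "failed": 0, "apps": set()})
    for rec in records:
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue  # modern auth client; nothing to flag
        entry = report[rec["userPrincipalName"]]
        entry["apps"].add(app)
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["ok"] += 1
        else:
            entry["failed"] += 1
    return dict(report)


if __name__ == "__main__":
    for user, info in legacy_auth_report(parse_sign_ins(SAMPLE_LOG)).items():
        print(f"{user}: {sorted(info['apps'])} ok={info['ok']} failed={info['failed']}")
```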
IT

Cheat Devs Are Ready for Modern Warfare 2 (vice.com) 58

The PC beta for Modern Warfare 2 was only online for just over a weekend, but cheat developers quickly managed to create wallhacks anyway, according to videos created by multiple cheat developers. From a report: The news highlights the constant cat-and-mouse game between cheat developers and the companies that make competitive video games, and shows that Modern Warfare 2 will be no different. Warzone, the massively popular free-to-play battle royale game built on top of Call of Duty's mainline games, was notoriously overrun by cheaters before publisher Activision and the development studios working on the game introduced a new anti-cheat mechanism called Ricochet. "I started developing a MW2 beta cheat right away. I was done the same day, the first day of the beta. My users got access once the cheat was complete & tested," Zebleer, the pseudonymous administrator of Phantom Overlay, a cheat provider that has a long history of selling cheats for Warzone, told Motherboard in an email.

[...] EngineOwning, another cheat developer, published a video to their Twitter account over the weekend appearing to show their own product in action, although it didn't seem to be ready for the beta. "Our MW2 cheat is now done and we're currently in close testing," the tweet read. "This means our cheat will be ready when the game launches, with all the features you'd expect." The Anti-Cheat Police Department, a researcher who has tracked the cheating ecosystem and who reports offending players, claimed in their own tweet that "Ricochet has this shitty cheat detected they are just a scam operation at this point."
