The head of WhatsApp has warned UK ministers that moves to undermine encryption in a relaunched online safety bill would threaten the security of the government's own communications and embolden authoritarian regimes. From a report: In an interview with the Financial Times, Will Cathcart, who runs the Meta-owned messaging app, insisted that alternative techniques were available to protect children using WhatsApp, without having to abandon the underlying security technology that safeguards its more than 2bn users. The UK's bill, which the government argues will make the internet safer, has become a focus of global debate over whether companies such as Google, Meta and Twitter should be forced to proactively scan and remove harmful content on their networks.

Tech companies claim it is not technically possible for encrypted messaging apps to scan for material such as child pornography without undermining the security of the entire network, which prevents anyone -- including platform operators -- from reading users' messages. Cathcart said the UK's ultimate position on the issue would have a global impact. "If the UK decides that it is OK for a government to get rid of encryption, there are governments all around the world that will do exactly the same thing, where liberal democracy is not as strong, where there are different concerns that really implicate deep-seated human rights," he said, citing Hong Kong as a potential example.

Ahead of its Connect conference in October, Cloudflare this week announced an ambitious new project called Turnstile, which seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are. From a report: Available to site owners at no charge, Cloudflare customers or no, Turnstile chooses from a rotating suite of "browser challenges" to check that visitors to a webpage aren't, in fact, bots. CAPTCHAs, the challenge-response tests most of us have encountered when filling out forms, have been around for decades, and they've been relatively successfully at keeping bot traffic at bay. But the rise of cheap labor, bugs in various CAPTCHA flavors and automated solvers have begun to poke holes in the system. Several websites offer human- and AI-backed CAPTCHA-solving services for as low as $0.50 per thousand solved CAPTCHAs, and some researchers claim AI-based attacks can successfully solve CAPTCHAs used by the world's most popular websites.

Cloudflare itself was once a CAPTCHA user. But according to CTO John Graham-Cumming, the company was never quite satisfied with it -- if Cloudflare's public rallying cries hadn't made that clear. In a conversation with TechCrunch, Graham-Cumming listed what he sees as the many downsides of CAPTCHA technology, including poor accessibility (visual disabilities can make it impossible to solve a CAPTCHA), cultural bias (CAPTCHAs assume familiarity with objects like U.S. taxis) and the strains that CAPTCHAs place on mobile data plans. [...] Turnstile automatically chooses a browser challenge based on "telemetry and client behavior exhibited during a session," Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment and using AI models to detect features and visitors who've passed a challenge before, Turnstile fine-tunes the difficulty of the challenge to the specific request -- avoiding having users solve a puzzle.

Microsoft is about to eliminate a method for logging into its Exchange Online email service that is widely considered vulnerable and outdated, but that some businesses still rely upon. From a report: The company has said that as of Oct. 1, it will begin to disable what's known as "basic authentication" for customers that continue to use the system. Basic authentication typically requires only a username and password for login; the system does not play well with multifactor authentication and is prone to a host of other heightened security risks. Microsoft has said that for several types of common password-based threats, attackers almost exclusively target accounts that use basic authentication. At identity platform Okta, which manages logins for a large number of Microsoft Office 365 accounts, "we've seen these problems for years," said Todd McKinnon, co-founder and CEO of Okta. "When we block a threat, nine times out of 10 it's against a Microsoft account that has basic authentication. So we think this is a great thing." Microsoft has been seeking to prod businesses to move off basic authentication for the past three years, but "unfortunately usage isn't yet at zero," it said in a post earlier this month.

The PC beta for Modern Warfare 2 was only online for just over a weekend, but cheat developers quickly managed to create wallhacks anyway, according to videos created by multiple cheat developers. From a report: The news highlights the constant cat and mouse game between cheat developers and the companies that make competitive video games, and shows that Modern Warfare 2 will be no different. Warzone, the massively popular free-to-play battle royale game built on top of Call of Duty's mainline games, was notoriously overrun by cheaters before publisher Activision and the development studios working on the game introduced a new anti-cheat mechanism called Ricochet. "I started developing a MW2 beta cheat right away. I was done the same day, the first day of the beta. My users got access once the cheat was complete & tested," Zebleer, the pseudonymous administrator of Phantom Overlay, a cheat provider that has a long history of selling cheats for Warzone, told Motherboard in an email.

[...] EngineOwning, another cheat developer, published a video to their Twitter account over the weekend appearing to show their own product in action, although it didn't seem to be ready for the beta. "Our MW2 cheat is now done and we're currently in close testing," the tweet read. "This means our cheat will be ready when the game launches, with all the features you'd expect." The Anti-Cheat Police Department, a researcher who has tracked the cheating ecosystem and who reports offending players, claimed in their own tweet that "Ricochet has this shitty cheat detected they are just a scam operation at this point."

Intel has announced an intriguing new app called Unison, which aims to "seamlessly" connect Intel-powered computers to smartphones -- not just Android phones but iOS devices as well. From a report: Following what Intel says is a "simple pairing process," the Unison app will allow PCs to replicate four key features of the connected phone. They can answer and make calls; they can share photos and files (pictures taken with the phone will show up in a specific Unison gallery on the PC); they can send and receive texts; and they can receive (and, in some cases, respond to) notifications that the phone receives -- though if Unison is closed, they'll go to the Windows notification center. "The advantage we can bring to a PC user that's got a well-designed Windows PC is not having to choose their device based on the PC they have. They have an iPhone, they have an Android phone, any device they want to use will be able to connect with this capability," Josh Newman, Intel's VP of mobile innovation, told The Verge. "When you're ... on your laptop, and you get notifications or texts on your phone, you can keep it in your bag and get right back into the flow of your work."

An anonymous reader quotes a report from Ars Technica: The Ukrainian government on Monday warned that the Kremlin is planning to carry out "massive cyberattacks" targeting power grids and other critical infrastructure in Ukraine and in the territories of its allies. "By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine," an advisory warned. "The occupying command is convinced that this will slow down the offensive operations of the Ukrainian Defence Forces."

Monday's advisory alluded to two cyberattacks the Russian government carried out -- first in 2015 and then almost exactly one year later -- that deliberately left Ukrainians without power during one of the coldest months of the year. The attacks were seen as a proof-of-concept and test ground of sorts for disrupting Ukraine's power supply. "The experience of cyberattacks on Ukraine's energy systems in 2015 and 2016 will be used when conducting operations," the Ukrainian government said on Monday.

It's hard to assess the chances of a successful hacking campaign against Ukraine's power grids. Earlier this year, Ukraine's CERT-UA said it successfully detected a new strain of Industroyer inside the network of a regional Ukrainian energy firm. Industroyer2 reportedly was able to temporarily switch off power to nine electrical substations but was stopped before a major blackout could be triggered. [...] But researchers from Mandiant and elsewhere also note that Sandworm, the name for the Kremlin-backed group behind the power grid hacks, is among the most elite hacking groups in the world. They are known for stealth, persistence, and remaining hidden inside targeted organizations for months or even years before surfacing. Besides an attack on electrical grids, Monday's advisory also warned of other forms of disruptions the country expected Russia to ramp up. "The Kremlin also intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine's closest allies, primarily Poland and the Baltic states," the advisory stated. "We don't have any direct knowledge or data to make an assessment on Ukraine's capability to defend its grid, but we do know that CERT-UA stopped the deployment of INDUSTROYER.V2 malware that targeted Ukraine's electric substations earlier this year," Chris Sistrunk, technical manager of Mandiant Industrial Control Systems Consulting, wrote in an email. "Based on that, and what we know about the Ukrainian people's overall resolve, it's increasingly clear that one of the reasons cyberattacks in Ukraine have been dampened is because its defenders are very aggressive and very good at confronting Russian actors."

An anonymous reader quotes a report from Bloomberg: In the heart of midtown Manhattan lies a multibillion-dollar problem for building owners, the city and thousands of workers. Blocks of decades-old office towers sit partially empty, in an awkward position: too outdated to attract tenants seeking the latest amenities, too new to be demolished or converted for another purpose. It's a situation playing out around the globe as employers adapt to flexible work after the Covid-19 pandemic and rethink how much space they need. Even as people are increasingly called back to offices for at least some of the week, vacancy rates have soared in cities from Hong Kong to London and Toronto.

"There's no part of the world that is untouched by the growth of hybrid working," said Richard Barkham, global chief economist for commercial real estate firm CBRE Group Inc. In some cases, companies are simply cutting back on space to reduce their real estate costs. Others are relocating to shiny new towers with top-of-the-line amenities to attract talent and employees who may be reluctant to leave the comforts of working from home. Left behind are older buildings outside of prime locations. The US is likely to have a slower office-market recovery than Asia and Europe because it began the pandemic with a higher vacancy rate, and long-term demand is expected to drop around 10% or more, Barkham said. New York, America's biggest office real estate market, is at the center of the issue.

A study this year by professors at Columbia University and New York University estimated that lower tenant demand because of remote work may cut 28%, or $456 billion, off the value of offices across the US. About 10% of that would be in New York City alone. The implications of obsolete buildings stretch across the local economy. Empty offices have led to a cascade of shuttered restaurants and other street-level businesses that depended on daytime worker traffic. And falling building values mean less property-tax revenue for city coffers. A strip on Manhattan's Third Avenue, from 42nd to 59th streets, shows the problem of older properties in stark terms. While New York leasing demand has bounced back toward pre-pandemic levels, the corridor has 29% of office space available for tenants, nearly double the amount four years ago and above the city's overall rate of 19%, according to research from brokerage firm Savills. "There's no easy fix for landlords, who rely on rental income to pay down debt," notes the report. "Some cities are exploring options to turn downtown offices to residential buildings: Calgary, for instance, has an incentive program for such redevelopments. While New York has had some conversions, the hefty costs and zoning and architectural restrictions make it a difficult proposition."

An anonymous reader shares a report: Are smartphones ever entirely secure? It depends on one's definition of "secure," particularly when dealing with corporate environments. Most companies with bring-your-own-device policies install apps or agents on workers' smartphones to help secure them, leveraging the management capabilities built into operating systems like Android and iOS. But those might not be sufficient. That's what Cloudflare argues, anyway, in the pitch for the new services it's launching this week. Today, the company announced Zero Trust SIM and Zero Trust for Mobile Operators, two product offerings targeting smartphone users, the companies securing corporate phones and the carriers selling data services. Let's start with Zero Trust SIM. Designed to secure all data packets leaving a smartphone, Zero Trust SIM -- once launched in the U.S. (to start) -- will be available as an eSIM deployable via existing mobile device management platforms to both iOS and Android devices. It'll be locked to a specific device, mitigating the risk of SIM-swapping attacks, and usable either in a standalone configuration or in tandem with Cloudflare's mobile agent, WARP.

In a recent email interview, Cloudflare CTO John Graham-Cumming made the case that Zero Trust SIM can accomplish what VPNs and other secure layers can't: cell-level protection. A SIM card can act as another security factor, and -- in combination with hardware keys -- make it nearly impossible to impersonate an employee, he argued. "Zero Trust SIM provides defense in depth. A VPN layer is one of those components, but doesn't remove the need to still deploy cellular connectivity across all of your mobile devices today, and traditional 'AnyConnect-style' VPNs do nothing to stop attackers moving laterally once they're inside the VPN," Graham-Cumming said. "We continue to see organizations breached due to challenges securing their applications and networks, and what was once a real-estate budget is quickly becoming a 'secure my remote and distributed workforce' budget from an IT security perspective." Specifically, Graham-Cumming said that Zero Trust SIM will enable Cloudflare to rewrite DNS requests leaving a device to instead use Cloudflare Gateway for DNS filtering.

New submitter cj9er writes: Considering all the privacy issues in today's online climate (all the issues with Meta right now), what is the best high-end smartphone to select?

Apple: No way they don't sell your data... Sure, they have privacy for third-party apps, but what about the data they collect from the phone itself? Consider what the revenue is on a single smartphone (say $150), how do you think they have all that cash on hand?

Google: Yeah right, Pixel is probably collecting [data] 24/7 considering their main business is selling ads on Search. They have developed the Pixel line because they probably realized they were missing out on the direct collection of data from their own hardware (cut out the middle players using Android).

Samsung: Their TVs even collect and sell data on you. I don't really understand the price premium on Galaxy phones anyways.

I have kept my data and Wi-Fi turned off on my phones for years. Initially it was for battery reasons but now add in data collection. Ultimately, if we could turn off the GPS feature at will on our phones, maybe we could prevent all tracking (except for cellular triangulation). If we then think about safety, GPS is great and now with satellite-tracking on Apple phones, even better. But then what is going on behind the scenes 99.99% of the rest of the time when you don't require those options for safety reasons?

What phone manufacturer can be trusted?

AmiMoJo shares a report from Neowin: Anti-malware solutions maker Malwarebytes has recently uncovered a campaign which is serving tech support scams via malicious ads in Microsoft Edge's 'My Feed' section. They provided an image that shows a screenshot of a malvertising campaign where a fake browser locker page is displayed to dupe potential victims. The adware is smart in the way it operates as Malwarebytes has found that the malicious ad banner redirects only potential targets to the tech support scam page. Meanwhile bots, VPNs and geo-locations are shown the actual ad page powered by the Taboola ad network. The firm notes that the differentiation is made with a help of a base64-encoded JavaScript string.

In the span of just 24 hours, Malwarebytes managed to collect over 200 different hostnames. Somewhat unsurprisingly perhaps, one of the associated domains is linked to an individual who appears to be the director of a software company operating in Delhi, India. You can find more details about this malvertising campaign on Malwarebytes' blog post about the topic.

Corporate employees at Amazon got emails about promotions and raises. Then they got emails saying the raises weren't quite what they thought. From a report: A one-time bonus that was part of their compensation package had been miscalculated due to a software error and would be lower than what they had been told, according to an email sent on Thursday and viewed by Insider. The bonuses had initially been calculated using older, higher stock prices, according to Insider, and about 40% of promoted employees this quarter were affected by the error.

"We identified and immediately corrected an issue with some newly promoted employees' compensation communications," an Amazon spokesperson told Fortune. We are working with employees to ensure they understand their updated compensation." Compensation has been a major issue across the tech sector this year as a strong labor market heats up competition for workers. Earlier this year, Amazon announced its plan to double its maximum base salary to $350,000 to attract talent, something that workers at Google cited after the company's annual internal survey revealed their dissatisfaction with pay.

Police in the UK have arrested a 17-year-old suspected hacker. Reports suggest the arrest is connected to the Rockstar Games hack that led to a major Grand Theft Auto VI leak. The individual may have been involved with an intrusion on Uber as well. From a report: According to journalist Matthew Keys' sources, the arrest is the result of an investigation involving the City of London Police, the UK's National Cyber Crime Unit and the FBI. Keys noted that the police and/or the FBI will reveal more details about the arrest later today. The City of London Police told Engadget it had "no further information to share at this stage."

The GTA VI leak is unquestionably one of the biggest in video game history. Last weekend, the hacker shared a trove of footage from a test build of the game, which is one of the most hotly anticipated titles around. Rockstar, which tends to keep a tight lid on its development process, confirmed on Monday that the leak was legitimate. It said the incident won't impact work on the game and that it will "properly introduce" fans to the next title in the blockbuster series once it's ready.

Australia's second-largest telecommunications company, Optus, has reported a cyber-attack. The breach exposed customers' names, dates of birth, phone numbers and email addresses. From a report: The company - which has more than ten million subscribers - says it has shut down the attack but not before other details such as driver's licences and passport numbers were hacked. Optus says payment data and account passwords were not compromised. The company said it would notify those at "heightened risk" but all customers should check their accounts. Chief executive Kelly Bayer Rosmarin apologised to its customers, on ABC TV. She said names, dates of birth and contact details had been accessed, "in some cases" the driving licence number, and in "a rare number of cases the passport and the mailing address" had also been exposed. The company had notified the Australian Federal Police after noticing "unusual activity." And investigators were trying "to understand who has been accessing the data and for what purpose."

Weeks after Twitter's ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn't close all of a user's active logged-in sessions on Android and iOS after an account's password was reset. From a report: This issue could have implications for those who had reset their password because they believed their Twitter account could be at risk, perhaps because of a lost or stolen device, for instance. Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user's Twitter account. In a blog post, Twitter explains that it had learned of the bug that had allowed "some" accounts to stay logged in on multiple devices after a user reset their password voluntarily. Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked -- but that didn't take place on mobile devices, Twitter says. Web sessions, however, were not impacted and were closed appropriately, it noted.

A listing on a popular hacker forum offers 350 million Ask.FM user records for sale in what might be one of the biggest breaches of all time. Cybernews reports: The listing allegedly includes 350 million Ask.FM user records, with the threat actor also offering 607 repositories plus their Gitlab, Jira, and Confluence databases. Ask.FM is a question and answer network launched in June 2010, with over 215 million registered users. The posting also includes a list of repositories, sample git, and sample user data, as well as mentions of the fields in the database: user_id, username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid. It appears that Ask.FM is using the weak hashing algorithm SHA1 for passwords, putting them at risk of being cracked and exposed to threat actors.

In response to DataBreaches, the user who posted the database -- Data -- explained that initial access was gained via a vulnerability in Safety Center. The server was first accessed in 2019, and the database was obtained on 2020-03-14. Data also suggested that Ask.FM knew about the breach as early as back in 2020. While the breach has not been confirmed, the seller called "Data" says he will "vouch all day and night for" listed user data from Ask.FM (ASKfm), the social networking site. "I'm selling the users database of Ask.fm and ask.com," Data wrote. "For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases."

An anonymous reader quotes a report from the Washington Post: A new estimate for the total number of ants burrowing and buzzing on Earth comes to a whopping total of nearly 20 quadrillion individuals. That staggering sum -- 20,000,000,000,000,000, or 20,000 trillion -- reveals ants' astonishing ubiquity even as scientists grow concerned a possible mass die off of insects could upend ecosystems. In a paper released Monday by the Proceedings of the National Academy of Sciences, a group of scientists from the University of Hong Kong analyzed 489 studies and concluded that the total mass of ants on Earth weighs in at about 12 megatons of dry carbon. Put another way: If all the ants were plucked from the ground and put on a scale, they would outweigh all the wild birds and mammals put together.

"It's unimaginable," said Patrick Schultheiss, a lead author on the study who is now a researcher at the University of Wurzburg in Germany, in a Zoom interview. "We simply cannot imagine 20 quadrillion ants in one pile, for example. It just doesn't work." Counting all those insects -- or at least enough of them to come up with a sound estimate -- involved combining data from "thousands of authors in many different countries" over the span of a century, Schultheiss added. To tally insects as abundant as ants, there are two ways to do it: Get down on the ground to sample leaf litter -- or set tiny pitfall traps (often just a plastic cup) and wait for the ants to slip in. Researchers have gotten their boots dirty with surveys in nearly every corner of the world, though some spots in Africa and Asia lack data. "It's a truly global effort that goes into these numbers," Schultheiss said.

Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a 'Show Password' button is pressed, which converts the password into visible text, which is then checked. The key issue resolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.

Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed 'spell-jacking'. What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.

Uber said on Monday a hacker affiliated with the Lapsus$ hacking group was responsible for a cyber attack that forced the ride-hailing company to shut several internal communications temporarily last week. From a report: Uber said the attacker had not accessed any user accounts and the databases that store sensitive user information such as credit card numbers, bank account or trip details. "The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact," Uber said, adding that investigation was still ongoing. The company said it was in close coordination with the FBI and the U.S. Department of Justice on the matter. Friday's cybersecurity incident had brought down Uber's internal communication system for a while and employees were restricted to use Salesforce-owned office messaging app Slack. Uber said the attacker logged in to a contractor's Uber account after they accepted a two-factor login approval request following multiple requests, giving the hacker access to several employee accounts and tools such as G-Suite and Slack.

ArsTechnica reports: The head of Kiwi Farms said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users. On the site, creator Joshua Moon wrote: "The forum was hacked. You should assume the following. Assume your password for the Kiwi Farms has been stolen. Assume your email has been leaked. Assume any IP you've used on your Kiwi Farms account in the last month has been leaked."

Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after uploading malicious content to XenForo, a site Kiwi Farms uses to power its user forums.

mspohr writes: A major bug in Apple's latest iPhone is causing the camera to physically fail when using apps such as TikTok, Snapchat and Instagram, some owners have reported. The bug in the company's iPhone 14 Pro Max, the most expensive model in the iPhone 14 range, appears to affect the optical image stabilisation (OIS) feature, which uses a motor to eliminate the effects of camera shake when taking pictures. Opening the camera in certain apps causes the OIS motor to go haywire, causing audible grinding sounds and physically vibrating the entire phone. The vibration does not occur when using the built-in camera app, suggesting the problem's roots are in a software fault. However, some have warned affected users to limit their usage of apps that trigger the bug, in case excess vibration causes permanent damage to the OIS system. The company has previously warned users about potential damage to the OIS motor, particularly in situations where their phones are experiencing significant vibration. In January this year, the company published a long warning note for users about the risk of mounting their iPhones near "high-power motorcycle engines."