Cellphones

Homeland Security Records Show 'Shocking' Use of Phone Data, ACLU Says (politico.com) 47

An anonymous reader quotes a report from Politico: The Trump administration's immigration enforcers used mobile location data to track people's movements on a larger scale than previously known, according to documents that raise new questions about federal agencies' efforts to get around restrictions on warrantless searches. The data, harvested from apps on hundreds of millions of phones, allowed the Department of Homeland Security to obtain data on more than 336,000 location data points across North America, the documents show. Those data points may reference only a small portion of the information that CBP has obtained.

These data points came from all over the continent, including in major cities like Los Angeles, New York, Chicago, Denver, Toronto and Mexico City. This location data use has continued into the Biden administration, as Customs and Border Protection renewed a contract for $20,000 into September 2021, and Immigration and Customs Enforcement signed another contract in November 2021 that lasts until June 2023. The American Civil Liberties Union obtained the records from DHS through a lawsuit it filed in 2020. It provided the documents to POLITICO and separately released them to the public on Monday.

The documents highlight conversations and contracts between federal agencies and the surveillance companies Babel Street and Venntel. Venntel alone boasts that its database includes location information from more than 250 million devices. The documents also show agency staff having internal conversations about privacy concerns on using phone location data. In just three days in 2018, the documents show that the CBP collected data from more than 113,000 locations from phones in the Southwestern United States -- equivalent to more than 26 data points per minute -- without obtaining a warrant. The documents highlight the massive scale of location data that government agencies including CBP and ICE received, and how the agencies sought to take advantage of the mobile advertising industry's treasure trove of data.
"It was definitely a shocking amount," said Shreya Tewari, the Brennan fellow for the ACLU's Speech, Privacy and Technology Project. "It was a really detailed picture of how they can zero in on not only a specific geographic area, but also a time period, and how much they're collecting and how quickly."
Microsoft

Canceled Mid-Range Surface Duo Leaks With Dual-Camera Array and Plastic Exterior (windowscentral.com) 12

Images of a canceled mid-range version of the Surface Duo have appeared online thanks to an archived eBay listing. Dubbed as a Surface Duo 2 "dev unit" on eBay.com, the listing (which has since been deleted) provides us with a first look at what appears to be a "lite" version of the Surface Duo 2. From a report: The images reveal the device to have a smaller camera bump, slightly more rounded external design with a matte finish, and flat displays similar to the Surface Duo 1. Unfortunately, the eBay listing provides no details other than images of the handset. I had come across the eBay listing last month but was unsure if it was legitimate. By the time I was able to verify, the device had been sold to an unknown buyer and the listing was removed. I've since been able to confirm that the listing and device were indeed real.
Businesses

Hybrid Work Makes Amazon, Meta, Others Reevaluate Office Expansion Plans (reuters.com) 68

Reuters reports: Amazon.com Inc is pausing the construction of six new office buildings in Bellevue and Nashville to reevaluate the designs to suit hybrid work, the tech giant said on Friday... "The pandemic has significantly changed the way people work ... Our offices are long-term investments and we want to make sure that we design them in a way that meets our employees' needs in the future," said John Schoettler, vice president of Global Real Estate and Facilities at Amazon.

Separately, Bloomberg News reported on Friday that Facebook parent Meta Platforms and Amazon have pulled back on their office expansion plans in New York City.... "The past few years have brought new possibilities around the ways we connect and work," a Meta spokesperson told Reuters without confirming or denying the report.

Various news sites seem to have different pieces of the story. On Hawaii's most populous island Oahu, the office vacancy rate is now 14% — the highest level ever recorded.

And this week a tech founder admitted in Fast Company that after converting to a hybrid company, "we're just as productive as we were before the pandemic (if not more so). Our engineering team's engagement has remained strong, and we've actually seen a boost in retention since the transition to hybrid work....

"Our transition from in-person, to remote, and now to hybrid work has reinforced the value of staying open-minded to innovation not just in our products, but also in how we work."
IT

How One Company Survived a Ransomware Attack Without Paying the Ransom (esecurityplanet.com) 60

Slashdot reader storagedude writes: The first signs of the ransomware attack at data storage vendor Spectra Logic were reports from a number of IT staffers about little things going wrong at the beginning of the day. Matters steadily worsened within a very short time and signs of a breach became apparent. Screens then started to display a ransom demand, which said files had been encrypted by the NetWalker ransomware virus. The ransom demand was $3.6 million, to be paid in bitcoin within five days.

Tony Mendoza, Senior Director of Enterprise Business Solutions at Spectra Logic, laid out the details of the attack at the annual Fujifilm Recording Media USA Conference in San Diego late last month, as reported by eSecurity Planet.

"We unplugged systems, as the virus was spreading faster than we could investigate," Mendoza told conference attendees. "As we didn't have a comprehensive cybersecurity plan in place, the attack brought the entire business to its knees."

To make matters worse, the backup server had also been wiped out, but with the help of recovery specialist Ankura, uncorrupted snapshots and [offline] tape backups helped the company get back online in days, although full recovery took a month.

"We were able to restore everything and paid nothing," said Mendoza. "Other than a few files, all data was recovered."

The attack, which started from a successful phishing attempt, "took us almost a month to fully recover and get over the ransomware pain," said Mendoza.

IT

71 US Cities Are Now Paying Tech Workers to Abandon Silicon Valley. And It's Working (livemint.com) 76

"A growing number of cities and towns all over the U.S. are handing out cash grants and other perks aimed at drawing skilled employees of faraway companies to live there and work remotely," reports the Wall Street Journal: A handful of such programs have existed for years, but they have started gaining traction during the pandemic — and have really taken off in just the past year or so. Back in October there were at least 24 such programs in the U.S. Today there are 71, according to the Indianapolis-based company MakeMyMove, which is contracted by cities and towns to set up such programs.

Because these programs specifically target remote workers who have high wages, a disproportionate share of those who are taking advantage of them work in tech — and especially for big tech companies. Companies whose employees have participated in one remote worker incentive program in Tulsa, Oklahoma, include Adobe, Airbnb, Amazon, Apple, Dell, Facebook parent Meta Platforms, Google, IBM, Microsoft, Lyft, Netflix, Oracle and Siemens, according to a spokeswoman for the organization.

Local governments are offering people willing to move up to $12,000 in cash, along with subsidized gym memberships, free babysitting and office space....

A skeptic might ask why local economic development programs are spending funds to subsidize the lives of people who work for some of the most valuable companies in the world. On the other hand, because these remote workers aren't coming to town seeking local jobs, an argument can be made that they constitute a novel kind of stimulus program for parts of the country that have been left out of the tech boom — courtesy of big tech companies... Every remote worker these places successfully attract and retain is like gaining a fraction of a new factory or corporate office, with much less expenditure and risk, argues Mark Muro, who studies cities and labor at the Brookings Institution.

The reporter interviewed an Amazon engineer who moved to Greensburg, Indiana (population: 12,193), and Meta worker David Gora, who moved to Tulsa, Oklahoma and praises its relocation program's sense of mission, possibility, and community. "Even with the pay cuts that Meta has imposed on workers who relocate to areas with a lower cost of living, Mr. Gora is saving a lot more money and has a much higher quality of life than before, he adds."

Tulsa's program is unique in that it's funded by a philanthropic organization rather than a local economic-development budget, the article points out. But it adds that "a study conducted by the Economic Innovation Group and commissioned by Tulsa Remote concluded that for every two people the program brings to the city, one new job is created." By contrast, when an office moves to a town, every new high-wage tech job creates an estimated five more jobs in sectors including healthcare, education and service, according to research by economist Enrico Moretti. That's because those deals involve not only people but the money that goes into building and maintaining facilities, paying commercial property taxes and more.

Still, for towns that don't have the budget to attract a whole office or factory, the modest impact of bringing in a handful of remote tech workers can be balanced by the much smaller investment required to attract them.

IT

Newest Remote Working Trend: Nobody Wants to Be in the Office on Fridays (msn.com) 121

The Washington Post reports on a "widely adopted, even codified" trend in recent months: people aren't coming in to their offices on Friday.

"The drop-off in office work, particularly on Fridays, has led coffee shops to reduce their hours, delis to rethink staffing and bars like Pat's Tap in Minneapolis to kick off happy hour earlier than ever — starting at 2 p.m." Just 30 percent of office workers swiped into work on Fridays in June, the least of any weekday, according to Kastle Systems, which provides building security services for 2,600 buildings nationwide. That's compared to 41 percent on Mondays, the day with the second-lowest turnout, and 50 percent on Tuesdays, when the biggest share of workers are in the office.

"It's becoming a bit of cultural norm: You know nobody else is going to the office on Friday, so maybe you'll work from home, too," said Peter Cappelli, director of the Center for Human Resources at the University of Pennsylvania's Wharton School. "Even before the pandemic, people thought of Friday as a kind of blowoff day. And now there's a growing expectation that you can work from home to jump-start your weekend...."

Some start-ups and tech firms have begun doing away with Fridays altogether. Crowdfunding platform Kickstarter and online consignment shop ThredUp are among a small but growing number of firms moving to a four-day workweek that runs from Monday to Thursday. Executives at Bolt, a checkout technology company in San Francisco, began experimenting with no-work Fridays last summer and quickly realized they'd hit a winning formula. Employees were more productive than before, and came back to work on Mondays with new enthusiasm. In January, it switched to a four-day workweek for good.

"Managers were onboard, people kept hitting their goals," Bolt's head of employee experience tells the Post. "And they come back on Mondays energized and more engaged."

An adviser at the Society of Human Resource Management tells the Post that employers are trying new inducements to get people to return to offices on Fridays. "If you feed them, they will come. Food trucks, special catered events, ice cream socials, that's what's popular right now." And the Post adds that other employers have also tried wine carts, costume contests and karaoke sing-offs — "all aimed at getting workers to give up their couches for cubicles."
IT

Doom Hacker Gets Doom Running in Doom (pcgamer.com) 30

An anonymous reader shares a report: Getting Doom to run on things that were never meant to run Doom is something of a cottage industry among a die-hard subset of PC hackers and coders. Your motherboard's BIOS, a bunch of old potatoes, a Lego brick, a home pregnancy test: The list goes on and on. But YouTuber and Doomworld community member kgsws has set a new standard for, well, something with this brilliant bit of techno-recursion: Doom running in Doom.

The full explanation for how it works gets technical but what it comes down to is an exploit that enables code execution within the game itself. That's why this bit of trickery only works with the original DOS-based Doom 2, and not any of the more modern ports like GZDoom, which lack the exploit. (That's not convenient for this project but it's a good thing overall, kgsws noted: "People would abuse it to spread malicious code.")

Operating Systems

Google's Chrome OS Flex is Now Available for Old PCs and Macs (theverge.com) 60

Google is releasing Chrome OS Flex today, a new version of Chrome OS that's designed for businesses and schools to install and run on old PCs and Macs. From a report: Google first started testing Chrome OS Flex earlier this year in an early access preview, and the company has now resolved 600 bugs to roll out Flex to businesses and schools today. Chrome OS Flex is designed primarily for businesses running old Windows PCs, as Google has been testing and verifying devices from Acer, Asus, Dell, HP, Lenovo, LG, Toshiba, and many more OEMs. Flex will even run on some old Macs, including some 10-year-old MacBooks. The support of old hardware is the big selling point of Chrome OS Flex, as businesses don't have to ditch existing hardware to get the latest modern operating system. More than 400 devices are certified to work, and installation is as easy as using a USB drive to install Chrome OS Flex.
Twitter

Twitter Outage Hits Thousands, Downdetector Reports (bloomberg.com) 46

Twitter faced a brief outage on Thursday, leaving thousands of users without service for about an hour. From a report: At the peak, at 8:20 a.m. in New York, 54,582 users reported problems on Downdetector.com, an outage tracking platform. Twitter's website displayed an error message and prompted users to reload the page. It wasn't immediately clear what caused the outage. A message on Twitter's support account posted at 9:10 a.m. said: "Some of you are having issues accessing Twitter and we're working to get it back up and running for everyone. Thanks for sticking with us." By 9:16 a.m., about 1,600 users reported they were still having trouble. The last time Twitter faced an outage was in February, when the site crashed due to a "technical bug" on the page. In its early days, Twitter was famous for crashing amid high traffic, leading to the iconic "fail whale" image that popped up when service was down.
Security

Lenovo Patches UEFI Code Execution Vulnerability Affecting More Than 70 Laptop Models (securityweek.com) 20

Lenovo has released a security advisory to inform customers that more than 70 of its laptops are affected by a UEFI/BIOS vulnerability that can lead to arbitrary code execution. SecurityWeek reports: Researchers at cybersecurity firm ESET discovered a total of three buffer overflow vulnerabilities that can allow an attacker with local privileges on affected Lenovo devices to execute arbitrary code. However, Lenovo says only one of the vulnerabilities (CVE-2022-1892) impacts all devices, while the other two impact only a handful of laptops. "The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," ESET explained. "These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call," it added.
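The two-call GetVariable pattern ESET describes (first call to learn the size, second call to fetch the data) is a classic place for this bug class. The following is an added illustration, not ESET's, Lenovo's or EDK2's code: a mock of GetVariable's size-negotiation convention, a simulated stack frame with a canary after the fixed-size Data buffer, and the caller written twice, once passing the learned (attacker-influenced) size into the second call and once passing the buffer's real capacity. The mock drops the real API's name and GUID parameters, the canary stands in for whatever follows the buffer on a real stack, and the variable contents are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock of the UEFI GetVariable size convention (illustration only, not the
 * real Runtime Services entry point): on entry *data_size is the caller's
 * buffer capacity. If the stored variable is larger, the call returns
 * EFI_BUFFER_TOO_SMALL and writes the needed size into *data_size; otherwise
 * it copies the variable into data. */
typedef enum { EFI_SUCCESS = 0, EFI_BUFFER_TOO_SMALL = 5 } efi_status_t;

static const uint8_t *g_nvram_data;   /* the stored NVRAM variable (constructed) */
static size_t g_nvram_size;

static efi_status_t mock_get_variable(size_t *data_size, void *data) {
    if (*data_size < g_nvram_size) {
        *data_size = g_nvram_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    *data_size = g_nvram_size;
    if (g_nvram_size) memcpy(data, g_nvram_data, g_nvram_size);
    return EFI_SUCCESS;
}

#define BUF_SIZE    64   /* the caller's fixed-size Data buffer */
#define CANARY_SIZE 8    /* simulated bytes that live after it on the stack */
#define FRAME_SIZE  (BUF_SIZE + CANARY_SIZE)

typedef enum { READ_OK, READ_REJECTED, FRAME_CORRUPTED } outcome_t;

/* The demo keeps itself memory-safe: the variable is clamped to the simulated
 * frame, so the "overflow" lands on the canary and nowhere else. */
static void install_variable(uint8_t *storage, size_t *var_size) {
    if (*var_size > FRAME_SIZE) *var_size = FRAME_SIZE;
    memset(storage, 0xAA, *var_size);
    g_nvram_data = storage;
    g_nvram_size = *var_size;
}

static bool canary_intact(const uint8_t *frame) {
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (frame[BUF_SIZE + i] != 0x5A) return false;
    return true;
}

/* Vulnerable shape: the size learned from the first call is handed straight
 * to the second call, but the buffer is still BUF_SIZE bytes. A variable
 * longer than BUF_SIZE is copied past the buffer's end. */
static outcome_t read_variable_vulnerable(size_t var_size) {
    uint8_t storage[FRAME_SIZE];
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0x5A, sizeof frame);
    install_variable(storage, &var_size);

    size_t data_size = 0;
    if (mock_get_variable(&data_size, NULL) == EFI_BUFFER_TOO_SMALL) {
        /* BUG: data_size is now the variable's stored length, which whoever
         * can write NVRAM controls; it is never checked against BUF_SIZE. */
        mock_get_variable(&data_size, frame);
    }
    return canary_intact(frame) ? READ_OK : FRAME_CORRUPTED;
}

/* Hardened shape: DataSize passed into the copying call is the capacity of
 * the buffer the caller actually owns, and EFI_BUFFER_TOO_SMALL is treated
 * as "this variable is not trustworthy", not as a prompt to pass a bigger
 * number. A post-check on the returned size guards a misbehaving service. */
static outcome_t read_variable_hardened(size_t var_size) {
    uint8_t storage[FRAME_SIZE];
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0x5A, sizeof frame);
    install_variable(storage, &var_size);

    size_t data_size = BUF_SIZE;
    efi_status_t st = mock_get_variable(&data_size, frame);
    if (st != EFI_SUCCESS || data_size > BUF_SIZE)
        return canary_intact(frame) ? READ_REJECTED : FRAME_CORRUPTED;
    return canary_intact(frame) ? READ_OK : FRAME_CORRUPTED;
}

int main(void) {
    static const char *names[] = { "READ_OK", "READ_REJECTED", "FRAME_CORRUPTED" };
    printf("vulnerable, 16-byte variable: %s\n", names[read_variable_vulnerable(16)]);
    printf("vulnerable, 72-byte variable: %s\n", names[read_variable_vulnerable(72)]);
    printf("hardened,   16-byte variable: %s\n", names[read_variable_hardened(16)]);
    printf("hardened,   72-byte variable: %s\n", names[read_variable_hardened(72)]);
    return 0;
}
```

The point to carry back to real firmware review: any size that a GetVariable call hands back describes data that lives in writable NVRAM, so it has to be bounded by the receiving buffer before the copying call, and a variable that does not fit should be rejected rather than accommodated.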

Lenovo has also informed customers about Retbleed, a new speculative execution attack impacting devices with Intel and AMD processors. The company has also issued an advisory for a couple of vulnerabilities affecting many products that use the XClarity Controller server management engine. These flaws can allow authenticated users to cause a DoS condition or make unauthorized connections to internal services.

Security

Elden Ring Gaming Giant Bandai Namco Says Hackers May Have Stolen Customer Data (techcrunch.com) 7

Bandai Namco, the Japanese video game publisher behind titles including Pac-Man, Tekken and Elden Ring, has admitted that hackers accessed its systems and potentially made off with customer data. TechCrunch reports: In a statement shared with TechCrunch, Bandai Namco said it detected "unauthorized access" to its systems by a third party on July 3, adding that it has since taken measures, such as blocking access to the affected servers, to "prevent the damage from spreading." The confirmation comes days after the Alphv ransomware gang, also known as BlackCat, added the Japanese company to its dark web leak site. Bandai Namco declined to elaborate on the nature of the cyberattack or how hackers were able to access its systems, but warned customer data may have been stolen, all but confirming that it was hit by ransomware.

"There is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage [sic], scope of the damage and investigating the cause," Bandai Namco said. The Alphv ransomware group -- believed to be the latest incarnation of the DarkSide ransomware gang responsible for the Colonial Pipeline attack -- has threatened that the stolen data will be released "soon," but no exact deadline has been given. Bandai Namco declined to say whether it had been given a ransom demand.
"We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate," Bandai Namco added. "We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence. We offer our sincerest apologies to everyone involved for any complications or concerns caused by this incident."
Spam

Gmail Users 'Hard Pass' On Plan To Let Political Emails Bypass Spam Filters (arstechnica.com) 62

An anonymous reader quotes a report from Ars Technica: Earlier this month, Google sent a request (PDF) to the Federal Election Commission seeking an advisory opinion on the potential launch of a pilot program that would allow political committees to bypass spam filters and instead deliver political emails to the primary inboxes of Gmail users. During a public commenting period that's still ongoing, most people commenting have expressed staunch opposition for various reasons that they're hoping the FEC will consider. "Hard pass," wrote a commenter called Katie H. "Please do not allow Google to open up Pandora's Box on the people by allowing campaign/political emails to bypass spam filters."

Out of 48 comments submitted (PDF) as of July 11, only two commenters voiced support for Google's pilot program, which seeks to deliver more unsolicited political emails to Gmail users instead of marking them as spam. The rest of the commenters opposed the program, raising a range of concerns, including the potential for the policy to degrade user experience, introduce security risks, and even possibly unfairly influence future elections. Business Insider reported that the period for public commenting ends on Saturday, July 16, which is longer than what was shared in conflicting reports that said the initial deadline to comment was July 11. That means there's still time for more Gmail users and interested parties to chime in.
"For some opposing commenters, it's about rejecting unnecessary strains on the Gmail user experience," adds Ars. "In short: People don't want emails coming to their inbox that they did not sign up for."

"Other commenters were more concerned over a perceived government overreach." There were also commenters that said the move could introduce security risks, influence elections, and make Gmail more vulnerable to "emotionally charged" messaging that they never signed up for.
IT

System76's Launch Lite Keyboard Ditches the USB Hub In Favor of a Smaller Form Factor (betanews.com) 27

An anonymous reader shares a report: System76's "Launch" keyboard has been wildly popular with the Linux community thanks to its open source firmware, ability to be customized, and excellent build quality (it's made in the USA). The Launch keyboard uses a USB-C connector to interface with the host computer, but you can utilize either a USB-C to USB-C or USB-C to USB-A cable to connect it -- depending on what ports you have available. Launch even serves double-duty as a USB hub, allowing you to plug USB devices directly into it. System76's Launch keyboard is already tenkeyless and rather small, but apparently, there has been a desire for an even smaller offering. And so, tomorrow, the company will begin selling exactly that. Called "Launch Lite," the $199 variant is a very similar keyboard to the regular Launch, but in a smaller form factor and with fewer keys. System76 is also launching silent brown and silent pink switch options. Unfortunately, the reduced footprint means the USB hub feature found on the standard Launch is not included on the Lite.
Security

Almost Everyone Faced an Industrial Attack in the Last Year (csoonline.com) 9

A report commissioned by cloud security company Barracuda found that 94% of respondents have experienced some form of attack on their industrial IoT (IIoT) or operational technology (OT) systems during the last 12 months. From a report: The State of Industrial Security in 2022 report surveyed 800 senior IT and security officers responsible for these industrial systems. "In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk," said Tim Jefferson, senior vice president for data protection, network, and application security at Barracuda, in a statement accompanying the report.

Recent attacks, such as those delivered through the SolarWinds compromise and the Russian DDoS attack on Lithuania last month, have raised concerns over nation-state-backed attacks on industrial systems. As a result, the survey found that 89% of the respondents are very or fairly concerned about the current geopolitical situation. Constellation Research analyst Liz Miller acknowledged that "the Russian invasion of Ukraine set the world on high alert as it anticipated vulnerabilities in IIoT devices becoming prime targets should the battle enter the cyberspace."

AMD

New Working Speculative Execution Attack Sends Intel and AMD Scrambling (arstechnica.com) 66

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability. Ars Technica reports: Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which was introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they're about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled. [...] The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations. [...] Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don't have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place. "Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date," Intel wrote in a blog post. "Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment." AMD, meanwhile, has also published guidance. "As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks," a spokesman wrote in an email. The company has also published a whitepaper.

[Researcher Kaveh Razavi added:] "Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs." The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD and be sure to follow the mitigation guidance.

Security

X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities (phoronix.com) 24

Getting things started for this "Patch Tuesday" is the disclosure of two new X.Org Server vulnerabilities. Phoronix reports: These issues, affecting out-of-bounds accesses within the X.Org Server, can lead to local privilege elevation on systems where the X.Org Server is running privileged, and to remote code execution for SSH X forwarding sessions.

CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server's Xkb keyboard extension not properly validating input, which could lead to out-of-bounds memory writes. Fixes for these XKB vulnerabilities have been committed to X.Org Server Git, and an xorg-server 21.1.4 point release is expected soon with these fixes. Both vulnerabilities were discovered by Trend Micro's Zero Day Initiative.

Security

PyPI Is Rolling Out 2FA For Critical Projects, Giving Away 4,000 Security Keys (zdnet.com) 19

PyPI, or the Python Package Index, is giving away 4,000 Google Titan security keys as part of its move to mandatory two-factor authentication (2FA) for critical projects built in the Python programming language. ZDNet reports: PyPI, which is managed by the Python Software Foundation, is the main repository where Python developers can get third-party developed open-source packages for their projects. [...] One way developers can protect themselves from stolen credentials is by using two-factor authentication, and the PSF is now making it mandatory for developers behind "critical projects" to use 2FA in coming months. PyPI hasn't declared a specific date for the requirement. "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," the PSF said on its PyPI Twitter account.

As part of the security drive, it is giving away 4,000 Google Titan hardware security keys to project maintainers, gifted by Google's open source security team. "In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months," PSF said in a statement. "To ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers."

PSF says it deems any project in the top 1% of downloads over the prior six months as critical. Presently, there are more than 350,000 projects on PyPI, meaning that more than 3,500 projects are rated as critical. PyPI calculates this on a daily basis so the Titan giveaway should go a long way to cover a chunk of key maintainers but not all of them. In the name of transparency, PyPI is also publishing 2FA account metrics here. There are currently 28,336 users with 2FA enabled, with nearly 27,000 of them using a 2FA app like Microsoft Authenticator. There are over 3,800 projects rated as "critical" and 8,241 PyPI users in this group. The critical group is also likely to grow since projects that have been designated as critical remain so indefinitely while new projects are added to mandatory 2FA over time. The 2FA rule applies to both project maintainers and owners.

Transportation

Hackers Uncover Ways To Unlock and Start Nearly All Modern Honda-Branded Vehicles (thedrive.com) 40

An anonymous reader quotes a report from The Drive: Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner's key fob. Dubbed "Rolling Pwn," the attack allows any individual to "eavesdrop" on a remote key fob from nearly 100 feet away and reuse the codes later to unlock or start the vehicle without the owner's knowledge. Despite Honda's dispute that the technology in its key fobs "would not allow the vulnerability," The Drive has independently confirmed the validity of the attack with its own demonstration.

Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle. The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a "window." When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks. This attack works by eavesdropping on a paired key fob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.
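The window, the invalidation of older codes, and the re-sync path described above can be modelled in a few dozen lines. The following is an added illustration, not Honda's implementation or code from The Drive: a keyed counter-based code generator standing in for the PRNG, a receiver that accepts only the next WINDOW counters and advances on every accepted code, and a re-sync path that accepts two consecutive codes outside the window. The receiver is written with a switch between two designs: the weak one lets a consecutive pair re-seat the counter to an earlier value (which is what makes replaying a captured sequence work), while the hardened one only ever moves the counter forward. The key, the window size and the scenario of presses are all constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified rolling-code model (illustration, not any vehicle's real scheme).
 * Each fob press transmits code = keyed_mix(shared_key, counter). */

#define WINDOW        16      /* codes accepted without re-sync */
#define RESYNC_RANGE  65536   /* how far the re-sync search looks */

/* Toy keyed code generator built on the 32-bit murmur3 finalizer. For a fixed
 * key it is a bijection in counter, so distinct counters never collide. */
static uint32_t code_for(uint32_t key, uint32_t counter) {
    uint32_t x = key ^ (counter * 0x9E3779B9u);
    x ^= x >> 16; x *= 0x85EBCA6Bu;
    x ^= x >> 13; x *= 0xC2B2AE35u;
    x ^= x >> 16;
    return x;
}

typedef struct { uint32_t key; uint32_t counter; } fob_t;

typedef struct {
    uint32_t key;
    uint32_t counter;        /* counter of the newest code accepted so far */
    bool backward_resync;    /* true: weak design; false: hardened design */
    bool has_pending;        /* first half of a re-sync pair has been seen */
    uint32_t pending;        /* counter recovered from that first code */
} receiver_t;

static uint32_t fob_press(fob_t *f) { return code_for(f->key, ++f->counter); }

static bool receiver_accept(receiver_t *r, uint32_t code) {
    /* Normal path: the code must be one of the next WINDOW counters. */
    for (uint32_t c = r->counter + 1; c <= r->counter + WINDOW; c++) {
        if (code_for(r->key, c) == code) {
            r->counter = c;            /* newer code seen: all older codes are now invalid */
            r->has_pending = false;
            return true;
        }
    }
    /* Re-sync path: two consecutive codes outside the window re-seat the counter.
     * The weak design searches from counter 1, so a pair captured long ago still
     * matches; the hardened design searches only beyond the current window. */
    uint32_t lo = r->backward_resync ? 1 : r->counter + WINDOW + 1;
    uint32_t hi = r->counter + RESYNC_RANGE;
    for (uint32_t c = lo; c <= hi; c++) {
        if (code_for(r->key, c) != code) continue;
        if (r->has_pending && c == r->pending + 1) {
            r->counter = c;
            r->has_pending = false;
            return true;
        }
        r->pending = c;
        r->has_pending = true;
        return false;
    }
    r->has_pending = false;
    return false;
}

/* Constructed scenario: four presses are recorded while the fob is in range,
 * the owner keeps using the car (50 more presses), then the recording is
 * replayed. Returns true if the receiver accepted any replayed code. */
static bool replayed_codes_accepted(bool backward_resync) {
    const uint32_t key = 0xC0FFEE42u;                 /* constructed shared secret */
    fob_t fob = { key, 0 };
    receiver_t rx = { key, 0, backward_resync, false, 0 };
    uint32_t captured[4];
    for (int i = 0; i < 4; i++) {
        captured[i] = fob_press(&fob);
        receiver_accept(&rx, captured[i]);
    }
    for (int i = 0; i < 50; i++) receiver_accept(&rx, fob_press(&fob));
    bool accepted = false;
    for (int i = 0; i < 4; i++) accepted |= receiver_accept(&rx, captured[i]);
    return accepted;
}

/* Legitimate use that re-sync exists for: the fob is pressed 40 times out of
 * range, then twice in range. Both designs must accept the second press. */
static bool legit_resync_works(bool backward_resync) {
    const uint32_t key = 0xC0FFEE42u;
    fob_t fob = { key, 0 };
    receiver_t rx = { key, 0, backward_resync, false, 0 };
    for (int i = 0; i < 40; i++) fob_press(&fob);     /* never heard by the car */
    bool first = receiver_accept(&rx, fob_press(&fob));
    bool second = receiver_accept(&rx, fob_press(&fob));
    return !first && second && rx.counter == 42;
}

int main(void) {
    printf("weak design accepts replayed codes:     %s\n", replayed_codes_accepted(true) ? "yes" : "no");
    printf("hardened design accepts replayed codes: %s\n", replayed_codes_accepted(false) ? "yes" : "no");
    printf("hardened design still re-syncs a live fob: %s\n", legit_resync_works(false) ? "yes" : "no");
    return 0;
}
```

The property worth checking in any rolling-code receiver is the one the hardened variant enforces: no path, including re-sync, may ever move the accepted counter backwards. Once that holds, a captured code is dead the moment the owner presses the fob again, which is exactly the guarantee the article says the affected vehicles fail to deliver.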

[...] Contrary to Honda's claim, I independently confirmed the vulnerability by capturing and replaying a sequence of lock and unlock requests with my 2021 Honda Accord and a Software-Defined Radio. Despite being able to start and unlock the car, the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob. However, the fact that a bad actor can get this far is already a bad sign. At this time, the following vehicles may be affected by the vulnerability: 2012 Honda Civic, 2018 Honda X-RV, 2020 Honda C-RV, 2020 Honda Accord, 2021 Honda Accord, 2020 Honda Odyssey, 2021 Honda Inspire, 2022 Honda Fit, 2022 Honda Civic, 2022 Honda VE-1, and 2022 Honda Breeze. It's not yet clear if this affects any Acura-branded vehicles.

"[W]e've looked into past similar allegations and found them to lack substance," said a Honda spokesperson in a statement to The Drive. "While we don't yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."
Microsoft

Microsoft Still Plans To Block Office Macros By Default After Temporary Rollback (theverge.com) 25

Microsoft is still planning to block Visual Basic for Applications (VBA) macros by default in Office apps. From a report: The software giant rolled back planned changes last week, surprising IT admins who had been preparing for Microsoft to prevent Office users from easily enabling macros in Office files downloaded from the internet. The change, designed to improve security in Office, was supposed to go live in June before Microsoft suddenly reverted the block on June 30th. "Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," explains Kellie Eickmeyer, principal product manager at Microsoft, in a blog post update. "This is a temporary change, and we are fully committed to making the default change for all users."
Security

Experian, You Have Some Explaining To Do (krebsonsecurity.com) 60

Security reporter Brian Krebs: Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn't theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim's personal information and a different email address.

John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account. Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian's password reset process was useless at that point because any password reset links would be sent to the new (impostor's) email address. An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.
