Security

'Tough To Forge' Digital Driver's License is Easy To Forge (arstechnica.com) 87

An anonymous reader shares a report: In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.

Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn't require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system. "To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence," Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

Google

Google Brings Street View History To Phones, Introduces 'Street View Studio' (arstechnica.com) 4

Today is the 15th birthday of Google Maps Street View, Google's project to take ground-level, 360-degree photographs of the entire world. To celebrate, the company is rolling out a few new features. From a report: First up, Google is bringing historical Street View data to iOS and Android phones. The feature has long existed on desktop browsers, where you can click into Street View mode and then time travel through Google's image archives. When you tap on a place to see Street View imagery, a "see more dates" button will appear next to the current age of the photo, letting you browse all the photos for that area going back to 2007. Google says the feature will release "starting today on Android and iOS globally," though, like all Google product launches, it will take some time to fully roll out.

If you'd like to help Google with its plan to photograph the entire world, the company is launching "Street View Studio." Google calls this "a new platform with all the tools you need to publish 360 image sequences quickly and in bulk." The Street View app is still around for people who want to build a 360 photosphere from a regular smartphone camera, but Google imagines Street View Studio as a tool for people with consumer 360 cameras. Google has a store-style page that lists compatible 360 cameras; the options range from sub-$200 fisheye cameras to the $3,600, ball-shaped Insta360 Pro, which looks like something out of Star Wars.

Microsoft

Microsoft Launches Power Pages for Designing Business Websites (techcrunch.com) 25

Riding the wave of enthusiasm for no-code/low-code solutions, Microsoft today announced Power Pages, a standalone product within the company's Power Platform portfolio for creating business websites. Power Pages previously existed as a component within Power Apps called Power Apps portals, but it's been broken out and redesigned with a new user experience. From a report: "As a new, standalone product, Power Pages empowers anyone, regardless of their technical background, with an effective platform to create data-powered, modern, and secure websites," Sangya Singh, vice president of power portals at Microsoft, said in a blog post. "In addition to being low-code, Power Pages extends far beyond portals' former capabilities to enable organizations of any size to securely build websites with exciting new aesthetic features and advanced capabilities for customization with pro-dev extensibility."

There's no shortage of web design startups on the market. But Microsoft is touting Power Pages' integrations with its existing services as the key differentiator. For example, Power Pages ties in with Visual Studio Code, GitHub, the Power Platform command line interface and Azure DevOps to let more advanced users automate development workflows (e.g. by downloading and uploading projects) and leverage CI/CD practices. Power Pages also allows users to implement role-based access controls and web app firewalls via Azure, and to collect and share business info with site visitors via Microsoft's Dataverse platform.

Microsoft

Microsoft Will Support Third-Party Windows 11 Widgets Later This Year (theverge.com) 30

Microsoft is planning to support third-party widgets inside Windows 11 later this year. At its annual Build developer conference today, the software giant says it will open up access to Windows 11 widgets to developers as companions to their win32 or PWA apps. From a report: Currently, the Windows 11 widgets system is restricted to native widgets created by Microsoft, and the selection is rather limited. Microsoft has built widgets for its Outlook and To Do apps, but the rest are largely web-powered ones that present the weather, entertainment feeds, or news in the dedicated widgets panel for Windows 11.

"We're energized by the customer feedback on Widgets to date, people are enjoying the quick access to content most important to them in a way that is seamless without breaking their flow," says Panos Panay, head of devices and Windows. "Beginning later this year you'll be able to start building Widgets as companion experiences for your Win32 and PWA apps on Windows 11, powered by the Adaptive Cards platform."

Windows

Windows 11 CPU Usage Reporting is Apparently Buggy, Including on Task Manager (neowin.net) 41

An anonymous reader shares a report: While not every user is actively monitoring hardware resource usage when gaming, enthusiasts and reviewers often turn the stats on to see how certain games and other applications are being handled by the hardware. During such a test run, CapFrameX, which developed a useful frametime analysis tool, noticed a weird anomaly when gauging the performance of the Ryzen 7 5800X3D on Lara Croft Shadow of the Tomb Raider (SotTR). The processor usage reported on Windows 11 is seemingly unusually low in one of the scenes in the game, which is typically known to be quite intense on the CPU. Only one out of the 16 threads seems to be reporting the correct usage, whereas all the other threads are under 10% utilization. CapFrameX notes the issue, though it isn't sure what could be causing it: "The core usage reporting on Windows 11 is completely broken. Should be >80% for SotTR + this particular scene and settings. What happened? Did the recent update change the timer behavior?"

Security

Zola Says User Accounts Were Hacked, But Still Doesn't Offer 2FA (techcrunch.com) 18

Zola, a wedding planning startup that allows couples to create websites, budgets and gift registries, has confirmed that hackers gained access to user accounts but has denied a breach of its systems. From a report: The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards and gift cards. In a statement given to TechCrunch, Zola spokesperson Emily Forrest confirmed that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials. [...] Zola declined to say how many users were affected by the breach and declined to answer our questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.

Upgrades

Hollywood Designer 6.0 Released: Now a 'Full-Blown Multimedia Authoring System' (amigans.net) 20

After nearly 20 years, Hollywood Designer 6.0 is "very stable and mature", write its developers — envisioning both hobbyist and professional users (with its support for modern graphics-editing features like filter effects and vector graphics) in its massive new evolution.

Long-time Slashdot reader Mike Bouma explains: Airsoft Softwair has released Hollywood Designer 6.0, "a full-blown multimedia authoring system that runs on top of Hollywood and can be used to create all sorts of multimedia-based applications, for example presentations, slide shows, games, and applications. Thanks to Hollywood, all multimedia applications created using Hollywood Designer can be exported as stand-alone executables for the following systems: AmigaOS3, AmigaOS4, WarpOS, MorphOS, AROS, Windows, macOS, Linux, Android, and iOS."

The current version of Hollywood is v9.1 with various updated add-ons. To see earlier versions of Hollywood 9.0 & Designer 5.0 in action have a look at Kas1e's short demonstration on AmigaOS4 / AmigaOne X5000.

Microsoft

Biggest Targets at Pwn2Own Event: Microsoft's Windows, Teams, and Ubuntu Desktop (hothardware.com) 17

As Pwn2Own Vancouver comes to a close, a whopping $1,115,000 has been awarded by Trend Micro and Zero Day Initiative. The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware — though "the biggest payouts were for serious exploits against Microsoft's Teams utility." While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000....

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public, because they're zero-days, after all. That means that they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.

With all the points totalled, the winner was Singapore-based cybersecurity company Star Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event).

A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.
Programming

How a Rust Supply-Chain Attack Infected Cloud CI Pipelines with Go Malware (sentinelone.com) 45

Sentinel Labs provides malware/threat intelligence analysis for the enterprise cybersecurity platform SentinelOne.

Thursday they reported on "a supply-chain attack against the Rust development community that we refer to as 'CrateDepression'." On May 10th, 2022, the Rust Security Response Working Group released an advisory announcing the discovery of a malicious crate hosted on the Rust dependency community repository. The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines.

Infected CI pipelines are served a second-stage payload. We have identified these payloads as Go binaries built on the red-teaming framework, Mythic. Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger scale relative to the development pipelines infected. We suspect that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain.... In an attempt to fool Rust developers, the malicious crate typosquats against the well-known rust_decimal package used for fractional financial calculations....

The malicious package was initially spotted by an avid observer and reported to the legitimate rust_decimal GitHub account.... Both [Linux and macOS] variants serve as an all-purpose backdoor, rife with functionality for an attacker to hijack an infected host, persist, log keystrokes, inject further stages, screencapture, or simply remotely administer in a variety of ways....

Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to 'fish with dynamite' in an attempt to infect entire user populations at once. In the case of CrateDepression, the targeting interest in cloud software build environments suggests that the attackers could attempt to leverage these infections for larger scale supply-chain attacks.

Microsoft

Microsoft Warns of 'Stealthy DDoS Malware' Targeting Linux Devices (zdnet.com) 76

"In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos," writes the Microsoft 365 Defender Research Team. It's a trojan combining denial-of-service functionality with XOR-based encryption for communication.

Microsoft calls it part of "the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices." And ZDNet describes the trojan as "one of the most active Linux-based malware families of 2021, according to Crowdstrike." XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers... Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker's command and control infrastructure.

While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. "We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft notes... Microsoft didn't see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities...

XorDdos can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.

Microsoft's team warns that the trojan's evasion capabilities "include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.

"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions."

Security

The Math Prodigy Whose Hack Upended DeFi Won't Give Back His Millions (bloomberg.com) 119

An 18-year-old graduate student exploited a weakness in Indexed Finance's code and opened a legal conundrum that's still rocking the blockchain community. Then he disappeared. An excerpt from a report: On Oct. 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed. The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens -- like an index fund, but on the blockchain. The colleague had sent over a screenshot showing a recent trade, followed by a question mark. "If you didn't know what you were looking at, you might say, 'Nice-looking trade,'" Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn't have been possible. Something was very wrong. Day jumped up, spilling his food on the floor, and ran into his bedroom to call Dillon Kellar, a co-founder of Indexed. Kellar was sitting in his mom's living room six time zones away near Austin, disassembling a DVD player so he could salvage one of its lasers. He picked up the phone to hear a breathless Day explaining that the platform had been attacked. "All I said was, 'What?'" Kellar recalls.

They pulled out their laptops and dug into the platform's code, with the help of a handful of acquaintances and Day's cat, Finney (named after Bitcoin pioneer Hal Finney), who perched on his shoulder in support. Indexed was built on the Ethereum blockchain, a public ledger where transaction details are stored, which meant there was a record of the attack. It would take weeks to figure out precisely what had happened, but it appeared that the platform had been fooled into severely undervaluing tokens that belonged to its users and selling them to the attacker at an extreme discount. Altogether, the person or people responsible had made off with $16 million worth of assets. Kellar and Day stanched the bleeding and repaired the code enough to prevent further attacks, then turned to face the public-relations nightmare. On the platform's Discord and Telegram channels, token-holders traded theories and recriminations, in some cases blaming the team and demanding compensation. Kellar apologized on Twitter to Indexed's hundreds of users and took responsibility for the vulnerability he'd failed to detect. "I f---ed up," he wrote. The question now was who'd launched the attack and whether they'd return the funds. Most crypto exploits are assumed to be inside jobs until proven otherwise. "The default is going to be, 'Who did this, and why is it the devs?'" Day says.

As he tried to sleep the morning after the attack, Day realized he hadn't heard from one particular collaborator. Weeks earlier, a coder going by the username "UmbralUpsilon" -- anonymity is standard in crypto communities -- had reached out to Day and Kellar on Discord, offering to create a bot that would make their platform more efficient. They agreed and sent over an initial fee. "We were hoping he might be a regular contributor," Kellar says. Given the extent of their chats, Day would have expected UmbralUpsilon to offer help or sympathy in the wake of the attack. Instead, nothing. Day pulled up their chat log and found that only his half of the conversation remained; UmbralUpsilon had deleted his messages and changed his username. "That got me out of bed like a shot," Day says.

Security

2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms 9

Malicious hackers, some believed to be state-backed, are actively exploiting two unrelated vulnerabilities -- both with severity ratings of 9.8 out of a possible 10 -- in hopes of infecting sensitive enterprise networks with backdoors, botnet software, and other forms of malware. ArsTechnica: The ongoing attacks target unpatched versions of multiple product lines from VMware and of BIG-IP software from F5, security researchers said. Both vulnerabilities give attackers the ability to remotely execute malicious code or commands that run with unfettered root system privileges. The largely uncoordinated exploits appear to be malicious, as opposed to benign scans that attempt to identify vulnerable servers and quantify their number.

Security

DOJ Says It Won't Prosecute White Hat Security Researchers (vice.com) 38

The Department of Justice announced today a policy shift in that it will no longer prosecute good-faith security research that would have violated the country's federal hacking law, the Computer Fraud and Abuse Act (CFAA). Motherboard: The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.

"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good." The policy itself reads that "the Department's goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems."

Privacy

The Passwords Most Used By CEOs Are Startlingly Dumb (pcgamer.com) 110

A recent cybersecurity report shows how immensely idiotic many CEOs and business owners can be, considering the strength of their chosen account passwords. PC Gamer reports: The research comes from NordPass password manager, which identified back in 2020 that the general public's most commonly used passwords were sequential numbers like '123456', 'picture1', and yep, you guessed it: 'password'. The more recent research sample consists of 290 million cybersecurity data breaches around the globe, and denotes the job level of those affected. Turns out, when it comes to CEOs and other high-ranking business execs, their password choices are much the same as the general public, although many often feature names. Tiffany was spotted in 100,534 breaches; then there was Charlie with 33,699; Michael was found 10,647 times; and Jordan, 10,472 times.

The report also ranks mythical creatures and animals as some of the top passwords to have been cracked in data breaches. 'Dragon' was spotted 11,926 times, and 'monkey' comes in at 11,675. I spoke to IT support engineer Ash Smith, who recommends that companies should consider handing out randomly generated passwords as new accounts are created. "Arguably the strongest passwords are 3 random words, something that you can make a story about in your head to help you remember," he says.

Security

Ransomware Attackers Get Short Shrift From Zambian Central Bank (bloomberg.com) 13

Zambia's central bank said it refused to pay ransom to a group known as Hive that was behind a cybersecurity breach that caused minimal damage to its systems. From a report: "All of our core systems are still up and running," Greg Nsofu, information and communications technology director at the Bank of Zambia, told reporters in Lusaka, the capital. "Not much sensitive data has actually been shipped out." Only some test data may have been leaked, he said. "Knowing that we had protected our core systems, it wasn't really necessary for us to even engage" in a ransom conversation, Nsofu said. "So we pretty much told them where to get off." The central bank said May 13 that it had suffered a suspected cyberattack, which disrupted some information technology applications on May 9, including its website and bureau de change monitoring system.

China

Hong Kong Considers Blocking Telegram As Part of Crackdown On Doxing (ibtimes.sg) 25

Hong Kong is planning a ban on the Telegram messaging service, which is widely used by pro-democracy activists. International Business Times reports: Local media reported that the ban on Telegram was being considered as a means to crack down on rampant doxing, under which pro-democracy campaigners are exposing sensitive personal data of government officials and citizens online. Hong Kong's privacy commissioner for personal data might decide in favor of blocking or restricting access to Telegram in the first such move, the Sing Tao Daily reported, according to Bloomberg. The execution of such a ban would mean that the former British colony has taken a step closer to China-style smothering of personal and civil liberties.

Crime

Angry IT Admin Wipes Employer's Databases, Gets 7 Years In Prison (bleepingcomputer.com) 83

Han Bing, a former database administrator for Lianjia, a Chinese real-estate brokerage giant, has been sentenced to 7 years in prison for logging into corporate systems and deleting the company's data. BleepingComputer reports: Bing allegedly performed the act in June 2018, when he used his administrative privileges and "root" account to access the company's financial system and delete all stored data from two database servers and two application servers. This resulted in the immediate crippling of large portions of Lianjia's operations, leaving tens of thousands of its employees without salaries for an extended period and forcing a data restoration effort that cost roughly $30,000. The indirect damages from the disruption of the firm's business, though, were far greater, as Lianjia operates thousands of offices, employs over 120,000 brokers, owns 51 subsidiaries, and its market value is estimated to be $6 billion.

United States

Ransomware Gang Threatens To Overthrow Costa Rica Government (apnews.com) 14

A ransomware gang that infiltrated some Costa Rican government computer systems has upped its threat, saying its goal is now to overthrow the government. From a report: Perhaps seizing on the fact that President Rodrigo Chaves had only been in office for a week, the Russian-speaking Conti gang tried to increase the pressure to pay a ransom by raising its demand to $20 million. Chaves suggested Monday in a news conference that the attack was coming from inside as well as outside Costa Rica. "We are at war and that's not an exaggeration," Chaves said. He said officials were battling a national terrorist group that had collaborators inside Costa Rica. Chaves also said the impact was broader than previously known, with 27 government institutions, including municipalities and state-run utilities, affected. He blamed his predecessor Carlos Alvarado for not investing in cybersecurity and for not more aggressively dealing with the attacks in the waning days of his government. In a message Monday, Conti warned that it was working with people inside the government.

Microsoft

Microsoft Names Info-Stealers That Target Crypto Wallets 'Cryware' (microsoft.com) 12

Microsoft blog: The steep rise in cryptocurrency market capitalization, not surprisingly, mirrors a marked increase in threats and attacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting trend: the evolution of related malware and their techniques, and the emergence of a threat type we're referring to as cryware. Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.

Google

Google Will Start Distributing a Security-Vetted Collection of Open-Source Software Libraries (theverge.com) 28

Google announced a new initiative Tuesday aimed at securing the open-source software supply chain by curating and distributing a security-vetted collection of open-source packages to Google Cloud customers. From a report: The new service, branded Assured Open Source Software, was introduced in a blog post from the company. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, pointed to some of the challenges of securing open-source software and stressed Google's commitment to open source. "There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks," Chang wrote, citing last year's major log4j vulnerability as an example. "Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure." Per Google's announcement, the Assured Open Source Software service will extend the benefits of Google's own extensive software auditing experience to Cloud customers. All open-source packages made available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.