Television

Netflix Could Reap $1.6 Billion Per Year By Charging Password-Sharing Users Extra Fees, Analysts Say (variety.com) 118

If Netflix follows through with its test to charge an additional fee to users sharing passwords, it could rake in $1.6 billion in global revenue annually, according to a new Wall Street analysis. Variety reports: Last week, Netflix said it was launching a test in three Latin America countries (Chile, Costa Rica and Peru) to address password sharing. Customers will be able to add up to two Extra Member accounts for about $2-$3/month each, on top of their regular monthly fee. According to estimates by Cowen & Co. analysts, if Netflix rolls the program out globally it could add an incremental $1.6 billion in global revenue annually, or about 4% upside to the firm's 2023 revenue projection of $38.8 billion. The firm's estimate assumes that about half of non-paying Netflix password-sharing households will become paying members; further, the model predicts that of those, about half will opt to sign up for their own separate paid account.

Crime

UK Police Arrest 7 People In Connection With Lapsus$ Hacks (techcrunch.com) 9

An anonymous reader quotes a report from TechCrunch: Police in the United Kingdom have arrested seven people over suspected connections to the Lapsus$ hacking group, which has in recent weeks targeted tech giants including Samsung, Nvidia, Microsoft and Okta. In a statement given to TechCrunch, Detective Inspector Michael O'Sullivan from the City of London Police said: "The City of London Police has been conducting an investigation with its partners into members of a hacking group. Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing."

News of the arrests comes just hours after a Bloomberg report revealed a teenager based in Oxford, U.K. is suspected of being the mastermind of the now-prolific Lapsus$ hacking group. Four researchers investigating the gang's recent hacks said they believed the 16-year-old, who uses the online moniker "White" or "Breachbase," was a leading figure in Lapsus$, and Bloomberg was able to track down the suspected hacker after his personal information was leaked online by rival hackers. TechCrunch has seen a copy of the suspected hacker's leaked personal information, which we are not sharing -- but it matches Bloomberg's reporting. City of London Police, which primarily focuses on financial crimes, did not say if the 16-year-old was among those arrested.

At least one member of Lapsus$ was also apparently involved with a recent data breach at Electronic Arts, according to [security reporter Brian Krebs], and another is suspected to be a teenager residing in Brazil. The latter is said to be so capable of hacking that researchers first believed that the activity they were witnessing was automated. Researchers' ability to track the suspected Lapsus$ members may be because the group, which now has more than 45,000 subscribers to its Telegram channel where it frequently recruits insiders and leaks victims' data, does little to cover its tracks. In a blog post this week, Microsoft said the group uses brazen tactics to gain initial access to a target organization, which has included publicly recruiting company insiders. As reported by Bloomberg this week, the group has even gone as far as to join the Zoom calls of companies they've breached and taunted employees trying to clean up their hack.

Security

Nestle: Anonymous Can't Hack Us, We Leaked Our Own Data (gizmodo.com) 51

An anonymous reader quotes a report from Gizmodo: A hacker group claims to have stolen and leaked a trove of Nestle's data. The company says that can't possibly be true. Why? Because the data was actually leaked by Nestle itself several weeks ago. In emails to Gizmodo, a Nestle spokesperson disavowed allegations from the hacktivist collective Anonymous, which claimed this week to have stolen and leaked a 10 gigabyte tranche from the global food and beverage conglomerate. Anonymous said it was punishing Nestle for its reticence to withdraw from Russia, as a host of other major companies have done. The data, which Anonymous said included internal emails, passwords, and information on Nestle's customers, was posted to the web on Tuesday.

But, according to Nestle, Anonymous is full of it. A spokesperson told Gizmodo, "This recent claim of a cyber-attack against Nestle and subsequent data leak has no foundation." The spokesperson explained that the trove of data floating around the web was, in fact, the product of a mistake the company made earlier this year: "It relates to a case from February, when some randomized and predominantly publicly available test data of a B2B nature was made accessible unintentionally online for a short period of time." [...] In a follow-up email, the same company spokesperson explained that the data, some of which was already public and some of which was not, had been accidentally published to the open internet for multiple weeks. According to the spokesperson: "Some predominantly publicly-available data (e.g., company names and company addresses and some business email addresses) was erroneously made available on the web for a limited period of time (a few weeks). It was detected by our security team at the time and the appropriate review was carried out. The data was prepared for a B2B test website to perform some functionality checks."
Nestle on Wednesday said it planned to partly scale back its operations in Russia, continuing to provide "essential food, such as infant food and medical/hospital nutrition."

Google

Google Says It Thwarted North Korean Cyberattacks in Early 2022 (engadget.com) 3

Google's Threat Analysis Group announced on Thursday that it had discovered a pair of North Korean hacking cadres going by the monikers Operation Dream Job and Operation AppleJeus in February that were leveraging a remote code execution exploit in the Chrome web browser. From a report: The blackhatters reportedly targeted the US news media, IT, crypto and fintech industries, with evidence of their attacks going back as far as January 4th, 2022, though the Threat Analysis Group notes that organizations outside the US could have been targets as well.

"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques," the Google team wrote on Thursday. "It is possible that other North Korean government-backed attackers have access to the same exploit kit." Operation Dream Job targeted 250 people across 10 companies with fraudulent job offers from the likes of Disney and Oracle sent from accounts spoofed to look like they came from Indeed or ZipRecruiter. Clicking on the link would launch a hidden iframe that would trigger the exploit.

Security

Teen Suspected By Cyber Researchers of Being Lapsus$ Mastermind (bloomberg.com) 17

An anonymous reader quotes a report from Bloomberg: Cybersecurity researchers investigating a string of hacks against technology companies, including Microsoft and Nvidia, have traced the attacks to a 16-year-old living at his mother's house near Oxford, England. Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind.

The teen is suspected by the researchers of being behind some of the major hacks carried out by Lapsus$, but they haven't been able to conclusively tie him to every hack Lapsus$ has claimed. The cyber researchers have used forensic evidence from the hacks as well as publicly available information to tie the teen to the hacking group. Bloomberg News isn't naming the alleged hacker, who goes by the online alias "White" and "breachbase," who is a minor and hasn't been publicly accused by law enforcement of any wrongdoing. Another member of Lapsus$ is suspected to be a teenager residing in Brazil, according to the investigators. One person investigating the group said security researchers have identified seven unique accounts associated with the hacking group, indicating that there are likely others involved in the group's operations. The teen is so skilled at hacking -- and so fast -- that researchers initially thought the activity they were observing was automated, another person involved in the research said. [...]

The teenage hacker in England has had his personal information, including his address and information about his parents, posted online by rival hackers. At an address listed in the leaked materials as the teen's home near Oxford, a woman who identified herself as the boy's mother talked with a Bloomberg reporter for about 10 minutes through a doorbell intercom system. The home is a modest terraced house on a quiet side street about five miles from Oxford University. The woman said she was unaware of the allegations against her son or the leaked materials. She said she was disturbed that videos and pictures of her home and the teen's father's home were included. The mother said the teenager lives at that address and had been harassed by others, but many of the other leaked details couldn't be confirmed. She declined to discuss her son in any way or make him available for an interview, and said the issue was a matter for law enforcement and that she was contacting the police.

Businesses

How Microsoft Plans To Fill 3.5 Million Cybersecurity Jobs (protocol.com) 31

Microsoft announced on Wednesday that it will expand its cybersecurity skilling initiative to 23 additional countries. The campaign, which began last year in the U.S., is part of the company's push to help solve the cybersecurity industry's growing talent problem, while also helping diversify the industry. From a report: Like many industries within tech, cybersecurity is facing both a workforce shortage and a widening skills gap among workers. According to Kate Behncken, vice president and lead of Microsoft Philanthropies, by 2025 there will be 3.5 million cybersecurity jobs open globally. Microsoft originally launched the skilling campaign in the U.S. last fall, partnering with 135 community colleges to skill and recruit workers into the cybersecurity industry. By expanding skilling and training to 23 countries, Microsoft aims to get ahead of the demand. The countries, which include Australia, Brazil, Canada and India, were chosen due to their "elevated cyberthreat risk."

Firefox

Two Years After Chrome and Edge, Firefox is Getting AV1 Hardware Acceleration (neowin.net) 44

Firefox is finally gaining proper AV1 support. Neowin reports: According to an update made to a post on Bugzilla, the Mozilla Foundation is finally ready to add hardware acceleration for the AV1 video format. Developers plan to implement improved AV1 support in the upcoming release of Firefox 100, scheduled to arrive on May 3, 2022. Hardware acceleration for AV1 video brings several noticeable benefits to customers. The standard developed by Alliance for Open Media and initially released in March 2018 offers better video compression than H.264 (about 50%) and VP9 (about 20%). Shifting AV1 video processing from software to hardware improves efficiency and reduces energy consumption, resulting in better battery life on tablets and laptops. Google and Microsoft announced hardware-accelerated AV1 video in Chrome and Edge in late 2020. Mozilla, on the other hand, did not rush to introduce improved AV1 support in Firefox. While it is easy to dunk on Firefox, there is a reason why developers took their time. Hardware-accelerated AV1 video is not something you can add to any computer with Windows 10, and it requires a PC with the most recent and powerful hardware.

Microsoft

Microsoft Says Digital Extortion Gang Lapsus$ Targets Cryptocurrency, Too (bloomberg.com) 9

An anonymous reader shares a report: A digital extortion gang with a murky background and unconventional methods -- one researcher called them "laughably bad" at times -- has claimed responsibility for a string of compromises against some of the world's largest technology companies. The group, known as Lapsus$, said in a series of public posts on the messaging app Telegram this week that it had accessed Okta, the San Francisco-based identity-management firm that provides authentication tools for an array of business clients. Okta said Tuesday that attackers may have viewed data from approximately 2.5% of its customers after breaching the laptop of an engineer at a third-party vendor.

Lapsus$ previously claimed to breach organizations including Nvidia, Samsung Electronics, and the gaming company Ubisoft Entertainment. The group said it also accessed data from Microsoft, saying it had gathered source code from the company's Bing search engine, Bing Maps and the Cortana digital assistant. Microsoft said attackers gained "limited access" to its systems, and that attackers had compromised a single account to gather data. In recent years, most hacking groups have used malware to encrypt a victim's files, then demanded payment to unlock them, so-called ransomware. Sometimes the groups steal sensitive data and threaten to make it public unless they are paid. Lapsus$ functions as a "large-scale social engineering and extortion campaign," though it does not deploy ransomware, Microsoft said. The group uses phone-based tactics to target personal email accounts at victim organizations and pays individual employees or business partners of an organization for illicit access, according to Microsoft. Lapsus$ also is known for hijacking individual accounts at cryptocurrency exchanges to drain user holdings.

Security

Authentication Firm Okta Probes Report of Digital Breach (reuters.com) 44

Authentication services provider Okta is investigating a report of a digital breach, the company said on Tuesday, after hackers posted screenshots showing what they claimed was its internal company environment. From a report: A hack at Okta could have major consequences because thousands of other companies rely on the San Francisco-based firm to manage access to their own networks and applications. The company was aware of the reports and was investigating, Okta official Chris Hollis said in a brief statement. "We will provide updates as more information becomes available," he added. The screenshots were posted by a group of ransom-seeking hackers known as LAPSUS$ on their Telegram channel late on Monday. In an accompanying message, the group said its focus was "ONLY on Okta customers." TechCrunch adds: Okta chief executive Todd McKinnon confirmed the breach in a tweet thread overnight on March 22: "In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."

Security

Browser-in-the-Browser Attack Can Trick Even Savvy Users (arstechnica.com) 46

apoc.famine shares a report from Ars Technica: Hundreds of thousands of sites use the OAuth protocol to let visitors login using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have -- and the magic of OAuth does the rest. The Browser-in-the-Browser (BitB) technique capitalizes on this scheme. Instead of opening a genuine second browser window that's connected to the site facilitating the login or payment, BitB uses a series of HTML and cascading style sheets (CSS) tricks to convincingly spoof the second window. The URL that appears there can show a valid address, complete with a padlock and HTTPS prefix. The layout and behavior of the window appear identical to the real thing.

While the method is convincing, it has a few weaknesses that should give savvy visitors a foolproof way to detect that something is amiss. Genuine OAuth or payment windows are in fact separate browser instances that are distinct from the primary page. That means a user can resize them and move them anywhere on the monitor, including outside the primary window. BitB windows, by contrast, aren't a separate browser instance at all. Instead, they're images rendered by custom HTML and CSS and contained in the primary window. That means the fake pages can't be resized, fully maximized or dragged outside the primary window. All users should protect their accounts with two-factor authentication. One other thing more experienced users can do is right click on the popup page and choose "inspect." If the window is a BitB spawn, its URL will be hardcoded into the HTML.

Microsoft

Microsoft Investigating Claims of Hacked Source Code Repositories (bleepingcomputer.com) 26

Microsoft says they are investigating claims that the Lapsus$ data extortion hacking group breached their internal Azure DevOps source code repositories and stole data. BleepingComputer reports: Unlike many extortion groups we read about today, Lapsus$ does not deploy ransomware on their victim's devices. Instead, they target the source code repositories for large companies, steal their proprietary data, and then attempt to ransom that data back to the company for millions of dollars. While it is not known if the extortion group has successfully ransomed stolen data, Lapsus$ has gained notoriety over the past months for their confirmed attacks against NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre. Unfortunately, Lapsus$ has a good track record, with their claims of attacks on other companies later confirmed to be true.

While the leaking of source code makes it easier to find vulnerabilities in a company's software, Microsoft has previously stated that leaked source code does not create an elevation of risk. Microsoft says that their threat model assumes that threat actors already understand how their software works, whether through reverse engineering or previous source code leaks. "At Microsoft, we have an inner source approach -- the use of open source software development best practices and an open source-like culture -- to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code," explained Microsoft in a blog post about the SolarWinds attackers gaining access to their source code. "So viewing source code isn't tied to elevation of risk." However, source code repositories also commonly contain access tokens, credentials, API keys, and even code signing certificates.

Security

Biden Urges American Firms To 'Harden' Cyber-Defenses Against Russia (protocol.com) 22

President Biden on Monday urged American companies to put up their cyber-defenses, citing "evolving intelligence that the Russian Government is exploring options for potential cyberattacks" against the U.S. From a report: "The Federal Government can't defend against this threat alone," Biden said in a lengthy statement released by the White House. He called on the private sector, as "critical infrastructure owners and operators," to "accelerate efforts to lock their digital doors." [...] "I urge our private sector partners to harden your cyber defenses immediately," Biden said in the statement. In the lead-up to the invasion of Ukraine, the White House repeatedly publicized its intelligence about Moscow's plans in an effort to deter them.

Security

Criminals Are Staging a Devious New Kind of Kidnapping - and the FBI is Stumped. (businessinsider.com) 43

schwit1 shares a report: About 10 years ago, when Erik Arbuthnot first started hearing about phony-kidnapping hustles, his fellow agents at the FBI scoffed at the cases. "Don't worry about those," they told Arbuthnot. "Those are fake. We handle the real ones." Now the cases have become so widespread that the bureau has a name for them: virtual kidnappings. "It's a telephone extortion scheme," says Arbuthnot, who heads up virtual-kidnapping investigations for the FBI out of Los Angeles. Because many of the crimes go unreported, the bureau doesn't have a precise number on how widespread the scam is. But over the past few years, thousands of families like the Mendelsteins have experienced the same bizarre nightmare: a phone call, a screaming child, a demand for ransom money, and a kidnapping that -- after painful minutes, hours, or even days -- is revealed to be fake. There's the pastor in Memphis who, like Mendelstein, was told his daughter had been kidnapped. The man in Miami who thought his wife and baby daughter were being held for ransom. The guy in Missouri who got conned into thinking his elderly mother had been taken. Overall, the FBI reports, internet scams nearly doubled in 2020 -- and extortion cases like virtual kidnapping have rung up the third-most victims, right behind phishing schemes and phony sales calls.

Security

HubSpot Hack Leads To Data Breaches at BlockFi, Swan Bitcoin, NYDIG and Circle (coindesk.com) 4

A data breach at HubSpot, a tool used by many companies to manage marketing campaigns and on-board new users, has affected BlockFi, Swan Bitcoin, NYDIG and Circle. From a report: However, all the companies said their operations were not affected and their treasuries were not at risk. HubSpot is a customer relationship management (CRM) tool used to store users' names, phone numbers and email addresses for marketing purposes, and measure the effectiveness of marketing campaigns. While user information was leaked to hackers, the affected companies said passwords and other internal information were not affected. In outreach emails seen by CoinDesk, the companies said HubSpot is an external tool and hackers did not gain access to internal systems. HubSpot said the breach was the result of a bad actor getting access to an employee account and using it to target stakeholders in the cryptocurrency industry. The company said 30 clients were affected, but has not published a full list.

Security

CafePress's Previous Owner Fined $500,000 for 'Shoddy' Security, Covering up Data Breach (zdnet.com) 24

ZDNet describes CafePress as "a U.S. platform offering print-on-demand products" like custom t-shirts, hats, and mugs.

"CafePress's past owner has been fined $500,000 over a litany of security failures and data breaches," ZDNet reported this week: CafePress became the subject of a US Federal Trade Commission (FTC) investigation surrounding how it handled security — and how the firm allegedly "failed to secure consumers' sensitive personal data and covered up a major breach." On March 15, the US regulator said that Residual Pumpkin is required to pay $500,000 in damages. According to the FTC's complaint (PDF), issued against the platform's former owner Residual Pumpkin Entity, LLC, and its current owner PlanetArt, LLC, there was a lack of "reasonable security measures" to prevent data breaches.

In addition, the FTC claims that CafePress kept user data for longer than necessary, stored personally identifiable information including Social Security numbers and password reset answers in cleartext, and did not patch against known system vulnerabilities. "As a result of its shoddy security practices, CafePress' network was breached multiple times," the FTC says. CafePress experienced a major security incident in 2019. An attacker infiltrated the platform in February 2019 and was able to access data belonging to millions of users. This included email addresses, poorly-encrypted passwords, names, home addresses, security questions and answers, some partial card payment records, phone numbers, and at least 180,000 unencrypted Social Security numbers....

According to the FTC, CafePress was notified a month after the breach and did patch the security flaw — but did not investigate the breach properly "for several months." Customers were also not told. Instead, CafePress implemented a forced password reset as part of its "policy" and only informed users in September 2019, once the data breach had been publicly reported. In a separate case in 2018, CafePress allegedly was made aware of shops being compromised. These accounts were closed — and the shopkeepers, the victims, were then charged $25 account closure fees.

The FTC also claims that the company "misled" users by using consumer email addresses for marketing, despite promises to the contrary.

Security

How to Eliminate the World's Need for Passwords (arstechnica.com) 166

The board members of the FIDO alliance include Amazon, Google, PayPal, RSA, Apple, and Microsoft (as well as Intel and Arm). It describes its mission as reducing the world's "over-reliance on passwords."

Today Wired reports that the group thinks "it has finally identified the missing piece of the puzzle" for finally achieving large-scale adoption of a password-supplanting technology: On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption....

The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.... FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there's no simple way to log in to all of your apps and accounts — or if you have to fall back to passwords to reestablish your ownership of those accounts — then most users will conclude that it's too much of a hassle to change the status quo.

The passwordless FIDO standard already relies on a device's biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the Internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a "FIDO credential" manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device's biometric or passcode lock. At Apple's Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as "Passkeys in iCloud Keychain," which Apple says is its "contribution to a post-password world...."

FIDO's white paper also includes another component, a proposed addition to its specification that would allow one of your existing devices, like your laptop, to act as a hardware token itself, similar to stand-alone Bluetooth authentication dongles, and provide physical authentication over Bluetooth. The idea is that this would still be virtually phish-proof since Bluetooth is a proximity-based protocol and can be a useful tool as needed in developing different versions of truly passwordless schemes that don't have to retain a backup password. Christiaan Brand, a product manager at Google who focuses on identity and security and collaborates on FIDO projects, says that the passkey-style plan follows logically from the smartphone or multi-device image of a passwordless future. "This grand vision of 'Let's move beyond the password,' we've always had this end state in mind to be honest, it just took until everyone had mobile phones in their pockets," Brand says....

To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past.... When asked if this is really it, if the death knell for passwords is truly, finally tolling, Google's Brand turns serious, but he doesn't hesitate to answer: "I feel like everything is coalescing," he says. "This should be durable."

Such a change won't happen overnight, the article points out. "With any other tech migration (ahem, Windows XP), the road will inevitably prove arduous."

Facebook

Facebook is Locking Out People Who Didn't Activate Facebook Protect (theverge.com) 42

An anonymous reader shares a report: Early in March, a bunch of Facebook users got a mysterious, spam-like email titled "Your account requires advanced security from Facebook Protect" and telling them that they were required to turn on the Facebook Protect feature (which they could do by hitting a link in the email) by a certain date, or they would be locked out of their account. The program, according to Facebook, is a "security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials." It's meant to do things like ensure those accounts are monitored for hacking threats and that they are protected by two-factor authentication (2FA).

Unfortunately, the email that Facebook sent from the address security@facebookmail.com resembled a rather common form of spam, and so it's probable that many people ignored it. It actually wasn't spam. In fact, it was real. The first deadline to hit for many people was Thursday, March 17th. And now, they are locked out of their Facebook accounts -- and are having trouble with the process that Facebook has provided to get them back in. Those who did not activate Facebook Protect before their deadline are apparently getting a message explaining why they can't get into their accounts and offering to help them turn it on. However, it's not always working.

United States

CISA, FBI Warn of Threats To US Satellite Networks After Viasat Cyberattack (techcrunch.com) 7

The U.S. government is warning of "possible threats" to satellite communication networks amid fears that recent attacks on satellite networks in Europe, sparked by the war in Ukraine, could soon spread to the United States. From a report: A joint CISA-FBI advisory published this week urges satellite communication (SATCOM) network providers and critical infrastructure organizations that rely on satellite networks to bolster their cybersecurity defenses due to an increased likelihood of cyberattack, warning that a successful intrusion could create risk in their customer environments.

While the advisory did not name specific sectors under threat, the use of satellite communications is widespread across the United States. It's estimated that about eight million Americans rely on SATCOM networks for internet access. Ruben Santamarta, a cybersecurity expert who specializes in analyzing satellite communications systems, told TechCrunch that networks are used in a wide number of industries, including aviation, government, the media and the military, as well as gas facilities and electricity service stations that are located in remote places.

Microsoft

Microsoft Defender Tags Office Updates As Ransomware (bleepingcomputer.com) 33

joshuark writes: In one of those in-your-face irony or karmic debt, Bleeping Computer reports that Microsoft Defender tags Office updates as ransomware. The article states: "Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems."

Further on, an explanation for the source of the karmic irony is: "The root cause of the false positives was a recently deployed update within service components for detecting ransomware alerts." Couldn't this have waited for April 1st?

Bleeping Computer goes on, "A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today."

Security

Russian Cyber Attacks Are Struggling To Impact Ukraine's Networks (bloomberg.com) 75

Russian cyber attacks have so far struggled to successfully target Ukraine's critical national infrastructure, according to government officials. From a report: While they are aware of Russian intent to disrupt or infiltrate Ukrainian systems, according to the officials, they have continued to function and Ukraine has mounted a strong defense. Many denial-of-service attacks targeting Ukraine are of low sophistication and impact, the people said, who asked not to be identified discussing private information. The country's experience fending off major cyber attacks since 2015 may have helped prepare it for recent attempts, they added. The destructive "wiper" malware seen in Ukraine is more insidious and the officials said they are on alert for it appearing outside of the country. In the hours prior to Russia's invasion, some Ukrainian government agencies were targeted with the software, which deleted data held on infected computers. More aggressive network take-downs or attacks may not fit with Russian objectives, they added, and Russia could even be leaving the broadband network active for its own means to gather intelligence.
