Safari

Safari Bug Can Leak Some of Your Google Account Info and Recent Browsing History (9to5mac.com)

A serious Safari bug disclosed in this blog post from FingerprintJS can disclose information about your recent browsing history and even some info of the logged-in Google account. From a report: A bug in Safari's IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a lookup table. For instance, Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID. Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user's profile picture is revealed. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved.
Government

Why Many California Police Departments Are Now Encrypting Their Radio Communications (sandiegouniontribune.com)

"The San Diego County Sheriff's Department last week encrypted its radio communications, blocking the public from listening to information about public safety matters in real time," reports the San Diego Union Tribune: The department is the latest law enforcement agency in the county and state to cut off access to radio communications in response to a California Department of Justice mandate that required agencies to protect certain personal information that law enforcement personnel obtain from state databases. Such information — names, drivers license numbers, dates of birth and other information from the California Law Enforcement Telecommunications System, or CLETS — sometimes is broadcast over police radios.

The October 2020 mandate gave agencies two options: to limit the transmission of database-obtained personal information on public channels or to encrypt their radio traffic. Police reform advocates say the switch to encrypted channels is problematic. The radio silence, they say, will force members of the public, including the news media, to rely on law enforcement agencies' discretion in releasing information about public safety matters....

A sheriff's spokesperson has said the department is exploring ways to disseminate information about incidents as they unfold. One idea is an online page that would show information about calls to which deputies respond.

Microsoft

Microsoft Detects Lurking Malware On Ukrainian Computers (bdnews24.com)

"Microsoft warned on Saturday evening that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine," reports the New York Times, "that appeared to be waiting to be triggered by an unknown actor...."

The Times reports that the malware "bears some resemblance" to NotPetya, the widespreading 2017 malware which "American intelligence officials later traced to Russian actors."

The discovery comes in the midst of what the Times earlier called "the security crisis Russia has ignited in Eastern Europe by surrounding Ukraine on three sides with 100,000 troops and then, by the White House's accounting, sending in saboteurs to create a pretext for invasion."

Long-time Slashdot reader 14erCleaner shares the Times' latest report: In a blog post, [Microsoft] said that on Thursday — around the same time government agencies in Ukraine found that their websites had been defaced — investigators who watch over Microsoft's global networks detected the code. "These systems span multiple government, nonprofit and information technology organizations, all based in Ukraine," Microsoft said.... The code appears to have been deployed around the time that Russian diplomats, after three days of meetings with the United States and NATO over the massing of Russian troops at the Ukrainian border, declared that the talks had essentially hit a dead end....

Microsoft said that it could not yet identify the group behind the intrusion, but that it did not appear to be an attacker that its investigators had seen before. The code, as described by the company's investigators, is meant to look like ransomware — it freezes up all computer functions and data, and demands a payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage, not raise cash.

It is possible that the destructive software has not spread too widely and that Microsoft's disclosure will make it harder for the attack to metastasize. But it is also possible that the attackers will now launch the malware and try to destroy as many computers and networks as possible.... Warnings like the one from Microsoft can help abort an attack before it happens, if computer users look to root out the malware before it is activated. But it can also be risky. Exposure changes the calculus for the perpetrator, who, once discovered, may have nothing to lose in launching the attack, to see what destruction it wreaks.

So far there is no evidence that the destructive malware has been unleashed by the hackers who placed it in the Ukrainian systems....

The new attack would wipe hard drives clean and destroy files. Some defense experts have said such an attack could be a prelude to a ground invasion by Russia. Others think it could substitute for an invasion, if the attackers believed a cyberstrike would not prompt the kind of financial and technological sanctions that [U.S. President] Biden has vowed to impose in response.

Ukraine's Ministry of Digital Development issued a statement that "All evidence indicates that Russia is behind the cyberattack. Moscow continues to wage a hybrid war and is actively building up its forces in the information and cyberspaces." While the Associated Press reported the statement, the Times notes that the ministry provided no evidence, "and early attribution of attacks is frequently wrong or incomplete."

But the Times also cites U.S. national security adviser Jake Sullivan as saying "If it turns out that Russia is pummeling Ukraine with cyberattacks, and if that continues over the period ahead, we will work with our allies on the appropriate response."
Google

California Judge Rules Google's Confidentiality Agreements Break the State's Labor Laws (msn.com)

"A California judge ruled this week that the confidentiality agreements Google requires its employees to sign are too broad and break the state's labor laws," reports the Washington Post, calling it "a decision that could make it easier for workers at famously secret Big Tech firms to speak openly about their companies." A Google employee identified as John Doe argued that the broad nondisclosure agreement the company asked him to sign barred him from speaking about his job to other potential employers, amounting to a non-compete clause, which are illegal in California. In a Thursday ruling in California Superior Court, a judge agreed with the employee, while declining to make a judgment on other allegations that Google's agreements blocked whistleblowing and sharing information about wages with other workers.

The ruling marks the latest victory for labor advocates who have sought to force Big Tech companies to relax the stringent confidentiality policies that compel employees to stay quiet about every aspect of their jobs, even after they quit....

The decision isn't final and could still be appealed by Google.... If Google doesn't appeal, or loses the appeal, it could have a real impact on how much power companies hold over employees, said Ramsey Hanafi, a partner with QH Law in San Francisco. "It would mean most of these Big Tech companies would have to rewrite their agreements," Hanafi said. "They all have this broad language that employees can't say anything about anything about their old companies...."

In its opinion, the California Courts of Appeal affirmed the importance of the state's labor laws that go further than federal laws in protecting employees' rights to free speech. Those laws give workers in California the right to "speak as they choose about their work lives," the court wrote. "In sum, these statutes establish as a minimum employment standard an employee anti-gag rule...."

The lawsuit was originally filed in 2016, the article points out, and has been responsible for exposing several internal Google documents (including one detailing a program where employees can report suspected leakers of Google information).
Security

People Building 'Blockchain City' in Wyoming Scammed by Hackers (vice.com)

CityDAO -- the group that bought 40 acres of Wyoming in hopes of "building a city on the Ethereum blockchain" -- announced this week that its Discord server was hacked and members' funds were successfully stolen as a result. From a report: "EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. THERE IS NO LAND DROP. DO NOT CONNECT YOUR WALLET," the project's Twitter account declared. CityDAO is a "decentralized autonomous organization" that hopes to collectively govern a blockchain city, offering citizenship and governance tokens in exchange for the purchase of a "land NFT" bestowing ownership rights to a plot of land. Like many other cryptocurrency, NFT, and DAO projects, CityDAO's community lives on Discord, a popular service chiefly designed for gamers but which has become an indispensable part of the crypto ecosystem. On Discord, CityDAO issues announcements, updates, answers questions, hosts a community, and issues alerts for "land drops," or opportunities to buy NFTs that represent parcels of land.

The attack worked by compromising the Discord account of a moderator, a core-team member and early investor who goes by Lyons800. They detailed the angle of attack in a Twitter thread the following day. First, the attacker posted a doctored screenshot showing a conversation with Lyons800 in another Discord server, claiming that he was scamming people there. Lyons800 offered to prove it wasn't him and got on a voice call with the scammer, who convinced the moderator to let them inspect their console. From there, the scammer obtained Lyons800's Discord authentication token that let them hijack the account. In a tweet, Lyons800 described this as "a ridiculous security breach from Discord." From here, the scammer launched a webhook attack to exploit CityDAO and BaconDAO -- a group that describes itself as an "investors guild" that educates its members -- where Lyons800 is a co-founder. Webhooks are best thought of as tools that connect Discord servers to other websites, and are often used to send automated messages and updates.

Intel

Intel's Dropping of SGX Prevents Ultra HD Blu-Ray Playback on PCs (ghacks.net)

Intel removed the security feature SGX from processors of the 11th and newer generations. Problem is, the feature is one of the requirements to play Ultra HD Blu-Ray discs on computer systems. From a report: The Ultra HD Blu-Ray format, often referred to as 4K Ultra HD or 4K Blu-Ray, supports 4K UHD playback with a pixel resolution of 3840x2160. One of the requirements for playback of Ultra HD Blu-Ray discs on PCs is that SGX is supported by the installed processor and by the motherboard firmware. The Blu-Ray Disc Association defined DRM requirements for Ultra HD Blu-Ray disc playback. Besides SGX, playback is protected by HDCP 2.2 and AACS 2.0, with some discs using AACS 2.1. Intel Software Guard Extensions (SGX) "allow user-level as well as operating system code to define private regions of memory, called enclaves, whose contents are protected and unable to be either read or saved by any process outside the enclave itself, including processes running at higher privilege levels" according to Wikipedia.
Security

FSB Arrests 14 Members of REvil Ransomware Gang (therecord.media)

An anonymous reader writes: The Russian Federal Security Service (FSB) said today that it has raided and shut down the operations of the REvil ransomware gang. Raids were conducted today at 25 residences owned by 14 members suspected to be part of the REvil team across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions. Authorities said they seized more than 426 million rubles, $600,000, and 500,000 euro in cash, along with cryptocurrency wallets, computers, and 20 expensive cars. The REvil gang is responsible for ransomware attacks against Apple supplier Quanta, Kaseya, and JBS Foods.
IT

Cyberattack Hits Ukrainian Websites as Russia Tensions Mount (bloomberg.com)

Ukraine's worst cyberattack in four years brought down the websites of scores of government agencies for hours. Authorities didn't immediately identify the source of the hacks, which took place as tensions with Russia intensified over its troop buildup across the border. From a report: Seventy government agencies were hit, including the Foreign and Agriculture Ministries, Viktor Zhora, the deputy head of the state agency in charge of special communication and information protection, said Friday. Authorities are investigating and will have their first conclusions later in the day, he said. "There was no leak of important data, the content of the websites was not damaged," Zhora said. "We are collecting digital evidence and analyzing data to understand the full chain of this attack." Ukraine has previously accused Russia of mounting major cyberattacks against its digital infrastructure. Relations between the two former Soviet partners have worsened since the ouster of a Russian-backed president in 2014 and Moscow's subsequent annexation of Crimea.
Encryption

Federal Investigators Say They Used Encrypted Signal Messages To Charge Far-Right Militia Group Leader (cnbc.com)

JoeyRox shares a report from CNBC: Federal investigators claimed to access encrypted Signal messages used to help charge the leader of the Oath Keepers, an extremist far-right militia group, and other defendants in a seditious plot on Jan. 6, 2021. It's not clear how investigators gained access to the messages. One possibility is that another recipient with access to the messages handed them over to investigators. The complaint references group messages run on the app, so it's possible another participant in those chats cooperated.
Security

Scammers Put Fake QR Codes On Parking Meters To Intercept Parkers' Payments (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Scammers in a few big Texas cities have been putting fake QR codes on parking meters to trick people into paying the fraudsters. Parking enforcement officers recently found stickers with fraudulent QR codes on pay stations in Austin, Houston, and San Antonio. San Antonio police warned the public of the scam on December 20, saying that "people attempting to pay for parking using those QR codes may have been directed to a fraudulent website and submitted payment to a fraudulent vendor." Similar scams were then found in Austin and Houston.

The fake QR codes reportedly directed people to a "Quick Pay Parking" website at the domain passportlab.xyz, which is now offline. It's not clear how many people -- if any -- were tricked into paying the fraudsters. "We don't use QR codes at all for this very reason, because they are easy to fake or place on the devices," Austin parking division manager Jason Redfern told KXAN. "And we heard from industry leaders that this would be a possibility." Austin accepts payments directly at the meter with coins or credit or with the Park ATX mobile payment app. [...] Houston officials found five meters with fake QR codes and removed the stickers, according to KPRC 2. While the scam seems to have been centered in Texas, it could be repeated anywhere. If you see a QR code on a parking meter, ignore it and make sure you pay the city directly.

Transportation

Teen Hacker Finds Bug That Lets Him Control 25+ Teslas Remotely (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday. David Colombo explained in the thread that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owner's faults." He claimed to be able to disable a car's remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car's exact location.

However, Colombo clarified that he could not actually interact with any of the Teslas' steering, throttle, or brakes, so at least we don't have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment. Colombo says he reported the issue to Tesla's security team, which is investigating the matter.

Security

FCC Proposes Stricter Requirements for Reporting Data Breaches (engadget.com)

The Federal Communications Commission is the next US regulator hoping to hold companies more accountable for data breaches. From a report: Chairwoman Jessica Rosenworcel has shared a rulemaking proposal that would introduce stricter requirements for data breach reporting. Most notably, the new rules would require notifications for customers affected by "inadvertent" breaches -- companies that leave data exposed would have to be just as communicative as victims of cyberattacks. The requirements would also scrap a mandatory one-week waiting period for notifying customers. Carriers, meanwhile, would have to disclose reportable breaches to the FCC in addition to the FBI and Secret Service. Rosenworcel argued the tougher rules were necessary to account for the "evolving nature" of breaches and the risks they posed to victims. People ought to be protected against larger and more frequent incidents, the FCC chair said -- that is, regulations need to catch up with reality.
Chrome

Chrome Will Limit Access To Private Networks, Citing Security Reasons (therecord.media)

Google says that its Chrome browser will soon block internet websites from querying and interacting with devices and servers located inside local private networks, citing security reasons and past abuse from malware operations. From a report: The change will take place through the implementation of a new W3C specification called Private Network Access (PNA) that will be rolled out in the first half of the year. The new PNA specification adds a mechanism inside the Chrome browser through which internet sites can ask systems inside local networks for permission before establishing a connection. If local devices, such as servers or routers fail to respond, internet websites will be blocked from connecting.
Data Storage

PCI Express 6.0 Specification Finalized: x16 Slots To Reach 128GBps (anandtech.com)

PCI Special Interest Group (PCI-SIG) has released the much-awaited final (1.0) specification for PCI Express 6.0. From a report: The next generation of the ubiquitous bus is once again doubling the data rate of a PCIe lane, bringing it to 8GB/second in each direction -- and far, far higher for multi-lane configurations. With the final version of the specification now sorted and approved, the group expects the first commercial hardware to hit the market in 12-18 months, which in practice means it should start showing up in servers in 2023. First announced in the summer of 2019, PCI Express 6.0 is, as the name implies, the immediate follow-up to the current-generation PCIe 5.0 specification. Having made it their goal to keep doubling PCIe bandwidth roughly every 3 years, the PCI-SIG almost immediately set about work on PCIe 6.0 once the 5.0 specification was completed, looking at ways to once again double the bandwidth of PCIe. The product of those development efforts is the new PCIe 6.0 spec, and while the group has missed their original goal of a late 2021 release by mere weeks, today they are announcing that the specification has been finalized and is being released to the group's members. As always, the creation of an even faster version of PCIe technology has been driven by the insatiable bandwidth needs of the industry. The amount of data being moved by graphics cards, accelerators, network cards, SSDs, and other PCIe devices only continues to increase, and thus so must bus speeds to keep these devices fed. As with past versions of the standard, the immediate demand for the faster specification comes from server operators, who are already regularly using large amounts of high-speed hardware. But in due time the technology should filter down to consumer devices (i.e. PCs) as well.
Businesses

Wordle Copycats Have Vanished From Apple's App Store (polygon.com)

The many Wordle copycats that were flooding Apple's App Store seem to have disappeared. The apps appear to have been removed by Apple shortly after their existence caused a stir on social media. From a report: Wordle itself doesn't have an official iOS app so other developers looked to hop on the coattails of the game's success. But when one in particular started bragging on Twitter about the attention his version of the app was getting, he quickly caught heat, drawing attention to both his app and the many other Wordle clones on the App Store. While there are still a few five-letter word games on the store, they don't have the name Wordle attached like the most egregious ripoffs from the last few days have. Instead these games have names like PuzzWord. There are still a few games left on the App Store that are actually called Wordle, but one was released three years ago and the other was released five years ago with very different concepts from the surprise hit developed by Josh Wardle. While the apps are now gone from the store, the question of why they're gone remains open. There's been no official word from Apple on whether or not the apps were removed because they violated a store rule, or simply because Apple no longer wanted them on the App Store. Either way, for now the only way to play real Wordle on your phone is still to navigate to the website on a browser.
Bug

T-Mobile Says It Has 'Not Broadly Blocked' iCloud Private Relay, Blames iOS 15.2 Bug For Errors (9to5mac.com)

T-Mobile has officially acknowledged a bug that has blocked some subscribers from using iCloud Private Relay when connected to cellular networking. In a statement to 9to5Mac, T-Mobile blamed this situation on a bug in iOS 15.2 and said that it has "not broadly blocked" iCloud Private Relay. From the report: It's also important to note that this bug is not only affecting T-Mobile subscribers, as the company says in its statement. Instead, it's a bug that seems to affect iOS 15.2 broadly rather than T-Mobile specifically. The issue is also still present in the latest release of iOS 15.3 beta. The full statement reads: "Overnight our team identified that in the 15.2 iOS release, some device settings default to the feature being toggled off. We have shared this with Apple. This is not specific to T-Mobile. Again though, we have not broadly blocked iCloud Phone Relay."

A solution to the problem that has worked for 9to5Mac in testing is to go to Settings, then choose Cellular, then choose your plan, and ensure that "Limit IP Address Tracking" is enabled. Make sure to complete these steps while WiFi is disabled and you are connected to your cellular network. T-Mobile has, however, acknowledged that there are situations in which it is required to block iCloud Private Relay due to technical reasons. Namely, if your account or line has content moderation features or parental controls enabled, you will be unable to use iCloud Private Relay when connected to cellular. [...] A source has also confirmed to 9to5Mac that this also applies to certain legacy plans that include the Netflix on Us perk and have Family Allowances enabled.

Chrome

Hotel Chain Switches To Chrome OS To Recover From Ransomware Attack (therecord.media)

A Scandinavian hotel chain that fell victim to a ransomware attack last month said it took a novel approach to recover from the incident by switching all affected systems to Chrome OS. The Record reports: Nordic Choice Hotels, which operates 200 hotels across Northern Europe, fell victim to a ransomware attack on December 2, when hackers encrypted some of its internal systems using the Conti ransomware strain. The attack prevented staff from accessing guest reservation data and from issuing key cards to newly arriving guests, as one of the hotel's guests told The Record in an interview last month. But in a press release today, Nordic Choice said that instead of contacting the hackers and negotiating a ransom for the decryption key that would have unlocked the infected devices, the hotel chose to migrate its entire PC fleet from Windows to Chrome OS.

"[I]n less than 24 hours, the first hotel was operating in the Chrome OS ecosystem from Google. And in the following two days, 2000 computers were converted all over the company consisting of 212 hotels in five different countries," the hotel chain explained. Kari Anna Fiskvik, VP Technology at Nordic Choice Hotels, said the hotel had already run a pilot program to test the tool before the attack as a way to save money by reusing old computers with a less-demanding OS. "So when we suddenly had to deal with the cyberattack, the decision to go all in and fasttrack the project was made in seconds," Fiskvik said. Nordic Choice said it plans to migrate another 2,000 computers to Chrome OS, on top of the 2,000 it migrated during the attack. The hotel chain said they expect to save $6.7 million by converting old computers to Chrome OS instead of buying new hardware.

Security

Hackers Can Cut the Lights With Rogue Code, Researchers Show (bloomberg.com)

Safety device used for electrical distribution worldwide could be hacked to turn off power, according to cybersecurity experts. From a report: As Ang Cui added more juice to the power grid, overhead electric lines began to glow bright orange. Then, within seconds, the power lines evaporated in a flash of smoke, leaving an entire section of Manhattan in the dark. No actual buildings or people lost power because, luckily, this was just a simulation -- a tabletop diorama of Manhattan complete with tiny copper power lines and the Statue of Liberty relocated to a pared-down Central Park. Cui's colleagues at Red Balloon Security had unleashed a few lines of malicious code that knocked out a computer designed to protect electrical lines. The real-world consequences were unmistakable: hackers could shut off power in parts of the city, an industrial plant or sports stadium by targeting the very systems designed to protect it. "Whew -- need to open a window," said Cui, Red Balloon's chief executive officer and founder, wafting his hands in an effort to clear the smoke swirling around his fourth-floor office. The charred remains of plastic poles were all that was left of the diorama's power lines.

Safety devices like the one Cui's team examined are key to the operation and stability of the modern electric grid. Known as protection relays, they cut the power when faults, or abnormal currents, threaten to damage equipment or harm people. Researchers at Red Balloon discovered vulnerabilities on a relay made by the French firm Schneider Electric SE, called the Easergy P5. The company on Tuesday published a software fix for the device, which is not yet for sale in the U.S. A Schneider Electric spokesman said the firm is "extremely vigilant of cyber threats and continually assesses and evolves our products and R&D practices to better protect our offers, and our customers' operations against them." "Upon learning of the vulnerabilities with the Schneider Electric Easergy P5 protection relay, we worked immediately to resolve them," according to the spokesman. "We urge users of the product to follow the guidance we will provide in the Jan. 11 security notification -- which includes a software patch that will address the immediate risk -- as part of our disclosure process. Users should implement general cybersecurity best practices across their operation to protect their systems."

Security

Ransomware Attack Leads To Jail Lockdown (abqjournal.com)

Bernalillo County filed an emergency notice in federal court last week because a ransomware attack made the Metropolitan Detention Center unable to comply with terms of a settlement agreement in a years-running lawsuit over jail conditions. From a report: The county last Wednesday announced its offices and systems were the victims of a cyberattack, affecting a wide variety of county government operations. Most county buildings were closed until further notice. As a result, the county-operated MDC has been unable to access its cameras since the attack, which is one of the reasons it has fallen out of compliance in the McClendon v. City of Albuquerque lawsuit, which centers on jail conditions. The attack has limited how much time inmates can spend out of their cells, and also reduced their access to telephones and tablets, according to the filing. The county also has been unable to gather data required as a condition of the settlement agreement. No visitors have been allowed. The county said in the filing that its inability to access cameras is one of the more concerning aspects of the cyberattack, which has caused the facility to be on "lockdown" since Wednesday.