An anonymous reader quotes a report from MacRumors: iOS 18, iPadOS 18, and macOS Sequoia feature a new, dedicated Passwords app for faster access to important credentials. The Passwords app replaces iCloud Keychain, which is currently only accessible via a menu in Settings. Now, passwords are available directly via a standalone app for markedly quicker access, bringing it more in line with rival services. The Passwords app consolidates various credentials, including passwords, passkeys, and Wi-Fi passwords, into a single, easily accessible location. Users can filter and sort their accounts based on various criteria, such as recently created accounts, credential type, or membership in shared groups.

Passwords is also compatible with Windows via the iCloud for Windows app, extending its utility to users who operate across different platforms. The developer beta versions of iOS 18, iPadOS 18, and macOS Sequoia are available today with official release to the public scheduled for the fall, providing an early look at the Passwords app.

A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs. From a report: Visual Studio Code (VSCode) is a source code editor published by Microsoft and used by many professional software developers worldwide. Microsoft also operates an extensions market for the IDE, called the Visual Studio Code Marketplace, which offers add-ons that extend the application's functionality and provide more customization options. Previous reports have highlighted gaps in VSCode's security, allowing extension and publisher impersonation and extensions that steal developer authentication tokens. There have also been in-the-wild findings that were confirmed to be malicious.

Security researchers say they believe financially motivated cybercriminals have stolen a "significant volume of data" from hundreds of customers hosting their vast banks of data with cloud storage giant Snowflake. TechCrunch: Incident response firm Mandiant, which is working with Snowflake to investigate the recent spate of data thefts, said in a blog post Monday that the two firms have notified around 165 customers that their data may have been stolen. It's the first time that the number of affected Snowflake customers has been disclosed since the account hacks began in April. Snowflake has said little to date about the attacks, only that a "limited number" of its customers are affected. The cloud data giant has more than 9,800 corporate customers, like healthcare organizations, retail giants and some of the world's largest tech companies, which use Snowflake for data analytics.

An anonymous reader shares a report: A study claims to have proof of what some have suspected: return to office mandates are just back-channel layoffs and post-COVID work culture is making everyone miserable. HR software biz BambooHR surveyed more than 1,500 employees, a third of whom work in HR. The findings suggest the return to office movement has been a poorly-executed failure, but one particular figure stands out - a quarter of executives and a fifth of HR professionals hoped RTO mandates would result in staff leaving.

While that statistic essentially admits the quiet part out loud, there was some merit to that belief. People did quit when RTO mandates were enforced at many of the largest companies, but it wasn't enough, the study reports. More than a third (37 percent) of respondents in leadership roles believed their employers had undertaken layoffs in the past 12 months as a result of too few people quitting in protest of RTO mandates, the study found. Nearly the same number thought their management wanted employees back in the office to monitor them more closely. The end result has been the growth of a different office culture, one that's even more performative, suspicious, and divisive than before the COVID pandemic, the study concludes.

New Atlas reports on a research team that successfuly used GPT-4 to exploit 87% of newly-discovered security flaws for which a fix hadn't yet been released. This week the same team got even better results from a team of autonomous, self-propagating Large Language Model agents using a Hierarchical Planning with Task-Specific Agents (HPTSA) method: Instead of assigning a single LLM agent trying to solve many complex tasks, HPTSA uses a "planning agent" that oversees the entire process and launches multiple "subagents," that are task-specific... When benchmarked against 15 real-world web-focused vulnerabilities, HPTSA has shown to be 550% more efficient than a single LLM in exploiting vulnerabilities and was able to hack 8 of 15 zero-day vulnerabilities. The solo LLM effort was able to hack only 3 of the 15 vulnerabilities.
"Our findings suggest that cybersecurity, on both the offensive and defensive side, will increase in pace," the researchers conclude. "Now, black-hat actors can use AI agents to hack websites. On the other hand, penetration testers can use AI agents to aid in more frequent penetration testing. It is unclear whether AI agents will aid cybersecurity offense or defense more and we hope that future work addresses this question.

"Beyond the immediate impact of our work, we hope that our work inspires frontier LLM providers to think carefully about their deployments."

Thanks to long-time Slashdot reader schwit1 for sharing the article.

It was "a catastrophic IT failure," writes Computer Weekly. It was nearly two years ago that Birmingham City Council, the largest local authority in Europe, "declared itself in financial distress" — effectively declaring bankruptcy — after the costs on an Oracle project costs ballooned from $25 million to around $125.5 million.

But Computer Weekly's investigation finds signs that the program board and its manager wanted to go live in April of 2022 "regardless of the state of the build, the level of testing undertaken and challenges faced by those working on the programme." One manager's notes "reveal concerns that the program manager and steering committee could not be swayed, which meant the system went live despite having known flaws." Computer Weekly has seen notes from a manager at BCC highlighting a number of discrepancies in the Birmingham City Council report to cabinet published in June 2023, 14 months after the Oracle system went into production. The report stated that some critical elements of the Oracle system were not functioning adequately, impacting day-to-day operations. The manager's comments reveal that this flaw in the implementation of the Oracle software was known before the system went live in April 2022... An insider at Birmingham City Council who has been closely involved in the project told Computer Weekly it went live "despite all the warnings telling them it wouldn't work"....

Since going live, the Oracle system effectively scrambled financial data, which meant the council had no clear picture of its overall finances. The insider said that by January 2023, Birmingham City Council could not produce an accurate account of its spending and budget for the next financial year: "There's no way that we could do our year-end accounts because the system didn't work."
A June 2023 report to cabinet "stated that due to issues with the council's bank reconciliation system, a significant number of transactions had to be manually allocated to accounts rather than automatically via the Oracle system," according to the article. But Computer Weekly has seen a 2019 presentation slide deck showing the council was already aware that Oracle's out-of-the-box bank reconciliation system "did not handle mixed debtor/non-debtor bank files. The workaround suggested was either a lot of manual intervention or a platform as a service (PaaS) offering from Evosys, the Oracle implementation partner contracted by BCC to build the new IT system."

The article ultimately concludes that "project management failures over a number of years contributed to the IT failure."

Slashdot reader storagedude shared this report from The Cyber Express: A security researcher discovered an exploitable timing leak in the Kyber key encapsulation mechanism (KEM) that's in the process of being adopted by NIST as a post-quantum cryptographic standard. Antoon Purnal of PQShield detailed his findings in a blog post and on social media, and noted that the problem has been fixed with the help of the Kyber team. The issue was found in the reference implementation of the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) that's in the process of being adopted as a NIST post-quantum key encapsulation standard. "A key part of implementation security is resistance against side-channel attacks, which exploit the physical side-effects of cryptographic computations to infer sensitive information," Purnal wrote.

To secure against side-channel attacks, cryptographic algorithms must be implemented in a way so that "no attacker-observable effect of their execution depends on the secrets they process," he wrote. In the ML-KEM reference implementation, "we're concerned with a particular side channel that's observable in almost all cryptographic deployment scenarios: time." The vulnerability can occur when a compiler optimizes the code, in the process silently undoing "measures taken by the skilled implementer." In Purnal's analysis, the Clang compiler was found to emit a vulnerable secret-dependent branch in the poly_frommsg function of the ML-KEM reference code needed in both key encapsulation and decapsulation, corresponding to the expand_secure implementation.
While the reference implementation was patched, "It's important to note that this does not rule out the possibility that other libraries, which are based on the reference implementation but do not use the poly_frommsg function verbatim, may be vulnerable — either now or in the future," Purnal wrote.

Purnal also published a proof-of-concept demo on GitHub. "On an Intel Core i7-13700H, it takes between 5-10 minutes to leak the entire ML-KEM 512 secret key using end-to-end decapsulation timing measurements."

"Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments," reports BleepingComputer: In a report Wednesday, cybersecurity company Trend Micro says that the new Linux variant for TargetCompany ransomware makes sure that it has administrative privileges before continuing the malicious routine... Once on the target system, the payload checks if it runs in a VMware ESXi environment by executing the 'uname' command and looking for 'vmkernel.' Next, a "TargetInfo.txt" file is created and sent to the command and control (C2) server. It contains victim information such as hostname, IP address, OS details, logged-in users and privileges, unique identifiers, and details about the encrypted files and directories. The ransomware will encrypt files that have VM-related extensions (vmdk, vmem, vswp, vmx, vmsn, nvram), appending the ".locked" extension to the resulting files.

Finally, a ransom note named "HOW TO DECRYPT.txt" is dropped, containing instructions for the victim on how to pay the ransom and retrieve a valid decryption key. "After all tasks have been completed, the shell script deletes the payload using the 'rm -f x' command so all traces that can be used in post-incident investigations are wiped from impacted machines."

Thanks to long-time Slashdot reader joshuark for sharing the article.

An anonymous reader shares a report: Buy a pair of wired headphones, and you'd be forgiven for thinking they're just plug and play. Stick them into your phone, and out goes the audio up copper cables into your earholes. Simple as that. Trouble is, that straightforward mechanism has gotten more complicated, and in recent years there has been an influx of budget wired earbuds that, counterintuitively, depend on Bluetooth to function, despite having those copper cables. The problem is largely present in earbuds designed for iPhones. In 2016, Apple removed universal 3.5-mm headphone jacks in its iPhones, which means there are nearly eight years worth of iPhones out in the world -- from the iPhone 7 to the iPhone 14 -- that can connect to headphones only via Bluetooth or Apple's proprietary Lightning ports. (Apple switched to USB-C ports in its iPhones last year after legislation from the European Union put pressure on device companies to standardize connection ports.)

Apple used this move to push its wireless AirPods, and it also sells its own wired headphones that connect to its Lightning ports for $19. You can also get an official $9 dongle that adapts the Lightning port to a 3.5-mm output. These work as intended, connecting with the Lightning port to playback audio. But Apple also has strict certification processes called MFi that require any accessories for Apple products to meet certain requirements in order to work with the Lightning port as intended. That means companies have to pay for the privilege of being a genuine Apple accessory. (If you have an unlicensed accessory, you'll probably see an alert pop up every time you plug it in saying, "Accessory may not be supported.") This has led to a steady trickle of knockoff earbuds that have chosen to use roundabout ways of connecting to Apple's proprietary port. Namely, by requiring a Bluetooth connection -- even for wired buds.

Apple will introduce a new app called Passwords next week, aiming to simplify website and software logins for users, according to Bloomberg. The app -- offered as part of iOS 18, iPadOS 18, and macOS 15 -- will be unveiled at Apple's Worldwide Developers Conference on June 10. Powered by iCloud Keychain, Passwords will generate and manage passwords, allowing imports from rival services, and support Vision Pro headset and Windows computers.

An anonymous reader quotes a report from BleepingComputer: The FBI urges past victims of LockBit ransomware attacks to come forward after revealing that it has obtained over 7,000 LockBit decryption keys that they can use to recover encrypted data for free. FBI Cyber Division Assistant Director Bryan Vorndran announced this on Wednesday at the 2024 Boston Conference on Cyber Security. "From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online," the FBI Cyber Lead said in a keynote. "We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov."

This call to action comes after law enforcement took down LockBit's infrastructure in February 2024 in an international operation dubbed "Operation Cronos." At the time, police seized 34 servers containing over 2,500 decryption keys, which helped create a free LockBit 3.0 Black Ransomware decryptor. After analyzing the seized data, the U.K.'s National Crime Agency and the U.S. Justice Department estimate the gang and its affiliates have raked in up to $1 billion in ransoms following 7,000 attacks targeting organizations worldwide between June 2022 and February 2024. However, despite law enforcement efforts to shut down its operations, LockBit is still active and has since switched to new servers and dark web domains. After disrupting LockBit in February, the U.S. State Department said it is offering a reward of up to $15 million for information leading to the identification or location of the leaders of the ransomware group.

An anonymous reader shares a report: Intel's fastest processors have included hyperthreading, a technique that lets more than one thread run on a single CPU core, for over 20 years -- and it's used by AMD (which calls it "simultaneous multi-threading") as well. But you won't see a little "HT" on the Intel sticker for any Lunar Lake laptops, because none of them use it. Hyperthreading will be disabled on all Lunar Lake CPU cores, including both performance and efficiency cores. Why? The reason is complicated, but basically it's no longer needed. The performance cores or P-Cores on the new Lunar Lake series are 14 percent faster than the same cores on the previous-gen Meteor Lake CPUs, even with the multi-thread-processing of hyperthreading disabled.

Turning on the feature would come at too high a power cost, and Lunar Lake is all about boosting performance while keeping laptops in this generation thin, light, and long-lasting. That means maximizing single-thread performance -- the most relevant to users who are typically focusing on one task at a time, as is often the case for laptops -- in terms of surface area, to improve overall performance per watt. Getting rid of the physical components necessary for hyperthreading just makes sense in that context.

In a column at Windows Central, a blog that focuses on Microsoft news, senior editor Zac Bowden discusses the backlash against Windows Recall, a new AI feature in Microsoft's Copilot+ PCs. While the feature is impressive, allowing users to search their entire Windows history, many are concerned about privacy and security. Bowden argues that Microsoft's history of questionable practices, such as ads and bloatware, has eroded user trust, making people skeptical of Recall's intentions. Additionally, the reported lack of encryption for Recall's data raises concerns about third-party access. Bowden argues that Microsoft could have averted the situation by testing the feature openly to address these issues early on and build trust with users. He adds: Users are describing the feature as literal spyware or malware, and droves of people are proclaiming they will proudly switch to Linux or Mac in the wake of it. Microsoft simply doesn't enjoy the same benefit of the doubt that other tech giants like Apple may have.

Had Apple announced a feature like Recall, there would have been much less backlash, as Apple has done a great job building loyalty and trust with its users, prioritizing polished software experiences, and positioning privacy as a high-level concern for the company.

An anonymous reader shares a report: A Chinese research team says it has uncovered a significant security flaw in processor design that could have a wide impact on China's booming domestic chip industry. China was relying on the structure of the world's largest open-source CPU architecture to build their own CPUs and bypass the US chip ban, and was paying attention to any weaknesses, they said. The issue was found in RISC-V, an open-source standard used in advanced chips and semiconductors. Compared with mainstream CPU structures -- such as X86 used by Intel and AMD --RISC-V offers free access and can be modified without restriction.

The flaw allows attackers to bypass the security protections of modern processors and operating systems without administrative rights, leading to the potential theft of protected sensitive information and breaches of personal privacy. The vulnerability was confirmed by the team of Professor Hu Wei at Northwestern Polytechnical University (NPU), a major defence research institute in Shaanxi province. The researchers are experienced in hardware design security, vulnerability detection and cryptographic application safety. It was first reported by the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT) on April 24, and NPU gave further details in an official announcement on May 24.

An anonymous reader shares a report: Popular app Bartender was quietly bought, and a shady certificate replacement, insertion of invasive telemetry, and a lack of transparent responses by the new owners has shaken confidence in the Mac community. Menu bar organization tool Bartender has been around for a long time. For most of its life, it had an excellent reputation, and a responsive developer who communicated clearly with users. That appears to have changed, recently. It all started with a quiet pair of app certificate shifts which went mostly unnoticed.

That is, until app monitoring service MacUpdater found out, and started asking questions. They posted a warning about the app, saying that "The company and developer behind Bartender was replaced in a silent and dubious matter." But, there's a lot more to the story than just that warning. CoreCode, the developer of MacUpdater, did a great deal of research on the new owners and the app situation prior to posting the warning. They detailed their discoveries in a Reddit thread on the matter. Research performed before the warning pointed out that blog entries on the Bartender website shifted to heavily search engine optimized content. This is in contrast to the prior informational entries previously posted by original developer Ben Surtees.

Microsoft is ending support for Windows 10 in October 2025, but the company is now taking the unusual step of reopening its beta program for Windows 10 to test new features and improvements. From a report: Windows 10 already got the AI Copilot feature that was originally exclusive to Windows 11, and it may well get other features soon. "To bring new features and more improvements to Windows 10 as needed, we need a place to do active feature development with Windows Insiders," explains Microsoft's Windows Insider team in a blog post. "So today, we are opening the Beta Channel for Windows Insiders who are currently on Windows 10."

Microsoft hasn't revealed what additional Windows 10 features it plans to test next, but Windows Insiders can opt into the beta channel to get them early. Crucially, the Windows 10 end of support date of October 14th, 2025 is still unchanged. "Joining the Beta Channel on your Windows 10 PC does not change that," says Microsoft.

A Google contractor used admin privileges to access private information from Nintendo's YouTube account about an upcoming Yoshi game in 2017, which later made its way to Reddit before Nintendo announced the game, according to a copy of an internal Google database detailing potential privacy and security incidents obtained by 404 Media. From the report: The news provides more clarity on how exactly a Redditor, who teased news of the new Yoshi game, which was later released as Yoshi's Crafted World in 2019, originally obtained their information. A screenshot in the Reddit post shows a URL that starts with www.admin.youtube.com, which is a Google corporate login page. "Google employee deliberately leaked private Nintendo information," the entry in the database reads. The database obtained by 404 Media includes privacy and security issues that Google's own employees reported internally.

jd writes: There aren't many details yet, but a private company used by the National Health Service in London was hit by a ransomware attack today, leading to cancelled operations and cancelled tests. The provider has been hit multiple times this year and is obviously not bothering with making any improvements in cybersecurity. There really should be legal requirements when it comes to maintaining what is de-facto critical infrastructure.

From the article:

"Major NHS hospitals in London have been hit by a cyber-attack, which is seriously disrupting their services, including blood tests and transfusions. The ransomware attack is having a "major impact" on the care provided by Guy's and St Thomas' NHS trust, its chief executive has told staff in a letter. The attack is understood to affect other hospitals, including King's College hospital, and has left them unable to connect to the servers of the private firm that provides their pathology services.

Synnovis, an outsourced provider of lab services to NHS trusts across south-east London, was the target of the attack, believed to be a form of ransomware, a piece of software which locks up a computer system to extort a payment for restoring access. According to one healthcare worker, the labs were still functional, but communication with them was limited to paper only, imposing a huge bottleneck and forcing cancellation or reassignment of all but the most urgent bloodwork. Direct connections with Synnovis' servers were cut to limit the risk of the infection spreading. ...
This is the third attack in the last year to hit part of the Synlab group, a German medical services provider with subsidiaries across Europe. In June 2023, ransomware gang Clop hacked and stole data from the French branch of the company just days after it hit headlines for bringing down a payroll provider for companies including BA, Boots and the BBC. Clop published the stolen data later that summer."

An anonymous reader shares a report: A Ticketmaster data breach that allegedly includes details for 560 million accounts and another one affecting Santander have been linked to their accounts at Snowflake, a cloud storage provider. However, Snowflake says there's no evidence its platform is at fault. A joint statement to that effect made last night with CrowdStrike and Mandiant, two third-party security companies investigating the incident, lends additional credibility to the claim.

Also, an earlier third-party report saying bad actors generated session tokens and may have compromised "hundreds" of Snowflake accounts has now been removed. Hudson Rock, the security firm behind that report, posted a statement of its own today on LinkedIn: "In accordance to a letter we received from Snowflake's legal counsel, we have decided to take down all content related to our report." A post from Snowflake says, "To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted."

An anonymous reader quotes a report from The Register: Billions of records detailing people's personal information may soon be dumped online after being allegedly obtained from a Florida firm that handles background checks and other requests for folks' private info. A criminal gang that goes by the handle USDoD put the database up for sale for $3.5 million on an underworld forum in April, and rather incredibly claimed the trove included 2.9 billion records on all US, Canadian, and British citizens. It's believed one or more miscreants using the handle SXUL was responsible for the alleged exfiltration, who passed it onto USDoD, which is acting as a broker. The pilfered information is said to include individuals' full names, addresses, and address history going back at least three decades, social security numbers, and people's parents, siblings, and relatives, some of whom have been dead for nearly 20 years. According to USDoD, this info was not scraped from public sources, though there may be duplicate entries for people in the database.

Fast forward to this month, and the infosec watchers at VX-Underground say they've not only been able to view the database and verify that at least some of its contents are real and accurate, but that USDoD plans to leak the trove. Judging by VX-Underground's assessment, the 277.1GB file contains nearly three billion records on people who've at least lived in the United States -- so US citizens as well as, say, Canadians and Brits. This info was allegedly stolen or otherwise obtained from National Public Data, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. There is a small silver lining, according to the VX team: "The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present." So, we guess this is a good lesson in opting out.