Cox Communications has disclosed a data breach after a hacker impersonated a support agent to gain access to customers' personal information. BleepingComputer reports: This week, customers began receiving letters in the mail disclosing that Cox Communications learned on October 11th, 2021, that "unknown person(s)" impersonated a Cox support agent to access customer information. "On October 11, 2021, Cox learned that an unknown person(s) had impersonated a Cox agent and gained access to a small number of customer accounts. We immediately launched an internal investigation, took steps to secure the affected customer accounts, and notified law enforcement of the incident," reads the data breach notification signed from Amber Hall, Chief Compliance and Privacy Officer of Cox Communications. "After further investigation, we discover that the unknown person(s) may have viewed certain types of information that are maintained in your Cox customer account, including your name, address, telephone number, Cox account number, Cox.net email address, username, PIN code, account security question and answer, and/or the types of services that you receive from Cox."

While Cox does not state that financial information or passwords were accessed, they are advising affected customers to monitor their financial accounts and to change passwords on other accounts using the same one as the Cox customer account. Cox is offering affected customers a free one-year Experian IdentityWorks that can be used to monitor credit reports and detect signs of fraudulent activity.

An anonymous reader quotes a report from The Guardian: A German court has ruled that a man who slipped while walking a few meters from his bed to his home office can claim on workplace accident insurance as he was technically commuting. The man was working from home and on his way to his desk one floor below his bedroom, the federal social court, which oversees social security issues, said in its decision. While walking on the spiral staircase connecting the rooms, the unnamed man slipped and broke his back.

The court noted that the employee usually started working in his home office "immediately without having breakfast beforehand," but did not explain why that was relevant to the case. However, later it said that statutory accident insurance was only afforded to the "first" journey to work, suggesting that a trip on the way to get breakfast after already being in the home office could be rejected. The employer's insurance refused to cover the claim. While two lower courts disagreed on whether the short trip was a commute, the higher federal social court said it had found that "the first morning journey from bed to the home office [was] an insured work route." It ruled: "The plaintiff suffered an accident at work when he fell on the way to his home office in the morning."

The German federal court said: "If the insured activity is carried out in the household of the insured person or at another location, insurance cover is provided to the same extent as when the activity is carried out at the company premises." It is not clear if the man was working from home due to the pandemic or had done so previously. The ruling said the law applied to "teleworking positions," which are "computer workstations that are permanently set up by the employer in the private area of the employees."

JoeyRox writes: Last week, a Reddit user reported that they weren't able to call 911 using their Pixel 3 and later said they were working with Google support to figure out the issue. Yesterday, Google announced what was causing the issue in a reply to the post: an "unintended interaction between the Microsoft Teams app and the underlying Android operating system." In its comment, Google says that the bug happens when someone is using Android 10 or later and has Teams installed but isn't logged into the app. The company says that Microsoft will be releasing an update to Teams "soon" to prevent the issue and that there's an update to Android coming January 4th.

The three political parties set to form the new German government have agreed to stop buying zero-day vulnerabilities and limit the government's future use of monitoring software (spyware). From a report: The Green Party, the Social Democratic Party (SPD), and the Free Democratic Party (FDP) entered into a government coalition last month, and their new joint government cabinet is expected to be formally elected to power later today following a vote in the German Parliament.

Their political collaboration was announced last month, on November 24, and the announcement was also accompanied by a 178-page document outlining the coalition's joint core governing principles on a number of social, political, and economic topics. Among them were different IT, privacy, and cybersecurity-related issues, including two paragraphs that addressed the German's state penchant for acquiring zero-day vulnerabilities and using them in surveillance operations. "The exploitation of weak points in IT systems is in a highly problematic relationship to IT security and civil rights," the three parties said in the section dedicated to national and internal security.

Over 40 million people in the United States had their personal health information exposed in data breaches this year, a significant jump from 2020 and a continuation of a trend toward more and more health data hacks and leaks. The Verge reports: Health organizations are required to report any health data breaches that impact 500 or more people to the Office for Civil Rights at the Department of Health and Human Services, which makes the breaches public. So far this year, the office has received reports of 578 breaches, according to its database. That's fewer than the 599 breaches reported in 2020 (PDF), but last year's breaches only affected about 26 million people. Since 2015, hacks or other IT incidents have been the leading reason people have their health records exposed, according to a report (PDF) from security company Bitglass. Before then, lost or stolen devices led to the most data breaches.

British telco Virgin Media is facing a 50,000 pound financial penalty after spamming more than 400,000 opted-out customers urging them to sign back up to receive marketing bumf. The Register reports: Just one customer complained to the Information Commissioner's Office (ICO) about receiving the spam -- but that was enough to spur the regulator into investigating. In a message disguised as a routine communication about tariff prices, Virgin told the unfortunate 451,217 recipients it knew full well they'd opted out of marketing emails but wanted them to opt back in. A dischuffed customer wrote to the ICO urging action, describing the spam as "basically a service message dressed up as an attempt to get me to opt back in to marketing communications." When the ICO asked Virgin why it did this thing, the telco said the 451,000 recipients had opted out of being spammed more than a year ago, and therefore "might have changed their marketing preferences."

Even though 6,500 customers decided to opt back into receiving marketing emails as a result of the mailshot, the ICO said this wasn't enough to ignore regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. This is the bit of the law that says email marketers must have your consent before filling your mailbox with enticing new ways to part you from your hard-earned cash. "The fact that Virgin Media had the potential for financial gain from its breach of the regulation (by signing up more clients to direct marketing) is an aggravating factor, not a defense," sniffed the unamused watchdog.

Microsoft is continuing to update and refine Windows 11 two months after its public release, and the Notepad app is the latest bit of the operating system to get some attention. From a report: The updated version of the Notepad app is rolling out to Windows Insiders in the Dev channel, where the company is also testing tweaks to the taskbar and Start menu, a new-old button for setting the default web browser, an updated Media Player app, and other changes. The main changes appear pretty much as they did in the leaked Notepad screenshots from early October: the new unified title bar and menu bar pick up Windows 11's "mica" styling, as well as dark-mode support, support for switching between dark and light mode, and modernized font controls.

UnknowingFool writes: Two days before Missouri governor Michael Parson (R) accused a newspaper reporter, Josh Renaud, of "hacking" for reporting about a fixed flaw in a state website, the state government of Missouri was planning to publicly thank Renaud for alerting them of the flaw, emails show in a public records request. Two days later, however, the Governor publicly accused Renaud of crimes. Also in the request, emails show that a day before the article was published the state's cybersecurity specialist informed other state officials that "this incident is not an actual network intrusion." [Instead, the state's database was "misconfigured," which "allowed open source tools to be used to query data that should not be public."]

St Louis Dispatch reporter, Josh Renaud, had discovered that the state's website was exposing the Social Security Numbers of teachers and other school employees in the HTML code of the state's site. He informed the state who fixed the flaw, and he delayed publishing the article until after the flaw was fixed. The article was published on October 14. The same day, Governor Parson accused Renaud of cyber crimes. A week later, Parson doubled down after criticism.

Problems with some of the Amazon Web Services cloud servers are causing slow loading or failures for significant chunks of the internet. From a report: The company's widespread network of data centers powers many of the things you interact with online, so as we've seen in previous AWS outage incidents, any problem can have massive ripple effects. People started noticing problems at around 10:45AM ET. There are reports of outages for Disney Plus streaming, as well as games like PUBG, League of Legends, and Valorant. We've also noticed some problems accessing Amazon.com, as well as other Amazon products like the Alexa AI assistant, Kindle ebooks, Amazon Music, or Ring security cameras. The DownDetector list of services with spikes in their outage reports runs off nearly any recognizable name: Tinder, Roku, Coinbase, both Cash App and Venmo, and the list goes on.

An anonymous reader quotes a report from The Record: Microsoft said today that its legal team has successfully obtained a court warrant that allowed it to seize 42 domains used by a Chinese cyber-espionage group in recent operations that targeted organizations in the US and 28 other countries. Tracked by Microsoft as Nickel, but also known under other names such as APT15, Mirage, or Vixen Panda, Ke3Chang, and others, the group has been active since 2012 and has conducted numerous operations against a broad set of targets. Tom Burt, Microsoft VP of Customer Security & Trust, said today that the recent domains had been used for "intelligence gathering" from government agencies, think tanks, and human rights organizations.

Burt said the seized domains were being used to gather information and data from the hacked organizations. "Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft's secure servers will help us protect existing and future victims while learning more about Nickel's activities," Burt said in a blog post today announcing the company's legal action against Nickel domains. "Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks," he added. According to Burt, the group's victims had been hacked using compromised third-party virtual private network (VPN) suppliers or stolen credentials obtained from spear-phishing campaigns, which is in tune with similar industry reports detailing recent tactics used by Chinese espionage groups, in general.

An anonymous reader quotes a report from Ars Technica: Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies. Nobelium -- the name Microsoft gave to the intruders -- was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group's proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium's numerous feats -- and a few mistakes -- as it continued to breach the networks of some of its highest-value targets.

Mandiant's report shows that Nobelium's ingenuity hasn't wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack -- one called UNC3004 and the other UNC2652 -- have continued to devise new ways to compromise large numbers of targets in an efficient manner. Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers. The advanced tradecraft didn't stop there. According to Mandiant, other advanced tactics and ingenuities included:

• Use of credentials stolen by financially motivated hackers using malware such as Cryptbot (PDF), an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed the UNC3004 and UNC2652 to compromise targets even when they didn't use a hacked service provider.
• Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with "application impersonation privileges," which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
• The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicions.
• Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
• Gaining access to an active directory stored in a target's Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what's known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, which is the protocol that makes single sign-on, 2FA, and other security mechanisms work.
• Use of a custom downloader dubbed Ceeloader.

Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users. The Record: Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000. Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network.

Their role is to encrypt and anonymize user traffic as it enters and leaves the Tor network, creating a giant mesh of proxy servers that bounce connections between each other and provide the much-needed privacy that Tor users come for. Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report. However, despite this rule, servers with no contact information are often added to the Tor network, which is not strictly policed, mainly to ensure there's always a sufficiently large number of nodes to bounce and hide user traffic.

A group of workers at an Activision Blizzard division supporting the Call of Duty franchise plan to call out of work Monday in protest of job cuts that took place last week. The move reflects a broader labor movement taking hold at the embattled video game publisher. From a report: The workers sent a letter to management of their studio Raven Software, which is owned by Activision and works on Call of Duty: Warzone. In it, they ask the company to reinstate the dozen people who were terminated, according to a copy of the email reviewed by Bloomberg. "Those participating in this demonstration do so with the continued success of the studio at the forefront of their mind," they wrote. The job cuts targeted a team of contractors primarily responsible for testing Call of Duty: Warzone, ensuring the free-to-play game operates smoothly and without errors. The staff wasn't given a clear justification for the dismissals, said Alex Dupont, a QA tester on the team and a spokesman for the workers who are striking.

Mozilla has announced through its Mozilla Hacks blog that it plans to ship a 'novel sandboxing technology' called RLBox with Firefox 95 which it has been developing alongside researchers from the University of California San Diego and the University of Texas. From a report: It said RLBox makes it easier to isolate subcomponents of the browser efficiently and gives Mozilla more options than traditional sandboxing granted it. Mozilla said this new method of sandboxing, which uses WebAssembly to isolate potentially-buggy code, builds on a prototype that was shipped in Firefox 74 and Firefox 75 to Linux and Mac users respectively. With Firefox 95, RLBox will be deployed on all supported Firefox platforms including desktop and mobile to isolate three different modules: Graphite, Hunspell, and Ogg. With Firefox 96, two more modules, Expat and Woff2, will also be isolated.

Concerned about America's cybersecurity preparedness, the White House "is accelerating efforts to fill nearly 600,000 vacant cybersecurity positions in the public and private sectors bogging down efforts to protect digital infrastructure," reports Axios: Following a deluge of ransomware attacks targeting critical government and corporate infrastructure this year, clogs in the talent pipeline are leaving federal, cash-strapped local governments and Big Business even more susceptible to hacking. The issue has emerged repeatedly in Senate and House hearings but received little public attention until recently...

Microsoft...has pitched in by providing free cybersecurity curriculum to every public community college. A nonprofit, Public Infrastructure Security Cyber Education Systems, provides university students hands-on experience: monitoring real-time data on local government networks...

A job-tracking database funded by the Commerce Department shows there are nearly 600,000 U.S. cyber job openings nationwide.

The Department of Homeland Security recently launched a federal recruiting tool aimed at courting young, diverse talent. DHS currently has about 1,500 cybersecurity-related vacancies, affecting the agency's efforts to protect the homeland. A Senate audit found key agencies across the federal government continue to fail to meet basic cybersecurity standards, with eight of them earning a C- in the report.

Historically, local and federal government entities have struggled to compete with private sector companies, where bidding wars for talent are commonplace.

Recently a New York Times headlined asked "Is the four-day work week finally within our grasp?" Kickstarter, Shake Shack and Unilever's New Zealand unit are among those that have experimented with the four-day workweek, or have announced plans to. And after an experiment in Iceland supported the idea that the system improves worker well-being without reducing overall output, a majority of the country's workers have now moved to shorter workweeks, or will gain the right to... Roughly 1% of Iceland's working population was involved in its trials of shorter workweeks for equal pay, which ran for several years starting in 2015.

"The trials were successful," concluded a recent research report on the experiment. "Participating workers took on fewer hours and enjoyed greater well-being, improved work-life balance and a better cooperative spirit in the workplace — all while maintaining existing standards of performance and productivity...." And the extra day off means fewer commuting days, which saves time and reduces environmental impact....

Proponents of four-day weeks say the key is to rein in meetings. "You have better discipline around meetings. You're a lot more thoughtful in how you use technology," said Alex Soojung-Kim Pang, author of "Shorter," a book about the four-day workweek. He also said that a shorter week requires workers to set aside time for focused work and refrain from email or other communications during that time.

"To paraphrase William Gibson, the four-day week is already here for most companies," said Pang, an organizational strategy consultant in Menlo Park, California. "It's buried under a whole bunch of rubble of outmoded practices and bad meetings. Once you clear that stuff away, then it turns out the four-day week is well within your grasp."
And now one commentator in Newsweek reports that 83% of U.S. workers favor a shorter work week. But there's also a business case for the change, since a Microsoft experiment with a four-day work week in Japan "led to a 40 percent improvement in productivity, as measured by sales per employee...." The strongest argument for a shorter work week is that it doesn't actually require a sacrifice. Although the average American works 8.8 hours a day, not much of this time is actually spent working. If a worker is in the office but isn't working, what is the purpose of them being there? Minutes spent chatting by the water cooler, checking social media and making snacks compound into hours that could be better spent elsewhere. As noted by the historian C. Northcote Parkinson, famous for "Parkinson's Law," work "expands so as to fill the time available for its completion." I think he's right.

Deadlines focus work, and focused work is better work. It's the quality, and not the quantity, of our work that matters.... As we near the post-COVID juncture, I believe it's time to refocus our sights on the forgotten promise of the industrial revolution — to finally help employees find a better work-life balance and actually increase business' productivity and bottom line at the same time. Four great work days are always better than five average days.
It's happening. "The coronavirus pandemic has sped up a transition into more flexible and diverse working hours around the world, opening up ways of working that were unthinkable just a few years ago," reports Reuters. (The traditional model of how we work has been broken," Meghana Reddy, vice president of video messaging service Loom, told the Reuters Next conference.")

And an article in Forbes reminds us that last month Britain's Atom Bank adopted a four-day week for most of its 430 employees, reducing working hours to 34 hours per week from 37.5 hours without reducing pay. "There's even talk at the congressional level: U.S. Rep. Mark Takano, a Democrat from California, introduced a bill in July to reduce the standard work week from 40 hours to 32. The bill has 13 co-sponsors...." The four-day work week will take hold because it embodies the spirit of our times, because workers demand it, and because businesses that implement it will thrive...

Years from now we will look back on our pre-pandemic work habits and lifestyles and wonder why we worked the way we did. We will cringe to recall how we sacrificed evenings and weekends and friendships and family to work all the time. We will ponder how we allowed ourselves to sink beneath relentless professional demands and digital distractions without even noticing we were drowning.

The four-day work week is just one of the corporate experiments that will define the life-work revolution and ultimately the future of work.

The Verge reports: On Wednesday night, someone drained funds from multiple cryptocurrency wallets connected to the decentralized finance platform BadgerDAO. According to the blockchain security and data analytics Peckshield, which is working with Badger to investigate the heist, the various tokens stolen in the attack are worth about $120 million.

While the investigation is still ongoing, members of the Badger team have told users that they believe the issue came from someone inserting a malicious script in the UI of their website. For any users who interacted with the site when the script was active, it would intercept Web3 transactions and insert a request to transfer the victim's tokens to the attacker's chosen address. Because of the transparent nature of the transactions, we can see what happened once the attackers pounced. PeckShield points out one transfer that yanked 896 Bitcoin into the attacker's coffers, worth more than $50 million.

According to the team, the malicious code appeared as early as November 10th, as the attackers ran it at seemingly random intervals to avoid detection....

One of the things Badger is investigating is how the attacker apparently accessed Cloudflare via an API key that should've been protected by two-factor authentication...

"Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them," reports Bleeping Computer, "even when running the latest firmware." Slashdot reader joshuark shared their report: The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people... Researchers at IoT Inspector carried out the security tests in collaboration with CHIP magazine, focusing on models used mainly by small firms and home users. "For Chip's router evaluation, vendors provided them with current models, which were upgraded to the latest firmware version," Florian Lukavsky, CTO & Founder at IoT Inspector, told BleepingComputer via email. "The firmware versions were automatically analyzed by IoT Inspector and checked for more than 5,000 CVEs and other security issues...."

While not all flaws carried the same risk, the team found some common problems that affected most of the tested models:

- Outdated Linux kernel in the firmware
- Outdated multimedia and VPN functions
- Over-reliance on older versions of BusyBox
- Use of weak default passwords like "admin"
- Presence of hardcoded credentials in plain text form....

All of the affected manufacturers responded to the researchers' findings and released firmware patches.
The researchers demonstrated one exploit they found on one of the routers that extracted the AES key used for the firmware encryption, letting malicious firmware image updates pass verification checks on the device — and thus potentially planting malware on the router.

jd (Slashdot reader #1,658) shares another perspective on the same study from Security Week: Not all of the identified weaknesses are considered real security flaws, and for some bugs it is unclear whether exploitation is even possible. However, many of the identified vulnerabilities (ranging from 2 in AVM devices to nearly a dozen in other routers) were classified as high- and medium-severity.

Dozens of printers across the internet are printing out a manifesto that encourages workers to discuss their pay with coworkers, and pressure their employers. Motherboard reports: "ARE YOU BEING UNDERPAID?" one of the manifestos read, according to several screenshots posted on Reddit and Twitter. "You have a protected LEGAL RIGHT to discuss your pay with your coworkers. [...] POVERTY WAGES only exist because people are 'willing' to work for them." On Tuesday, a Reddit user wrote in a post that the manifesto was getting randomly printed at his job. "Which one of you is doing this because it's hilarious," the user wrote. "Me and my co-workers need answers."

Some people on Reddit have suggested that the messages are fake (i.e. printed by people with access to a receipt printer and posted for Reddit clout) or as part of a conspiracy to make it seem like the r/antiwork subreddit is doing something illegal. But Andrew Morris, the founder of GreyNoise, a cybersecurity firm that monitors the internet, told Motherboard that his firm has seen actual network traffic going to insecure receipt printers, and that it seems someone or multiple people are sending these printing jobs all over the internet indiscriminately, as if spraying or blasting them all over. Morris has a history of catching hackers exploiting insecure printers. "Someone is using a similar technique as 'mass scanning' to massively blast raw TCP data directly to printer services across the internet," Morris told Motherboard in an online chat. "Basically to every single device that has port TCP 9100 open and print a pre-written document that references /r/antiwork with some workers rights/counter capitalist messaging."

Whoever is doing this, Morris said, is doing it "in an intelligent way." "The person or people behind this are distributing the mass-print from 25 separate servers so blocking one IP isn't enough," he said. "A technical person is broadcasting print requests for a document containing workers rights messaging to all printers that are misconfigured to be exposed to the internet and we've confirmed that it is printing successfully in some number of places the exact number would be difficult to confirm but Shodan suggests that thousands of printers are exposed," he added, referring to Shodan, a tool that scans the internet for insecure computers, servers, and other devices.

Zoom is rolling out a number of new updates for its video conferencing software and one of them might finally encourage users to ensure they're on time for their next big meeting. TechRadar reports: According to a new blog post from the company, Attendance Status makes it easier for organizations to streamline the start of their Zoom Meetings by allowing meeting hosts and co-hosts using its Google Calendar or Outlook Calendar integrations to view who has accepted or declined a meeting invite. However, this new feature also gives them the ability to see whether everyone invited to a meeting has joined. If you're used to arriving earlier for video calls, you should be fine but for those that try to slink in unnoticed later on in a meeting, your boss or manager will now be aware of your absence, so tread carefully. You'll also no longer be able to use the excuse that you had to update your Zoom client as Zoom recently added a new automatic update feature for Windows and macOS that ensures everyone in a meeting is running the latest version of the company's software. Zoom is also rolling out other new features, such as the ability for users to select multiple people to control the movements of slides in a presentation. They've also "added more options for creating polls including ranked responses, matching, short and long answers and even fill in the blank," adds TechRadar. "Finally, Zoom is adding additional watermark settings to its software to help organizations and individuals get the most out of their recorded content and avoid distracting watermarks."