Businesses

'We're in a Hurry.' Qualcomm New CEO Scrambles To Cope With a Global Chip Crisis. (wsj.com) 28

Cristiano Amon is the new boss of Qualcomm, a U.S. tech giant that designs semiconductors. His first task: Convince companies to make more chips for him -- and fast. From a report: Months before Cristiano Amon started as CEO of Qualcomm, he already was at work on his first crisis. To solve it, he sat in a mostly empty meeting room in Taipei and pleaded with executives from one of the world's biggest semiconductor makers for more chips. He needed the help so that Qualcomm, a designer of circuits that go into hundreds of millions of electronic devices every year, could chase new markets and meet demand from big customers such as Apple, Samsung Electronics and China's top handset-makers. In fact, he needed the assistance so much that he got permission from the Taiwanese government to arrive in March and then waited through a three-day quarantine. Once he and his team got to the meeting place in a Taipei hotel, they negotiated with counterparts across a large room outfitted with microphones and speakers to communicate.

"I'm a very big believer that sometimes you have to meet folks in person," said Mr. Amon, who was named CEO in January and officially took over in June. Many new CEOs across the business world had to adjust to their roles amid unprecedented pandemic-era restrictions, getting to know key employees without ever meeting them in person and managing offices and business relationships from far away. Few can say they had a more tumultuous transition than Mr. Amon, a gregarious Brazilian who revels in person-to-person contact. He is juggling a cluster of major challenges -- a global chip shortage, a sudden shift in a key market, and an unexpected acquisition opportunity -- while trying to put his own stamp on a company after working there for more than two decades. He wants to focus on an expansion beyond Qualcomm's core mobile-phone chip business, a shift that began before he took over. "I've been doing many things in parallel and I want to succeed in them all," he said in an interview. "I can't afford not to do them because we're in a hurry."

Cloud

Is It Time to Stop Paying For a VPN? (bdnews24.com) 113

"I'm done with paying for a virtual private network," writes the New York Times' lead consumer technology writer. The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy, some security researchers said.

Many of the most popular VPN services are now also less trustworthy than in the past because they have been bought by larger companies with shady track records. That's a deal-breaker when it comes to using a VPN service, which intercepts our internet traffic. If you can't trust a product that claims to protect your privacy, what good is it? "Trusting these people is really critical," Matthew Green, a computer scientist who studies encryption, said about VPN providers. "There's no good way to know what they're doing with your data, which they have huge amounts of control over...."

As a mainstream privacy tool, it's no longer an ideal solution. This sent me down a rabbit hole of seeking alternatives to paying for a VPN. I ended up using some web tools to create my own private network [on the cloud] for free, which wasn't easy... Not only is it free to use, but I no longer have to worry about trust because the operator of the technology is me.

"But I also learned that many casual users may not even need a VPN anymore," the article concludes. (Unless you're living in an authoritarian country and trying to reach information beyond its firewall.) One cybersecurity firm tells the Times that journalists with sensitive contacts or business executives carrying trade secrets might also still benefit from a VPN. But (according to the firm) the rest of us can just try two-factor authentication and keeping all of our software up-to-date. (And if you'd rather not use a public wifi network — use your phone as a mobile hot spot.)

The article also notes that 95% of the top 1,000 websites are now already encrypted with HTTPS, according to W3Techs.

It also points out that one VPN company accused of developing malware nonetheless spent close to a billion dollars to buy at least four other VPN services — and then also bought several VPN review sites, which then give top ratings to VPN services it owns...

Security

What Really Motivated the Breaches of Twitch and Epik? (msn.com) 21

The Washington Post explores recent breaches at Twitch and Epik — and asks whether they really signal an upsurge in "hacktivism": The perpetrators of these hacks are distancing themselves from financially driven cybercriminals and ransomware gangs by portraying their attacks as moral crusades against what they said were the companies' sins. In celebratory notes released alongside their data dumps, the Epik hackers said they were sick of the company serving hateful websites, while the Twitch hackers used a hashtag criticizing company efforts to confront harassment and said the site had become a "disgusting cesspool...." Allan Liska, a senior intelligence analyst with the cybersecurity firm Recorded Future, said the growing accessibility and sophistication of hacking tools and the ease with which social media can draw attention to a major hack has contributed to a dramatic upsurge in attacks by "hacktivists..."

[The attacks] also showcase how weak the world's cybersecurity defenses remain despite an eruption of concern after this year's major ransomware attacks, including the crippling cyberattack on Colonial Pipeline that brought panic to fuel markets on the East Coast... Troy Hunt, a security consultant in Australia who created the data-breach notification site Have I Been Pwned, said many such hacks are actually crimes of opportunity, with a loftier mission applied later. He recalled a popular information security joke: "The definition of hacktivist is you hack someone, then make up a reason they deserve it."

"Very often the politically motivated reasons we see are convenient excuses," Hunt said.

Security

New 'FontOnLake' Malware Family Can Target Linux Systems (securityweek.com) 26

Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.

The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."

IT

New Data: Tech Companies Expand Hiring From 'Tech Hubs' to 'All Over The Place' (nytimes.com) 28

"Just two years ago the metropolitan areas that serve as the nation's technology hubs seemed to be sucking tech jobs away from other parts of the country," remembers business writer Peter Coy in the New York Times. "A Brookings Institution report in December 2019 noted that just five cities — Boston, San Diego, San Francisco, Seattle and San Jose, Calif. — accounted for more than 90 percent of employment growth in the innovation sector from 2005 to 2017.

"The trend is now in the other direction: The tech hubs' share of employment is falling." This development was already starting in 2019, and the Covid-19 pandemic has accelerated it. Newspapers are full of stories about Silicon Valley tech workers moving to parts of the country where the housing is cheaper and the fishing is better... Employers seem to be benefiting from the trend: Mark Muro, a Brookings senior fellow, told The Wall Street Journal in July that tech companies, by letting people work outside their home offices, can "truly access lost Einsteins all across the country."

The evidence for this shift used to be mostly anecdotal. Now there's hard data. It comes from the Conference Board, a business-supported research organization. Gad Levanon, the founder of the board's Labor Market Institute, gave me a preview of data he has collected using software that tracks almost all the online want ads in the United States. He focused on ads placed by tech employers based in five tech hubs — the same five as those surveyed by Brookings in 2019, except with Los Angeles in place of Boston. His findings? "West Coast tech companies are dramatically shifting their hiring to other parts of the U.S.," Levanon wrote to me in an email. "Not just for tech jobs, but also engineers, scientists, managers, business and financial professionals."

Levanon also analyzed the data according to where new jobs are being offered. "They are moving to all over the place," he wrote me. Some of the jobs, he explained, are in metropolitan areas where the employers were already established — such as New York, Washington, Boston and Austin, Texas. "But some of the shift," he said, "is to areas where they barely hired before" — like Boise, Idaho, and Des Moines, Iowa. Because of the pandemic, employers have gotten more comfortable with hiring people who don't work at their companies' headquarters, Levanon says. Some new hires may be working at home while others are in satellite offices. Casting the net wider gives companies access to more talent — including people who may work for lower salaries because their living costs are cheaper elsewhere.

Google

Google Warns 14,000 Gmail Users Targeted By Russian Hackers (bleepingcomputer.com) 13

Google has warned about 14,000 of its users about being targeted in a state-sponsored phishing campaign from APT28, a threat group that has been linked to Russia. BleepingComputer reports: Shane Huntley, who is at the helm of Google's Threat Analysis Group (TAG) that responds to government-backed hacking, notes that the higher-than-usual number of alerts this month comes "from a small number of widely targeted campaigns which were blocked." The campaign from APT28, also known as Fancy Bear, led to a larger number of warnings for Gmail users across various industries. In a statement sent by a Google spokesperson, Huntley says that Fancy Bear's phishing campaign accounts for 86% of all the batch warnings delivered this month. He explains that these notifications indicate targeting of the recipient, not a compromise of their Gmail account: "So why do we do these government warnings then? The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions."

Huntley says that these warnings are normal for individuals such as activists, journalists, government officials, or people that work in national security structures because that's who government-backed entities are targeting. All the phishing emails from the Fancy Bear campaign were blocked by Gmail and did not land in the users' inboxes as they were automatically classified as spam. "As we've previously explained, we intentionally send these notices in batches, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies," Huntley said.

Beer

BrewDog Exposes Data of 200,000 Customers and Shareholders (techradar.com) 13

An anonymous reader quotes a report from TechRadar: BrewDog, one of the world's largest craft beer brewers, has exposed personally identifiable information (PII) belonging to more than 200,000 of its shareholders and customers, according to cybersecurity researchers. Cybersecurity consulting firm PenTest Partners discovered that a flaw in the official BrewDog app, which persisted for more than 18 months, made it easy for anyone to access the PII of other users. In its detailed report, PenTest Partners notes that the mobile app doled out the same hard-coded API Bearer Token, which effectively rendered request authorization useless. The researchers say that, thanks to the flaw, any user could append the customerID of another user to the API endpoint URL to extract their PII and other details. In addition to being damaging to the user, the flaw could've also been used to adversely affect the company since the leaked details could've been used to generate QR codes to get discounted and even free beers. BrewDog started using hard-coded tokens with v2.5.5 of its app, launched in March 2020, before finally patching the flaw in the v2.5.13 release in September 2021.

Facebook

Facebook Says Some of Its Services Are Having Issues Again (theverge.com) 32

Instagram has been experiencing issues for many of us here at The Verge, but it turns out that the problem might be broader than that, according to a statement from Facebook. From a report: "We're aware that some people are having trouble accessing our apps and products," Facebook said in a tweet. "We're working to get things back to normal as quickly as possible and we apologize for any inconvenience."

Google

Google To Give Security Keys To 'High Risk' Users Targeted by Government Hackers (techcrunch.com) 23

Google has said it will provide 10,000 "high-risk" users with free hardware security keys, days after the company warned thousands of Gmail users that they were targeted by state-sponsored hackers. From a report: The warning, sent by Google's Threat Analysis Group (TAG), alerted more than 14,000 Gmail users that they had been targeted in a state-sponsored phishing campaign from APT28, also known as Fancy Bear, said to be made up of operatives of Russia's GRU intelligence agency. Fancy Bear has been active for more than a decade but it's widely known for hacking into the Democratic National Committee and its disinformation and election influencing campaign in the run-up to the 2016 U.S. presidential election. "These warnings indicate targeting not compromise. If we are warning you there's a very high chance we blocked," Google's TAG director Shane Huntley wrote in a Twitter thread on Thursday. "The increased numbers this month come from a small number of widely targeted campaigns which were blocked."

Security

Twitch Defaced With Pictures of Jeff Bezos (theverge.com) 18

Hackers have managed to deface Twitch for a few hours this morning, replacing a number of background game images with photos of Amazon CEO Jeff Bezos. From a report: Users reported seeing images of Bezos in the listings for GTA V, Dota 2, Smite, Minecraft, Apex Legends, and many more on the Amazon-owned service. It's not clear how the background images were changed or whether this latest incident was aided by a huge security breach at Twitch earlier this week. Hackers were able to exploit a server misconfiguration and steal hundreds of gigabytes of information. Twitch is still investigating the breach, and so far a wealth of information pertaining to the website's source code, unreleased projects, and even how much the top streamers make has been released.

Crime

Car Thieves Arrested After Using $27,000 Game Boy Device (bbc.com) 104

An anonymous reader quotes a report from the BBC: A gang of car thieves used a handheld device disguised as a Nintendo Game Boy to steal vehicles worth $245,000. Dylan Armer, Christopher Bowes and Thomas Poulson stole five Mitsubishi Outlanders by using the gadget to bypass the cars' security systems. West Yorkshire Police said the device, worth $27,000, could unlock and start a car "in a matter of seconds." The trio, all from Yorkshire, were jailed at Leeds Crown Court after pleading guilty to conspiracy to steal. CCTV footage of the theft showed them unplug the car from its charging point before using the device to unlock and start it. When officers stopped the three men they found the Game Boy-style gadget hidden in a secret compartment of their car. Police said footage recovered from Poulson's phone showed him demonstrating "how quickly and easily the gadget gave them full access to the vehicles, accompanied by a commentary in mocking tones." The force added that the "significant investment required to buy one of the sophisticated devices suggested the thefts were planned and orchestrated crimes."

Security

Hackers of SolarWinds Stole Data On US Sanctions Policy, Intelligence Probes (reuters.com) 12

An anonymous reader writes: The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country's response to COVID-19, people involved in the investigation told Reuters. The hacks were widely publicized after their discovery late last year, and American officials have blamed Russia's SVR foreign intelligence service, which denies the activity. But little has been disclosed about the spies' aims and successes. [...] It has been previously reported that the hackers breached unclassified Justice Department networks and read emails at the departments of treasury, commerce and homeland security. Nine federal agencies were breached. The hackers also stole digital certificates used to convince computers that software is authorized to run on them and source code from Microsoft (MSFT.O) and other tech companies. One of the people involved said that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.

In an annual threat-review paper released on Thursday, Microsoft said the Russian spies were ultimately looking for government material on sanctions and other Russia-related policies, along with U.S. methods for catching Russian hackers. Cristin Goodwin, general manager of Microsoft's Digital Security Unit, said the company drew its conclusions from the types of customers and accounts it saw being targeted. In such cases, she told Reuters, "You can infer the operational aims from that." Others who worked on the government's investigation went further, saying they could see the terms that the Russians used in their searches of U.S. digital files, including "sanctions."

Chris Krebs, the former head of U.S. cyber-defense agency CISA and now an adviser to SolarWinds and other companies, said the combined descriptions of the attackers' goals were logical. "If I'm a threat actor in an environment, I've got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense," Krebs said. The second thing is to learn how the target responds to attacks, or "counter-incident response," he said: "I want to know what they know about me so I can improve my tradecraft and avoid detection."

Microsoft

Microsoft: Russia Behind 58% of Detected State-backed Hacks (apnews.com) 33

Russia accounted for most state-sponsored hacking detected by Microsoft over the past year, with a 58% share, mostly targeting government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members, the company said. From a report: The devastating effectiveness of the long-undetected SolarWinds hack -- it mainly breached information technology businesses including Microsoft -- also boosted Russian state-backed hackers' success rate to 32% in the year ending June 30, compared with 21% in the preceding 12 months. China, meanwhile, accounted for fewer than 1 in 10 of the state-backed hacking attempts Microsoft detected but was successful 44% of the time in breaking into targeted networks, Microsoft said in its second annual Digital Defense Report, which covers July 2020 through June 2021.

While Russia's prolific state-sponsored hacking is well known, Microsoft's report offers unusually specific detail on how it stacks up against that by other U.S. adversaries. The report also cited ransomware attacks as a serious and growing plague, with the United States by far the most targeted country, hit by more than triple the attacks of the next most targeted nation. Ransomware attacks are criminal and financially motivated. By contrast, state-backed hacking is chiefly about intelligence gathering -- whether for national security or commercial or strategic advantage -- and thus generally tolerated by governments, with U.S. cyber operators among the most skilled. The report by Microsoft, which works closely with Washington government agencies, does not address U.S. government hacking.

Microsoft

Microsoft Makes a Mouse From Recycled Ocean Plastic (microsoft.com) 49

New submitter myinnerbanjo writes: With plastics in oceans becoming more and more of a global disaster, Microsoft uses recycled ocean plastic to create a new computer mouse:

"We wanted to do something that's different," said Corinne Holmes, director of environmental compliance, Windows & Devices. "I don't want the clean stuff. We wanted to push the bar. This plastic wasn't from a collection bin sitting on the beach. It was recovered out of a river. It's dirty. It was sitting there for six months, not three weeks."


Security

Twitch's Security Problems Started Long Before This Week's Hack (theverge.com) 19

A massive security breach at Twitch has exposed a wealth of information pertaining to the website's source code, unreleased projects, and even how much the top streamers make. As data analysts and journalists work to decipher what exactly is contained in the hundreds of gigabytes of information, others are still wondering how this happened. From a report: Such a breach seemed like it was increasingly likely to some. The Verge has spoken to multiple sources who claim that during their time at Twitch, the company valued speed and profit over the safety of its users and security of its data. This data breach, which Twitch blames on an error to a server configuration, is the latest in a series of security and moderation problems that have plagued the Amazon-owned streaming platform. In August, hate raids in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech erupted across Twitch. Streamers banded together to create the #twitchdobetter hashtag and organized a walkout on September 1st to bring attention to the problem and spur Twitch to deploy safety measures to stem the hate tide. In response, Twitch acknowledged streamers' complaints, urged patience, and promised it was working on tools that would help to better protect streamers and their communities.

Security

US To Tell Critical Rail, Air Companies To Report Hacks, Name Cyber Chiefs (reuters.com) 23

The Transportation Security Administration will introduce new regulations that compel the most important U.S. railroad and airport operators to improve their cybersecurity procedures, Homeland Security Secretary Alejandro Mayorkas said on Wednesday. From a report: The upcoming changes will make it mandatory for "higher-risk" rail transit companies and "critical" U.S. airport and aircraft operators to do three things: name a chief cyber official, disclose hacks to the government and draft recovery plans for if an attack were to occur. The planned regulations come after cybercriminals attacked a major U.S. pipeline operator, causing localized gas shortages along the U.S. East Coast in May. The incident led to new cybersecurity rules for pipeline owners in July.

"Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security," Mayorkas said. "The last year and a half has powerfully demonstrated what's at stake." A key concern motivating the new policies comes from a growth in ransomware attacks against critical infrastructure companies.

Security

Navy Facebook Account Hacked To Stream 'Age of Empires' (vice.com) 37

An anonymous reader quotes a report from Motherboard: The U.S. Navy has lost control of the official Facebook page for its destroyer-class warship, the USS Kidd. Someone has hacked the page and, for the past two days, done nothing but stream Age of Empires. The first stream went on for four hours. As first reported by Task & Purpose, the USS Kidd lost control of its Facebook account at 10:26 p.m. on October 3. The destroyer class warship then streamed Age of Empires for four hours under the headline "Hahahahaha." It's since streamed Age of Empires five more times, each time for at least an hour. Whoever is playing sucks, because they never make it past the Stone Age. As of this writing, the six videos are still up and watchable. The Navy confirmed to Task & Purpose that it had been hacked, adding: "We are currently working with Facebook technical support to resolve the issue."

IT

How Downdetector Has Become Go-To Site for Online Disruptions (bloomberg.com) 26

An anonymous reader shares a report: When Facebook's platforms went down early on Oct. 4, the online tracker Downdetector was among the first places users looked to find out what was happening. Downdetector, which uses crowdsourcing to track outages, recognized Facebook's problems were dramatically different than a typical outage. Its system automatically released a notification, including a tweet, informing the internet of the disruption. The outage was among the biggest ever declared by Downdetector, said Luke Deryckx, chief technology officer at closely held Ookla LLC, the Seattle-based company that owns it. "Downdetector is a vehicle for users to report their experience," he said, adding that the company crowdsources "users' relationship with the internet." "In this case, we'd received a clear and almost instantaneous signal that there was a Facebook-related outage."

The idea of Downdetector was born over drinks at a bar in Haarlem, a city in the Netherlands, in February 2012. Tom Sanders and Sander van de Graaf were both working at IDG Communications Inc., the media publisher of magazines including CIO and Computerworld. Van de Graaf was a developer, and Sanders was the editor in chief. Readers would often call the newsroom to report an online outage at a company or service provider, but the reporters would often get no response -- or have to wait hours -- when they called to ask about the disruption. "We thought, wouldn't there be ways to automate this so we didn't have to check with the press office and we could get the data directly ourselves?" Van de Graaf said.

Privacy

Twitch Source Code and Business Data Leaked (therecord.media) 66

An unknown individual has leaked the source code and business data of video streaming platform Twitch via a torrent file posted on the 4chan discussion board earlier today. From a report: The leaker said they shared the data as a response to the recent "hate raids" -- coordinated bot attacks posting hateful and abusive content in Twitch chats -- that have plagued the platform's top streamers over the summer. "Their community is [...] a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories," the leaker said earlier today. The leaker claims that the leak contains the "entirety of twitch.tv, with commit history going back to its early beginnings, mobile, desktop and video game console Twitch clients, various proprietary SDKs and internal AWS services used by Twitch, every other property that Twitch owns including IGDB and CurseForge, an unreleased Steam competitor from Amazon Game Studios, and Twitch SOC internal red teaming tools."

Twitch has confirmed the breach. In a tweet it said, "We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available."

Google

Google Is About To Turn On Two-Factor Authentication By Default For Millions of Users (theverge.com) 108

Google is reminding us that it will enable two-factor authentication for 150 million more accounts by the end of this year. The Verge reports: In 2018, Google said that only 10 percent of its active accounts were using two-factor authentication. It has been pushing, prodding, and encouraging people to enable the setting ever since. Another prong of the effort will require more than 2 million YouTube creators to turn on two-factor authentication to protect their channels from takeover. Google says it has partnered with organizations to give away more than 10,000 hardware security keys every year. Its push for two-factor has made the technology readily available on your phone whether you use Android or iPhone.

A tool that also helps users keep their accounts secure is using a password manager, and Google now says that it checks over a billion passwords a day via its built-in manager for Chrome, Android, and the Google app. The password manager is also available on iOS, where Chrome can autofill logins for other apps. Google says that soon it will help you generate passwords for other apps, making things even more straightforward. Also coming soon is the ability to see all of your saved passwords directly from the Google app menu. Last but not least, Google is highlighting its Inactive Account Manager. This is a set of decisions to make about what happens to your account if you decide to stop using it or are no longer around and able to make those decisions.
