Bug

Zyxel Firewalls Borked By Buggy Update, On-Site Access Required For Fix (theregister.com) 18

Zyxel customers are facing reboot loops, high CPU usage, and login issues after an update on Friday went awry. The only fix requires physical access and a Console/RS232 cable, as no remote recovery options are available. The Register reports: "We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems," Zyxel's advisory reads. "The system LED may also flash. Please note this is not related to a CVE or security issue." "The issue stems from a failure in the Application Signature Update, not a firmware upgrade. To address this, we've disabled the application signature on our servers, preventing further impact on firewalls that haven't loaded the new signature versions."

The firewalls affected include USG Flex boxes and ATP Series devices running ZLD firmware versions -- installations that have active security licenses and dedicated signature updates enabled in on-premises/standalone mode. Those running on the Nebula platform, on USG Flex H (uOS), and those without valid security licenses are not affected.

The Internet

Comcast Is Rolling Out 'Ultra-Low Lag' Tech That Could Fix the Internet (theverge.com) 80

Comcast is deploying "Low Latency, Low Loss, Scalable Throughput" (L4S) technology across its Xfinity internet network in six U.S. cities, a system that reduces the time data packets take to travel between users and servers. Initial trials showed a 78% reduction in working latency under normal home conditions. The technology will first support FaceTime calls, Nvidia's GeForce Now cloud gaming, and Steam games, with planned expansion to Meta's mixed reality applications.
Security

Chinese and Iranian Hackers Are Using US AI Products To Bolster Cyberattacks (msn.com) 19

Hackers linked to China, Iran and other foreign governments are using new AI technology to bolster their cyberattacks against U.S. and global targets, according to U.S. officials and new security research. WSJ: In the past year, dozens of hacking groups in more than 20 countries turned to Google's Gemini chatbot to assist with malicious code writing, hunts for publicly known cyber vulnerabilities and research into organizations to target for attack, among other tasks, Google's cyber-threat experts said. While Western officials and security experts have warned for years about the potential malicious uses of AI, the findings released Wednesday from Google are some of the first to shed light on how exactly foreign adversaries are leveraging generative AI to boost their hacking prowess.

This week, the China-built AI platform DeepSeek upended international assumptions about how far along Beijing might be the AI arms race, creating global uncertainty about a technology that could revolutionize work, diplomacy and warfare. Expand article logo Continue reading Groups with known ties to China, Iran, Russia and North Korea all used Gemini to support hacking activity, the Google report said. They appeared to treat the platform more as a research assistant than a strategic asset, relying on it for tasks intended to boost productivity rather than to develop fearsome new hacking techniques. All four countries have generally denied U.S. hacking allegations.

Security

Apple Chips Can Be Hacked To Leak Secrets From Gmail, ICloud, and More (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail. The vulnerabilities, affecting the CPUs in later generations of Apple A- and M-series chip sets, open them to side channel attacks, a class of exploit that infers secrets by measuring manifestations such as timing, sound, and power consumption. Both side channels are the result of the chips' use of speculative execution, a performance optimization that improves speed by predicting the control flow the CPUs should take and following that path, rather than the instruction order in the program. [...]

The researchers published a list of mitigations they believe will address the vulnerabilities allowing both the FLOP and SLAP attacks. They said that Apple officials have indicated privately to them that they plan to release patches. In an email, an Apple representative declined to say if any such plans exist. "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats," the spokesperson wrote. "Based on our analysis, we do not believe this issue poses an immediate risk to our users."
FLOP, short for Faulty Load Operation Predictor, exploits a vulnerability in the Load Value Predictor (LVP) found in Apple's A- and M-series chipsets. By inducing the LVP to predict incorrect memory values during speculative execution, attackers can access sensitive information such as location history, email content, calendar events, and credit card details. This attack works on both Safari and Chrome browsers and affects devices including Macs (2022 onward), iPads, and iPhones (September 2021 onward). FLOP requires the victim to interact with an attacker's page while logged into sensitive websites, making it highly dangerous due to its broad data access capabilities.

SLAP, on the other hand, stands for Speculative Load Address Predictor and targets the Load Address Predictor (LAP) in Apple silicon, exploiting its ability to predict memory locations. By forcing LAP to mispredict, attackers can access sensitive data from other browser tabs, such as Gmail content, Amazon purchase details, and Reddit comments. Unlike FLOP, SLAP is limited to Safari and can only read memory strings adjacent to the attacker's own data. It affects the same range of devices as FLOP but is less severe due to its narrower scope and browser-specific nature. SLAP demonstrates how speculative execution can compromise browser process isolation.
Privacy

Software Flaw Exposes Millions of Subarus, Rivers of Driver Data (securityledger.com) 47

chicksdaddy share a report from the Security Ledger: Vulnerabilities in Subaru's STARLINK telematics software enabled two, independent security researchers to gain unrestricted access to millions of Subaru vehicles deployed in the U.S., Canada and Japan. In a report published Thursday researchers Sam Curry and Shubham Shah revealed a now-patched flaw in Subaru's STARLINK connected vehicle service that allowed them to remotely control Subarus and access vehicle location information and driver data with nothing more than the vehicle's license plate number, or easily accessible information like the vehicle owner's email address, zip code and phone number. (Note: Subaru STARLINK is not to be confused with the Starlink satellite-based high speed Internet service.)

[Curry and Shah downloaded a year's worth of vehicle location data for Curry's mother's 2023 Impreza (Curry bought her the car with the understanding that she'd let him hack it.) The two researchers also added themselves to a friend's STARLINK account without any notification to the owner and used that access to remotely lock and unlock the friend's Subaru.] The details of Curry and Shah's hack of the STARLINK telematics system bears a strong resemblance to hacks documented in his 2023 report Web Hackers versus the Auto Industry as well as a September, 2024 discovery of a remote access flaw in web-based applications used by KIA automotive dealers that also gave remote attackers the ability to steal owners' personal information and take control of their KIA vehicle. In each case, Curry and his fellow researchers uncovered publicly accessible connected vehicle infrastructure intended for use by [employees and dealers was found to be trivially vulnerable to compromise and lack even basic protections around account creation and authentication].

Microsoft

Microsoft Takes on MongoDB with PostgreSQL-Based Document Database (theregister.com) 23

Microsoft has launched an open-source document database platform built on PostgreSQL, partnering with FerretDB as a front-end interface. The solution includes two PostgreSQL extensions: pg_documentdb_core for BSON optimization and pg_documentdb_api for data operations.

FerretDB CEO Peter Farkas said the integration with Microsoft's DocumentDB extension has improved performance twentyfold for certain workloads in FerretDB 2.0. The platform carries no commercial licensing fees or usage restrictions under its MIT license, according to Microsoft.
EU

Researchers Say New Attack Could Take Down the European Power Grid (arstechnica.com) 33

An anonymous reader quotes a report from Ars Technica: Late last month, researchers revealed a finding that's likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent. Fabian Braunlein and Luca Melette stumbled on their discovery largely by accident while working on what they thought would be a much different sort of hacking project. After observing a radio receiver on the streetlight poles throughout Berlin, they got to wondering: Would it be possible for someone with a central transmitter to control them en masse, and if so, could they create a city-wide light installation along the lines of Project Blinkenlights?

The first Project Blinkenlights iteration occurred in 2001 in Berlin, when the lights inside a large building were synchronized to turn on and off to give the appearance of a giant, low-resolution monochrome computer screen. The researchers, who presented their work last month at the 38th Chaos Communication Congress in Hamburg, Germany, wondered if they could control streetlights in Berlin to create a city-wide version, though they acknowledged it would likely be viewable only from high altitudes. They didn't know then, but their project was about to undergo a major transformation.

After an extensive and painstaking reverse-engineering process that took about a year, Braunlein and Melette learned that they could indeed control the streetlights simply by replaying legitimate messages they observed being sent over the air previously. They then learned something more surprising — the very same system for controlling Berlin's lights was used throughout Central Europe to control other regional infrastructure, including switches that regulate the amount of power renewable electric generation facilities feed into the grid. Collectively, the facilities could generate as much as 40 gigawatts in Germany alone, the researchers estimate. In addition, they estimate that in Germany, 20 GW of loads such as heat pumps and wall boxes are controlled via those receivers. That adds up to 60 GW that might be controllable through radio signals anyone can send.

When Braunlein and Melette realized how much power was controlled, they wondered how much damage might result from rogue messages sent simultaneously to multiple power facilities in strategically designed sequences and times of day. By their calculation, an optimally crafted series of messages sent under certain conditions would be enough to bring down the entire European grid. [...]
The grid security experts Ars talked to for this story said they're doubtful of the assessment. "A sudden deficit of 60 GW will definitely lead to a brownout because 60 GW is far more than [the] reserves available," said Albert Moser, a RWTH Aachen professor with expertise in power grids. "A sudden deficit of 60 GW could even lead to a blackout due to the very steep fall of frequency that likely cannot be handled fast enough by underfrequency relays (load shedding)." He wasn't able to confirm that 60 GW of generation/load is controlled by radio signals or that security measures for Radio Ripple Control are insufficient.

Jan Hoff, a grid security expert, was also doubtful there'd be enough electricity dropped quickly enough to cause a brownout. "He likened the grid to the roly-poly toys from the 1970s, which were built to be knocked around but not fall over," said Ars.
United Kingdom

British Museum Forced To Partly Close After Alleged IT Attack By Former Employee (theguardian.com) 16

The British Museum was partly closed after a dismissed IT contractor trespassed, shutting down systems including its ticketing platform. The move disrupted operations and forced the closure of temporary exhibitions. The Guardian reports: While the museum will remain open this weekend, only a handful of ticket holders will be able to access its paid-for exhibitions, such as its Silk Roads show, because the IT system that manages bookings has been rendered unusable. The incident caused chaos in the middle of a busy Friday afternoon and is the latest security issue to blight the institution. A statement on the museum's website on Friday said that "due to an IT infrastructure issue some galleries have had to be closed. Please note that this means capacity will be limited, and priority will be given to members and pre-booked ticket holders. Currently our exhibitions remain closed."
Security

FBI: North Korean IT Workers Steal Source Code To Extort Employers (bleepingcomputer.com) 27

The FBI warned this week that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them. From a report: The security service alerted public and private sector organizations in the United States and worldwide that North Korea's IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers' networks. "North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code," the FBI said.

"North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities." To mitigate these risks, the FBI advised companies to apply the principle of least privilege by disabling local administrator accounts and limiting permissions for remote desktop applications. Organizations should also monitor for unusual network traffic, especially remote connections since North Korean IT personnel often log into the same account from various IP addresses over a short period of time.

Security

Backdoor Infecting VPNs Used 'Magic Packets' For Stealth and Security (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can't be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what's known in the business as a "magic packet." On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Network's Junos OS has been doing just that. J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it relays a challenge to the device that sent it. The challenge comes in the form of a string of text that's encrypted using the public portion of an RSA key. The initiating party must then respond with the corresponding plaintext, proving it has access to the secret key.

The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumin Technology's Black Lotus Lab to sit up and take notice. "While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years," the researchers wrote. "The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent, makes this an interesting confluence of tradecraft worthy of further observation." The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don't know how the backdoor got installed.

China

DHS Terminates All Its Advisory Committees, Ending Its Investigation Into Chinese Telecom Hack (arstechnica.com) 144

An anonymous reader quotes a report from Ars Technica: The Department of Homeland Security has terminated all members of advisory committees, including one that has been investigating a major Chinese hack of large US telecom firms. "The Cyber Safety Review Board -- a Department of Homeland Security investigatory body stood up under a Biden-era cybersecurity executive order to probe major cybersecurity incidents -- has been cleared of non-government members as part of a DHS-wide push to cut costs under the Trump administration, according to three people familiar with the matter," NextGov/FCW reported yesterday.

A memo sent Monday by DHS Acting Secretary Benjamine Huffman said that in order to "eliminate[e] the misuse of resources and ensur[e] that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately. Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities." The memo said advisory board members terminated this week "are welcome to reapply." The Cyber Safety Review Board's list of members included security experts from the private sector and lead cybersecurity officials from multiple government agencies.
"The CSRB was 'less than halfway' done with its Salt Typhoon investigation, according to a now-former member," wrote freelance cybersecurity reporter Eric Geller, who quoted an anonymous source as saying the Cyber Safety Review Board's review of Salt Typhoon is "dead." The former member was also quoted as saying, "There are still professional staff for the CSRB and I hope they will continue some of the work in the interim."

The Cyber Safety Review Board operates under (PDF) the DHS's Cybersecurity and Infrastructure Security Agency (CISA), notes Ars. The review board previously investigated a 2023 hack of Microsoft Exchange Online and more recently has been investigating how the Chinese hacking group called Salt Typhoon infiltrated major telecom providers such as Verizon and AT&T.
Security

Mastercard DNS Error Went Unnoticed for Years (krebsonsecurity.com) 33

A security researcher discovered and fixed a critical domain name server misconfiguration in Mastercard's systems that persisted undetected for nearly five years, potentially exposing the credit card giant to traffic interception risks.

Philippe Caturegli, founder of security firm Seralys, found that one of Mastercard's five DNS servers incorrectly pointed to "akam.ne" instead of "akam.net" from June 2020 to January 2025. He spent $300 to register the domain through Niger's domain authority to prevent potential exploitation. Mastercard said the typo has been corrected, insisting there was "not a risk to our systems."
Security

DDoS Attacks Soar 53% To 21.3 Million, Cloudflare Reports 21

Cloudflare blocked 21.3 million DDoS attacks in 2024, including a record-breaking 5.6 terabit-per-second strike that targeted an Asian internet service provider last October. The yearly total marked a 53% increase from 2023.

The 80-second October attack, which originated from over 13,000 compromised Internet of Things devices running Mirai malware variant, highlighted an alarming trend: hyper-volumetric attacks exceeding 1 terabit per second grew by 1,885% in the fourth quarter compared to the previous quarter. Ransom DDoS attacks, where criminals threatened organizations with service disruptions unless paid, rose 78% in the same period.
AI

Managing AI Agents As Employees Is the Challenge of 2025, Says Goldman Sachs CIO (zdnet.com) 32

An anonymous reader quotes a report from ZDNet: This year, artificial intelligence will be dominated by the maturation of AI code as corporate "workers" that can take over corporate processes and be managed just like employees, according to a year-outlook blog post disseminated by investment bank Goldman Sachs featuring its chief information officer, Marco Argenti. "The capabilities of AI models to plan and execute complex, long-running tasks on humans' behalf will begin to mature," writes Argenti. "This will create the conditions for companies to eventually 'employ' and train AI workers to be part of hybrid teams of humans and AIs working together."

"There's a great opportunity for capital to move towards the application layer, the toolset layer," says Goldman Sachs CIO Marco Argenti. "I think we will see that shift happening, most likely as early as next year." Argenti predicts that corporate HR offices will have to manage "human and machine resources," and there may even be AI "layoffs" as programs are replaced by more highly capable versions. [...]

Among other predictions offered by Argenti is that the most-capable AI models will be like PhD graduates -- so-called expert AI systems that have "industry-specific knowledge" for finance, medicine, etc. [...] "The intersection of LLMs and robotics will increasingly bring AI into, and enable it to experience, the physical world, which will help enable reasoning capabilities for AI," he writes. Argenti sees "responsible AI" increasing in importance as a board-room priority in 2025, and, in something of a repeat of last year's predictions, he expects that the largest generative AI models -- the "frontier" models of OpenAI and others -- will become the province of only a handful of institutions with budgets large enough to pursue their enormous training costs. That is the "Formula One" version of AI, where the "engines" of AI are made by a handful of powerful providers. Everyone else will work on smaller-model development, Argenti predicts.
Further reading: Nvidia's Huang Says That IT Will 'Become the HR of AI Agents'
IT

VMware Migrations Will Be Long, Expensive, and Risky, Warns Gartner (theregister.com) 87

Migrating from VMware's virtualization platform could take up to four years and cost organizations between $300 and $3,000 per virtual machine, Gartner has warned in a new report. Companies running 2,000 or more virtual machines will need up to 10 full-time staff for initial assessment and another six employees for a nine-month technical evaluation, according to Gartner.
Security

HPE Investigating Breach Claims After Hacker Offers To Sell Data (securityweek.com) 3

The notorious hacker IntelBroker claims to have stolen data from HPE systems, including source code, private repositories, digital certificates, and access to certain services. SecurityWeek reports: The compromised data allegedly includes source code for products such as Zerto and iLO, private GitHub repositories, digital certificates, Docker builds, and even some personal information that the hacker described as "old user PII for deliveries." IntelBroker is also offering access to some services used by HPE, including APIs, WePay, GitHub and GitLab. Contacted by SecurityWeek, HPE said it's aware of the breach claims and is conducting an investigation.

"HPE became aware on January 16 of claims being made by a group called IntelBroker that it was in possession of information belonging to HPE. HPE immediately activated our cyber response protocols, disabled related credentials, and launched an investigation to evaluate the validity of the claims," said HPE spokesperson Adam R. Bauer. "There is no operational impact to our business at this time, nor evidence that customer information is involved," Bauer added.

Security

Employees of Failed Startups Are at Special Risk of Stolen Personal Data Through Old Google Logins (techcrunch.com) 7

Hackers could steal sensitive personal data from former startup employees by exploiting abandoned company domains and Google login systems, security researcher Dylan Ayrey revealed at ShmooCon conference. The vulnerability particularly affects startups that relied on "Sign in with Google" features for their business software.

Ayrey, CEO of Truffle Security, demonstrated the flaw by purchasing one failed startup's domain and accessing ChatGPT, Slack, Notion, Zoom and an HR system containing Social Security numbers. His research found 116,000 website domains from failed tech startups currently available for sale. While Google offers preventive measures through its OAuth "sub-identifier" system, some providers avoid it due to reliability concerns - which Google disputes. The company initially dismissed Ayrey's finding as a fraud issue before reversing course and awarding him a $1,337 bounty. Google has since updated its documentation but hasn't implemented a technical fix, TechCrunch reports.
IT

Canon's New Livestreaming App Doesn't Support Canon Cameras (engadget.com) 18

Canon has launched a new iOS livestreaming app that allows users to switch between three camera views -- but initially excludes support for Canon cameras. The "Live Switcher Mobile" app, compatible only with Apple devices, offers automated camera switching and streaming to platforms including YouTube, Twitch, and Facebook through RTMP protocol.

The free version supports 720p resolution with ads and watermarks, while an $18 monthly subscription unlocks 1080p quality and additional features. Canon plans to add support for its cameras in future updates, it says.

Further reading: Canon Draws Fire for Charging Subscription Fee To Use Cameras as Webcams.

Slashdot Top Deals