Security

Employees of Failed Startups Are at Special Risk of Stolen Personal Data Through Old Google Logins (techcrunch.com) 7

Hackers could steal sensitive personal data from former startup employees by exploiting abandoned company domains and Google login systems, security researcher Dylan Ayrey revealed at the ShmooCon conference. The vulnerability particularly affects startups that relied on "Sign in with Google" features for their business software.

Ayrey, CEO of Truffle Security, demonstrated the flaw by purchasing one failed startup's domain and accessing ChatGPT, Slack, Notion, Zoom and an HR system containing Social Security numbers. His research found 116,000 website domains from failed tech startups currently available for sale. Google's OAuth ID tokens already carry a preventive measure, a stable per-user "sub" identifier that a service can key accounts on instead of the email address, but some providers avoid it because of reliability concerns - which Google disputes. Google initially dismissed Ayrey's finding as a fraud issue before reversing course and awarding him a $1,337 bounty. It has since updated its documentation but hasn't implemented a technical fix, TechCrunch reports.
IT

Canon's New Livestreaming App Doesn't Support Canon Cameras (engadget.com) 18

Canon has launched a new iOS livestreaming app that allows users to switch between three camera views -- but initially excludes support for Canon cameras. The "Live Switcher Mobile" app, compatible only with Apple devices, offers automated camera switching and streaming to platforms including YouTube, Twitch, and Facebook through RTMP protocol.

The free version supports 720p resolution with ads and watermarks, while an $18 monthly subscription unlocks 1080p quality and additional features. Canon says it plans to add support for its own cameras in future updates.

Further reading: Canon Draws Fire for Charging Subscription Fee To Use Cameras as Webcams.
Encryption

Europol Chief Says Big Tech Has 'Responsibility' To Unlock Encrypted Messages (ft.com) 80

Technology giants must do more to co-operate with law enforcement on encryption or they risk threatening European democracy, according to the head of Europol, as the agency gears up to renew pressure on companies at the World Economic Forum in Davos this week. From a report: Catherine De Bolle told the Financial Times she will meet Big Tech groups in the Swiss mountain resort to discuss the matter, claiming that companies had a "social responsibility" to give the police access to encrypted messages that are used by criminals to remain anonymous. "Anonymity is not a fundamental right," said the EU law enforcement agency's executive director.

"When we have a search warrant and we are in front of a house and the door is locked, and you know that the criminal is inside of the house, the population will not accept that you cannot enter." In a digital environment, the police needed to be able to decode these messages to fight crime, she added. "You will not be able to enforce democracy [without it]."

IT

After Forced Return-to-Office, Some Amazon Workers Find Not Enough Desks, No Parking (nypost.com) 151

Amazon has angered its workers again "after forcing them to return to the office five days a week," reports the New York Post. The problem? "Not enough desks for everyone." (As well as "packed parking lots" that are turning some workers away.)

The Post cites interviews conducted with seven Amazon employees by Business Insider (which notes that in mid-December Amazon had already delayed full return-to-office at dozens of locations, sometimes until as late as May, because of office-capacity issues).

Here in mid-January, the Post writes, many returning-to-office workers still aren't happy: Some meeting rooms have not had enough chairs — and there also have not been enough meeting rooms for everyone, one worker told the publication... [S]imply reaching the office is a challenge in itself, according to the report. Some complained they were turned away from company parking lots that were full, while others griped about having to join meetings from the road due to excess traffic on their way to the office, according to the Slack messages. Once staffers conquer the challenges of reaching the office and finding a desk, some lamented the lack of in-person discussions since many of the meetings remain virtual, according to BI.
Amazon acknowledged it had offices that were "not quite ready" to "welcome everyone back a full five days a week," according to the Post, though Amazon believed the number of not-quite-ready offices was "relatively small".

But the parking lot situation may continue. Business Insider says one employee from Amazon's Nashville office "said the wait time for a company parking pass was backed up for months." (Although another Nashville staffer said Amazon was handing out passes for them to take mass-transit for free, which they'd described as "incredibly generous.")

There are also Amazon shuttle buses, according to the article. Although other staffers "said they were denied a spot on Amazon shuttle buses because the vehicles were full..." Others said they just drove back home, while some staffers found street parking nearby, according to multiple Slack messages seen by Business Insider...

This month, some employees were still questioning the logic behind the policy. They said being in the office has had little effect on their work routine and has not generated much of a productivity gain. A considerable portion of their in-office work is still being done through video calls with customers who are elsewhere, these employees told BI. Many Amazon colleagues are at other office locations, so face-to-face meetings still don't happen very often, they added.

The Post adds another drawback of returning to the office. "Employees at Amazon's Toronto office said their personal belongings have repeatedly been stolen from their desks."
Google

Google Upgrades Open Source Vulnerability Scanning Tool with SCA Scanning Library (googleblog.com) 2

In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:
  • Software composition analysis for installed packages, standalone binaries, as well as source code
  • OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
  • Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
  • Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
  • Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats
  • Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."

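The bullet list above describes the inventory side of this kind of scanner: turning lockfiles and artifacts into (ecosystem, package, version) records that can then be matched against the OSV database. The following is an added example written for this page, not OSV-Scanner or OSV-SCALIBR code; it extracts pinned versions from a constructed requirements.txt and a constructed lockfileVersion 3 package-lock.json and builds request bodies for the public OSV `/v1/querybatch` endpoint. The 1,000-query chunk size is the per-request limit as I know it and is left as a parameter; the `post_querybatch` helper performs the network call and is not exercised offline.

```python
"""Extract pinned package versions from two constructed lockfiles and build
OSV `querybatch` request bodies.

Added example, not OSV-Scanner or OSV-SCALIBR code. The requirements.txt and
package-lock.json contents are constructed samples; the request shape is the
public one documented for https://api.osv.dev/v1/querybatch.
"""
import json
import re
import urllib.request
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (ecosystem, package name, version)

REQUIREMENTS_TXT = """\
# constructed sample
requests==2.31.0
urllib3==1.26.5          # pinned, trailing comment
PyYAML[extras]==6.0.1    # extras are dropped from the name
cryptography>=41.0       # not pinned: OSV needs a concrete version, skipped
"""

PACKAGE_LOCK_JSON = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "0.1.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/@babel/core": {"version": "7.23.0"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/local-lib": {"resolved": "../local-lib", "link": True},
    },
})

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")


def normalize_pypi_name(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of ., _, - to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:  # only exact pins are queryable; version ranges are skipped
            entries.append(("PyPI", normalize_pypi_name(m.group(1)), m.group(2)))
    return entries


def parse_package_lock(text: str) -> List[Entry]:
    """lockfileVersion 2/3 layout: a `packages` map keyed by install path."""
    data = json.loads(text)
    entries = []
    for path, meta in data.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project and workspace symlinks have no registry version
        name = path.rsplit("node_modules/", 1)[1]  # nested deps keep only the leaf name
        entries.append(("npm", name, meta["version"]))
    return entries


def build_inventory() -> List[Entry]:
    return parse_requirements(REQUIREMENTS_TXT) + parse_package_lock(PACKAGE_LOCK_JSON)


def querybatch_payloads(entries: List[Entry], chunk: int = 1000) -> List[dict]:
    """Split the inventory into /v1/querybatch bodies of at most `chunk` queries."""
    queries = [{"package": {"name": n, "ecosystem": e}, "version": v} for e, n, v in entries]
    return [{"queries": queries[i:i + chunk]} for i in range(0, len(queries), chunk)]


def post_querybatch(payload: dict, url: str = "https://api.osv.dev/v1/querybatch") -> dict:
    """Network call, not exercised offline: returns the parsed OSV response."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for body in querybatch_payloads(build_inventory()):
        print(json.dumps(body, indent=2))
```

The unpinned `cryptography>=41.0` line is deliberately dropped: a range cannot be matched against a vulnerability's affected versions, which is why a resolved lockfile is a better scanning input than a loose requirements file.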

IT

Are 'Career Catfishers' Justified In Not Showing Up for Work? (fortune.com) 193

Fortune reports 18% of workers have engaged in "career catfishing" — getting a job offer, but then refusing to show up on the first day of work.

And when someone posted Fortune's article to Reddit's antiwork subreddit, it drew 2,100 upvotes -- and another 84 comments. ("I love doing this...! This feels really great to do after a company has jerked you around, and basically said that several other people were in line ahead of you... after five interviews.")

But Fortune reports there are other sources of frustration: At the moment, Gen Z is contending with an onerous battle to land an entry-level, full-time role. The class of 2025 is set to apply to more jobs than the graduating class prior, already submitting 24% more applications on average this past summer than seniors did last year. Furthermore, the class of 2024 applied to 64% more jobs than the cohort before them, according to job platform Handshake. To make matters all the more bleak, the number of job listings has dwindled from 2023 levels, generating deeper frenzy and more intense competition for the roles listed.

That adds up to a hiring managers' market and senior executives are playing hardball; only 12% of mid-level executives think entry-level workers are prepared to join the workforce, per a report from technology education provider General Assembly. About one in four say they wouldn't hire today's entry-level employees. Yet, that's not really the point of entry-level roles, points out Jourdan Hathaway, General Assembly's chief business officer. By definition, it's a position that requires investment in a young adult, she explained. "The entry-level employee pipeline is broken," Hathaway wrote in a statement. "Companies must rethink how they source, train, and onboard employees."

The especially competitive hiring landscape could be forcing Gen Zers to accept the first gig they can get because the job market is so dire — only to later regret it and not show up the first day.

The article also acknowledges that "employers themselves have a role in the two-way communication — or lack thereof — between hire and hirer." Almost 80% of hiring managers admitted they've stopped responding to candidates during the application process, according to a survey of 625 hiring managers from Resume Genius.

Gen Zers say that their ghosting is in reaction to the company's behavior. More than a third of applicants who have purposefully dropped the ball say it was because a recruiter was rude to them or misled them about a position, according to Monster... In part, it's likely AI that's fueling said ghosting. AI has become more integrated into the hiring process, becoming a screener that rejects resumes without ever reaching a human person's eyes. That phenomenon possibly fuels both sides' tendency to be non-responsive...

IT

WSJ Reports 'The Balance of Power is Shifting Back to Bosses' (msn.com) 87

The ratio of vacant U.S. jobs to jobless workers "has fallen from a record of 2 in 2022 to 1.1 in November," reports the Wall Street Journal — which adds that "the balance of power between employers and employees has shifted as the labor market has gone from white-hot to merely solid."

JP Morgan's five-days-a-week return-to-office mandate was only the beginning, with big companies like Amazon and Dell "tightening remote-work policies, shrinking travel budgets and cutting back on benefits... Companies are slashing perks such as college-tuition assistance and time off for a sick pet... " 76% of [U.S.] job growth in the past year has been in healthcare and education, leisure and hospitality, and government. In fields such as finance, information, and professional and business services, job growth has been far weaker. While a shift in leverage to employers might have shown up in layoffs or wage cuts in the past, now it is more subtle, often in changes to working conditions. For example, knowing that some workers will quit rather than return to the office, some companies are ending remote work as a way of trimming payroll. "Quiet quitting" — workers who slacked off rather than quit — has been replaced by "quiet cutting" — employers who cut jobs without actually announcing job cuts...

Michael Gibbs, a professor of economics at the University of Chicago's Booth School of Business, said the new mandates might simply be a message to workers that times have changed. "Firms are trying to reset expectations," he said... [After refusing her employer's return-to-office four-days-a-week mandate, Mayrian] Sanz, who now works as an independent business and leadership coach, said she applied for 25 to 30 jobs listed as remote but initially got no responses. When some hiring managers finally replied, they had a surprise: Jobs listed as remote would now be in-office. "They just say everything is shifting to going back to the office," she said.

Among tech workers, the share receiving perks such as paid volunteer hours, college-tuition reimbursement, free financial advice and mental-health programs all declined by about 4 percentage points in 2024 from 2023, according to Dice, a technology job board. Average bonuses fell by more than $800, from $15,011 to $14,194. Meanwhile, Netflix has quietly backed off from its unlimited parental leave in a child's first year, The Wall Street Journal reported last month. A company spokesman said at that time that employees have the freedom and flexibility to determine what is best for them.

The article notes that "The actual impact of return-to-office directives remains to be seen," with economists "skeptical" the directives make companies more productive and faster-growing: Many workers now being called in were already spending some time in their cubicles. Nicholas Bloom, a professor of economics at Stanford University, said most of the benefits of collaboration can be achieved with just a few days in the office, while some tasks that require concentration are better done at home.
Elsewhere the Wall Street Journal reports that looking for a job "is set to get less miserable this year," since roughly two-thirds of U.S. employers plan to add permanent roles within the next six months, "according to a new survey by staffing and consulting firm Robert Half."

And Computerworld notes that the IT unemployment rate is now just 2% in the U.S. (according to official figures from the U.S. Bureau of Labor Statistics).
IT

'Career Catfishing' - 34% of Gen Z Workers Didn't Show Up for a New Job (nypost.com) 211

From the New York Post: Generation Z's recent foray into the corporate world has been an eye-popping escapade plagued by their "annoying" workplace habits and helicopter parents accompanying them on interviews. Now, newcomers to the 9-to-5 grind are inflicting a fresh new level of hell onto the workforce with a trending act of defiance known as "career catfishing."
That means "a successful candidate accepted a job and then never showed up," writes Fortune, citing a survey of 1,000 U.K. employees conducted by CV Genius.

The New York Post notes researchers "found that a staggering 34% of 20-somethings skip Day 1 of work, sans communicating with their new employer, as a demonstration of autonomy." After drudging through the ever-exasperating job hunting process — which often includes submitting dozens of lengthy applications, suffering through endless rounds of interviews and anxiously awaiting updates from sluggish hiring managers — the Z's are apparently "catfishing" jobs to prove that they, rather than their prospective employers, have all the power.

But the rebellious babes aren't the only ones pulling fast ones on new bosses. A surprising 24% of millennials, staffers ranging in age from 28 to 43, have taken a shine to career catfishing, too, per the findings. However, only 11% of Gen Xers, hirelings ages 44 to 59, and 7% of baby boomers, personnel over age 60, have joined in on the office treachery. Unlike their older colleagues, Gen Zs are apparently more concerned about prioritizing their personal needs and goals than kowtowing to the demands of corporate culture.

Fortune agrees that "Gen Z applicants aren't alone in going no- and low-contact during the recruiting process. Some 74% of employers now admit that ghosting is a facet of the hiring landscape, according to a 2023 Indeed survey of thousands of job seekers and employers..." That being said, simply not showing up to work could prove unsustainable in the long run. Like many young workers before them, Gen Zers have garnered a poor reputation with employers. Hiring managers have labeled them as the most difficult generation to work with, according to a Resume Genius report.
The report found employees also admitted to practicing "quiet vacationing" (taking time off without telling your boss) and "coffee badging" (grabbing coffee in the office before returning home)...
Security

FBI Warned Agents It Believes Phone Logs Hacked Last Year (yahoo.com) 20

An anonymous reader shares a report: FBI leaders have warned that they believe hackers who broke into AT&T's system last year stole months of their agents' call and text logs, setting off a race within the bureau to protect the identities of confidential informants, a document reviewed by Bloomberg News shows.

FBI officials told agents across the country that details about their use on the telecom carrier's network were believed to be among the billions of records stolen, according to the document and interviews with a current and a former law enforcement official. They asked not to be named to discuss sensitive information. Data from all FBI devices under the bureau's AT&T service for public safety agencies were presumed taken, the document shows.

The cache of hacked AT&T records didn't reveal the substance of communications but, according to the document, could link investigators to their secret sources. The data was believed to include agents' mobile phone numbers and the numbers with which they called and texted, the document shows. Records for calls and texts that weren't on the AT&T network, such as through encrypted messaging apps, weren't part of the stolen data.

Microsoft

Microsoft Begins Forcing Windows 24H2 Updates on PCs (pcworld.com) 106

Microsoft began mandatory rollouts of the Windows 11 2024 Update (24H2) for eligible devices running Home and Pro editions, the company announced on its Windows 11 issues page. The update, which Microsoft describes as a "full code swap," requires longer installation times, with users reporting processes exceeding an hour.

While users can briefly postpone the installation, the company is now pushing updates to mainstream users not managed by IT departments. The 24H2 update introduces USB4's 80Gbps support, Bluetooth LE Audio for hearing aids, and enhanced Energy Saver controls.
Microsoft

Microsoft Research: AI Systems Cannot Be Made Fully Secure (theregister.com) 28

Microsoft researchers who tested more than 100 of the company's AI products concluded that AI systems can never be made fully secure, according to a new pre-print paper. The 26-author study, which included Azure CTO Mark Russinovich, found that large language models amplify existing security risks and create new vulnerabilities. While defensive measures can increase the cost of attacks, the researchers warned that AI systems will remain vulnerable to threats ranging from gradient-based attacks to simpler techniques like interface manipulation for phishing.
Microsoft

Microsoft Patches Windows To Eliminate Secure Boot Bypass Threat (arstechnica.com) 39

Microsoft has patched a Windows vulnerability that allowed attackers to bypass Secure Boot, a critical defense against firmware infections, the company said. The flaw, tracked as CVE-2024-7344, affected Windows devices for at least seven months. Security researcher Martin Smolar discovered the vulnerability in a signed UEFI application within system recovery software from seven vendors, including Howyar.

The application, reloader.efi, loads a second-stage binary through its own PE loader rather than the firmware's LoadImage/StartImage services, so the Secure Boot signature check never runs on what it loads. An attacker who already has administrative privileges could use it to install malicious boot-stage code that persists even after the disk is reformatted. Microsoft revoked the application's digital signature; because Secure Boot revocations reach machines as an update to the firmware's DBX forbidden-signatures list, only systems that have installed the update are protected. The vulnerability's impact on Linux systems remains unclear.
IT

Nvidia Reveals AI Supercomputer Used Non-Stop For Six Years To Perfect Gaming Graphics (pcgamer.com) 51

Nvidia has dedicated a supercomputer running thousands of its latest GPUs exclusively to improving its DLSS upscaling technology for the past six years, a company executive revealed at CES 2025. Speaking at the RTX Blackwell Editor's Day in Las Vegas, Brian Catanzaro, Nvidia's VP of applied deep learning research, said the system operates continuously to analyze failures and retrain models across hundreds of games.
United States

A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More (wired.com) 127

U.S. President Joe Biden has issued a comprehensive cybersecurity executive order, four days before leaving office, mandating improvements to government network monitoring, software procurement, AI usage, and foreign hacker penalties.

The 40-page directive aims to leverage AI's security benefits, implement digital identities for citizens, and address vulnerabilities that have allowed Chinese and Russian intrusions into U.S. government systems. It requires software vendors to prove secure development practices and gives the Commerce Department eight months to establish mandatory cybersecurity standards for government contractors.
Government

Governments Call For Spyware Regulations In UN Security Council Meeting (techcrunch.com) 13

An anonymous reader quotes a report from TechCrunch: On Tuesday, the United Nations Security Council held a meeting to discuss the dangers of commercial spyware, which marks the first time this type of software -- also known as government or mercenary spyware -- has been discussed at the Security Council. The goal of the meeting, according to the U.S. Mission to the UN, was to "address the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security." The United States and 15 other countries called for the meeting. While the meeting was mostly informal and didn't end with any concrete proposals, most of the countries involved, including France, South Korea, and the United Kingdom, agreed that governments should take action to control the proliferation and abuse of commercial spyware. Russia and China, on the other hand, dismissed the concerns.

John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, gave testimony in which he sounded the alarm on the proliferation of spyware made by "a secretive global ecosystem of developers, brokers, middlemen, and boutique firms," which "is threatening international peace and security as well as human rights." Scott-Railton called Europe "an epicenter of spyware abuses" and a fertile ground for spyware companies, referencing a recent TechCrunch investigation that showed Barcelona has become a hub for spyware companies in the last few years.

Representatives of Poland and Greece, countries that had their own spyware scandals involving software made by NSO Group and Intellexa, respectively, also intervened. Poland's representative pointed at local legislative efforts to put "more control, including by the judiciary, on the relevant operational activities of the security and intelligence services," while also recognizing that spyware can be used in a legal way. "We are not saying that the use of spyware is never justified or even required," said Poland's representative. And the Greek representative pointed to the country's 2022 bill to ban the sale of spyware.

Security

Russia's Largest Platform For State Procurement Hit By Cyberattack (therecord.media) 53

Roseltorg, Russia's main electronic trading platform for government and corporate procurement, confirmed it was targeted by a cyberattack claimed by the pro-Ukraine hacker group Yellow Drift. The group allegedly deleted 550 terabytes of data, causing significant operational delays and client concerns. The Record reports: The company initially confirmed last Thursday that its services had been temporarily suspended, without providing further details. In a recent Telegram statement, Roseltorg disclosed that it had been targeted by "an external attempt to destroy data and the entire infrastructure of electronic trading." Roseltorg stated that all data and infrastructure affected by the recent attack had been fully restored, and trading systems are expected to resume operations shortly. However, as of the time of writing, the company's website remains offline.

Last week, the previously unknown pro-Ukraine hacker group Yellow Drift claimed responsibility for the attack on Roseltorg, stating they had deleted 550 terabytes of data, including emails and backups. As proof, the hackers published screenshots from the platform's allegedly compromised infrastructure on their Telegram channel. "If you support tyranny and sponsor wars, be prepared to return to the Stone Age," the hackers said.

The cyberattack on Roseltorg is already impacting clients who rely on the platform's operations, including government agencies, state-owned companies and suppliers. Following the company's announcement, many clients expressed concerns in the comments section, complaining about potential financial losses and delays in the procurement process. Roseltorg said in a statement that once access to the trading systems is reinstated, all deadlines for procedures, including contract signings, will be automatically extended without requiring any requests from users.

Security

Dead Google Apps Domains Can Be Compromised By New Owners (arstechnica.com) 34

An anonymous reader quotes a report from Ars Technica: Lots of startups use Google's productivity suite, known as Workspace, to handle email, documents, and other back-office matters. Relatedly, lots of business-minded webapps use Google's OAuth, i.e. "Sign in with Google." It's a low-friction feedback loop -- up until the startup fails, the domain goes up for sale, and somebody forgot to close down all the Google stuff. Dylan Ayrey, of Truffle Security Co., suggests in a report that this problem is more serious than anyone, especially Google, is acknowledging. Many startups make the critical mistake of not properly closing their accounts -- on both Google and other web-based apps -- before letting their domains expire.

Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspaces (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain allows you to re-activate the Google accounts for former employees if the site's Google account still exists.

With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials.
A Google spokesperson said in a statement: "We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk."
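Both this item and the earlier ShmooCon summary turn on the same relying-party mistake: treating the email address (or the hosted-domain `hd` claim) as the account identifier, when a new owner of the domain can recreate the same mailbox and obtain a fresh Google identity for it. The following is an added example written for this page, not code from Truffle Security, Google or any of the SaaS vendors named; it contrasts an email-keyed login with one keyed on the issuer plus `sub`, the identifier Google's spokesperson points at. The two ID-token payloads are constructed, and the example assumes the token's signature, `iss`, `aud` and `exp` have already been verified by an OIDC library before the claims are used.

```python
"""Keying app accounts on Google's stable `sub` claim instead of the email.

Added example for this page, not code from Truffle Security, Google or any
SaaS vendor. The ID-token payloads are constructed; in a real relying party
they come out of an ID token whose signature, `iss`, `aud` and `exp` have
already been verified by your OIDC library, and only then are the claims
trusted.
"""
from dataclasses import dataclass, field
from typing import Dict

GOOGLE_ISS = "https://accounts.google.com"


@dataclass
class Account:
    account_id: str
    email: str
    subject: str                # "<iss>|<sub>" recorded at provisioning time
    documents: list = field(default_factory=list)


# Original employee's token while the startup was alive (constructed).
ORIGINAL_EMPLOYEE = {
    "iss": GOOGLE_ISS,
    "sub": "110248495921238986420",
    "email": "alice@failed-startup.example",
    "email_verified": True,
    "hd": "failed-startup.example",
}

# Token for the same address after a new owner registers the expired domain
# with Google Workspace and recreates the mailbox (constructed). Email and
# hosted-domain claims are identical; only `sub` differs, because Google
# issues a fresh subject for the recreated user.
DOMAIN_SQUATTER = {
    "iss": GOOGLE_ISS,
    "sub": "118200000000000000001",
    "email": "alice@failed-startup.example",
    "email_verified": True,
    "hd": "failed-startup.example",
}


def subject_key(claims: dict) -> str:
    """Stable identity key: issuer plus `sub`, never the email address."""
    return f"{claims['iss']}|{claims['sub']}"


class EmailKeyedLogin:
    """Vulnerable pattern: the email address *is* the account identifier."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def login(self, claims: dict) -> Account:
        if not claims.get("email_verified"):
            raise PermissionError("unverified email")
        email = claims["email"].lower()
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(account_id=f"acct-{len(self.accounts) + 1}",
                           email=email, subject=subject_key(claims))
            self.accounts[email] = acct
        return acct  # whoever currently controls this address gets the stored account


class SubjectKeyedLogin:
    """Hardened pattern: accounts are looked up by (iss, sub)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def login(self, claims: dict) -> Account:
        if not claims.get("email_verified"):
            raise PermissionError("unverified email")
        key = subject_key(claims)
        acct = self.accounts.get(key)
        if acct is None:
            # Unknown subject: provision an empty account even if an existing
            # account carries the same email. Linking the two needs an explicit,
            # authenticated step, not a string match on the address.
            acct = Account(account_id=f"acct-{len(self.accounts) + 1}",
                           email=claims["email"].lower(), subject=key)
            self.accounts[key] = acct
        return acct


def squatter_reaches_old_data(login_cls) -> bool:
    """Run the domain-takeover scenario against one login implementation."""
    app = login_cls()
    alice = app.login(ORIGINAL_EMPLOYEE)
    alice.documents.append("W-2 2023")   # data the original employee stored
    attacker = app.login(DOMAIN_SQUATTER)
    return "W-2 2023" in attacker.documents


if __name__ == "__main__":
    print("email-keyed  :", squatter_reaches_old_data(EmailKeyedLogin))    # True
    print("subject-keyed:", squatter_reaches_old_data(SubjectKeyedLogin))  # False
```

Checking the `hd` claim does not help here, since the recreated Workspace reissues it unchanged; only the subject differs between the two tokens. The reliability concern some providers cite is that `sub` might change for the same person, which Google disputes; if a product chooses to tolerate that, the safe fallback is a manual re-linking step with fresh verification, not silently merging on the email.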
Privacy

UnitedHealth Hid Its Change Healthcare Data Breach Notice For Months (techcrunch.com) 24

Change Healthcare has hidden its data breach notification webpage from search engines using a "noindex" directive, TechCrunch found, making it difficult for affected individuals to find information about the massive healthcare data breach that compromised over 100 million people's medical records last year.

The UnitedHealth subsidiary said Tuesday it had "substantially" completed notifying victims of the February 2024 ransomware attack. The cyberattack caused months of healthcare disruptions and marked the largest known U.S. medical data theft.
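A "noindex" instruction can be delivered in two places, a robots meta tag in the page's HTML or an `X-Robots-Tag` response header, and either one is enough to keep a notice page out of search results. The following is an added example written for this page, not TechCrunch's method or anything from UnitedHealth; it checks both channels over a constructed stand-in for a breach-notification page and constructed response headers, and the `check_url` helper applies the same test to a live URL (not run offline).

```python
"""Detect whether a page asks search engines not to index it.

Added example, not TechCrunch's method or anything from UnitedHealth. It
inspects the robots meta tag in the HTML and the X-Robots-Tag response
header; the page and headers below are constructed samples.
"""
from html.parser import HTMLParser
from typing import Dict, Set
import urllib.request

# Constructed stand-in for a breach-notification page.
SAMPLE_HTML = """<!doctype html>
<html><head>
  <title>Notice of Data Security Incident</title>
  <meta charset="utf-8">
  <meta name="description" content="Information for affected individuals">
  <META NAME="ROBOTS" CONTENT="noindex, nofollow">
</head>
<body><h1>Notice of Data Security Incident</h1></body></html>
"""

# Constructed response headers: the directive can also arrive here,
# optionally scoped to one crawler with an "<agent>:" prefix.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Robots-Tag": "googlebot: noindex",
}

ROBOTS_META_NAMES = {"robots", "googlebot", "bingbot"}
# Directives that legitimately carry a colon-separated value, so a leading
# "name:" is not a crawler-scope prefix.
VALUED_DIRECTIVES = {"max-snippet", "max-image-preview", "max-video-preview",
                     "unavailable_after"}


def _split_directives(value: str) -> Set[str]:
    """'googlebot: noindex, nofollow' -> {'noindex', 'nofollow'}."""
    head, sep, rest = value.partition(":")
    if sep and "," not in head and head.strip().lower() not in VALUED_DIRECTIVES:
        value = rest  # strip the "<agent>:" scope prefix
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}


class _RobotsMetaParser(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.directives: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ROBOTS_META_NAMES:
            self.directives.update(_split_directives(a.get("content", "")))


def meta_directives(html: str) -> Set[str]:
    p = _RobotsMetaParser()
    p.feed(html)
    return p.directives


def header_directives(headers: Dict[str, str]) -> Set[str]:
    out: Set[str] = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            out.update(_split_directives(value))
    return out


def hidden_from_search(html: str, headers: Dict[str, str]) -> bool:
    """True if either channel carries `noindex` (or `none`, which implies it)."""
    found = meta_directives(html) | header_directives(headers)
    return bool(found & {"noindex", "none"})


def check_url(url: str) -> bool:
    """Live check (not run offline): fetch the page and apply the same test."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
        return hidden_from_search(body, dict(resp.headers))


if __name__ == "__main__":
    print("meta   :", sorted(meta_directives(SAMPLE_HTML)))
    print("header :", sorted(header_directives(SAMPLE_HEADERS)))
    print("hidden :", hidden_from_search(SAMPLE_HTML, SAMPLE_HEADERS))
```

A `robots.txt` disallow rule is a third mechanism with a different effect (the crawler is asked not to fetch the page at all), so a complete check of a notice page's discoverability would look there too; a page that is linked from the company's own site but carries `noindex` is still reachable to someone who already has the URL, which is the situation the report describes.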
Privacy

PowerSchool Data Breach Victims Say Hackers Stole 'All' Historical Student and Teacher Data (techcrunch.com) 21

An anonymous reader shares a report: U.S. school districts affected by the recent cyberattack on edtech giant PowerSchool have told TechCrunch that hackers accessed "all" of their historical student and teacher data stored in their student information systems. PowerSchool, whose school records software is used to support more than 50 million students across the United States, was hit by an intrusion in December that compromised the company's customer support portal with stolen credentials, allowing access to reams of personal data belonging to students and teachers in K-12 schools.

The attack has not yet been publicly attributed to a specific hacker or group. PowerSchool hasn't said how many of its school customers are affected. However, two sources at affected school districts -- who asked not to be named -- told TechCrunch that the hackers accessed troves of personal data belonging to both current and former students and teachers.
Further reading: Lawsuit Accuses PowerSchool of Selling Student Data To 3rd Parties.
