chicksdaddy share a report from the Security Ledger: Vulnerabilities in Subaru's STARLINK telematics software enabled two, independent security researchers to gain unrestricted access to millions of Subaru vehicles deployed in the U.S., Canada and Japan. In a report published Thursday researchers Sam Curry and Shubham Shah revealed a now-patched flaw in Subaru's STARLINK connected vehicle service that allowed them to remotely control Subarus and access vehicle location information and driver data with nothing more than the vehicle's license plate number, or easily accessible information like the vehicle owner's email address, zip code and phone number. (Note: Subaru STARLINK is not to be confused with the Starlink satellite-based high speed Internet service.)

[Curry and Shah downloaded a year's worth of vehicle location data for Curry's mother's 2023 Impreza (Curry bought her the car with the understanding that she'd let him hack it.) The two researchers also added themselves to a friend's STARLINK account without any notification to the owner and used that access to remotely lock and unlock the friend's Subaru.] The details of Curry and Shah's hack of the STARLINK telematics system bears a strong resemblance to hacks documented in his 2023 report Web Hackers versus the Auto Industry as well as a September, 2024 discovery of a remote access flaw in web-based applications used by KIA automotive dealers that also gave remote attackers the ability to steal owners' personal information and take control of their KIA vehicle. In each case, Curry and his fellow researchers uncovered publicly accessible connected vehicle infrastructure intended for use by [employees and dealers was found to be trivially vulnerable to compromise and lack even basic protections around account creation and authentication].

Microsoft has launched an open-source document database platform built on PostgreSQL, partnering with FerretDB as a front-end interface. The solution includes two PostgreSQL extensions: pg_documentdb_core for BSON optimization and pg_documentdb_api for data operations.

FerretDB CEO Peter Farkas said the integration with Microsoft's DocumentDB extension has improved performance twentyfold for certain workloads in FerretDB 2.0. The platform carries no commercial licensing fees or usage restrictions under its MIT license, according to Microsoft.

Chinese AI firm DeepSeek said Monday it had degraded the service, only accepting registration of new users with China-code phones numbers, amid a "large-scale malicious attack."

An anonymous reader quotes a report from Ars Technica: Late last month, researchers revealed a finding that's likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent. Fabian Braunlein and Luca Melette stumbled on their discovery largely by accident while working on what they thought would be a much different sort of hacking project. After observing a radio receiver on the streetlight poles throughout Berlin, they got to wondering: Would it be possible for someone with a central transmitter to control them en masse, and if so, could they create a city-wide light installation along the lines of Project Blinkenlights?

The first Project Blinkenlights iteration occurred in 2001 in Berlin, when the lights inside a large building were synchronized to turn on and off to give the appearance of a giant, low-resolution monochrome computer screen. The researchers, who presented their work last month at the 38th Chaos Communication Congress in Hamburg, Germany, wondered if they could control streetlights in Berlin to create a city-wide version, though they acknowledged it would likely be viewable only from high altitudes. They didn't know then, but their project was about to undergo a major transformation.

After an extensive and painstaking reverse-engineering process that took about a year, Braunlein and Melette learned that they could indeed control the streetlights simply by replaying legitimate messages they observed being sent over the air previously. They then learned something more surprising — the very same system for controlling Berlin's lights was used throughout Central Europe to control other regional infrastructure, including switches that regulate the amount of power renewable electric generation facilities feed into the grid. Collectively, the facilities could generate as much as 40 gigawatts in Germany alone, the researchers estimate. In addition, they estimate that in Germany, 20 GW of loads such as heat pumps and wall boxes are controlled via those receivers. That adds up to 60 GW that might be controllable through radio signals anyone can send.

When Braunlein and Melette realized how much power was controlled, they wondered how much damage might result from rogue messages sent simultaneously to multiple power facilities in strategically designed sequences and times of day. By their calculation, an optimally crafted series of messages sent under certain conditions would be enough to bring down the entire European grid. [...] The grid security experts Ars talked to for this story said they're doubtful of the assessment. "A sudden deficit of 60 GW will definitely lead to a brownout because 60 GW is far more than [the] reserves available," said Albert Moser, a RWTH Aachen professor with expertise in power grids. "A sudden deficit of 60 GW could even lead to a blackout due to the very steep fall of frequency that likely cannot be handled fast enough by underfrequency relays (load shedding)." He wasn't able to confirm that 60 GW of generation/load is controlled by radio signals or that security measures for Radio Ripple Control are insufficient.

Jan Hoff, a grid security expert, was also doubtful there'd be enough electricity dropped quickly enough to cause a brownout. "He likened the grid to the roly-poly toys from the 1970s, which were built to be knocked around but not fall over," said Ars.

The British Museum was partly closed after a dismissed IT contractor trespassed, shutting down systems including its ticketing platform. The move disrupted operations and forced the closure of temporary exhibitions. The Guardian reports: While the museum will remain open this weekend, only a handful of ticket holders will be able to access its paid-for exhibitions, such as its Silk Roads show, because the IT system that manages bookings has been rendered unusable. The incident caused chaos in the middle of a busy Friday afternoon and is the latest security issue to blight the institution. A statement on the museum's website on Friday said that "due to an IT infrastructure issue some galleries have had to be closed. Please note that this means capacity will be limited, and priority will be given to members and pre-booked ticket holders. Currently our exhibitions remain closed."

The FBI warned this week that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them. From a report: The security service alerted public and private sector organizations in the United States and worldwide that North Korea's IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers' networks. "North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code," the FBI said.

"North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities." To mitigate these risks, the FBI advised companies to apply the principle of least privilege by disabling local administrator accounts and limiting permissions for remote desktop applications. Organizations should also monitor for unusual network traffic, especially remote connections since North Korean IT personnel often log into the same account from various IP addresses over a short period of time.

An anonymous reader quotes a report from Ars Technica: When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can't be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what's known in the business as a "magic packet." On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Network's Junos OS has been doing just that. J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it relays a challenge to the device that sent it. The challenge comes in the form of a string of text that's encrypted using the public portion of an RSA key. The initiating party must then respond with the corresponding plaintext, proving it has access to the secret key.

The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumin Technology's Black Lotus Lab to sit up and take notice. "While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years," the researchers wrote. "The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent, makes this an interesting confluence of tradecraft worthy of further observation." The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don't know how the backdoor got installed.

An anonymous reader quotes a report from Ars Technica: The Department of Homeland Security has terminated all members of advisory committees, including one that has been investigating a major Chinese hack of large US telecom firms. "The Cyber Safety Review Board -- a Department of Homeland Security investigatory body stood up under a Biden-era cybersecurity executive order to probe major cybersecurity incidents -- has been cleared of non-government members as part of a DHS-wide push to cut costs under the Trump administration, according to three people familiar with the matter," NextGov/FCW reported yesterday.

A memo sent Monday by DHS Acting Secretary Benjamine Huffman said that in order to "eliminate[e] the misuse of resources and ensur[e] that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately. Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities." The memo said advisory board members terminated this week "are welcome to reapply." The Cyber Safety Review Board's list of members included security experts from the private sector and lead cybersecurity officials from multiple government agencies. "The CSRB was 'less than halfway' done with its Salt Typhoon investigation, according to a now-former member," wrote freelance cybersecurity reporter Eric Geller, who quoted an anonymous source as saying the Cyber Safety Review Board's review of Salt Typhoon is "dead." The former member was also quoted as saying, "There are still professional staff for the CSRB and I hope they will continue some of the work in the interim."

The Cyber Safety Review Board operates under (PDF) the DHS's Cybersecurity and Infrastructure Security Agency (CISA), notes Ars. The review board previously investigated a 2023 hack of Microsoft Exchange Online and more recently has been investigating how the Chinese hacking group called Salt Typhoon infiltrated major telecom providers such as Verizon and AT&T.

A security researcher discovered and fixed a critical domain name server misconfiguration in Mastercard's systems that persisted undetected for nearly five years, potentially exposing the credit card giant to traffic interception risks.

Philippe Caturegli, founder of security firm Seralys, found that one of Mastercard's five DNS servers incorrectly pointed to "akam.ne" instead of "akam.net" from June 2020 to January 2025. He spent $300 to register the domain through Niger's domain authority to prevent potential exploitation. Mastercard said the typo has been corrected, insisting there was "not a risk to our systems."

Cloudflare blocked 21.3 million DDoS attacks in 2024, including a record-breaking 5.6 terabit-per-second strike that targeted an Asian internet service provider last October. The yearly total marked a 53% increase from 2023.

The 80-second October attack, which originated from over 13,000 compromised Internet of Things devices running Mirai malware variant, highlighted an alarming trend: hyper-volumetric attacks exceeding 1 terabit per second grew by 1,885% in the fourth quarter compared to the previous quarter. Ransom DDoS attacks, where criminals threatened organizations with service disruptions unless paid, rose 78% in the same period.

An anonymous reader quotes a report from ZDNet: This year, artificial intelligence will be dominated by the maturation of AI code as corporate "workers" that can take over corporate processes and be managed just like employees, according to a year-outlook blog post disseminated by investment bank Goldman Sachs featuring its chief information officer, Marco Argenti. "The capabilities of AI models to plan and execute complex, long-running tasks on humans' behalf will begin to mature," writes Argenti. "This will create the conditions for companies to eventually 'employ' and train AI workers to be part of hybrid teams of humans and AIs working together."

"There's a great opportunity for capital to move towards the application layer, the toolset layer," says Goldman Sachs CIO Marco Argenti. "I think we will see that shift happening, most likely as early as next year." Argenti predicts that corporate HR offices will have to manage "human and machine resources," and there may even be AI "layoffs" as programs are replaced by more highly capable versions. [...]

Among other predictions offered by Argenti is that the most-capable AI models will be like PhD graduates -- so-called expert AI systems that have "industry-specific knowledge" for finance, medicine, etc. [...] "The intersection of LLMs and robotics will increasingly bring AI into, and enable it to experience, the physical world, which will help enable reasoning capabilities for AI," he writes. Argenti sees "responsible AI" increasing in importance as a board-room priority in 2025, and, in something of a repeat of last year's predictions, he expects that the largest generative AI models -- the "frontier" models of OpenAI and others -- will become the province of only a handful of institutions with budgets large enough to pursue their enormous training costs. That is the "Formula One" version of AI, where the "engines" of AI are made by a handful of powerful providers. Everyone else will work on smaller-model development, Argenti predicts. Further reading: Nvidia's Huang Says That IT Will 'Become the HR of AI Agents'

Migrating from VMware's virtualization platform could take up to four years and cost organizations between $300 and $3,000 per virtual machine, Gartner has warned in a new report. Companies running 2,000 or more virtual machines will need up to 10 full-time staff for initial assessment and another six employees for a nine-month technical evaluation, according to Gartner.

The notorious hacker IntelBroker claims to have stolen data from HPE systems, including source code, private repositories, digital certificates, and access to certain services. SecurityWeek reports: The compromised data allegedly includes source code for products such as Zerto and iLO, private GitHub repositories, digital certificates, Docker builds, and even some personal information that the hacker described as "old user PII for deliveries." IntelBroker is also offering access to some services used by HPE, including APIs, WePay, GitHub and GitLab. Contacted by SecurityWeek, HPE said it's aware of the breach claims and is conducting an investigation.

"HPE became aware on January 16 of claims being made by a group called IntelBroker that it was in possession of information belonging to HPE. HPE immediately activated our cyber response protocols, disabled related credentials, and launched an investigation to evaluate the validity of the claims," said HPE spokesperson Adam R. Bauer. "There is no operational impact to our business at this time, nor evidence that customer information is involved," Bauer added.

Hackers could steal sensitive personal data from former startup employees by exploiting abandoned company domains and Google login systems, security researcher Dylan Ayrey revealed at ShmooCon conference. The vulnerability particularly affects startups that relied on "Sign in with Google" features for their business software.

Ayrey, CEO of Truffle Security, demonstrated the flaw by purchasing one failed startup's domain and accessing ChatGPT, Slack, Notion, Zoom and an HR system containing Social Security numbers. His research found 116,000 website domains from failed tech startups currently available for sale. While Google offers preventive measures through its OAuth "sub-identifier" system, some providers avoid it due to reliability concerns - which Google disputes. The company initially dismissed Ayrey's finding as a fraud issue before reversing course and awarding him a $1,337 bounty. Google has since updated its documentation but hasn't implemented a technical fix, TechCrunch reports.

Canon has launched a new iOS livestreaming app that allows users to switch between three camera views -- but initially excludes support for Canon cameras. The "Live Switcher Mobile" app, compatible only with Apple devices, offers automated camera switching and streaming to platforms including YouTube, Twitch, and Facebook through RTMP protocol.

The free version supports 720p resolution with ads and watermarks, while an $18 monthly subscription unlocks 1080p quality and additional features. Canon plans to add support for its cameras in future updates, it says.

Further reading: Canon Draws Fire for Charging Subscription Fee To Use Cameras as Webcams.

Technology giants must do more to co-operate with law enforcement on encryption or they risk threatening European democracy, according to the head of Europol, as the agency gears up to renew pressure on companies at the World Economic Forum in Davos this week. From a report: Catherine De Bolle told the Financial Times she will meet Big Tech groups in the Swiss mountain resort to discuss the matter, claiming that companies had a "social responsibility" to give the police access to encrypted messages that are used by criminals to remain anonymous. "Anonymity is not a fundamental right," said the EU law enforcement agency's executive director.

"When we have a search warrant and we are in front of a house and the door is locked, and you know that the criminal is inside of the house, the population will not accept that you cannot enter." In a digital environment, the police needed to be able to decode these messages to fight crime, she added. "You will not be able to enforce democracy [without it]."

Amazon has angered its workers again "after forcing them to return to the office five days a week," reports the New York Post. The problem? "Not enough desks for everyone." (As well as "packed parking lots" that are turning some workers away.)

The Post cites interviews conducted with seven Amazon employees by Business Insider (which notes that in mid-December Amazon had already delayed full return-to-office at dozens of locations, sometimes until as late as May, because of office-capacity issues).

Here in mid-January, the Post writes, many returning-to-office workers still aren't happy: Some meeting rooms have not had enough chairs — and there also have not been enough meeting rooms for everyone, one worker told the publication... [S]imply reaching the office is a challenge in itself, according to the report. Some complained they were turned away from company parking lots that were full, while others griped about having to join meetings from the road due to excess traffic on their way to the office, according to the Slack messages. Once staffers conquer the challenges of reaching the office and finding a desk, some lamented the lack of in-person discussions since many of the meetings remain virtual, according to BI.
Amazon acknowledged they had offices that were "not quite ready" to "welcome everyone back a full five days a week," according to Post, though Amazon believed the number of not-quite-ready offices were "relatively small".

But the parking lot situation may continue. Business Insider says one employee from Amazon's Nashville office "said the wait time for a company parking pass was backed up for months." (Although another Nashville staffer said Amazon was handing out passes for them to take mass-transit for free, which they'd described as "incredibly generous.")

There's also Amazon shuttle busses, according to the article. Although other staffers "said they were denied a spot on Amazon shuttle buses because the vehicles were full..." Others said they just drove back home, while some staffers found street parking nearby, according to multiple Slack messages seen by Business Insider...

This month, some employees were still questioning the logic behind the policy. They said being in the office has had little effect on their work routine and has not generated much of a productivity gain. A considerable portion of their in-office work is still being done through video calls with customers who are elsewhere, these employees told BI. Many Amazon colleagues are at other office locations, so face-to-face meetings still don't happen very often, they added.
The Post adds another drawback of returning to the office. "Employees at Amazon's Toronto office said their personal belongings have repeatedly been stolen from their desks."

In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:

• Software composition analysis for installed packages, standalone binaries, as well as source code

• OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac

• Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)

• Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac

• Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats

• Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."

Fortune reports 18% of workers have engaged in "career catfishing" — getting a job offer, but then refusing to show up on the first day of work.

And when someone posted Fortune's article to Reddit's antiwork subreddit, it drew 2,100 upvotes -- and another 84 comments. ("I love doing this...! This feels really great to do after a company has jerked you around, and basically said that several other people were in line ahead of you... after five interviews.")

But Fortune reports there's other sources of frustration: At the moment, Gen Z is contending with an onerous battle to land an entry-level, full-time role. The class of 2025 is set to apply to more jobs than the graduating class prior, already submitting 24% more applications on average this past summer than seniors did last year. Furthermore, the class of 2024 applied to 64% more jobs than the cohort before them, according to job platform Handshake. To make matters all the more bleak, the number of job listings has dwindled from 2023 levels, generating deeper frenzy and more intense competition for the roles listed.

That adds up to a hiring managers' market and senior executives are playing hardball; only 12% of mid-level executives think entry-level workers are prepared to join the workforce, per a report from technology education provider General Assembly. About one in four say they wouldn't hire today's entry-level employees. Yet, that's not really the point of entry-level roles, points out Jourdan Hathaway, General Assembly's chief business officer. By definition, it's a position that requires investment in a young adult, she explained. "The entry-level employee pipeline is broken," Hathaway wrote in a statement. "Companies must rethink how they source, train, and onboard employees."

The especially competitive hiring landscape could be forcing Gen Zers to accept the first gig they can get because the job market is so dire — only to later regret it and not show up the first day.
The article also acknowledges that "employers themselves have a role in the two-way communication — or lack thereof — between hire and hirer." Almost 80% of hiring managers admitted they've stopped responding to candidates during the application process, according to a survey of 625 hiring managers from Resume Genius.

Gen Zers say that their ghosting is in reaction to the company's behavior. More than a third of applicants who have purposefully dropped the ball say it was because a recruiter was rude to them or misled them about a position, according to Monster... In part, it's likely AI that's fueling said ghosting. AI has become more integrated into the hiring process, becoming a screener that rejects resumes without ever reaching a human person's eyes. That phenomenon possibly fuels both sides' tendency to be non-responsive...

The ratio of vacant U.S. jobs to jobless workers "has fallen from a record of 2 in 2022 to 1.1 in November," reports the Wall Street Journal — which adds that "the balance of power between employers and employees has shifted as the labor market has gone from white-hot to merely solid."

JP Morgan's five-days-a-week return-to-office mandate was only the beginning, with big companies like Amazon and Dell "tightening remote-work policies, shrinking travel budgets and cutting back on benefits... Companies are slashing perks such as college-tuition assistance and time off for a sick pet... " 76% of [U.S.] job growth in the past year has been in healthcare and education, leisure and hospitality, and government. In fields such as finance, information, and professional and business services, job growth has been far weaker. While a shift in leverage to employers might have shown up in layoffs or wage cuts in the past, now it is more subtle, often in changes to working conditions. For example, knowing that some workers will quit rather than return to the office, some companies are ending remote work as a way of trimming payroll. "Quiet quitting" — workers who slacked off rather than quit — has been replaced by "quiet cutting" — employers who cut jobs without actually announcing job cuts...

Michael Gibbs, a professor of economics at the University of Chicago's Booth School of Business, said the new mandates might simply be a message to workers that times have changed. "Firms are trying to reset expectations," he said... [After refusing her employers return-to-office four-days-a-week mandate, Mayrian] Sanz, who now works as an independent business and leadership coach, said she applied for 25 to 30 jobs listed as remote but initially got no responses. When some hiring managers finally replied, they had a surprise: Jobs listed as remote would now be in-office. "They just say everything is shifting to going back to the office," she said.

Among tech workers, the share receiving perks such as paid volunteer hours, college-tuition reimbursement, free financial advice and mental-health programs all declined by about 4 percentage points in 2024 from 2023, according to Dice, a technology job board. Average bonuses fell by more than $800, from $15,011 to $14,194. Meanwhile, Netflix has quietly backed off from its unlimited parental leave in a child's first year, The Wall Street Journal reported last month. A company spokesman said at that time that employees have the freedom and flexibility to determine what is best for them.
The article notes that "The actual impact of return-to-office directives remains to be seen," with economists "skeptical" the directives make companies more productive and faster-growing: Many workers now being called in were already spending some time in their cubicles. Nicholas Bloom, a professor of economics at Stanford University, said most of the benefits of collaboration can be achieved with just a few days in the office, while some tasks that require concentration are better done at home.
Elsewhere the Wall Street Journal that looking for a job "is set to get less miserable this year," since roughly two-thirds of U.S. employers plan to add permanent roles within the next six months, "according to a new survey by staffing and consulting firm Robert Half."

And Computerworld notes that the IT unemployment rate is now just 2% in the U.S. (according to official figures from the US Bureau of Labor statistics).