An anonymous reader quotes a report from BleepingComputer: A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems. ClickFix is a social-engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint, from a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive. The errors prompted the victim to copy to clipboard a piece of PowerShell code that would fix the issues by running it in Windows Command Prompt. Victims would thus infect systems with various malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.

In July, McAfee reported that the ClickFix campaigns were becoming mode frequent, especially in the United States and Japan. A new report from Sekoia, a SaaS cybersecurity provider, notes that ClickFix campaigns have evolved significantly and now use a Google Meet lure, phishing emails targeting transport and logistics firms, fake Facebook pages, and deceptive GitHub issues. According to the French cybersecurity company, some of the more recent campaigns are conducted by two threat groups, the Slavic Nation Empire (SNE) and Scamquerteo, considered to be sub-teams of the cryptocurrency scam gangs Marko Polo and CryptoLove.

Chipmaker Qualcomm has indefinitely paused production and support of its Snapdragon Developer Kit for Windows, citing quality concerns. Qualcomm says the product "has not met our usual standards of excellence." The cancellation comes shortly after the recent launch of over 30 Snapdragon X-series powered PCs.

The business world's favourite software program enters its 40th year. The Economist: Excel has featured in plenty of workplace blunders -- though its defenders will be quick to blame human error. The financial world is littered with tales of costly spreadsheet errors. Excel has also been blamed for botching gene names in over a third of genomics papers (because it labelled them as dates); underreporting covid-19 cases in England (because it only had a limited number of rows in which to record the results); and disrupting the trial of January 6th rioters in America (because sensitive information was left in hidden cells).

Such snafus have not dented Excel's dominance. Might artificial intelligence (AI) steal its crown? With whizzy new tools powered by the technology promising to make data analysis easier, the familiar grid of numbers and calculations could soon feel outdated. Rather than replacing spreadsheets, though, AI might make them even better. Last month Microsoft introduced an AI assistant for Excel which lets users crunch data using natural-language prompts. Excel, and its faithful, aren't ready to be filtered out just yet.

South Korea will prepare stronger measures in a bid to prevent overseas leaks of business secrets amid intensifying competition for advanced technologies, the finance minister said on Thursday. From a report: "We will prevent illegal leaks of advanced technologies to raise the global competitiveness of our companies and strengthen technology leadership," Minister Choi Sang-mok said.

The government will set up a "big data" system aimed at preventing technology leaks at the patent agency and introduce new regulations to ensure stronger punishment for culprits, Choi said. He did not specify what the stronger penalties would be under the new regulations. In the past five years, there have been 97 attempts to leak business secrets to a foreign country, with 40 of them in the semiconductor industry, according to the National Intelligence Service.

The Cybersecurity Association of China (CSAC) has recommended a security review of Intel's products sold in China, accusing the U.S. chipmaker of harming national security and citing vulnerabilities in its chips. Reuters reports: While CSAC is an industry group rather than a government body, it has close ties to the Chinese state and the raft of accusations against Intel, published in a long post on its official WeChat account, could trigger a security review from China's powerful cyberspace regulator, the Cyberspace Administration of China (CAC). "It is recommended that a network security review is initiated on the products Intel sells in China, so as to effectively safeguard China's national security and the legitimate rights and interests of Chinese consumers," CSAC said. [...]

CSAC in its post accuses Intel chips, including Xeon processors used for artificial intelligence tasks, of carrying several vulnerabilities, concluding that Intel "has major defects when it comes to product quality, security management, indicating that it is extremely irresponsible attitude towards customers." The industry group goes on to state that operating systems embedded in all Intel processors are vulnerable to backdoors created by the U.S. National Security Agency (NSA). "This poses a great security threat to the critical information infrastructures of countries all over the world, including China...the use of Intel products poses a serious risk to national security." CSAC said.

An anonymous reader quotes a report from Wired: Real-time video deepfakes are a growing threat for governments, businesses, and individuals. Recently, the chairman of the US Senate Committee on Foreign Relations mistakenly took a video call with someone pretending to be a Ukrainian official. An international engineering company lost millions of dollars earlier in 2024 when one employee was tricked by a deepfake video call. Also, romance scams targeting everyday individuals have employed similar techniques. "It's probably only a matter of months before we're going to start seeing an explosion of deepfake video, face-to-face fraud," says Ben Colman, CEO and cofounder at Reality Defender. When it comes to video calls, especially in high-stakes situations, seeing should not be believing.

The startup is laser-focused on partnering with business and government clients to help thwart AI-powered deepfakes. Even with this core mission, Colman doesn't want his company to be seen as more broadly standing against artificial intelligence developments. "We're very pro-AI," he says. "We think that 99.999 percent of use cases are transformational -- for medicine, for productivity, for creativity -- but in these kinds of very, very small edge cases the risks are disproportionately bad." Reality Defender's plan for the real-time detector is to start with a plug-in for Zoom that can make active predictions about whether others on a video call are real or AI-powered impersonations. The company is currently working on benchmarking the tool to determine how accurately it discerns real video participants from fake ones. Unfortunately, it's not something you'll likely be able to try out soon. The new software feature will only be available in beta for some of the startup's clients.

As Reality Defender works to improve the detection accuracy of its models, Colman says that access to more data is a critical challenge to overcome -- a common refrain from the current batch of AI-focused startups. He's hopeful more partnerships will fill in these gaps, and without specifics, hints at multiple new deals likely coming next year. After ElevenLabs was tied to a deepfake voice call of US president Joe Biden, the AI-audio startup struck a deal with Reality Defender to mitigate potential misuse. [...] "We don't ask my 80-year-old mother to flag ransomware in an email," says Colman. "Because she's not a computer science expert." In the future, it's possible real-time video authentication, if AI detection continues to improve and shows to be reliably accurate, will be as taken for granted as that malware scanner quietly humming along in the background of your email inbox.

wiredmikey shares a report from SecurityWeek: Dane Stuckey, the former Chief Information Security Officer (CISO) of big data analytics and AI firm Palantir, has joined OpenAI CISO. Stuckey served in senior security roles at Palantir for more than ten years, including 6 plus years as the company's CISO. In his new role, Stuckey said he would be working alongside Matt Knight, Head of Security at OpenAI. "Security is germane to OpenAI's mission," said Stuckey in a post on X. "It is critical we meet the highest standards for compliance, trust, and security to protect hundreds of millions of users of our products, enable democratic institutions to maximally benefit from these technologies, and drive the development of safe AGI for the world."

"I am so excited for this next chapter, and can't wait to help secure a future where AI benefits us all," Stuckey added.

An anonymous reader shares a report: The big financial moments in life used to be marked with a flourish of a pen. Buying a house. A car. Breakfast. Not anymore. Visa, Mastercard, Discover and American Express dropped the requirement to sign for charges like restaurant checks in 2018. They don't look at our scribbles to verify identity or stop fraud. Taps, clicks and electronic signatures took over the heavy lifting for many everyday purchases -- and many contracts, loan applications and even Social Security forms. The John Hancock was written off as a relic useful mainly to inflate the value of sports memorabilia. But signatures didn't die.

We continue to be asked to sign with ink on paper or using fingers on touch screens at many restaurants, bars and other businesses. And people keep signing card receipts out of habit -- even when there is no blank space for it -- because it feels weird not to, payment networks and retail groups say. "Traditions have this odd way of sticking around," said Doug Kantor, general counsel of the National Association of Convenience Stores. Signatures had been used to verify identity and agree to financial terms for centuries. Banks kept records of customer signatures to check against, but the sheer number of transactions and advancements in technology eventually made that impractical.

By the 1980s, charges could be processed electronically. Signatures were still used in cases of fraud or stolen cards. Banks could call merchants and ask them to present a signed receipt. Yet given how easy signatures are to forge, they proved limited as a fraud prevention tool. Now there are more sophisticated ways to determine whether cards are stolen or misused, according to Mark Nelsen, global head of consumer payments at Visa.

AeroGarden, which sells Wi-Fi-connected indoor gardening systems, is going out of business on January 1. While Scotts Miracle-Gro has continued selling AeroGarden products after announcing the impending shutdown, the future of the devices' companion app is uncertain.

Digital River has not paid numerous merchants since midsummer for software and digital products they sold through its MyCommerce platform. The Register: "After over 20 years of partnership with Digital River, Traction Software Ltd has been left feeling as though we've been 'rug pulled,'" Lee Midgley, managing director of Traction Software, told The Register. "For the past three months, we've experienced a complete halt in software sales revenue payments with no support, no direct contact, and only additional terms and conditions designed to delay resolution and extract more money from us.

"Astonishingly, Digital River continued to take sales from our loyal customers until we removed them from the order system. It now appears they have no intention of making payments and may be entering a liquidation process under a new CEO who has been involved in similar situations before."

The new CEO, Barry Kasoff, was first noted on the e-commerce biz website in August. Kasoff is also listed as the president of Realization Services, "a full-service strategic consulting firm specializing in turnaround management and value enhancement..." The privately-owned, Minnesota-based business appears to have laid off a significant number of employees, presumably the result of what its UK subsidiary describes as cost reduction initiatives implemented in late 2022.

New submitter king*jojo writes: The owners of WinAmp have just deleted their entire repo one month after uploading the source code to GitHub. Lots of source code, and quite possibly, not all of it theirs. The deletion happened soon after The Register enquired about the seeming inclusion of Shoutcast DNAS code and some Microsoft and Intel codecs.

The Register's Jessica Lyons reports: Apple wants to shorten SSL/TLS security certificates' lifespans, down from 398 days now to just 45 days by 2027, and sysadmins have some very strong feelings about this "nightmarish" plan. As one of the hundreds that took to Reddit to lament the proposal said: "This will suck. My least favorite vendor manages something like 10 websites for us, and we have to provide the certs manually every time. Between live and test this is gonna suck."

The Apple proposal, a draft ballot measure that will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months, was unveiled by the iThings maker during the Forum's fall meeting. If approved, it will affect all Safari certificates, which follows a similar push by Google, that plans to reduce the max-validity period on Chrome for these digital trust files down to 90 days.

... [W]hile it's generally agreed that shorter lifespans improve internet security overall -- longer certificate terms mean criminals have more time to exploit vulnerabilities and old website certificates -- the burden of managing these expired certs will fall squarely on the shoulders of systems administrators. [...] Even certificate provider Sectigo, which sponsored the Apple proposal, admitted that the shortened lifespans "will no doubt prove a headache for busy IT security teams, juggling with lots of certificates expiring at different times." While automation is often touted as the solution to this problem, sysadmins were quick to point out that some SSL certs can't be automated. "This is somewhat nightmarish," said one sysadmin. "I have about 20 appliance like services that have no support for automation. Almost everything in my environment is automated to the extent that is practical. SSL renewal is the lone achilles heel that I have to deal with once every 365 days."

Longtime Slashdot reader mprindle shares a report from BleepingComputer: Cisco has confirmed to BleepingComputer that it is investigating recent claims that it suffered a breach after a threat actor began selling allegedly stolen data on a hacking forum. [...] This statement comes after a well-known threat actor named "IntelBroker" said that he and two others called "EnergyWeaponUser and "zjj" breached Cisco on October 6, 2024, and stole a large amount of developer data from the company.

"Compromised data: Github projects, Gitlab Projects, SonarQube projects, Source code, hard coded credentials, Certificates, Customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!," reads the post to a hacking forum. IntelBroker also shared samples of the alleged stolen data, including a database, customer information, various customer documentation, and screenshots of customer management portals. However, the threat actor did not provide further details about how the data was obtained.

An anonymous reader shares a report: If you're a fan of uBlock Origin, don't be surprised if it stops functioning on Chrome. The Google-owned browser has started disabling the free ad blocker as part of the company's plan to phase out older "Manifest V2" extensions. On Tuesday, the developer of uBlock Origin, Raymond Hill, retweeted a screenshot from one user, showing the Chrome browser disabling the ad blocker. "These extensions are no longer supported. Chrome recommends that you remove them," the pop-up from the Chrome browser told the user. In response, Hill wrote: "The depreciation of uBO in the Chrome Web Store has started."

SSD prices are set to drop up to 10% in Q4 2024, market research firm TrendForce has reported. The decline stems from increased production and weakening demand, particularly in the consumer sector. Enterprise SSD prices, however, may see a slight increase. TrendForce analysts attribute the softer demand partly to slower-than-expected adoption of AI PCs. The mobile storage market could experience even steeper price cuts, with eMMC and UFS components potentially falling 13% as smartphone makers deplete inventories. The forecast follows modest price reductions observed in Q3 2024.

9to5Mac's Filipe Esposito reports: Passkeys were introduced two years ago, and they replace traditional passwords with more secure authentication using a security key or biometrics. To make the technology even better, the FIDO Alliance published on Monday new specifications for passkeys, which ensure a way to let users import and export them. Currently, there's no secure way to move passkeys between different password managers. For example, if you've stored a specific passkey in Apple's Passwords app, you can't simply move it to 1Password, or vice versa. But that will change soon.

As just announced by the FIDO Alliance, the new specifications aim to promote user choice by offering a way to import and export passkeys. The draft of the new specifications establishes the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) formats for transferring not only passkeys, but other types of credentials will also be supported. The new formats are encrypted, which ensures that credentials remain secure during the process. For comparison, most password managers currently rely on CSV files to import and export credentials, which is much less secure.

Following moves by both the European Union and India to implement USB-C as the default charging port for all consumer devices, the British government has now begun a consultation on whether it should follow suit and implement a common standard for charging, and if this should be USB-C. From a report: The consultation has been started by the Office for Product Safety and Standards which sits within the Department for Business and Trade, and it calls for manufacturers, importers, distributors, and trade associations to provide their input on the matter. Of course, should the UK decide against adopting USB-C and implement a separate standard, expect that device manufacturers just provide dongles to support this rather than having unique device versions.

The Office for Product Safety and Standards stated the following on this topic: "We consider that it would potentially help businesses and deliver consumer and environmental benefits if we were to introduce standardized requirements for chargers for certain portable electrical/electronic devices across the whole UK. We are seeking views from manufacturers, importers, distributors, and trade associations as to whether it would be helpful to do so and, if so, whether this should be based on USB-C â" as adopted by the EU."

UPDATE: Forbes writes that China hasn't broken military encryption. While factoring a 50-bit integer is an impressive technical achievement, it's important to note that RSA encryption commonly uses key sizes of 2048 bits or higher. The difficulty of factoring increases exponentially with the size of the number, meaning that the gap between 50-bit and 2048-bit integers is astronomically large...

The advances do not equate to a scalable method for breaking RSA encryption as it is used in practical applications today."
Long-time Slashdot schwit1 originally wrote: Chinese scientists have mounted what they say is the world's first effective attack on a widely used encryption method using a quantum computer. The breakthrough poses a "real and substantial threat" to the long-standing password-protection mechanism employed across critical sectors, including banking and the military, according to the researchers.

Despite the slow progress in general-purpose quantum computing, which currently poses no threat to modern cryptography, scientists have been exploring various attack approaches on specialised quantum computers. In the latest work led by Wang Chao, of Shanghai University, the team said it used a quantum computer produced by Canada's D-Wave Systems to successfully breach cryptographic algorithms.

Using the D-Wave Advantage, they successfully attacked the Present, Gift-64 and Rectangle algorithms -- all representative of the SPN (Substitution-Permutation Network) structure, which forms part of the foundation for advanced encryption standard (AES) widely used in the military and finance. AES-256, for instance, is considered the best encryption available and often referred to as military-grade encryption. While the exact passcode is not immediately available yet, it is closer than ever before, according to the study. "This is the first time that a real quantum computer has posed a real and substantial threat to multiple full-scale SPN structured algorithms in use today," they said in the peer-reviewed paper.

An anonymous reader shares a report: A Florida data broker that lost hundreds of millions of Social Security numbers and other personally identifiable information in a data breach earlier this year, has filed for Chapter 11 bankruptcy protection as the company faces a wave of litigation.

Jericho Pictures, the parent company of the hacked data broker National Public Data, told a Florida bankruptcy court that it was unlikely to be able to repay its debtors or address its anticipated liabilities and class-action lawsuits, including paying "for credit monitoring for hundreds of millions of potentially impacted individuals." In its initial filing, Jericho Pictures' owner, Salvatore Verini, said the company "faces substantial uncertainty facing regulatory challenges by the Federal Trade Commission and more than 20 states with civil penalties for data breaches."

spatwei shared an article from SC World: Attacks on large language models (LLMs) take less than a minute to complete on average, and leak sensitive data 90% of the time when successful, according to Pillar Security.

Pillar's State of Attacks on GenAI report, published Wednesday, revealed new insights on LLM attacks and jailbreaks, based on telemetry data and real-life attack examples from more than 2,000 AI applications. LLM jailbreaks successfully bypass model guardrails in one out of every five attempts, the Pillar researchers also found, with the speed and ease of LLM exploits demonstrating the risks posed by the growing generative AI (GenAI) attack surface...

The more than 2,000 LLM apps studied for the State of Attacks on GenAI report spanned multiple industries and use cases, with virtual customer support chatbots being the most prevalent use case, making up 57.6% of all apps.
Common jailbreak techniques included "ignore previous instructions" and "ADMIN override", or just using base64 encoding. "The Pillar researchers found that attacks on LLMs took an average of 42 seconds to complete, with the shortest attack taking just 4 seconds and the longest taking 14 minutes to complete.

"Attacks also only involved five total interactions with the LLM on average, further demonstrating the brevity and simplicity of attacks."