Security

384,000 Sites Pull Code From Sketchy Code Library Recently Bought By Chinese Firm (arstechnica.com) 35

An anonymous reader quotes a report from Ars Technica: More than 384,000 websites are linking to a site that was caught last week performing a supply-chain attack that redirected visitors to malicious sites, researchers said. For years, the JavaScript code, hosted at polyfill[.]com, was a legitimate open source project that allowed older browsers to handle advanced functions that weren't natively supported. By linking to cdn.polyfill[.]io, websites could ensure that devices using legacy browsers could render content in newer formats. The free service was popular among websites because all they had to do was embed the link in their sites. The code hosted on the polyfill site did the rest. In February, China-based company Funnull acquired the domain and the GitHub account that hosted the JavaScript code. On June 25, researchers from security firm Sansec reported that code hosted on the polyfill domain had been changed to redirect users to adult- and gambling-themed websites. The code was deliberately designed to mask the redirections by performing them only at certain times of the day and only against visitors who met specific criteria.

The revelation prompted industry-wide calls to take action. Two days after the Sansec report was published, domain registrar Namecheap suspended the domain, a move that effectively prevented the malicious code from running on visitor devices. Even then, content delivery networks such as Cloudflare began automatically replacing pollyfill links with domains leading to safe mirror sites. Google blocked ads for sites embedding the Polyfill[.]io domain. The website blocker uBlock Origin added the domain to its filter list. And Andrew Betts, the original creator of Polyfill.io, urged website owners to remove links to the library immediately. As of Tuesday, exactly one week after malicious behavior came to light, 384,773 sites continued to link to the site, according to researchers from security firm Censys. Some of the sites were associated with mainstream companies including Hulu, Mercedes-Benz, and Warner Bros. and the federal government. The findings underscore the power of supply-chain attacks, which can spread malware to thousands or millions of people simply by infecting a common source they all rely on.

Privacy

Europol Says Mobile Roaming Tech Making Its Job Too Hard (theregister.com) 33

Top Eurocops are appealing for help from lawmakers to undermine a privacy-enhancing technology (PET) they say is hampering criminal investigations -- and it's not end-to-end encryption this time. Not exactly. From a report: Europol published a position paper today highlighting its concerns around SMS home routing -- the technology that allows telcos to continue offering their services when customers visit another country. Most modern mobile phone users are tied to a network with roaming arrangements in other countries. EE customers in the UK will connect to either Telefonica or Xfera when they land in Spain, or T-Mobile in Croatia, for example.

While this usually provides a fairly smooth service for most roamers, Europol is now saying something needs to be done about the PETs that are often enabled in these home routing setups. According to the cops, they pointed out that when roaming, a suspect in a criminal case who's using a SIM from another country will have all of their mobile communications processed through their home network. If a crime is committed by a Brit in Germany, for example, then German police couldn't issue a request for unencrypted data as they could with a domestic operator such as Deutsche Telekom.

IT

Roku Faces Criticism Over Controversial TV Update (theverge.com) 29

Roku's recent update has sparked controversy among TV owners, particularly those with TCL and Hisense models. The update, version 13.0.0 released on June 6, introduced a feature called "Roku Smart Picture" that has led to numerous complaints about unwanted motion smoothing effects. The Verge adds: While Roku doesn't explicitly mention motion smoothing, or what Roku calls "action smoothing," the update has made it so that I and many others with Roku TVs see motion smoothing, regardless of whether the picture setting is Roku Smart Picture or not. My TV didn't even support motion smoothing before this. Now, I can't make it go away.
Windows

New Windows 11 Start Menu Annoyingly Hides Oft-Used Actions (pcworld.com) 100

An anonymous reader shares a report: A new test version of Windows 11 is available for Windows Insiders on the Dev Channel with Build 26120.961, which rolls out a significant change: a new Windows Start menu. You'll immediately notice that Microsoft has redesigned the Microsoft user account display, moving it to the center of the Start menu as soon as you click on the username or profile picture.

This new "account manager" feature gives you quicker access to your various Microsoft accounts, such as Microsoft 365, Xbox Game Pass, and OneDrive cloud storage. To no surprise, Microsoft is using this prominent display to remind you of their own products and services. The difference to the current Windows 11 Start menu is obvious, as the following screenshot shows:

Security

A Hacker Stole OpenAI Secrets 18

A hacker infiltrated OpenAI's internal messaging systems in early 2023, stealing confidential information about the ChatGPT maker's AI technologies, New York Times reported Thursday. The breach, disclosed to employees in April that year but kept from the public, has sparked internal debate over the company's security protocols and potential national security implications, the report adds. The hacker accessed an employee forum containing sensitive discussions but did not breach core AI systems. OpenAI executives, believing the hacker had no government ties, opted against notifying law enforcement, the Times reported. From the report: After the breach, Leopold Aschenbrenner, an OpenAI technical program manager focused on ensuring that future A.I. technologies do not cause serious harm, sent a memo to OpenAI's board of directors, arguing that the company was not doing enough to prevent the Chinese government and other foreign adversaries from stealing its secrets.

Mr. Aschenbrenner said OpenAI had fired him this spring for leaking other information outside the company and argued that his dismissal had been politically motivated. He alluded to the breach on a recent podcast, but details of the incident have not been previously reported. He said OpenAI's security wasn't strong enough to protect against the theft of key secrets if foreign actors were to infiltrate the company.
Security

Ransomware Locks Credit Union Users Out of Bank Accounts (arstechnica.com) 27

An anonymous reader quotes a report from Ars Technica: A California-based credit union with over 450,000 members said it suffered a ransomware attack that is disrupting account services and could take weeks to recover from. "The next few days -- and coming weeks -- may present challenges for our members, as we continue to navigate around the limited functionality we are experiencing due to this incident," Patelco Credit Union CEO Erin Mendez told members in a July 1 message (PDF) that said the security problem was caused by a ransomware attack. Online banking and several other services are unavailable, while several other services and types of transactions have limited functionality.

Patelco Credit Union was hit by the attack on June 29 and has been posting updates on this page, which says the credit union "proactively shut down some of our day-to-day banking systems to contain and remediate the issue... As a result of our proactive measures, transactions, transfers, payments, and deposits are unavailable at this time. Debit and credit cards are working with limited functionality." Patelco Credit Union is a nonprofit cooperative in Northern California with $9 billion in assets and 37 local branches. "Our priority is the safe and secure restoration of our banking systems," a July 2 update said. "We continue to work alongside leading third-party cybersecurity experts in support of this effort. We have also been cooperating with regulators and law enforcement."

Patelco says that check and cash deposits should be working, but direct deposits have limited functionality. Security expert Ahmed Banafa "said Tuesday that it looks likely that hackers infiltrated the bank's internal databases via a phishing email and encrypted its contents, locking out the bank from its own systems," the Mercury News reported. Banafa was paraphrased as saying that it is "likely the hackers will demand an amount of money from the credit union to restore its systems back to normal, and will continue to hold the bank's accounts hostage until either the bank finds a way around the hack or until the hackers are paid." Patelco hasn't revealed details about how it will recover from the ransomware attack but acknowledged to customers that their personal information could be at risk. "The investigation into the nature and scope of the incident is ongoing," the credit union said. "If the investigation determines that individuals' information is involved as a result of this incident, we will of course notify those individuals and provide resources to help protect their information in accordance with applicable laws."
While ATMs "remain available for cash withdrawals and deposits," Patelco said many of its other services remain unavailable, including online banking, the mobile app, outgoing wire transfers, monthly statements, Zelle, balance inquiries, and online bill payments. Services with "limited functionality" include company branches, call center services, live chats, debit and credit card transactions, and direct deposits.
Privacy

OpenAI's ChatGPT Mac App Was Storing Conversations in Plain Text (theverge.com) 15

OpenAI's ChatGPT app for macOS contained a security vulnerability until Friday, potentially exposing users' conversations to unauthorized access, according to a developer's findings. The flaw allowed stored chats to be easily located and read in plain text on users' computers. Pedro Jose Pereira Vieito demonstrated the issue on social media, showing how a separate application could access and display recent ChatGPT conversations.
Microsoft

Microsoft Lays Off Employees in New Round of Cuts (geekwire.com) 46

Microsoft conducted another round of layoffs this week in the latest workforce reduction implemented by the Redmond tech giant this year. From a report: The cuts impacted multiple teams and geographies. Posts on LinkedIn from impacted employees show the cuts affecting employees in product and program management roles. "Organizational and workforce adjustments are a necessary and regular part of managing our business," a spokesperson said in a statement. "We will continue to prioritize and invest in strategic growth areas for our future and in support of our customers and partners."
Security

Twilio Says Hackers Identified Cell Phone Numbers of Two-Factor App Authy Users (techcrunch.com) 10

Twilio, a major U.S. messaging company, has confirmed that unauthorized actors had identified phone numbers associated with users of its Authy two-factor authentication app. The disclosure comes after a hacker claimed last week to have obtained 33 million phone numbers from Twilio. A Twilio spokesperson told TechCrunch that the company had detected an unauthenticated endpoint allowing access to Authy account data, including phone numbers. The endpoint has since been secured.
United States

Supreme Court Ruling Will Likely Cause Cyber Regulation Chaos (csoonline.com) 408

An anonymous reader shares a report: The US Supreme Court has issued a decision that could upend all federal cybersecurity regulations, moving ultimate regulatory approval to the courts and away from regulatory agencies. A host of likely lawsuits could gut the Biden administration's spate of cyber incident reporting requirements and other recent cyber regulatory actions. [...] While the Court's decision has the potential to weaken or substantially alter all federal agency cybersecurity requirements ever adopted, a series of cyber regulatory initiatives implemented over the past four years could become the particular focus of legal challenges. Parties who previously objected to these initiatives but were possibly reluctant to fight due to the Chevron deference will likely be encouraged to challenge these regulations.

Although all existing regulations are still in effect, the upshot for CISOs is almost certainly some degree of uncertainty as the legal challenges get underway. A host of conflicting decisions across the various judicial circuits in the US could lead to confusion in compliance programs until the smoke clears. CISOs should expect some court cases to water down or eliminate many existing cybersecurity regulatory requirements. A host of recently adopted cyber regulations will likely be challenged following the Court's ruling, but some recent regulations stand out as leading candidates for litigation. Among these are:

Security

Over 14 Million Servers May Be Vulnerable To OpenSSH's 'RegreSSHion' RCE Flaw (zdnet.com) 90

An anonymous reader quotes a report from ZDNet, written by Steven Vaughan-Nichols: Hold onto your SSH keys, folks! A critical vulnerability has just rocked OpenSSH, Linux's secure remote access foundation, causing seasoned sysadmins to break out in a cold sweat. Dubbed "regreSSHion" and tagged as CVE-2024-6387, this nasty bug allows unauthenticated remote code execution (RCE) on OpenSSH servers running on glibc-based Linux systems. We're not talking about some minor privilege escalation here -- this flaw hands over full root access on a silver platter. For those who've been around the Linux block a few times, this feels like deja vu. The vulnerability is a regression of CVE-2006-5051, a bug patched back in 2006. This old foe somehow snuck back into the code in October 2020 with OpenSSH 8.5p1. Thankfully, the Qualys Threat Research Unit uncovered this digital skeleton in OpenSSH's closet. Unfortunately, this vulnerability affects the default configuration and doesn't need any user interaction to exploit. In other words, it's a vulnerability that keeps security professionals up at night.

It's hard to overstate the potential impact of this flaw. OpenSSH is the de facto standard for secure remote access and file transfer in Unix-like systems, including Linux and macOS. It's the Swiss Army knife of secure communication for sysadmins and developers worldwide. The good news is that not all Linux distributions have the vulnerable code. Old OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable. The bad news is that the vulnerability resurfaced in OpenSSH 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component. Qualys has found over 14 million potentially vulnerable OpenSSH server internet instances. The company believes that approximately 700,000 of these external internet-facing instances are definitely vulnerable. A patch, OpenSSH 9.8/9.8p1 is now available. Many, but not all, Linux distributions have made it available. If you can get it, install it as soon as possible.
If for whatever reason you're not able to install a patch, Vaughan-Nichols recommends you set LoginGraceTime to 0 in the sshd configuration file and use network-based controls to restrict SSH access, while also configuring firewalls and monitoring tools to detect and block exploit attempts.
Security

Despite OS Shielding Up, Half of America Opts For Third-Party Antivirus (theregister.com) 76

Nearly half of Americans are using third-party antivirus software and the rest are either using the default protection in their operating system -- or none at all. From a report: In all, 46 percent of almost 1,000 US citizens surveyed by the reviews site Security.org said they used third-party antivirus on their computers, with 49 percent on their PCs, 18 percent using it on their tablets, and 17 percent on their phones. Of those who solely rely on their operating system's built-in security -- such as Microsoft's Windows Defender, Apple's XProtect, and Android's Google Play -- 12 percent are planning to switch to third-party software in the next six months.

Of those who do look outside the OS, 54 percent of people pay for the security software, 43 percent choose the stripped-down free version, and worryingly, three percent aren't sure whether they pay or not. Among paying users, the most popular brands were Norton, McAfee, and Malwarebytes, while free users preferred -- in order -- McAfee, Avast, and Malwarebytes. The overwhelming reason for purchasing, cited by 84 percent of respondents, was, of course, fear of malware. The next most common reasons were privacy, at 54 percent, and worries over online shopping, at 48 percent. Fear of losing cryptocurrency stashes from wallets was at eight percent, doubled since last year's survey.

Google

Google Might Abandon ChromeOS Flex (zdnet.com) 59

An anonymous reader shares a report: ChromeOS Flex extends the lifespan of older hardware and contributes to reducing e-waste, making it an environmentally conscious choice. Unfortunately, recent developments hint at a potential end for ChromeOS Flex. As detailed in a June 12 blog post by Prajakta Gudadhe, senior director of engineering for ChromeOS, and Alexander Kuscher, senior director of product management for ChromeOS, Google's announcement about integrating ChromeOS with Android to enhance AI capabilities suggests that Flex might not be part of this future.

Google's plan, as detailed, suggests that ChromeOS Flex could be phased out, leaving its current users in a difficult position. The ChromiumOS community around ChromeOS Flex may attempt to adjust to these changes if Google open sources ChromeOS Flex, but this is not a guarantee. In the meantime, users may want to consider alternatives, such as various Linux distributions, to keep their older hardware functional.

IT

Figma Disables AI Design Tool That Copied Apple Weather App (techcrunch.com) 28

Design startup Figma is temporarily disabling its "Make Design" AI feature that was said to be ripping off the designs of Apple's own Weather app. TechCrunch: The problem was first spotted by Andy Allen, the founder of NotBoring Software, which makes a suite of apps that includes a popular, skinnable Weather app and other utilities. He found by testing Figma's tool that it would repeatedly reproduce Apple's Weather app when used as a design aid. John Gruber, writing at DaringFireball: This is even more disgraceful than a human rip-off. Figma knows what they trained this thing on, and they know what it outputs. In the case of this utter, shameless, abject rip-off of Apple Weather, they're even copying Weather's semi-inscrutable (semi-scrutable?) daily temperature range bars.

"AI" didn't do this. Figma did this. And they're handing this feature to designers who trust Figma and are the ones who are going to be on the hook when they present a design that, unbeknownst to them, is a blatant rip-off of some existing app.

Security

10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com) 23

storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use these tools."
"While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence." the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.
Security

Fintech Company Wise Says Some Customers Affected by Evolve Bank Data Breach (techcrunch.com) 3

An anonymous reader shares a report: The money transfer and fintech company Wise says some of its customers' personal data may have been stolen in the recent data breach at Evolve Bank and Trust. The news highlights that the fallout from the Evolve data breach on third-party companies -- and their customers and users -- is still unclear, and it's likely that it includes companies and startups that are yet unknown.

In a statement published on its official website, Wise wrote that the company worked with Evolve from 2020 until 2023 "to provide USD account details." And given that Evolve was breached recently, "some Wise customers' personal information may have been involved." [...] So far, Affirm, EarnIn, Marqeta, Melio and Mercury -- all Evolve partners -- have acknowledged that they are investigating how the Evolve breach impacted their customers.

Microsoft

Microsoft Tells Yet More Customers Their Emails Have Been Stolen (theregister.com) 23

Microsoft revealed that the Russian hackers who breached its systems earlier this year stole more emails than initially reported. "We are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor," a Microsoft spokesperson told Bloomberg (paywalled). "This is increased detail for customers who have already been notified and also includes new notifications." The Register reports: We've been aware for some time that the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, and sensitive U.S. government data. Reports last week revealed that the issue was even larger than initially believed and additional customers' data has been stolen. Along with Russia, Microsoft was also compromised by state actors from China not long ago, and that issue similarly led to the theft of emails and other data belonging to senior U.S. government officials.

Both incidents have led experts to call Microsoft a threat to U.S. national security, and president Brad Smith to issue a less-than-reassuring mea culpa to Congress. All the while, the U.S. government has actually invested more in its Microsoft kit. Bloomberg reported that emails being sent to affected Microsoft customers include a link to a secure environment where customers can visit a site to review messages Microsoft identified as having been compromised. But even that might not have been the most security-conscious way to notify folks: Several thought they were being phished.

IT

90 Workers Given a Choice: Relocate Across the US, or Leave the Company (businessinsider.com) 172

"The outdoor-apparel brand Patagonia has given 90 U.S. employees a choice," reports Business Insider: "tell the company by Friday that you're willing to relocate or leave your job." [Alternate URL here.] The employees all work in customer services, known at Patagonia as the customer-experience, or CX, team, and have been allowed to work remotely to field calls and inquiries. These workers received a text and email Tuesday morning about an "important" meeting... Two company executives, Amy Velligan and Bruce Old, told staff in a 15-minute video meeting that the team would be moving to a new "hub" model. CX employees are now expected to live within 60 miles of one of seven "hubs" — Atlanta; Salt Lake City; Reno, Nevada; Dallas; Austin; Chicago; or Pittsburgh. Workers were offered $4,000 toward relocation costs and extra paid time off. Those willing to relocate were told to do so by September 30.

If CX staff are not willing to live near a hub city, they must leave the company. They were given 72 hours, until Friday, to confirm their decision... Access to company laptops and phones was shut off later that day until employees either agreed to relocate or said they wanted the severance, one affected CX worker said...

Both employees who spoke to Business Insider believed this was because Patagonia didn't want to handle the increased demands of employees in states with higher costs of living. "We've been asking for raises for a long time, and they keep telling us that your wage is based on a Reno cost of living and where you choose to live is on you."

According to the article, "The company hopes to bring staff together at the hubs at least once every six weeks for in-person training, company gatherings, or 'Activism Hours'." A company spokesperson described the changes as "crucial for us to build a vibrant team culture," and said there were workers who had been complaining about feeling disconnected. Though there may be another motive: "The reality is that our CX team has been running at 200% to 300% overstaffed for much of this year," she added. "While we hoped to reach the needed staffing levels through attrition, those numbers were very low, and retention remained high."
One affected worker told Business Insider that the company's proposal "was very factual. If you don't live in these seven metro areas, you either need to move there or give us your stuff and hit the brick. If we don't respond by Friday, they will assume that we have chosen the severance package and we'll start that process."

One worker added that the severance package they received was generous...

Thanks to Slashdot reader NoWayNoShapeNoForm for sharing the article.
Windows

Game Pass Ad in Windows 11 Settings Sparks User Backlash 50

An anonymous reader shares a report: Starting with those builds, Windows 11 will show a Game Pass recommendation / ad within the Settings app. The advertisement will appear on both Windows 11 Home and Windows 11 Pro if you actively play games on your PC. Microsoft lists this feature first under the "Highlights" section of its blog post about the update. Some users aren't pleased. "Microsoft has gone too far," news blog TechRadar wrote.

Slashdot Top Deals