Windows

Microsoft: Windows 24H2 Will Remove Cortana and WordPad Apps (bleepingcomputer.com) 102

Microsoft says the Cortana, Tips, and WordPad applications will be automatically removed on systems upgraded to the upcoming Windows 11 24H2 release. From a report: This was shared in a Thursday blog announcing that Windows 11, version 24H2 (Build 26100.712) is now available for Insiders in the Release Preview Channel. The company removed the Cortana standalone app from Windows 11 in preview build 25967 for Insiders, released in the Canary Channel in early October. It first announced that it would end support for Cortana in a support document published in June and deprecated it in another Canary build in August.

In September, Microsoft announced that it would deprecate WordPad -- automatically installed on Windows systems for 28 years, since 1995, and an optional Windows feature since the Windows 10 Insider Build 19551 release in February 2020 -- with a future Windows update. In November, the company also informed users that the Tips app was deprecated and would be removed in a future Windows release.

Security

Memory Sealing 'mseal' System Call Merged For Linux 6.10 (phoronix.com) 50

"Merged this Friday evening into the Linux 6.10 kernel is the new mseal() system call for memory sealing," reports Phoronix: The mseal system call was led by Jeff Xu of Google's Chrome team. The goal with memory sealing is to also protect the memory mapping itself against modification. The new mseal Linux documentation explains:

"Modern CPUs support memory permissions such as RW and NX bits. The memory permission feature improves security stance on memory corruption bugs, i.e. the attacker can't just write to arbitrary memory and point the code to it, the memory has to be marked with X bit, or else an exception will happen. Memory sealing additionally protects the mapping itself against modifications. This is useful to mitigate memory corruption issues where a corrupted pointer is passed to a memory management system... Memory sealing can automatically be applied by the runtime loader to seal .text and .rodata pages and applications can additionally seal security-critical data at runtime. A similar feature already exists in the XNU kernel with the VM_FLAGS_PERMANENT flag and on OpenBSD with the mimmutable syscall."

The mseal system call is designed to be used by the likes of the GNU C Library "glibc" while loading ELF executables to seal non-writable memory segments or by the Google Chrome web browser and other browsers for protecting security sensitive data structures.

Programming

Rust Foundation Reports 20% of Rust Crates Use 'Unsafe' Keyword (rust-lang.org) 92

A Rust Foundation blog post begins by reminding readers that Rust programs "are unable to compile if memory management rules are violated, essentially eliminating the possibility of a memory issue at runtime."

But then it goes on to explore "Unsafe Rust in the wild" (used for a small set of actions like dereferencing a raw pointer, modifying a mutable static variable, or calling unsafe functions). "At a superficial glance, it might appear that Unsafe Rust undercuts the memory-safety benefits Rust is becoming increasingly celebrated for. In reality, the unsafe keyword comes with special safeguards and can be a powerful way to work with fewer restrictions when a function requires flexibility, so long as standard precautions are used."

The Foundation lists those available safeguards — which "make exploits rare — but not impossible." But then they go on to analyze just how much Rust code actually uses the unsafe keyword: The canonical way to distribute Rust code is through a package called a crate. As of May 2024, there are about 145,000 crates; of which, approximately 127,000 contain significant code. Of those 127,000 crates, 24,362 make use of the unsafe keyword, which is 19.11% of all crates. And 34.35% make a direct function call into another crate that uses the unsafe keyword [according to numbers derived from the Rust Foundation project Painter]. Nearly 20% of all crates have at least one instance of the unsafe keyword, a non-trivial number.

Most of these Unsafe Rust uses are calls into existing third-party non-Rust language code or libraries, such as C or C++. In fact, the crate with the most uses of the unsafe keyword is the Windows crate, which allows Rust developers to call into various Windows APIs. This does not mean that the code in these Unsafe Rust blocks are inherently exploitable (a majority or all of that code is most likely not), but that special care must be taken while using Unsafe Rust in order to avoid potential vulnerabilities...

Rust lives up to its reputation as an excellent and transformative tool for safe and secure programming, even in an Unsafe context. But this reputation requires resources, collaboration, and constant examination to uphold properly. For example, the Rust Project is continuing to develop tools like Miri to allow the checking of unsafe Rust code. The Rust Foundation is committed to this work through its Security Initiative: a program to support and advance the state of security within the Rust Programming language ecosystem and community. Under the Security Initiative, the Rust Foundation's Technology team has developed new tools like [dependency-graphing] Painter, TypoMania [which checks package registries for typo-squatting] and Sandpit [an internal tool watching for malicious crates]... giving users insight into vulnerabilities before they can happen and allowing for a quick response if an exploitation occurs.

The Almighty Buck

Best Buy and Geek Squad Were Most Impersonated Orgs By Scammers In 2023 (theregister.com) 20

An anonymous reader quotes a report from The Register: The Federal Trade Commission (FTC) has shared data on the most impersonated companies in 2023, which include Best Buy, Amazon, and PayPal in the top three. The federal agency detailed the top ten companies scammers impersonate and how much they make depending on the impersonation. By far the most impersonated corp was Best Buy and its repair business Geek Squad, with a total of 52k reports. Amazon impersonators came in second place with 34k reports, and PayPal a distant third with 10,000. Proportionally, the top three made up roughly 72 percent of the reports among the top ten, and Best Buy and Geek Squad scam reports were about 39 percent on their own. Though, high quantity doesn't necessarily translate to greater success for scammers, as the FTC also showed how much scammers made depending on what companies they impersonated. Best Buy and Geek Squad, Amazon, and PayPal scams made about $15 million, $19 million, and $16 million respectively, but that's nothing compared to the $60 million that Microsoft impersonators were able to fleece. [...]

The FTC also reported the vectors scammers use to contact their victims. Phone and email are still the most common means, but social media is becoming increasingly important for scamming and features the most costly scams. The feds additionally disclosed the kinds of payment methods scammers use for all sorts of frauds, including company and individual impersonation scams, investment scams, and romance scams. Cryptocurrency and bank transfers were popular for investment scammers, who are the most prolific on social media, while gift cards were most common for pretty much every other type of scam. However, not all scammers ask for digital payment, as the Federal Bureau of Investigation says that even regular old mail is something scammers are relying on to get their ill-gotten gains.

Apple

Apple Explains Rare iOS 17.5 Bug That Resurfaced Deleted Photos (9to5mac.com) 59

Apple has shed more light on the bizarre iOS 17.5 bug that caused long-deleted photos to mysteriously reappear on users' devices. In a statement to 9to5Mac, the iPhone maker clarified that the issue stemmed from a corrupted database on the device itself, not iCloud Photos. This means the photos were never fully erased from the device, but they also weren't synced to iCloud. Interestingly, these files could have hitched a ride to new devices through backups or direct transfers.
Encryption

Signal Slams Telegram's Security (techcrunch.com) 33

Messaging app Signal's president Meredith Whittaker criticized rival Telegram's security on Friday, saying Telegram founder Pavel Durov is "full of s---" in his claims about Signal. "Telegram is a social media platform, it's not encrypted, it's the least secure of messaging and social media services out there," Whittaker told TechCrunch in an interview. The comments come amid a war of words between Whittaker, Durov and Twitter owner Elon Musk over the security of their respective platforms. Whittaker said Durov's amplification of claims questioning Signal's security was "incredibly reckless" and "actually harms real people."

"Play your games, but don't take them into my court," Whittaker said, accusing Durov of prioritizing being "followed by a professional photographer" over getting facts right about Signal's encryption. Signal uses end-to-end encryption by default, while Telegram only offers it for "secret chats." Whittaker said many in Ukraine and Russia use Signal for "actual serious communications" while relying on Telegram's less-secure social media features. She said the "jury is in" on the platforms' comparative security and that Signal's open source code allows experts to validate its privacy claims, which have the trust of the security community.
Security

Courtroom Recording Software Compromised With Backdoor Installer (arstechnica.com) 18

Hackers have compromised a popular courtroom recording software, JAVS, gaining full control through a backdoored update. Louisville, Kentucky-based Justice AV Solutions, its maker, pulled the compromised software, reset passwords, and audited its systems. Cybersecurity firm Rapid7 found that the corrupted installer grants attackers full access and transmits host system data to a command-and-control server. The Record adds: In its advisory, Rapid7 stressed the need to reimage all endpoints where the software was installed, and to reset credentials on web browsers and for any accounts logged into affected endpoints, both local and remote. "Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate," they wrote. "Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials."
IT

Leaked Contract Shows Samsung Forces Repair Shop To Snitch On Customers (404media.co) 34

Speaking of Samsung, samleecole shares a report about the contract the South Korean firm requires repair shops to sign: In exchange for selling them repair parts, Samsung requires independent repair shops to give Samsung the name, contact information, phone identifier, and customer complaint details of everyone who gets their phone repaired at these shops, according to a contract obtained by 404 Media. Stunningly, it also requires these nominally independent shops to "immediately disassemble" any phones that customers have brought them that have been previously repaired with aftermarket or third-party parts and to "immediately notify" Samsung that the customer has used third-party parts.

"Company shall immediately disassemble all products that are created or assembled out of, comprised of, or that contain any Service Parts not purchased from Samsung," a section of the agreement reads. "And shall immediately notify Samsung in writing of the details and circumstances of any unauthorized use or misappropriation of any Service Part for any purpose other than pursuant to this Agreement. Samsung may terminate this Agreement if these terms are violated."

Google

Google: Stop Trying To Trick Employees With Fake Phishing Emails (pcmag.com) 100

An anonymous reader shares a report: Did your company recently send you a phishing email? Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive. "PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

Linton also published a post on the Google Security blog about the pitfalls of today's simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements. In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they'll be told they failed the test and will usually be required to take some sort of training course. However, Linton argues that simulated phishing tests can lead to harmful side effects, which can undermine a company's security. "There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."

Network

A Root-Server at the Internet's Core Lost Touch With Its Peers. We Still Don't Know Why. 44

A server maintained by Cogent Communications, one of the 13 root servers crucial to the Internet's domain name system, fell out of sync with its peers for over four days due to an unexplained glitch. This issue, which could have caused worldwide stability and security problems, was resolved on Wednesday.

The root servers store cryptographic keys necessary for authenticating intermediate servers under the DNSSEC mechanism. Inconsistencies in these keys across the 13 servers could lead to an increased risk of attacks such as DNS cache poisoning. Engineers postponed planned updates to the .gov and .int domain name servers' DNSSEC to use ECDSA cryptographic keys until the situation stabilized. Cogent stated that it became aware of the issue on Tuesday and resolved it within 25 hours. ArsTechnica, which has a great writeup about the incident, adds: Initially, some people speculated that the depeering of Tata Communications, the c-root site outage, and the update errors to the c-root itself were all connected somehow. Given the vagueness of the statement, the relation of those events still isn't entirely clear.
Security

Hacker Breaches Scam Call Center, Warns Victims They've Been Scammed (404media.co) 21

A hacker claims to have breached a scam call center, stolen the source code for the company's tools, and emailed the company's scam victims, according to multiple screenshots and files provided by the hacker to 404 Media. From the report: The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

"Hello, everyone! If you are seeing this email then you have been targeted by a fake antivirus company known as 'Waredot,'" the hacker wrote in their alleged email to customers, referring to the scam call center. The email goes on to suggest that customers issue a chargeback "as this trash software isn't worth anywhere NEAR $300-$400 per month, and these trash idiots don't deserve your money!"

Operating Systems

RISC-V Now Supports Rust In the Linux Kernel (phoronix.com) 31

Michael Larabel reports via Phoronix: The latest RISC-V port updates have been merged for the in-development Linux 6.10 kernel. Most notable with today's RISC-V merge to Linux 6.10 is now supporting the Rust programming language within the Linux kernel. RISC-V joins the likes of x86_64, LoongArch, and ARM64 already supporting the use of the in-kernel Rust language support. The use of Rust within the mainline Linux kernel is still rather limited with just a few basic drivers so far and a lot of infrastructure work taking place, but there are a number of new drivers and other subsystem support on the horizon. RISC-V now supporting Rust within the Linux kernel will become more important moving forward.

The RISC-V updates for Linux 6.10 also add byte/half-word compare-and-exchange, support for Zihintpause within hwprobe, a PR_RISCV_SET_ICACHE_FLUSH_CTX prctl(), and support for lockless lockrefs. More details on these RISC-V updates for Linux 6.10 via this Git merge.

Security

Spyware Found on US Hotel Check-in Computers (techcrunch.com) 24

A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch reported Wednesday. From the report: The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware's intended users.

This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It's also the second known time that pcTattletale has exposed screenshots of the devices that the app is installed on. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators. pcTattletale allows whomever controls it to remotely view the target's Android or Windows device and its data, from anywhere in the world. pcTattletale's website says the app "runs invisibly in the background on their workstations and can not be detected."

Encryption

Undisclosed WhatsApp Vulnerability Lets Governments See Who You Message (theintercept.com) 38

WhatsApp's security team warned that despite the app's encryption, users are vulnerable to government surveillance through traffic analysis, according to an internal threat assessment obtained by The Intercept. The document suggests that governments can monitor when and where encrypted communications occur, potentially allowing powerful inferences about who is conversing with whom. The report adds: Even though the contents of WhatsApp communications are unreadable, the assessment shows how governments can use their access to internet infrastructure to monitor when and where encrypted communications are occurring, like observing a mail carrier ferrying a sealed envelope. This view into national internet traffic is enough to make powerful inferences about which individuals are conversing with each other, even if the subjects of their conversations remain a mystery. "Even assuming WhatsApp's encryption is unbreakable," the assessment reads, "ongoing 'collect and correlate' attacks would still break our intended privacy model."

The WhatsApp threat assessment does not describe specific instances in which it knows this method has been deployed by state actors. But it cites extensive reporting by the New York Times and Amnesty International showing how countries around the world spy on dissident encrypted chat app usage, including WhatsApp, using the very same techniques. As war has grown increasingly computerized, metadata -- information about the who, when, and where of conversations -- has come to hold immense value to intelligence, military, and police agencies around the world. "We kill people based on metadata," former National Security Agency chief Michael Hayden once infamously quipped.
Meta said "WhatsApp has no backdoors and we have no evidence of vulnerabilities in how WhatsApp works." Though the assessment describes the "vulnerabilities" as "ongoing," and specifically mentions WhatsApp 17 times, a Meta spokesperson said the document is "not a reflection of a vulnerability in WhatsApp," only "theoretical," and not unique to WhatsApp.
Windows

Windows XP Can Run On an Intel CPU From 1989 Thanks To Dedicated Modder (techspot.com) 58

An anonymous reader shares a report: For those of us who came of age in the early days of personal computing, the names "Intel 486" and "Windows XP" evoke a nostalgic whirlwind of memories. The 486 was the hot new CPU of the early 90s, while Windows XP became a household name and Microsoft's most popular OS over a decade later. But did you ever imagine these two icons of different eras could be merged into an unholy union? Well, start brushing off those vintage 486 rigs, because a modder has actually made it happen. Going by the name Dietmar on the MSFN forums, he has somehow managed to get Microsoft's beloved Windows XP running on the ancient 486 architecture.

It's worth mentioning that these two were never meant to coexist. The first 486 chips hit the market way back in 1989, while Windows XP landed over a decade later in 2001. The 486 represented a major breakthrough when Intel unveiled it in 1989. Packing over a million transistors, it remained Intel's primary x86 chip until the arrival of the Pentium in 1993. Such was the processor's longevity that Intel continued manufacturing it for embedded systems until 2007. Still, 486 systems were simply too underpowered to run XP, which needed at least a Pentium-class processor from the 586 generation - or any compatible chip that ran at 233MHz or higher. Meanwhile, the i486 could only do 133MHz. It also needed at least 64MB of RAM and at least 1.5GB of storage.

United States

US Government Urges Federal Contractors To Strengthen Encryption (bloomberg.com) 20

Companies working with the US government may be required to start protecting their data and technology from attacks by quantum computers as soon as July. From a report: The National Institute for Standards and Technology, part of the Department of Commerce, will in July stipulate three types of encryption algorithms the agency deems sufficient for protecting data from quantum computers, setting an internationally-recognized standard aimed at helping organizations manage evolving cybersecurity threats. The rollout of the standards will kick off "the transition to the next generation of cryptography," White House deputy national security adviser Anne Neuberger told Bloomberg in Cambridge, England on Tuesday. Breaking encryption not only threatens "national security secrets" but also the the way we secure the internet, online payments and bank transactions, she added.

Neuberger was speaking at an event organized by the University of Cambridge and Vanderbilt University, hosting academics, industry professionals and government officials to discuss the threats posed to cybersecurity by quantum computing, which vastly accelerates processing power by performing calculations in parallel rather than sequentially and will make existing encryption systems obsolete.

Technology

Match Group, Meta, Coinbase And More Form Anti-Scam Coalition (engadget.com) 23

An anonymous reader shares a report: Scams are all over the internet, and AI is making matters worse (no, Taylor Swift didn't giveaway Le Creuset pans, and Tom Hanks didn't promote a dental plan). Now, companies such as Match Group, Meta and Coinbase are launching Tech Against Scams, a new coalition focused on collaboration to prevent online fraud and financial schemes. They will "collaborate on ways to take action against the tools used by scammers, educate and protect consumers and disrupt rapidly evolving financial scams."

Meta, Coinbase and Match Group -- which owns Hinge and Tinder -- first joined forces on this issue last summer but are now teaming up with additional digital, social media and crypto companies, along with the Global Anti-Scam Organization. A major focus of this coalition is pig butchering scams, a type of fraud in which a scammer tricks someone into giving them more and more money through trusting digital relationships, both romantic and platonic in nature.

Security

EPA Says It Will Step Up Enforcement To Address 'Critical' Vulnerabilities Within Water Sector (therecord.media) 64

The U.S. Environmental Protection Agency on Monday urged water utilities to take action to improve their digital defenses, following a spate of recent cyberattacks. From a report: The agency's "enforcement alert" said that recent inspections of water systems found that more than 70 percent fail to meet basic cybersecurity standards, including some with "critical" vulnerabilities, such as relying on default passwords that haven't been updated and single logins that "can easily be compromised." The notice comes after a Russian hacktivist group claimed credit for digital assaults on water sites in Texas and Indiana. Late last year, Iran-linked Cyber Av3ngers group took responsibility for striking a water authority in Pennsylvania.
The Internet

38% of Webpages That Existed in 2013 Are No Longer Accessible a Decade Later 62

A new Pew Research Center analysis shows just how fleeting online content actually is: 1. A quarter of all webpages that existed at one point between 2013 and 2023 are no longer accessible, as of October 2023. In most cases, this is because an individual page was deleted or removed on an otherwise functional website.
2. For older content, this trend is even starker. Some 38% of webpages that existed in 2013 are not available today, compared with 8% of pages that existed in 2023.

This "digital decay" occurs in many different online spaces. We examined the links that appear on government and news websites, as well as in the "References" section of Wikipedia pages as of spring 2023. This analysis found that:
1. 23% of news webpages contain at least one broken link, as do 21% of webpages from government sites. News sites with a high level of site traffic and those with less are about equally likely to contain broken links. Local-level government webpages (those belonging to city governments) are especially likely to have broken links.
2. 54% of Wikipedia pages contain at least one link in their "References" section that points to a page that no longer exists.[...]
AI

Bruce Schneier Reminds LLM Engineers About the Risks of Prompt Injection Vulnerabilities (schneier.com) 40

Security professional Bruce Schneier argues that large language models have the same vulnerability as phones in the 1970s exploited by John Draper.

"Data and control used the same channel," Schneier writes in Communications of the ACM. "That is, the commands that told the phone switch what to do were sent along the same path as voices." Other forms of prompt injection involve the LLM receiving malicious instructions in its training data. Another example hides secret commands in Web pages. Any LLM application that processes emails or Web pages is vulnerable. Attackers can embed malicious commands in images and videos, so any system that processes those is vulnerable. Any LLM application that interacts with untrusted users — think of a chatbot embedded in a website — will be vulnerable to attack. It's hard to think of an LLM application that isn't vulnerable in some way.

Individual attacks are easy to prevent once discovered and publicized, but there are an infinite number of them and no way to block them as a class. The real problem here is the same one that plagued the pre-SS7 phone network: the commingling of data and commands. As long as the data — whether it be training data, text prompts, or other input into the LLM — is mixed up with the commands that tell the LLM what to do, the system will be vulnerable. But unlike the phone system, we can't separate an LLM's data from its commands. One of the enormously powerful features of an LLM is that the data affects the code. We want the system to modify its operation when it gets new training data. We want it to change the way it works based on the commands we give it. The fact that LLMs self-modify based on their input data is a feature, not a bug. And it's the very thing that enables prompt injection.

Like the old phone system, defenses are likely to be piecemeal. We're getting better at creating LLMs that are resistant to these attacks. We're building systems that clean up inputs, both by recognizing known prompt-injection attacks and training other LLMs to try to recognize what those attacks look like. (Although now you have to secure that other LLM from prompt-injection attacks.) In some cases, we can use access-control mechanisms and other Internet security systems to limit who can access the LLM and what the LLM can do. This will limit how much we can trust them. Can you ever trust an LLM email assistant if it can be tricked into doing something it shouldn't do? Can you ever trust a generative-AI traffic-detection video system if someone can hold up a carefully worded sign and convince it to not notice a particular license plate — and then forget that it ever saw the sign...?

Someday, some AI researcher will figure out how to separate the data and control paths. Until then, though, we're going to have to think carefully about using LLMs in potentially adversarial situations...like, say, on the Internet.

Schneier urges engineers to balance the risks of generative AI with the powers it brings. "Using them for everything is easier than taking the time to figure out what sort of specialized AI is optimized for the task.

"But generative AI comes with a lot of security baggage — in the form of prompt-injection attacks and other security risks. We need to take a more nuanced view of AI systems, their uses, their own particular risks, and their costs vs. benefits."

Slashdot Top Deals