The company behind Flipper Zero expects $80 million in sales this year, which ZDNet estimates at around 500,000 unit sales.

In its Kickstarter days the company sold almost $5 million as preorders, remembers TechCrunch, and the company claims it sold $25 million worth of the devices last year: So what are they selling? Flipper Zero is a "portable gamified multi-tool" aimed at everyone with an interest in cybersecurity, whether as a penetration tester, curious nerd or student — or with more nefarious purposes. The tool includes a bunch of ways to manipulate the world around you, including wireless devices (think garage openers), RFID card systems, remote keyless systems, key fobs, entry to barriers, etc. Basically, you can program it to emulate a bunch of different lock systems.

The system really works, too — I'm not much of a hacker, but I've been able to open garages, activate elevators and open other locking systems that should be way beyond my hacking skill level. On the one hand, it's an interesting toy to experiment with, which highlights how insecure much of the world around us actually is. On the other hand, I'm curious if it's a great idea to have 300,000+ hacking devices out in the wild that make it easy to capture car key signals and gate openers and then use them to open said apertures.
The company points out that their firmware is open source, and can be inspected by anyone.

ZDNet calls it "incredibly user-friendly" and "a fantastic educational tool and a stepping stone to get people — young and old — into cybersecurity," with "a very active community of users that are constantly finding new things to do with it". (Even third-party operating systems are available).

"Instead of looking like some scary hacking tool, all black and bristling with antennas, it looks like a kid's toy, all plastic and brightly colored," writes ZDNet. "It reminds me of Tamagotchis..."

Thanks to Slashdot reader ZipNada for suggesting the article.

An anonymous reader quotes a report from TechCrunch: Two U.S. schools have confirmed that TIAA, a nonprofit organization that provides financial services for individuals in academic fields, has been caught up in the mass-hacks targeting MOVEit file transfer tools. Middlebury College in Vermont and Trinity College in Connecticut both released security notices confirming they experienced data breaches as a result of a security incident at the Teachers Insurance and Annuity Association of America, or TIAA. According to its website, TIAA serves mire than five million active and retired employees participating at more than 15,000 institutions and manages $1.3 trillion in assets in more than 50 countries.

Both of the security notices confirm that TIAA was affected by hackers' widespread exploitation of a flaw in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. The mass-hack has so far claimed more than 160 victims, according to Emsisoft threat analyst Brett Callow, including the U.S. Department of Health and Human Services (HHS) and Siemens Energy. Only 12 of these victims have confirmed the number of people affected, which already adds up to more than 16 million individuals.

While TIAA notified affected schools of its security incident, the organization has yet to publicly acknowledge the incident. In response to a Twitter user questioning the organization's silence, TIAA responded saying that its offices were closed. It's not yet known how many organizations have been impacted as a result of the cyberattack on TIAA. TIAA has not yet been listed on the dark web leak site of the Russia-linked Clop ransomware gang, which has claimed responsibility for the ongoing MOVEit cyberattacks.

Chipmaker TSMC said on Friday that one of its hardware suppliers experienced a "security incident" that allowed the attackers to obtain configurations and settings for some of the servers the company uses in its corporate network. From a report: The disclosure came a day after the LockBit ransomware crime syndicate listed TSMC on its extortion site and threatened to publish the data unless it received a payment of $70 million. The hardware supplier, Kinmax Technology, confirmed that one of its test environments had been attacked by an external group, which was then able to retrieve configuration files and other parameter information. The company said it learned of the breach on Thursday and immediately shut down the compromised systems and notified the affected customer.

"Since the above information has nothing to do with the actual application of the customer, it is only the basic setting at the time of shipment," Kinmax officials wrote. "At present, no damage has been caused to the customer, and the customer has not been hacked by it." In an email, a TSMC representative wrote, "Upon review, this incident has not affected TSMC's business operations, nor did it compromise any TSMC's customer information. After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the Company's security protocols and standard operating procedures." The statement didn't say if TSMC has been contacted by the attackers or if it plans to pay the ransom.

Online piracy, now being linked with malware, identity theft, and banking fraud, has prompted a coordinated concerning campaign for tougher legislation beyond copyright laws. The French government, news website TorrentFreak reports, is considering an ambitious approach: integrating state-operated domain blacklists into web browsers. This step is well-intentioned, indicating an evolving strategy in battling piracy.

RSS Advisory Board: This month marks the 20th anniversary of the effort that became the Atom feed format. It all began on June 16, 2003, with a blog post from Apache Software Foundation contributor Sam Ruby asking for feedback about what constitutes a well-formed blog entry. The development of RSS 2.0 had been an unplanned hopscotch from a small group at Netscape to a smaller one at UserLand Software, but Atom was a barn raising. Hundreds of software developers, web publishers and technologists gathered for a discussion in the abstract that led to a concrete effort to build a well-specified syndication format and associated publishing API that could become Internet standards. Work was done on a project wiki that grew to over 1,500 pages. Everything was up for a vote, including a plebiscite on choosing a name that ballooned into a four-month-long bikeshed discussion in which Pie, Echo, Wingnut, Feedcast, Phaistos and several dozen alternatives finally, mercifully, miraculously lost out to Atom.

The road map of the Atom wiki lists the people, companies and projects that jumped at the chance to create a new format for feeds. XML specification co-author Tim Bray wrote: "The time to write it all down and standardize it is not when you're first struggling to invent the technology. We now have aggregators and publishing systems and search engines and you-name-it, and I think the community collectively understands pretty well what you need, what you don't need, and what a good syntax looks like. So, now's the time."

After a cybersecurity audit mistakenly reset everyone's password, a high school changed every student's password to "Ch@ngeme!" giving every student the chance to hack into any other student's account, according to emails obtained by TechCrunch. From the report: Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, "due to an unexpected vendor error, the system reset every student's password, preventing students from being able to log in to their Google account."

"To fix this, we have reset your child's password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today," the school, which has around 3,000 students, wrote in an email dated June 22. "We strongly suggest that your child update this password to their own unique password as soon as possible."

The US Securities and Exchange Commission has roiled the cybersecurity industry by putting executives of SolarWind on notice that it may pursue legal action for violations of federal law in connection with their response to the 2020 attack on the company's infrastructure that affected thousands of customers in government agencies and companies globally. From a report: Current and former employees and officers of the company, including the chief financial officer (CFO) and chief information security officer (CISO), have received so-called Wells Notices notices from the SEC staff, in connection with the investigation of the 2020 cyberattack, the company said in an SEC filing.

"The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws," SolarWinds said in its filing. A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law, SolarWinds noted. However, if the SEC does pursue legal action and prevails in a lawsuit, there could be various consequences.

An anonymous reader shares a report: If you want official updates from the Minecraft dev team, you better not look on Reddit. A post from a Reddit user bearing the name sliced_lime and a flair indicating they are the Minecraft Java Tech Lead (almost certainly Mojang's Mikael Hedberg) announced yesterday that Mojang would no longer be posting official content to Reddit, in the wake of that platform's response to protests over changes to its API. "As you have no doubt heard by now, Reddit management introduced changes recently that have led to rule and moderation changes across many subreddits," read the post, before announcing that those changes have led Mojang to "no longer feel that Reddit is an appropriate place to post official content or refer [its] players to".

The events are only obliquely referred to in the post, but it seems the move has been sparked by Reddit's crackdown on protests against recent changes to its API that would, in essence, kill off third-party apps that let users access the site. Subreddit mods have spent the last few weeks mounting various campaigns against Reddit's corporate leadership, either "going dark" by turning the subreddits they oversee into private, invite-only communities or else marking them as NSFW, meaning Reddit can't sell ads on those pages. Reddit responded by pressuring disgruntled mods, and in some cases ousting and trying to replace them.

An anonymous reader quotes a report from TechCrunch: A hacker has stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware. The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on its login page that on June 21, "a security incident occurred involving obtaining unauthorized access to the data of website users." "As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts," the notice read.

LetMeSpy is a type of phone monitoring app that is marketed for parental control or employee monitoring. The app is also specifically designed to stay hidden on a phone's home screen, making it difficult to detect and remove. Also known as stalkerware or spouseware, these kinds of phone monitoring apps are often planted by someone -- such as spouses or domestic partners -- with physical access to a person's phone, without their consent or knowledge. Once planted, LetMeSpy silently uploads the phone's text messages, call logs, and precise location data to its servers, allowing the person who planted the app to track the person in real-time.

Polish security research blog Niebezpiecznik first reported the breach. When Niebezpiecznik contacted the spyware maker for comment, the hacker reportedly responded instead, claiming to have seized wide access to the spyware maker's domain. It's not clear who is behind the LetMeSpy hack or their motives. The hacker intimated that they deleted LetMeSpy's databases stored on the server. A copy of the hacked database also appeared online later the same day. TechCrunch reviewed the leaked data, which included years of victims' call logs and text messages dating back to 2013. The database we reviewed contained current records on at least 13,000 compromised devices, though some of the devices shared little to no data with LetMeSpy. (LetMeSpy claims to delete data after two months of account inactivity.)

Apple has criticised powers in the UK's Online Safety Bill that could be used to force encrypted messaging tools like iMessage, WhatsApp and Signal to scan messages for child abuse material. From a report: Its intervention comes as 80 organisations and tech experts have written to Technology Minister Chloe Smith urging a rethink on the powers. Apple told the BBC the bill should be amended to protect encryption. End-to-end encryption (E2EE) stops anyone but the sender and recipient reading the message. Police, the government and some high-profile child protection charities maintain the tech -- used in apps such as WhatsApp and Apple's iMessage -- prevents law enforcement and the firms themselves from identifying the sharing of child sexual abuse material.

But in a statement Apple said: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. "Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

Investigations triggered by the cracking of encrypted phones three years ago have so far led to more than 6,500 arrests worldwide and the seizure of hundreds of tons of drugs, French, Dutch and European Union prosecutors said Tuesday. From a report: The announcement underscored the staggering scale of criminality -- mainly drugs and arms smuggling and money laundering -- that was uncovered as a result of police and prosecutors effectively listening in to criminals using encrypted EncroChat phones. "It helped to prevent violent attacks, attempted murders, corruption and large-scale drug transports, as well as obtain large-scale information on organised crime," European Union police and judicial cooperation agencies Europol and Eurojust said in a statement.

The French and Dutch investigation gained access to more than 115 million encrypted communications between some 60,000 criminals via servers in the northern French town of Roubaix, prosecutors said at a news conference in the nearby city of Lille. As a result, 6,558 suspects have been arrested worldwide, including 197 "high-value targets." Seized drugs included 30.5 million pills, 103.5 metric tons (114 tons) of cocaine, 163.4 metric tons (180 tons) of cannabis and 3.3 metric tons (3.6 tons) of heroin. The investigations also led to nearly 740 million euros ($809 million) in cash being recovered and assets or bank accounts worth another 154 million euros ($168 million) frozen.

"Smartwatches are being sent to random military members loaded with malware, much like malware distribution via USB drives in the past," writes longtime Slashdot reader frdmfghtr. "Recipients are advised not to turn them on and report the incident to their local security office." Defense News reports: The Department of the Army Criminal Investigation Division, or CID, in an announcement last week warned the watches may contain malware, potentially granting whoever sent the peripherals "access to saved data to include banking information, contacts, and account information such as usernames and passwords."

A more innocuous tactic may also be to blame: so-called brushing, used in e-commerce to boost a seller's ratings through fake orders and reviews. The CID, an independent federal law enforcement agency consisting of thousands of personnel, did not say exactly how many smartwatches were so far distributed.

An anonymous reader quotes a report from Gizmodo: One of the cybercriminals behind 2020's major Twitter hack was sentenced to five years in U.S. federal prison on Friday. Joseph O'Connor (AKA "PlugwalkJoe"), a 24-year-old British citizen, previously pleaded guilty to seven charges associated with the digital attack. He was arrested in Spain in 2021 and extradited to the U.S. in April of this year. In addition to the five years of jail time, O'Connor was also sentenced to three additional years under supervised release and ordered to pay back more than $790,000 in illicitly obtained funds, according to a news release from the U.S. Attorney's Office of the Southern District of New York. Previously, Graham Ivan Clark, another one of the hackers involved who was 17 at the time of the attack, pleaded guilty to related charges and was sentenced to three years in prison.

With all charges combined, O'Connor faced a maximum of 77 years in prison, per a Reuters report, while prosecutors called for a seven-year sentence. Ultimately, he will likely only serve about half of his five years, after having already spent nearly 2.5 years in pre-trial custody, Judge Jed S. Rakoff said during the Friday hearing, according to TechCrunch. Along with his fellow hackers, O'Connor "used his sophisticated technological abilities for malicious purposes -- conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim," according to a previous statement given by prosecuting U.S. Attorney Damian Williams. [...]

An investigation by the New York State Department of Financial Services determined that the breach was made possible because Twitter "lacked adequate cybersecurity protections," according to an October 2020 report. O'Connor and co were able to gain access to the social platform's internal systems through a simple scheme of calling Twitter employees posing as the company IT department. They were able to trick four Twitter workers into providing their login credentials. The FBI launched its own investigation, which found that O'Connor and his co-conspirators had managed to transfer account ownership to unauthorized users -- sometimes themselves, and sometimes to others willing to pay for the accounts. O'Connor himself paid $10,000 to take over one specific, unnamed account, according to a Department of Justice press statement from May. In addition to the Twitter hack, O'Connor also pleaded guilty to stealing nearly $800,000 from a crypto company by SIM swapping at least three executives' phone numbers. He further admitted to blackmailing an unnamed public figure via Snapchat and swatting a 16-year-old girl.

Australia's prime minister, Anthony Albanese, has told residents they should turn their smartphones off and on again once a day as a cybersecurity measure -- and tech experts agree. From a report: Albanese said the country needed to be proactive to thwart cyber risks, as he announced the appointment of Australia's inaugural national cybersecurity coordinator. "We need to mobilise the private sector, we need to mobilise, as well, consumers," the prime minister said on Friday. "We all have a responsibility. Simple things, turn your phone off every night for five minutes. For people watching this, do that every 24 hours, do it while you're brushing your teeth or whatever you're doing." The Australian government's advice is not new. In 2020, the United State's National Security Agency issued best-practice guidelines for mobile device security, which included rebooting smartphones once a week to prevent hacking.

An anonymous reader shared this report from the Washington Post: Working from home appears to be here to stay, especially for women and college-educated workers, according to economic data released Thursday that revealed how Americans spent their time in 2022. The data, from the American Time Use Survey (ATUS), suggests that the pandemic changes that upended the workplace, family life and social interactions continue to have a lasting effect on life in the United States.

Many white-collar workers who hunkered down at home during pandemic shutdowns have returned to the office, but extraordinarily high numbers have not. For many, remote work appears to be a new normal... Working from home "is a permanent shift," said Julia Pollak, chief economist at ZipRecruiter. "We're now seeing many companies start as remote-first companies." The new data is a "continuation of what we've been seeing" in the American workforce, she said...

The annual survey by the Bureau of Labor Statistics and the Census Bureau asks thousands of Americans how they spent the past 24 hours of their lives across different categories of activities. Results from 2019 through 2021 showed that the pandemic dramatically shifted how much time people spend working at home. The new data suggests those changes persisted through 2022, even as much of life returned to normal as more people got vaccinated and boosted against the coronavirus, and case counts fell...

There is a clear benefit to remote work for employees, Pollak said. Working from home saves time and money on commuting, and many employees want the flexibility to work from anywhere, to better support their parents or children. She said remote work also is "part of the reason for this huge spike in new business formation. It has lowered the barriers to starting a business."
The 2022 figures show 34% of workers over the age of 15 still said they were working at home — and 54% of workers with a workers with a bachelor's degree or higher. (Meanwhile, workers without a high school diploma "were even less likely to work from home in 2022 than they were before the pandemic.")

The Post also reports another interesting finding in the data. "Americans ages 20 to 24 are the only group that spent more time socializing than before the pandemic. Teenagers, and adults ages 55 to 64, reported an overall decline in time spent socializing since before the pandemic."

On Thursday San Francisco's mayor London Breed "proposed remaking the city's struggling downtown by tearing down abandoned retail space..." reports CNN, "and building new structures to reshape the struggling city..." Breed's comments come as San Francisco faces empty offices, a cratering commercial real estate market, and an exodus of retailers from its once-bustling downtown area, especially as pandemic work-from-home policies saw many residents leaving for less expensive parts of the country... Breed argued that an overall shift to online shopping post-pandemic has contributed to declining foot traffic in the area.

"You can convert certain spaces. A Westfield Mall could become something completely different than what it currently is," she said. "We can even tear down the whole building and build a whole new soccer stadium. We can create lab space or look at it as another company in some other capacity," she added...

Many tech companies in the city were quick to switch to remote work or flexible hybrid policies over the last few years, resulting in many workers filtering out of the city. Office vacancies in San Francisco have reached a 30-year high, negatively impacting the city's commercial real estate market and local retailers and restaurants, which have experienced declining sales and foot traffic. "Would I like for everyone to come back to the office five days a week? Of course, I would. But is that going to happen? Probably not. So, let's make some adjustments to do everything we can to reimagine what parts of San Francisco can be," Breed said.

In August, white-hat hackers at the DEFCON hacker convention will compete to try and breach the computer systems on a satellite in orbit. It took four years, but "this year, we are in space for real," said Steve Colenzo, Technology Transfer Lead for the Air Force Research Laboratory's Information Directorate in Rome, New York, and one of the contest organizers. From a report: Hack-A-Sat 4, taking place live at DEFCON Aug. 10-13 in Las Vegas, will be the first-ever hacking contest staged on a vehicle in orbit. In previous years, the contests used genuine working satellite hardware, but running safely on the ground. [...] Hack-A-Sat 4 is an attack/defend contest in which teams compete to hack each other's systems while defending their own. It is being staged by the Air Force Research Laboratory and the U.S. Space Force. More than 380 teams signed up for the qualification round in April, and the eight top-scoring ones, which include contestants from Australia, Germany, Italy and Poland, as well as the U.S., will participate in the finals at DEFCON.

"We always knew our objective was to do this in space," Colenzo said. But when, back in 2020, organizers asked satellite operators if they could stage a hacking contest on their space assets, "The answer, and there was really no hesitation, the answer was always no." Hack-A-Sat organizers realized that, if they wanted to reach their objective of staging such a contest in space, they would have to launch their own satellite, Colenzo said. The Moonlighter satellite was launched on a SpaceX rideshare rocket to the International Space Station June 5 by the U.S. government-backed non-profit The Aerospace Corporation. It's a foot-long toaster-sized cubesat satellite with extendable solar panels.

If all goes according to plan, Moonlighter will be deployed into orbit early in July, Project leader Aaron Myrick told Newsweek. Moonlighter is designed to be hacked, he said, and there are numerous safety measures in place. "The first thing that we said was that propulsion was off the table," Moonlighter can't change its own orbit, which might make it a hazard to other satellites. And its ground controllers have the ability to reboot the system, kicking out any intruders and restoring their control.

Cyberattacks on US hospitals are on the rise, adding a layer of financial pressure onto an industry still struggling to recover from the pandemic. From a report: Health facilities have been hit with 226 digital incursions affecting 36 million people this year, on track to be more widespread than 2022 attacks, according to John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association. Cyber raids on hospitals more than tripled in the past five years and have become more sophisticated, just when hospitals are coping with higher costs for labor and supplies and grappling with staff shortages. The industry in 2022 had what Moody's Investors Service analyst Matthew Cahill called "arguably the worst year in health-care history" for financial performance. "There's really no wiggle room for hospitals to deal with this," Cahill said in an interview. He said cyber risk has contributed to downgrades, including one at Missouri's Capital Region Medical Center last year following a breach.

Health-care facilities are attractive targets for cybercriminals because they hold ample personal data on patients, Matt Fabian and Lisa Washburn of Municipal Market Analytics wrote in a research note. Staffing shortages and wide use of third-party technology make the sector particularly vulnerable. The problem is particularly dire at smaller and rural hospitals, which have more financial distress and tend to use older technology. In an April note, Moody's cited an IBM survey that showed hospitals for 12 years have had the highest average cyberattack cost per industry, with $10.1 million in 2022. The AHA's Riggi said that while most hospitals have insurance, the cost to recover from attacks could be up to 10 times what insurance pays out.

An anonymous reader quotes a report from KrebsOnSecurity: The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. "smishing") messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn't be shipped unless the customer paid an added delivery fee. In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.

"During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient's phone number," the letter reads. "Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information." The written notice goes on to say UPS believes the data exposure "affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023." [...]

In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it. "Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries," reads an email from Brian Hughes, director of financial and strategy communications at UPS. "Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted," Hughes said. "We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website."

Privacy-focused firm DuckDuckGo has released a public beta of its browser for Windows, offering more default privacy protections and an assortment of Duck-made browsing tools. From a report: Like its Mac browser, DuckDuckGo (DDG) uses "the underlying operating system rendering API" rather than its own forked browser code. That's "a Windows WebView2 call that utilizes the Blink rendering engine underneath," according to DuckDuckGo's blog post. Fittingly, the browser reports itself as Microsoft Edge at most header-scanning sites. Inside the DuckDuckGo browser, you'll find:

1. Duck Player, which shows (most) YouTube videos "without privacy-invading ads" and doesn't feed your recommendations
2. Tracker blocking that DDG cites as "above and beyond" other browsers, including third-party tracker loading
3. Enforced encryption
4. The "fire button" that instantly closes all tabs and clears website data
5. Cookie pop-up management, automatically selecting a private option and hiding "I accept" pop-ups
6. Email protection, making it easier to use an auto-forwarding duck.com address on web forms