Windows

Windows 11's Big 2024 Update Leaves Behind 9GB of Undeletable Files (pcworld.com) 81

smooth wombat writes: The Windows 11 24H2 update has had a host of issues associated with it, including disappearing mouse cursors and blue screens related to Intel drivers. Now comes word that the new update leaves behind over 8 GB of undeletable cache files.

According to Windows Latest, attempts to delete the cache via the Control Panel are unsuccessful. Although you can select the cache for deletion and initiate the deletion process, the cache remains. Various other methods to remove the Windows update cache failed, too. It only cleared after a clean Windows installation altogether.

Businesses

Bankruptcy Took Down the Redbox Machine. If Only Someone Could Take Them Away. (msn.com) 141

Retailers across the U.S. are grappling with the aftermath of Redbox's bankruptcy, tasked with removing 24,000 abandoned DVD-dispensing machines. CVS, Walgreens, Walmart, and others are facing logistical challenges and potential safety hazards, according to WSJ. The 890-pound kiosks, often hardwired into stores' electrical systems, require specialized removal.

Further reading: Redbox App Axed, Dashing People's Hopes of Keeping Purchased Content.

Iphone

Chinese Hack of US ISPs Shows Why Apple Is Right About Backdoors (9to5mac.com) 119

Alypius shares a report from 9to5Mac: It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What's notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement. [...] Apple famously refused the FBI's request to create a backdoor into iPhones to help access devices used by shooters in San Bernardino and Pensacola. The FBI was subsequently successful in accessing all the iPhones concerned without the assistance it sought.

Our arguments against such backdoors predate both cases, when Apple spoke out on the issue in the wake of terrorist attacks in Paris more than a decade ago: "Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out. You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they're not -- and if they're not then it's a question of when, rather than if, others are able to exploit the vulnerability."

This latest case perfectly illustrates the point. The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them. Exactly the same would be true if Apple created backdoors into iPhones.

Privacy

Internet Archive Suffers 'Catastrophic' Breach Impacting 31 Million Users (bleepingcomputer.com) 29

BleepingComputer's Lawrence Abrams: Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records. News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached.

"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!," reads a JavaScript alert shown on the compromised archive.org site. The text "HIBP" refers to the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.

Hunt told BleepingComputer that the threat actor shared the Internet Archive's authentication database nine days ago and it is a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data. Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.

Security

OpenAI Says China-Linked Group Tried to Phish Its Employees (yahoo.com) 21

OpenAI said a group with apparent ties to China tried to carry out a phishing attack on its employees, reigniting concerns that bad actors in Beijing want to steal sensitive information from top US artificial intelligence companies. From a report: The AI startup said Wednesday that a suspected China-based group called SweetSpecter posed as a user of OpenAI's chatbot ChatGPT earlier this year and sent customer support emails to staff. The emails included malware attachments that, if opened, would have allowed SweetSpecter to take screenshots and exfiltrate data, OpenAI said, but the attempt was unsuccessful.

"OpenAI's security team contacted employees who were believed to have been targeted in this spear phishing campaign and found that existing security controls prevented the emails from ever reaching their corporate emails," OpenAI said. The disclosure highlights the potential cybersecurity risks for leading AI companies as the US and China are locked in a high-stakes battle for artificial intelligence supremacy. In March, for example, a former Google engineer was charged with stealing AI trade secrets for a Chinese firm.

United Kingdom

How a UK Treaty Could Spell the End of the .io Domain (theverge.com) 41

AmiMoJo writes: A treaty finalized by the UK may bring about the end of the .io domain. Last week, the British government announced that it has agreed to give up ownership of the Chagos Islands, a territory in the Indian Ocean it has controlled since 1814 -- relinquishing the .io domain with it.

The Internet Assigned Numbers Authority (IANA) has a process for retiring old country code domains within five years (with the possibility for extensions). The IANA established this rule after the Soviet Union's .su domain lingered after its collapse, becoming a domain commonly used among cybercriminals. Since then, IANA has also had to retire the .yu domain previously used for Yugoslavia, but it remained operational for years following the country's breakup while government websites transitioned to new domains. And while the independent Solomon Islands does have the domain name .sb, where 'B' stands for how it used to be a British protectorate, that domain was registered decades after it achieved independence. The UK still has the inactive .gb domain as well, but it's considering getting rid of it.

Privacy

MoneyGram Says Hackers Stole Customers' Personal Information, Transaction Data (techcrunch.com) 6

An anonymous reader quotes a report from TechCrunch: U.S. money transfer giant MoneyGram has confirmed that hackers stole its customers' personal information and transaction data during a cyberattack last month. The company said in a statement Monday that an unauthorized third party "accessed and acquired" customer data during the cyberattack on September 20. The cyberattack -- the nature of which remains unknown -- sparked a week-long outage that resulted in the company's website and app falling offline. MoneyGram says it serves over 50 million people in more than 200 countries and territories each year.

The stolen customer data includes names, phone numbers, postal and email addresses, dates of birth, and national identification numbers. The data also includes a "limited number" of Social Security numbers and government identification documents, such as driver's licenses and other documents that contain personal information, like utility bills and bank account numbers. MoneyGram said the types of stolen data will vary by individual. MoneyGram said that the stolen data also included transaction information, such as dates and amounts of transactions, and, "for a limited number of consumers, criminal investigation information (such as fraud)."

Microsoft

Microsoft Veteran Ditches Team Tabs, Blaming Storage Trauma of Yesteryear (theregister.com) 125

Veteran Microsoft engineer Larry Osterman is the latest to throw his hat into the "tabs versus spaces" ring. From a report: The debate has vexed engineers for decades -- is it best to indent code with tabs or spaces? Osterman, a four-decade veteran of Microsoft, was Team Tabs when storage was tight, but has since become Team Spaces with the advent of terabytes of relatively inexpensive storage. "Here's the thing," he said. "When you've got 512 kilobytes, and you're writing a program in Pascal with lots of indentation, if you're taking eight bytes for every one of those indentations, for eight spaces, you could save seven bytes in your program by using a tab character."

It all added up, even when floppy disks were part of the equation.

However, according to Osterman, things have changed. Storage is less of an issue, so why not use spaces? A cynic might wonder if that sort of attitude has led to the bloatware of today, where software requires ever-increasing amounts of storage in return for precious little extra functionality and a never-ending stream of patches. Any decent compiler should strip out any extraneous characters, assuming the code is indeed being compiled beforehand and not interpreted at run-time. For his part, Osterman is now a member of team spaces. "I like spaces simply because it always works and it's always consistent," he said.

IT

Cognizant Discriminated Against Non-Indian Workers, US Jury Says (bloomberg.com) 104

IT services and consulting company Cognizant engaged in a pattern of discriminatory conduct toward non-Indian workers and should pay punitive damages to compensate employees who suffered harm, a US jury found. From a report: The verdict came after the IT firm failed to persuade a Los Angeles federal judge last month to toss a 2017 job bias class-action lawsuit when a previous trial ended with a deadlocked jury. A Cognizant spokesperson said the company is disappointed with the verdict and plans to appeal. "We provide equal employment opportunities for all employees and have built a diverse and inclusive workplace that promotes a culture of belonging in which all employees feel valued, are engaged and have the opportunity to develop and succeed," Jeff DeMarrais said in an emailed statement.

Bloomberg News reported in July that the Teaneck, New Jersey-based company was among a handful of outsourcing firms exploiting loopholes in the H1-B visa lottery system. The company defended its practices, saying it's fully compliant with US laws on the visa process. Cognizant also said that in recent years it has increased its US hiring and reduced its dependence on the H1-B program.

Security

Apple Fixes Bugs in macOS Sequoia That Broke Some Cybersecurity Tools 15

Apple has rolled out an update to macOS 15 Sequoia that addresses compatibility issues with third-party security software that emerged in the initial release. The update, macOS 15.0.1, aims to resolve problems affecting products from CrowdStrike and Microsoft. The compatibility problems had disrupted the functionality of several cybersecurity tools when macOS 15 first launched in September.

Google

Google Testing a Version of Chrome for Android With Extensions Support (androidauthority.com) 10

Google is developing a version of Chrome for Android that supports browser extensions, a feature long absent from mobile versions, AndroidAuthority reports. The report adds: Specifically, the company is experimenting with "desktop" builds of Chrome for Android. These "desktop" builds are currently intended for Chromebooks as they transition to use more parts of Android, but there's hope the work will benefit mobile devices, too.

Security

American Water Warns of Billing Outages After Finding Hackers in Its Systems (techcrunch.com) 15

U.S. public utility giant American Water says it has disconnected some of its systems after discovering that hackers breached its internal networks last week. From a report: American Water, which supplies drinking water and wastewater services to more than 14 million people across the United States, confirmed the security incident in an 8-K regulatory filing with the U.S. Securities and Exchange Commission on Monday. The New Jersey-based company said in its filing that its water and wastewater facilities are "at this time" not affected and continue to operate without interruption, though the company noted that it's currently "unable to predict the full impact of this incident." American Water said it also notified law enforcement of the intrusion.

The company said it discovered "unauthorized activity" within its networks on October 3 and promptly moved to disconnect affected systems. In a statement on its website, American Water said it is "pausing billing until further notice." "In an effort to protect our customers' data and to prevent any further harm to our environment, we disconnected or deactivated certain systems," Ruben E. Rodriguez, a spokesperson for American Water, told TechCrunch in a statement. "There will be no late charges for customers while these systems are unavailable." Rodriguez declined to state which systems were unavailable and also declined to comment on the nature of the cybersecurity incident.

Android

Google Starts Adding Anti-Theft Locking Features to Android Phones (engadget.com) 81

An anonymous reader shared this report from Engadget: Three new theft protection features that Google announced earlier this year have reportedly started rolling out on Android. The tools — Theft Detection Lock, Offline Device Lock and Remote Lock — are aimed at giving users a way to quickly lock down their devices if they've been swiped, so thieves can't access any sensitive information. Android reporter Mishaal Rahman shared on social media that the first two tools had popped up on a Xiaomi 14T Pro, and said some Pixel users have started seeing Remote Lock.

Theft Detection Lock is triggered by the literal act of snatching. The company said in May that the feature "uses Google AI to sense if someone snatches your phone from your hand and tries to run, bike or drive away." In such a scenario, it'll lock the phone's screen.

The Android reporter summarized the other two locking features in a post on Reddit:
  • Remote Lock "lets you remotely lock your phone using just your phone number in case you can't sign into Find My Device using your Google account password."
  • Offline Device Lock "automatically locks your screen if a thief tries to keep your phone disconnected from the Internet for an extended period of time."

"All three features entered beta in August, starting in Brazil. Google told me the final versions of these features would more widely roll out this year, and it seems the features have begun expanding."


IOS

iOS and Android Security Scare: Two Apps Found Supporting 'Pig Butchering' Scheme (forbes.com) 31

"Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users."

That's the title of a new report released this week by cybersecurity company Group-IB revealing the official Apple App Store and Google Play store offered apps that were actually one part of a larger fraud campaign. "To complete the scam, the victim is asked to fund their account... After a few seemingly successful trades, the victim is persuaded to invest more and more money. The account balance appears to grow rapidly. However, when the victim attempts to withdraw funds, they are unable to do so."

Forbes reports: Group-IB determined that the frauds would begin with a period of social engineering reconnaissance and entrapment, during which the trust of the potential victim was gained through either a dating app, social media app or even a cold call. The attackers spent weeks on each target. Only when this "fattening up" process had reached a certain point would the fraudsters make their next move: recommending they download the trading app from the official App Store concerned.

When it comes to the iOS app, which is the one that the report focussed on, Group-IB researchers said that the app remained on the App Store for several weeks before being removed, at which point the fraudsters switched to phishing websites to distribute both iOS and Android apps. The use of official app stores, albeit only fleetingly as Apple and Google removed the fake apps in due course, bestowed a sense of authenticity to the operation as people put trust in both the Apple and Google ecosystems to protect them from potentially dangerous apps.

"The use of web-based applications further conceals the malicious activity," according to the researchers, "and makes detection more difficult." [A]fter the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational... Once a user registers with the fraudulent application, they are tricked into completing several steps. First, they are asked to upload identification documents, such as an ID card or passport. Next, the user is asked to provide personal information, followed by job-related details...

The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL. In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets. We believe this approach was deliberate, since the first app was available in the official store, and the cybercriminals likely sought to minimise the risk of detection. As previously noted, the app posed as a tool for mathematical formulas, and including personal trading accounts within an iOS app would have raised immediate suspicion.

The app (which only runs on mobile phones) first launches a fake activity with formulas and graphics, according to the researchers. "We assume that this condition must bypass Apple's checks before being published to the store. As we can see, this simple trick allows cybercriminals to upload their fraudulent application to the Apple Store." They argue their research "reinforces the need for continued review of app store submissions to prevent such scams from reaching unsuspecting victims". But it also highlights "the importance of vigilance and end-user education, even when dealing with seemingly trustworthy apps..."

"Our investigation began with an analysis of Android applications at the request of our client. The client reported that a user had been tricked into installing the application as part of a stock investment scam. During our research, we uncovered a list of similar fraudulent applications, one of which was available on the Google Play Store. These apps were designed to display stock-related news and articles, giving them a false sense of legitimacy."

Cellphones

America's FCC Orders T-Mobile To Deliver Better Cybersecurity (csoonline.com) 13

T-Mobile experienced three major data breaches in 2021, 2022, and 2023, according to CSO Online, "which impacted millions of its customers."

After a series of investigations by America's Federal Communications Commission, T-Mobile agreed in court to a number of settlement conditions, including moving toward a "modern zero-trust architecture," designating a Chief Information Security Officer, implementing phishing-resistant multifactor authentication, and adopting data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information.

Slashdot reader itwbennett writes: According to a consent decree published on Monday by the U.S. Federal Communications Commission, T-Mobile must pay a $15.75 million penalty and invest an equal amount "to strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future."

"Implementing these practices will require significant — and long overdue — investments. To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here," the consent decree said.

The article points out that an order of magnitude greater than $15.75 million would be $157.5 million...

Security

Akamai Warns CUPS-Browsed Vulnerability Also Brings New Threat of DDoS Attacks (akamai.com) 63

Last week the Register warned "If you're running the Unix printing system CUPS, with cups-browsed present and enabled, you may be vulnerable to attacks that could lead to your computer being commandeered over the network or internet." (Although the CEO of cybersecurity platform watchTowr told them "the vulnerability impacts less than a single-digit percentage of all deployed internet-facing Linux systems.")

But Tuesday generic (Slashdot reader #14,144) shared this new warning from Akamai: Akamai researchers have confirmed a new attack vector using CUPS that could be leveraged to stage distributed denial-of-service (DDoS) attacks. Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity.

The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+). Of the 58,000+ vulnerable devices, hundreds exhibited an "infinite loop" of requests.

The limited resources required to initiate a successful attack highlight the danger: It would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.
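The following is an added example, not code from the Register, watchTowr or Akamai. It audits a host for the exposure both warnings describe using two pieces of text collected on the machine: /etc/cups/cups-browsed.conf and the output of `ss -ulnp`. The two sample configs and two sample `ss` outputs embedded below are constructed, and the default value assumed when the BrowseRemoteProtocols directive is absent is this example's assumption.

```python
"""Offline audit: is cups-browsed on this host reachable over UDP/631 and
configured for legacy CUPS browsing?  Inputs are plain text, so it can be
run against files copied off a host.  All samples below are constructed."""
import re
from typing import List, Set, Tuple

# Assumption: the value cups-browsed applies when the directive is missing.
DEFAULT_REMOTE_PROTOCOLS = "dnssd cups"
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')   # process column of `ss -p`


def browse_remote_protocols(conf_text: str) -> Set[str]:
    """Effective BrowseRemoteProtocols set; the last directive wins, 'none' is empty."""
    value = DEFAULT_REMOTE_PROTOCOLS
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = re.match(r"BrowseRemoteProtocols\s+(.+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return {p.lower() for p in value.split()} - {"none"}


def udp631_listeners(ss_output: str) -> List[Tuple[str, str]]:
    """(local address, owning process) for every UDP socket bound to port 631."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "UNCONN":   # skips the header row
            continue
        addr, _, port = fields[3].rpartition(":")     # also handles [::]:631
        if port != "631":
            continue
        m = PROCESS_RE.search(line)
        listeners.append((addr, m.group(1) if m else "unknown"))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "[::1]"


def cups_browsed_exposed(ss_output: str) -> bool:
    """True when UDP/631 is bound to any address other than loopback."""
    return any(not is_loopback(addr) for addr, _ in udp631_listeners(ss_output))


def audit(conf_text: str, ss_output: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to fix."""
    findings = []
    protocols = browse_remote_protocols(conf_text)
    if "cups" in protocols:
        findings.append("legacy 'cups' browsing enabled (BrowseRemoteProtocols "
                        + " ".join(sorted(protocols)) + ")")
    for addr, proc in udp631_listeners(ss_output):
        if not is_loopback(addr):
            findings.append(f"{proc} bound to UDP {addr}:631 (reachable off-host)")
    return findings


# Constructed samples: a default-ish install and a hardened one.
SAMPLE_CONF = """# cups-browsed.conf (constructed)
BrowseRemoteProtocols dnssd cups
BrowseAllow all
"""
HARDENED_CONF = "BrowseRemoteProtocols none\n"

SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=800,fd=5))
UNCONN 0      0               [::]:631          [::]:*     users:(("cups-browsed",pid=1234,fd=8))
"""
HARDENED_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=800,fd=5))
"""

if __name__ == "__main__":
    for label, conf, ss in (("sample", SAMPLE_CONF, SAMPLE_SS),
                            ("hardened", HARDENED_CONF, HARDENED_SS)):
        print(label, "->", audit(conf, ss) or ["clean"])
```

To run it against a live host, replace the samples with the real config file and the output of `ss -ulnp` run as root. If it reports findings, stop and disable cups-browsed where it is not needed, or set `BrowseRemoteProtocols none` and restart the service; neither step replaces applying the vendor patches.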

IT

Matt Mullenweg: 'WordPress.org Just Belongs To Me' 42

WordPress co-founder Matt Mullenweg has asserted his personal ownership of WordPress.org in a new interview, offering new insight into his clash with hosting provider WP Engine. "WordPress.org just belongs to me personally," Mullenweg told The Verge, justifying his decision to cut WP Engine's access to WordPress.org servers. He cited trademark concerns and insufficient ecosystem contributions as key reasons for the action.

Mullenweg said he altered WordPress Foundation's trademark policies to specifically target WP Engine, adding language about their lack of donations. He likened his approach to getting "Al Capone for taxes," using trademark leverage to pressure the company into greater contributions.

Security

Thousands of Linux Systems Infected By Stealthy Malware Since 2021 30

A sophisticated malware strain has infected thousands of Linux systems since 2021, exploiting over 20,000 common misconfigurations and a critical Apache RocketMQ vulnerability, researchers at Aqua Security reported. Dubbed Perfctl, the malware employs advanced stealth techniques, including rootkit installation and process name mimicry, to evade detection. It persists through system reboots by modifying login scripts and copying itself to multiple disk locations. Perfctl hijacks systems for cryptocurrency mining and proxy services, while also serving as a backdoor for additional malware. Despite some antivirus detection, the malware's ability to restart after removal has frustrated system administrators.
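As an added example (not Aqua Security's code), here are two cheap checks for the tricks the summary names: persistence through login scripts and process name mimicry. The sample .profile is constructed, and the paths and patterns it flags are this example's heuristics, not indicators published for Perfctl.

```python
"""Two triage checks for Linux hosts: (1) login-script lines that detach a
program from a scratch or hidden directory, (2) running processes whose name
does not fit the binary behind them.  Patterns are heuristics (assumptions)."""
import os
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumption: anything launched at login from these places deserves a look.
SCRATCH_DIR = re.compile(r'(^|[\s=;&|"\'])(/tmp|/var/tmp|/dev/shm)/')
HIDDEN_HOME_PATH = re.compile(r'(^|[\s=;&|"\'])(~|\$HOME|/home/[^/\s]+|/root)/\.[^\s/"\']+')
DETACHED = re.compile(r'\b(nohup|setsid|disown)\b|&\s*$|>\s*/dev/null')
LOGIN_SCRIPTS = (".profile", ".bash_profile", ".bash_login", ".bashrc", ".zshrc")


def suspicious_lines(script_text: str) -> List[Tuple[int, str, str]]:
    """(line number, reason, line) for lines that look like login-time persistence."""
    hits = []
    for n, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SCRATCH_DIR.search(line):
            hits.append((n, "runs something from a scratch directory", line))
        elif HIDDEN_HOME_PATH.search(line) and DETACHED.search(line):
            # sourcing ~/.cargo/env is normal; detaching a binary from a dotdir is not
            hits.append((n, "detaches a program from a hidden directory", line))
    return hits


def scan_login_scripts(home: Path) -> Dict[str, List[Tuple[int, str, str]]]:
    """Run suspicious_lines over each login script that exists under `home`."""
    findings = {}
    for name in LOGIN_SCRIPTS:
        path = home / name
        if path.is_file():
            hits = suspicious_lines(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


def masquerade_reason(comm: str, exe: str) -> Optional[str]:
    """Why a process name does not fit its binary, or None if it looks consistent.
    `comm` is /proc/<pid>/comm (the kernel truncates it to 15 characters);
    `exe` is the readlink of /proc/<pid>/exe."""
    if exe.endswith(" (deleted)"):
        return "binary removed from disk while still running"
    if SCRATCH_DIR.search(exe):
        return "binary lives in a scratch directory"
    expected = os.path.basename(exe)[:15]
    if not expected.startswith(comm):      # tolerates python3 vs python3.12
        return f"name {comm!r} does not match binary {expected!r}"
    return None


def masquerading_processes() -> List[Tuple[int, str, str, str]]:
    """Live /proc scan (Linux only). Kernel threads have no exe and are skipped;
    other users' processes are only visible when run as root."""
    out = []
    if not os.path.isdir("/proc"):
        return out
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            comm = Path(f"/proc/{entry}/comm").read_text().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:                    # vanished, kernel thread, or no permission
            continue
        reason = masquerade_reason(comm, exe)
        if reason:
            out.append((int(entry), comm, exe, reason))
    return out


SAMPLE_PROFILE = """\
# ~/.profile (constructed sample)
export PATH="$HOME/bin:$PATH"
[ -f "$HOME/.cargo/env" ] && . "$HOME/.cargo/env"
/tmp/.cache/agent >/dev/null 2>&1 &
nohup $HOME/.config/.sys/run.sh >/dev/null 2>&1 &
alias ll='ls -la'
"""

if __name__ == "__main__":
    for n, why, line in suspicious_lines(SAMPLE_PROFILE):
        print(f"line {n}: {why}: {line}")
    for pid, comm, exe, why in masquerading_processes():
        print(f"pid {pid} ({comm}) -> {exe}: {why}")
```

A process can set its own `comm`, and interpreters and wrappers legitimately differ from their script names, so treat hits as leads for a human rather than verdicts; the login-script check is likewise only a filter over the few files a user-level implant can touch cheaply.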

Security

Collapse of National Security Elites' Cyber Firm Leaves Bitter Wake (apnews.com) 15

Cybersecurity firm IronNet, founded by former NSA director Keith Alexander, has collapsed after failing to deliver on its promise to revolutionize cyber defense. The company, which went public in 2021 with a $3 billion valuation, shut down in September 2023 after running out of money.

IronNet's downfall has left investors and former employees bitter, with some accusing the company of misleading them about its financial health. "I'm honestly ashamed that I was ever an executive at that company," said Mark Berly, a former IronNet vice president. He said the company's top leaders cultivated a culture of deceit "just like Theranos." Critics point to questionable business practices, subpar products, and associations that potentially exposed the firm to Russian influence. The company's board included high-profile national security figures, which helped attract investments and contracts. However, IronNet struggled to secure major deals and meet revenue projections.

Security

Apple Fixes Bug That Let VoiceOver Shout Your Passwords (theregister.com) 19

Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. From a report: For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update. In typical Apple fashion, the company hasn't released much in the way of details about the first security issue, tracked as CVE-2024-44204, which makes it tougher to understand the conditions under which this vulnerability could be triggered, or how to avoid it until the update is applied. What we do know is that it was characterized as a logic issue, which Apple rectified by improving validation. The disclosure of the bug comes less than a month after iOS 18 and iPadOS 18 debuted. Ironically, this release included Apple's first native password manager, the Passwords app.
