Disney plans to transition away from using Slack as its companywide collaboration tool after a hacking group leaked over a terabyte of data from the platform. Many teams at Disney have already begun moving to other enterprise-wide tools, with the full transition expected later this year. Reuters reports: Hacking group NullBulge had published data from thousands of Slack channels at the entertainment giant, including computer code and details about unreleased projects, the Journal reported in July. The data spans more than 44 million messages from Disney's Slack workplace communications tool, WSJ reported earlier this month. The company had said in August it was investigating an unauthorized release of over a terabyte of data from one of its communication systems.

An anonymous reader quotes a report from The Register: Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to do so in the near future. It wasn't explicitly said whether this referred to CrowdStrike's Falcon product specifically or was a knee-jerk reaction to security vendors generally. One in five will also change the selection criteria when it comes to reviewing which security vendor gets their business. The whole fiasco doesn't seem to have hurt the company much though, at least not yet.

The findings come from a report examining the experiences of 311 affected organizations in Germany, published today. Of those affected in one way or another, most said they first heard about the issues from social media (23 percent) rather than CrowdStrike itself (22 percent). The report also revealed that half of the 311 surveyed orgs had to halt operations -- 48 percent experienced temporary downtime. Ten hours, on average. Aside from the obvious business continuity impacts, this led to various issues with customers too. Forty percent said their collaboration with customers was damaged because they couldn't provide their usual services, while more than one in ten organizations didn't even want to address the topic. The majority of respondents (66 percent) said they will improve their incident response plans in light of what happened, or have done so already, despite largely considering events like these as unavoidable. The report highlights a curious finding that over half of CrowdStrike customers wanted to install updates more regularly, even though that would have been worse for an organization.

"Regardless, with the number of urgent patch warnings we and the infosec community dish out every week, it's probably a net positive, even if it's slightly misguided," concludes The Register.

Apple's latest macOS 15 "Sequoia" update, released earlier this week, has disrupted security tools from major providers including CrowdStrike, SentinelOne, and Microsoft, according to reports. The extent and cause of the disruption remain unclear.

Google is updating its Password Manager to allow users to sync passkeys across multiple devices, including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports: Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number laying on a sheet of paper directly next to the computer.

The Register's Jessica Lyons reports: Chinese state-sponsored spies have been spotted inside a global engineering firm's network, having gained initial entry using an admin portal's default credentials on an IBM AIX server. In an exclusive interview with The Register, Binary Defense's Director of Security Research John Dwyer said the cyber snoops first compromised one of the victim's three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer's IT environment for four months while poking around for more boxes to commandeer. It's a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants.

This particular company, which Dwyer declined to name, makes components for public and private aerospace organizations and other critical sectors, including oil and gas. The intrusion has been attributed to an unnamed People's Republic of China team, whose motivation appears to be espionage and blueprint theft. It's worth noting the Feds have issued multiple security alerts this year about Beijing's spy crews including APT40 and Volt Typhoon, which has been accused of burrowing into American networks in preparation for destructive cyberattacks.

After discovering China's agents within its network in August, the manufacturer alerted local and federal law enforcement agencies and worked with government cybersecurity officials on attribution and mitigation, we're told. Binary Defense was also called in to investigate. Before being caught and subsequently booted off the network, the Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network -- putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation. If a compromised component makes it out of the supply chain and into machinery in production, whoever is using that equipment or vehicle will end up feeling the brunt when that component fails, goes rogue, or goes awry.

"The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product -- whether it is the government, the US Department of the Defense, school systems â" assumes all of the risks of all the interconnected pieces of the supply chain," Dwyer told The Register. Plus, he added, adversarial nations are well aware of this, "and the attacks continually seem to be shifting left." That is to say, attempts to meddle with products are happening earlier and earlier in the supply-chain pipeline, thus affecting more and more victims and being more deep-rooted in systems. Breaking into a classified network to steal designs or cause trouble is not super easy. "But can I get into a piece of the supply chain at a manufacturing center that isn't beholden to the same standards and accomplish my goals and objectives?" Dwyer asked. The answer, of course, is yes. [...]

International police forces have taken down an encrypted communication platform and arrested 51 people, marking a success for co-ordinated efforts to crack down on anonymous messaging services used by criminal groups. FT: Europol and law enforcement agencies from nine countries dismantled Ghost [non-paywalled source], an online platform which used three different encryption standards and allowed users to destroy all messages by sending a specific code, Europol announced on Wednesday. The crackdown is the latest operation by international agencies to decode encrypted messaging services used by criminals to manage their international operations, following the takedown of platforms such as EncroChat and Sky ECC in recent years.

[...] McLean said Ghost was administered by a 32-year-old man from Australia, one of the operation's principal targets. As a result of the decryption operation, where officers broke the app's code so they could read users' messages, the death or injury of as many as 50 people could have been prevented, McLean said.

An anonymous reader shares a report: Last week, the FBI took control of a botnet made up of hundreds of thousands of internet-connected devices, such as cameras, video recorders, storage devices, and routers, which was run by a Chinese government hacking group, FBI director Christopher Wray and U.S. government agencies revealed Wednesday. The hacking group, dubbed Flax Typhoon, was "targeting critical infrastructure across the U.S. and overseas, everyone from corporations and media organizations to universities and government agencies," Wray said at the Aspen Cyber Summit cybersecurity conference on Wednesday.

"But working in collaboration with our partners, we executed court-authorized operations to take control of the botnet's infrastructure," Wray said, explaining that once the authorities did that, the FBI also removed the malware from the compromised devices. "Now, when the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a [Distributed Denial of Service] attack against us."

An anonymous reader shares a report: September has been a big month for desktop hypervisors, with the field's big players all delivering significant updates. Oracle delivered VirtualBox version 7.1, billed as a major upgrade thanks to its implementation of a UI with a "modernized look and feel, offering a selection between Basic and Experienced user level with reduced or full UI functionality."

[...] Parallels also released a desktop hypervisor update last week. Version 20 of the eponymous tool now offers a VM that's packed with tools developers may find handy as they work on generative AI applications. Among those tools are the Docker community edition, lmutils, the OpenCV computer vision library, and the Ollama chatbot interface for AI models. [...] The other big player in desktop hypervisors is VMware, with its Fusion and Workstation products for macOS and Windows respectively. Both were recently updated.

Luxury camera maker Leica Camera reported record sales in 2023, defying the global decline in digital camera demand. The German company's Q3 model, priced at $6,000, saw six-month waiting lists upon release last year. Industry data shows premium camera sales are surging as smartphone photography dominates the consumer market, Economist writes.

The Camera and Imaging Products Association reports the average camera price has tripled in six years as manufacturers shift focus to high-end models. Fujifilm's X100 series, launched in February at $1,600, is sold out and commanding higher prices on secondary markets. Nikon and other brands are following suit, prioritizing premium offerings. From a report: In a Japanese interview with Yomiuri, Nikon's president, Muneaki Tokunari, acknowledged that while smartphones harmed overall sales of digital interchangeable lens cameras, they may contribute to the demand for high-end cameras. Not many years removed from dire straits, Tokunari also outlined Nikon's ambitious expansion plans, including its recent acquisition of RED Digital Cinema.

Tokunari says that many camera businesses were recently operating at a loss and that some competitors excited the photo business altogether. This was, unsurprisingly, driven in large part by the massive growth of the smartphone market and the improving quality of smartphone cameras, which reached the "good enough" stage the late Steve Jobs predicted years before the camera industry felt the sting of smartphones.

However, "We are now in an age where smartphones and digital cameras can coexist," Tokunari explains in the machine-translated Yomiuri interview, initially spotted by Digicame-Info. "Global sales of digital cameras have fallen to one-twentieth of their peak. However, domestic companies are doing well. The top five companies hold most of the world's market share. This is a rare example in Japanese industry."

Google is updating the post-quantum cryptography in Chrome, replacing the experimental Kyber with the fully standardized Module Lattice Key Encapsulation Mechanism (ML-KEM) to enhance protection against quantum computing attacks. BleepingComputer reports: This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges. The move from Kyber to ML-KEM though is not related to those early problems, that got resolved soon after manifesting. Rather, its a strategic choice to abandon an experimental system for a NIST-approved and fully standardized mechanism.

ML-KEM was fully endorsed by the U.S. National Institute of Standards and Technology (NIST) in mid-August, with the agency publishing the complete technical specifications of the final version at the time. Google explains that despite the technical changes from Kyber to ML-KEM being minor, the two are essentially incompatible, so a switch had to be made. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," explains Google. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."

Apple has increased its out-of-warranty battery replacement fee for iPhone 16 Pro models. From a report: Apple Stores can replace the battery inside an iPhone 16 Pro or iPhone 16 Pro Max for $119 in the U.S., which is up from $99 for the iPhone 15 Pro and iPhone 15 Pro Max. This is a 20% increase to the fee, which includes the cost of a new battery and service by an Apple Store. The fee may vary at third-party Apple Authorized Service Providers. The fee remains $99 for the standard iPhone 16 and iPhone 16 Plus. Customers with AppleCare+ can still get an iPhone 16 Pro battery replaced for free, but only if the battery retains less than 80% of its original capacity.

Apple says all four iPhone 16 models are equipped with larger batteries, and all of the devices received an internal redesign for improved heat dissipation, according to the company. A metal enclosure was rumored for at least some iPhone 16 batteries, but we are still waiting for teardowns to get a proper look inside of the devices.

Microsoft has abandoned plans to overhaul its Edge browser interface, scrapping the design choice unveiled in February 2023. The redesign -- featuring a sleeker look with rounded tab buttons and increased blur effects -- aimed to give Edge a distinct identity as the company pushed into AI services. The new design never officially launched and the company has no intention to launch it later, according to Microsoft-focused news outlet Windows Central.

A Microsoft spokesperson confirmed to Windows Central that the company is moving away from the rounded tabs concept. Some elements of the redesign will remain, including webpage borders and a repositioned user button, but the majority of the proposed changes have been shelved. The decision marks a retreat from Microsoft's efforts to visually differentiate Edge from Google Chrome and align it with Windows 11's design language.

On Tuesday Ivanti issued a "high severity vulnerability" announcement for version 4.6 of its Cloud Service Appliance (or CSA). "Successful exploitation could lead to unauthorized access to the device running the CSA." And Friday that announcement got an update: Ivanti "has confirmed exploitation of this vulnerability in the wild."

While Ivanti released a security update, they warned that "with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support."

This prompted a response from CISA (the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security). The noted that Ivanti is urging customers to upgrade to version 5.0, as "Ivanti no longer supports CSA 4.6 (end-of-life)." But in addition, CISA "ordered all federal civilian agencies to remove CSA 4.6. from service or upgrade to the 5.0. by October 4," reports the Record: Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved.

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.

For 30 days, 17,000 AT&T workers in nine different states from the CWA union went on strike. As it began one North Carolina newspaper noted some AT&T customers "report prolonged internet outages." Last week an Emory University economist told NPR that "If it wasn't disruptive or it didn't have any kind of negative element towards customers, then AT&T, I suspect, wouldn't feel any kind of pressure to negotiate."

The 30-day strike was "the longest telecommunications strike in the region's history," according to the union — announcing today that they'd now negotiated "strong tentative contract agreements" and that workers would report to work for their scheduled shifts tomorrow. The new contract in the Southeast covers 17,000 workers technicians, customer service representatives and others who install, maintain and support AT&T's residential and business wireline telecommunications network in Alabama, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, South Carolina and Tennessee.

Wages and health care costs were key issues at the bargaining table, and the five-year agreement includes across the board wage increases of 19.33%, with additional 3% increases for Wire Technicians and Utility Operations. The health care agreement holds health care premiums steady in the first year and lowers them in the second and third years, with modest monthly increases in the final two years.
The statement adds that "CWA members and retirees from every region and sector of our union mobilized in support of our bargaining teams, including by distributing flyers with information about the strike at AT&T Wireless stores." CWA District 3 Vice President Richard Honeycutt added "We know that our customers have faced hardship during the strike as well. We are happy to be getting back to work keeping our communities safe and connected."

There's also a separate four-year agreement covering 8,500 AT&T West workers in California and Nevada. "Union members will meet to review the tentative agreements, before holding ratification votes in each region."

AT&T's chief operating officer said the Southeast agreement will "support our competitive position in the broadband industry where we can grow and win against our mostly non-union competitors."

The Rust foundation is making "considerable progress" on a complete security audit of the Rust ecosystem, according to the coding news site I Programmer, citing a newly-released report from the nonprofit Rust foundation: The foundation is investigating the development of a Public Key Infrastructure (PKI) model for the Rust language, including the design and implementation for a PKI CA and a resilient Quorum model for the project to implement, and the report says that language updates suggested by members of the Project were nearly ready for implementation.

Following the XZ backdoor vulnerability, the Security Initiative has focused on supply chain security, including work on provenance-tracking, verifying that a given crate is actually associated with the repository it claims to be. The top 5,000 crates by download count have been checked and verified.

Threat modeling has now been completed on the Crates ecosystem. Rust Infrastructure, crates.io and the Rust Project.

Two open source security tools, Painter and Typomania, have been developed and released. Painter can be used to build a graph database of dependencies and invocations between all crates within the crates.io ecosystem, including the ability to obtain 'unsafe' statistics, better call graph pruning, and FFI boundary mapping. Typomania ports typogard to Rust, and can be used to detect potential typosquatting as a reusable library that can be adapted to any registry.
They've also tightened admin privileges for Rust's package registry, according to the article. And "In addition to the work on the Security Initiative, the Foundation has also been working on improving interoperability between Rust and C++, supported by a $1 million contribution from Google."

According to the Rust foundation's technology director, they've made "impressive technical strides and developed new strategies to reinforce the safety, security, and longevity of the Rust programming language." And the director says the new report "paints a clear picture of the impact of our technical projects like the Security Initiative, Safety-Critical Rust Consortium, infrastructure and crates.io support, Interop Initiative, and much more."

"A two-day AI Labor Summit between AFL-CIO leaders and Microsoft executives this week reflects the tech giant's revamped approach to unions," writes GeekWire, "which includes a pledge by the company to incorporate feedback from labor unions and their members into the development of artificial intelligence."

But just two days later, "Microsoft Gaming CEO Phil Spencer announced it was game over for the jobs of another 650 Microsoft staffers (on top of an earlier 1,900 employee staff reduction)," writes long-time Slashdot reader theodp, "cuts that Spencer made clear were related to Microsoft's $69B acquisition of Activision Blizzard in 2023." Interestingly, Microsoft's Smith in October 2023 affirmed a "groundbreaking neutrality agreement" with the Communications Workers of America union (CWA) — designed to go into effect if Microsoft was successful in its acquisition of Activision Blizzard — in which Microsoft acknowledged the rights of its employees to unionize and pledged to work constructively with any who did. At the same time, Microsoft made it clear that it hoped its employees wouldn't feel the need to form or join unions, saying they would "never need to organize to have a dialogue with Microsoft's leaders."

In July 2023, the AFL-CIO applauded Microsoft's Activision Blizzard acquisition and the Microsoft-CWA agreement, which AFL-CIO union federation president Liz Shuler said "sets a new standard for respecting workers' rights in the video game industry and the larger technology sector." And in December 2023, Shuler thanked Smith for Microsoft's "absolutely historic partnership" on AI and the Future of the Workforce, which Shuler suggested "can be mutually beneficial for workers, for businesses, and for our country as a whole."
Thursday the CWA union issued critical remarks about the layoffs at Microsoft Gaming (which were later retweeted by the @AFLCIO Twitter account).

"While we would hope that a company like Microsoft with $88 billion in profits last year could achieve 'long-term success' without destroying the livelihoods of 650 of our colleagues, heartless layoffs like these have become all too common."

23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. BleepingComputer reports: The proposed class action settlement (PDF), filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval. "23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum filed (PDF) Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits. The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions. "23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives' claims for statutory damages," the company said in the filed preliminary settlement.

"23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever."

An anonymous reader quotes a report from Ars Technica: Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries. Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections. "At the moment, the source of the TV boxes' backdoor infection remains unknown," Thursday's post stated. "One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." The following device models infected by Vo1d are: [R4, TV BOX, KJ-SMART4KVIP].

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models. Further, while only licensed device makers are permitted to modify Google's AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user. "These off-brand devices discovered to be infected were not Play Protect certified Android devices," Google said in a statement. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."

Users can confirm if their device runs Android TV OS via this link and following the steps here.

An anonymous reader quotes a report from Wired: You can tell a lot about someone from their eyes. They can indicate how tired you are, the type of mood you're in, and potentially provide clues about health problems. But your eyes could also leak more secretive information: your passwords, PINs, and messages you type. Today, a group of six computer scientists are revealing a new attack against Apple's Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device's virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes. "Based on the direction of the eye movement, the hacker can determine which key the victim is now typing," says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple's headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime. The researchers alerted Apple to the vulnerability in April, and the company issued a patch to stop the potential for data to leak at the end of July. It is the first attack to exploit people's "gaze" data in this way, the researchers say. The findings underline how people's biometric data -- information and measurements about your body -- can expose sensitive information and beused as part of the burgeoning surveillance industry.

The GAZEploit attack consists of two parts, says Zhan, one of the lead researchers. First, the researchers created a way to identify when someone wearing the Vision Pro is typing by analyzing the 3D avatar they are sharing. For this, they trained a recurrent neural network, a type of deep learning model, with recordings of 30 people's avatars while they completed a variety of typing tasks. When someone is typing using the Vision Pro, their gaze fixates on the key they are likely to press, the researchers say, before quickly moving to the next key. "When we are typing our gaze will show some regular patterns," Zhan says. Wang says these patterns are more common during typing than if someone is browsing a website or watching a video while wearing the headset. "During tasks like gaze typing, the frequency of your eye blinking decreases because you are more focused," Wang says. In short: Looking at a QWERTY keyboard and moving between the letters is a pretty distinct behavior.

The second part of the research, Zhan explains, uses geometric calculations to work out where someone has positioned the keyboard and the size they've made it. "The only requirement is that as long as we get enough gaze information that can accurately recover the keyboard, then all following keystrokes can be detected." Combining these two elements, they were able to predict the keys someone was likely to be typing. In a series of lab tests, they didn't have any knowledge of the victim's typing habits, speed, or know where the keyboard was placed. However, the researchers could predict the correct letters typed, in a maximum of five guesses, with 92.1 percent accuracy in messages, 77 percent of the time for passwords, 73 percent of the time for PINs, and 86.1 percent of occasions for emails, URLs, and webpages. (On the first guess, the letters would be right between 35 and 59 percent of the time, depending on what kind of information they were trying to work out.) Duplicate letters and typos add extra challenges.

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft Sharepoint server. From a report: Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet's Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download. The threat actor, known as "Fortibitch," claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay. In response to our questions about incident, Fortinet confirmed that customer data was stolen from a "third-party cloud-based shared file drive."