Privacy

The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed (wired.com)

An anonymous reader quotes a report from Wired: The U.S. Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found. The breach, publicly announced in December 2020, involved Russian hackers compromising the software maker SolarWinds and inserting a backdoor into software served to about 18,000 of its customers. That tainted software went on to infect at least nine US federal agencies, among them the Department of Justice (DOJ), the Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms including Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers had been in these various networks for between four and nine months before the campaign was exposed by Mandiant.

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020 -- but the scale and significance of the breach wasn't immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it's not clear why the software maker was also brought onto the investigation.

It's not known what division of the DOJ experienced the breach, but representatives from the Justice Management Division and the US Trustee Program participated in discussions about the incident. The Trustee Program oversees the administration of bankruptcy cases and private trustees. The Management Division advises DOJ managers on budget and personnel management, ethics, procurement, and security. Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company's engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.

According to WIRED, the DOJ said it "notified the US Cybersecurity and Infrastructure Agency (CISA) about the breach at the time it occurred -- though a US National Security Agency spokesperson expressed frustration that the agency was not also notified."

"But in December 2020, when the public learned that a number of federal agencies were compromised in the SolarWinds campaign -- the DOJ among them -- neither the DOJ nor CISA revealed to the public that the operation had unknowingly been found months earlier. The DOJ initially said its chief information officer had discovered the breach on December 24."

China

Chinese Hackers Outnumber FBI Cyber Staff 50 To 1, Bureau Director Says (cnbc.com)

According to FBI Director Christopher Wray, Chinese hackers vastly outnumber U.S. cyber intelligence staff "by at least 50 to 1." CNBC reports: "To give you a sense of what we're up against, if each one of the FBI's cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI Cyber personnel by at least 50 to 1," Wray said in prepared remarks for a budget hearing before a House Appropriations subcommittee on Thursday. The disclosure highlights the massive scale of cyber threats the U.S. is facing, particularly from China. Wray said the country has "a bigger hacking program than every other major nation combined and have stolen more of our personal and corporate data than all other nations -- big or small -- combined."

The agency is requesting about $63 million to help it beef up its cyber staff with 192 new positions. Wray said this would also help the FBI put more cyber staff in field offices to be closer to where victims of cyber crimes actually are.

Microsoft

Microsoft is Done With Major Windows 10 Updates

Windows 10 22H2 will be the final version of the operating system, Microsoft said in a blog post on Thursday. From a report: Moving forward, all editions of Windows 10 will be supported with monthly security updates until October 14th, 2025, when Microsoft will end support. (Some releases on the Long-Term Servicing Channel, or LTSC, will get updates past that end of support date.) Microsoft is encouraging users to now transition to Windows 11 because Windows 10 won't be getting any new features.

The Courts

Google Gets Court Order To Take Down CryptBot That Infected Over 670,000 Computers (thehackernews.com)

An anonymous reader quotes a report from The Hacker News: Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and "decelerate" its growth. The tech giant's Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to "not only hold criminal operators of malware accountable, but also those who profit from its distribution." CryptBot is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome. The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns. CryptBot was first discovered in the wild in December 2019.

The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Google Earth Pro and Google Chrome that are hosted on fake websites. [...] The major distributors of CryptBot, per Google, are suspected to be operating a "worldwide criminal enterprise" based out of Pakistan. Google said it intends to use the court order, granted by a federal judge in the Southern District of New York, to "take down current and future domains that are tied to the distribution of CryptBot," thereby kneecapping the spread of new infections.

Encryption

Google Plans To Add End-To-End Encryption To Authenticator (theverge.com)

After security researchers criticized Google for not including end-to-end encryption with Authenticator's account-syncing update, the company announced "plans to offer E2EE" in the future. "Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," writes Google product manager Christiaan Brand on Twitter. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves." The Verge reports: Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices. While this is a welcome change, it also poses some security concerns, as hackers who break into someone's Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn't be able to see this information.

Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that "if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised." They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE. Brand pushed back against the criticism, stating that while Google encrypts "data in transit, and at rest, across our products, including in Google Authenticator," applying E2EE comes at the "cost of enabling users to get locked out of their own data without recovery."

Microsoft

Microsoft's Mice, Keyboards, and Webcams Are Being Discontinued in Favor of Surface Accessories (theverge.com)

Microsoft will no longer manufacture mice, keyboards, and webcams that are Microsoft-branded. Instead, Microsoft is now focusing on its Surface-branded PC accessories, which include mice, keyboards, pens, and more. From a report: It brings an end to the legacy of Microsoft-branded PC hardware after the company first launched its first mouse in 1983 and bundled it with Microsoft Word and Notepad. "Going forward, we are focusing on our Windows PC accessories portfolio under the Surface brand," says Dan Laycock, senior communications manager at Microsoft, in a statement to The Verge. "We will continue to offer a range of Surface branded PC Accessories -- including mice, keyboards, pens, docks, adaptive accessories, and more. Existing Microsoft branded PC accessories like mice, keyboards, and webcams will continue to be sold in existing markets at existing sell-in prices while supplies last."

Google

Google Authenticator Can Now Sync 2FA Codes To the Cloud (techcrunch.com)

Google Authenticator just got an update that should make it more useful for people who frequently use the service to sign in to apps and websites. From a report: As of today, Google Authenticator will now sync any one-time two-factor authentication (2FA) codes that it generates to users' Google Accounts. Previously, one-time Authenticator codes were stored locally, on a single device, meaning losing that device often meant losing the ability to sign in to any service set up with Authenticator's 2FA. To take advantage of the new sync feature, simply update the Authenticator app. If you're signed in to a Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use. You can also manually transfer your codes to another device even if you're not signed in to a Google Account by following the steps on this support page.

Some users might be wary of syncing their sensitive codes with Google's cloud -- even if they did originate from a Google product. But Christiaan Brand, a group product manager at Google, asserts it's in the pursuit of convenience without sacrificing security. "We released Google Authenticator in 2010 as a free and easy way for sites to add 'something you have' 2FA that bolsters user security when signing in," Brand wrote in the blog post announcing today's change. "With this update we're rolling out a solution to this problem, making one time codes more durable by storing them safely in users' Google Account."

Microsoft

Microsoft Agrees To Stop Bundling Teams With Office (ft.com)

Microsoft will stop forcing customers of its popular Office software to also have its Teams video conferencing and messaging app automatically installed on their devices, in a move designed to prevent an official antitrust probe by EU regulators. From a report: The US tech giant has made the concession to avoid a formal investigation, said two people with direct knowledge of the decision, following a 2020 complaint by rival Slack which claimed Microsoft's practice of bundling the two services together was anti-competitive. These people said that, in future, when companies buy Office they can do it with or without Teams if they wished, but the mechanism on how to do this remains unclear. The people stressed talks are still ongoing and a deal is not certain. The move is part of an effort by Microsoft to try to avoid what would be its first antitrust probe in more than a decade, having sought to avoid legal battles with the European Commission that have proved bruising in the past.

IT

New BIOS Updates Attempt To Keep Ryzen 7000X3D Processors From Frying Themselves (arstechnica.com)

An anonymous reader shares a report: Over the weekend, users on Reddit and YouTube began posting about problems with AMD's newest Ryzen 7000X3D processors. In some cases, the systems simply stopped booting. But in at least one instance, a Ryzen 7800X3D became physically deformed, bulging out underneath and bending the pins on the motherboard's processor socket. In a separate post, motherboard maker MSI indicated that the damage "may have been caused by abnormal voltage issues." Ryzen 7000X3D processors already impose limits on overclocking and power settings, but new BIOS updates from MSI specifically disallow any kind of "overvolting" features that could give the CPUs more power than they were built to handle.

You can still undervolt your CPU to attempt to reduce temperatures and energy usage by giving the CPU a bit less power than it was designed for. The Ryzen 7000X3D processors are set to a lower voltage than regular Ryzen 7000 CPUs by default because the extra L3 cache layered on top of the processor die can raise temperatures and make the CPU more difficult to cool. This has also made the chips much more power-efficient than the standard Ryzen chips, but that efficiency comes at the cost of overclocking settings and other features that some enthusiasts use to squeeze more performance out of their PCs.

Google

Google Opens Its Security Tools To Competitors' Platforms (axios.com)

Google is leaning into flexibility as part of a new strategy to stymie the impact of belt-tightening among cyber chiefs. From a report: Google Cloud and Mandiant, the threat intelligence unit it acquired last year, unveiled at the RSA Conference in San Francisco today that they're opening their security products to integrations from competitors, as well as offering new Google plug-ins for other vendors' tools. The news, which was shared first with Axios, means that Google customers will now have more options to embed Google's tools in partner companies' products, like CrowdStrike, Trellix and SentinelOne. Other companies, like Accenture and login management company Okta, will also be integrating their products into Google's as part of the plan. Chief information security officers are facing increasing board pressure during a wobbly economy to cut down the number of vendors they work with and simplify their security programs. As a result, vendors have started to intertwine their competitors' products into their own tools in recent years to reach more customers.

Security

Hacker Group Names Are Now Absurdly Out of Control (wired.com)

Hackers, particularly state-sponsored and organized cybercriminals, wreak havoc worldwide. However, their aliases, such as Fancy Bear and Refined Kitten, often undermine the seriousness of their actions, Wired argues. Microsoft's cybersecurity division recently revamped its naming taxonomy for the hundreds of hacker groups it tracks, adopting two-word names with a weather-based term to indicate the hackers' suspected country and affiliation.

For instance, the Iranian group Phosphorus is now dubbed Mint Sandstorm, while Russia's Iridium (Sandworm) goes by Seashell Blizzard. Critics, like Rob Lee, founder and CEO of cybersecurity firm Dragos, argue that the whimsical new names could hinder the perception of the profession and be counterproductive for cybersecurity analysis. Furthermore, the new naming scheme forces analysts and customers to revise their databases and products to align with Microsoft's terminology. The revised system also risks cementing educated guesses about hackers' national loyalties without clarity on the confidence of those assessments.

Programming

Is It Time to Stop Saying 'Learn to Code'? (vox.com)

Long-time Slashdot reader theodp writes: According to Google Trends, peak "Learn to Code" occurred in early 2019 when laid-off Buzzfeed and Huffpost journalists were taunted with the phrase on Twitter... As Meta founder and CEO Mark Zuckerberg recently put it, "We're in a different world." Indeed. Encouraging kids to pursue CS careers in Code.org's viral 2013 launch video, Zuckerberg explained, "Our policy at Facebook is literally to hire as many talented engineers as we can find."

In Learning to Code Isn't Enough, a new MIT Technology Review article, Joy Lisi Rankin reports on the long history of learn-to-code efforts, which date back to the 1960s. "Then as now," Lisi Rankin writes, "just learning to code is neither a pathway to a stable financial future for people from economically precarious backgrounds nor a panacea for the inadequacies of the educational system."

But is that really true? Vox does note that the latest round of layoffs at Meta "is impacting workers in core technical roles like data scientists and software engineers — positions once thought to be beyond reproach." Yet while that's also true at other companies, those laid-off tech workers also seem to be finding similar positions by working in other industries: Software engineers were the most overrepresented position in layoffs in 2023, relative to their employment, according to data requested by Vox from workforce data company Revelio Labs. Last year, when major tech layoffs first began, recruiters and customer success specialists experienced the most outsize impact. So far this year, nearly 20 percent of the 170,000 tech company layoffs were software engineers, even though they made up roughly 14 percent of employees at these companies. "Early layoffs were dominated by recruiters, which is forgoing future hiring," Revelio senior economist Reyhan Ayas told Vox. "Whereas in 2023 we see a shift toward more core engineering and software engineering, which signals a change in focus of current business priorities."

In other words, tech companies aren't just trimming the fat by firing people who fill out their extensive ecosystem, which ranges from marketers to massage therapists. They're also, many for the first time, making cuts to the people who build the very products they're known for, and who enjoyed a sort of revered status since they, like the founders of the companies, were coders. Software engineers are still important, but they don't have the power they used to...

The latest monthly jobs report by tech industry association CompTIA found that even though employment at tech companies (which includes all roles at those companies) declined slightly in March, employment in technical occupations across industry sectors increased by nearly 200,000 positions. So even if tech companies are laying off tech workers, other industries are snatching them up. Unfortunately for software engineers and the like, that means they might also have to follow those industries' pay schemes. The average software engineer base pay in the US is $90,000, according to PayScale, but can be substantially higher at tech firms like Facebook, where such workers also get bonuses and stock options.

AI

ChatGPT Creates Mostly Insecure Code, But Won't Tell You Unless You Ask

ChatGPT, OpenAI's large language model for chatbots, not only produces mostly insecure code but also fails to alert users to its inadequacies despite being capable of pointing out its shortcomings. The Register reports: Amid the frenzy of academic interest in the possibilities and limitations of large language models, four researchers affiliated with Universite du Quebec, in Canada, have delved into the security of code generated by ChatGPT, the non-intelligent, text-regurgitating bot from OpenAI. In a pre-press paper titled, "How Secure is Code Generated by ChatGPT?" computer scientists Raphael Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara answer the question with research that can be summarized as "not very."

"The results were worrisome," the authors state in their paper. "We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts. In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not." [...] In all, ChatGPT managed to generate just five secure programs out of 21 on its first attempt. After further prompting to correct its missteps, the large language model managed to produce seven more secure apps -- though that's "secure" only as it pertains to the specific vulnerability being evaluated. It's not an assertion that the final code is free of any other exploitable condition. [...]

The academics observe in their paper that part of the problem appears to arise from ChatGPT not assuming an adversarial model of code execution. The model, they say, "repeatedly informed us that security problems can be circumvented simply by 'not feeding an invalid input' to the vulnerable program it has created." Yet, they say, "ChatGPT seems aware of -- and indeed readily admits -- the presence of critical vulnerabilities in the code it suggests." It just doesn't say anything unless asked to evaluate the security of its own code suggestions.

Initially, ChatGPT's response to security concerns was to recommend only using valid inputs -- something of a non-starter in the real world. It was only afterward, when prompted to remediate problems, that the AI model provided useful guidance. That's not ideal, the authors suggest, because knowing which questions to ask presupposes familiarity with specific vulnerabilities and coding techniques. The authors also point out that there's ethical inconsistency in the fact that ChatGPT will refuse to create attack code but will create vulnerable code.

Network

Used Routers Often Come Loaded With Corporate Secrets (arstechnica.com)

An anonymous reader shares a report: You know that you're supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there's a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn't fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to. The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.

All nine of the unprotected devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been. Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other organizations -- like trusted partners, collaborators, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two directly contained customer data.

Microsoft

Windows 11 Start Menu Ads Look Set To Get Even Worse (techradar.com)

Microsoft is heading further down the path of advertising its own services in Windows 11, with different ads now popping up in the Start menu. From a report: To be precise, this is Windows 11 preview build 23435, which was just released to the Dev channel. As Microsoft puts it: "We are continuing the exploration of badging on the Start menu with several new treatments for users logging in with local user accounts to highlight the benefits of signing in with a Microsoft account (MSA)." So, the translation of this is that 'badging' is essentially advertising ('badgering' would perhaps be more accurate), and it's something we've recently seen with Windows 11 urging users to perform a cloud backup (in OneDrive).

In this new preview build, the prodding stick is being employed to nudge those who haven't enlisted for a Microsoft Account (who remain using a local account) into signing up for an MSA. Compared to the previous cloud backup prompt on the Start menu, it's even clearer that this is advertising because it's fully selling the benefits of having a Microsoft account. For example, Microsoft tells you how hooking your Windows 11 installation into an MSA will ensure that your PC is kept backed up and more secure, or that it'll keep your settings synced across multiple devices.

Encryption

Meta Encryption 'Blindfolds' Authorities To Child Abuse, Crime Agencies Claim (ft.com)

The FBI, Interpol and the UK's National Crime Agency have accused Meta of making a "purposeful" decision to increase end-to-end encryption in a way that in effect "blindfolds" them to child sex abuse. From a report: The Virtual Global Taskforce, made up of 15 law enforcement agencies, issued a joint statement saying that plans by Facebook and Instagram-parent Meta to expand the use of end-to-end encryption on its platforms were "a purposeful design choice that degrades safety systems," including with regards to protecting children. The law enforcement agencies also warned technology companies more broadly about the need to balance safeguarding children online with protecting users' privacy. "The VGT calls for all industry partners to fully appreciate the impact of implementing system design decisions that result in blindfolding themselves to CSA [child sexual abuse] occurring on their platforms or reduces their capacity to identify CSA and keep children safe," the statement said.

Japan

Cybersecurity Nightmare in Japan Is Everyone Else's Problem Too (bloomberg.com)

An anonymous reader shares a report: Kojima is a small company and little-known outside Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a critical one. And when the company was hacked in February 2022, it brought Toyota Motor's entire production line to a screeching stop. The world's top-selling carmaker had to halt 14 factories at a cost of about $375 million, based on a rough calculation of its sales and output data. Even after the initial crisis was over, it took months for Kojima to get operations close to their old routines.

The company is just one name on Japan's long list of recent cyber victims. Ransomware attacks alone soared 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported chip components worth $42.3 billion last year -- dominating the supply of some materials -- supply chain issues can have global implications. [...] But while Japan has its own particular problems with hackers, many of its vulnerabilities are shared by the US and other technologically strong nations. From the Colonial Pipeline attack in the US to the Australian telecoms hack that exposed 10 million users' personal data, wealthy countries have been repeatedly caught underestimating the harsh realities of cybercrime.

IT

Southwest Delayed Hundreds of Departures Due To a Networking Glitch (theverge.com)

Southwest Airlines has fixed a technical issue that delayed hundreds of flights across the country. In a statement, Southwest Airlines spokesperson Dan Landson says the company resumed operations after working through "data connection issues resulting from a firewall failure." From a report: The airline started having issues at around 10:30AM ET, with data from FlightAware suggesting that over 1,700 Southwest flights have been delayed so far. The Federal Aviation Administration paused departures at the request of Southwest Airlines around this time and later unpaused flights at 11:10AM ET. "Early this morning, a vendor-supplied firewall went down and connection to some operational data was unexpectedly lost," Landson says. "Southwest Teams worked quickly to minimize flight disruptions."

Encryption

WhatsApp, Signal and Encrypted Messaging Apps Unite Against UK's Online Safety Bill (bbc.com)

WhatsApp, Signal and other messaging services have urged the UK government to rethink the Online Safety Bill (OSB). From a report: They are concerned that the bill could undermine end-to-end encryption - which means the message can only be read on the sender and the recipient's app and nowhere else. Ministers want the regulator to be able to ask the platforms to monitor users, to root out child abuse images. The government says it is possible to have both privacy and child safety.

"We support strong encryption," a government official said, "but this cannot come at the cost of public safety.

"Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms.

"The Online Safety Bill in no way represents a ban on end-to-end encryption, nor will it require services to weaken encryption."

End-to-end encryption (E2EE) provides the most robust level of security because nobody other than the sender and intended recipient can read the message information. Even the operator of the app cannot unscramble messages as they pass across systems - they can be decrypted only by the people in the chat. "Weakening encryption, undermining privacy and introducing the mass surveillance of people's private communications is not the way forward," an open letter warns.
