Encryption

Signal Messaging App Now Testing Usernames (pcmag.com) 52

Michael Kan reports via PCMag: Encrypted messaging service Signal is now testing usernames, which will offer people a more private way to share their contact details on the app. Signal kicked off the public test today through a new beta build available in its community forums. "After rounds of internal testing, we have hit the point where we think the community that powers these forums can help us test even further before public launch," says Signal VP of Engineering Jim O'Leary.

The development is a big deal since Signal -- an end-to-end encrypted messaging app -- has long required users to sign up with a phone number. That same number also needs to be shared in order to message other users on the app. This can be problematic since sharing your phone number exposes you to privacy and hacking risks. For example, a contact on Signal could choose to call and message your number over an unencrypted cellular network or pass off the number to someone else.

Security

Maine Government Says Data Breach Affects 1.3 Million Residents (techcrunch.com) 40

An anonymous reader quotes a report from TechCrunch: The government of Maine has confirmed over a million state residents had personal information stolen in a data breach earlier this year by a Russia-linked ransomware gang. In a statement published Thursday, the Maine government said hackers exploited a vulnerability in its MOVEit file-transfer system, which stored sensitive data on state residents. The hackers used the vulnerability to access and download files belonging to certain state agencies between May 28 and May 29, the statement read. The Maine government said it was disclosing the incident and notifying affected residents as its assessment of the impacted files "was recently completed."

Maine said that the stolen information may include a person's name, date of birth, Social Security number, driver's license and other state or taxpayer identification numbers. Some individuals had medical and health insurance information taken. The statement said the state holds information about residents "for various reasons, such as residency, employment, or interaction with a state agency," and that the data it holds varies by person. According to the state's breakdown of which agencies are affected, more than half of the stolen data relates to Maine's Department of Health and Human Services, with up to about a third of the data affecting the Maine's Department of Education. The remaining data affects various other agencies, including Maine's Bureau of Motor Vehicles and Maine's Department of Corrections, though the government notes that the breakdown of information is subject to change. More than 1.3 million people live in the state of Maine, according to the U.S. Census Bureau.

Security

Mortgage Giant Mr. Cooper Shuts Down Systems Following Cyberattack (securityweek.com) 30

An anonymous reader quotes a report from SecurityWeek: Mortgage giant Mr. Cooper on Thursday announced that it has shut down certain systems after falling victim to a cyberattack, which resulted in its operations being suspended. The attack occurred on October 31 and prompted an immediate response, including containment measures that involved taking down some systems. The shutdown, the company says in an incident notice on its website, prevents it from processing customer payments temporarily, but such operations will resume as soon as systems are restored. Mr. Cooper says it is currently investigating the potential compromise of customer data, and that it will notify all those whose data might have been impacted by the attack. Headquartered in the Dallas, Texas, area, Mr. Cooper is one of the largest mortgage servicers in the US, with approximately 4.3 million customers. While it remains unclear what kind of cyberattack hit Mr. Cooper's systems, the mortgage and loan giant did confirm that customer data was compromised. However, banking information does not appear to be impacted. "Mr. Cooper does not store banking information related to mortgage payments on our systems. This information is hosted with a third-party provider and, based on the information we have to date, we do not believe it was affected by this incident," the company added.

According to TechCrunch, citing a filing with the U.S. Securities and Exchange Commission, Mr. Cooper said it "expects to incur up to $10 million in additional vendor costs during its fiscal fourth quarter, adding that it does not expect a material impact to its business."
AMD

AMD Begins Polaris and Vega GPU Retirement Process, Reduces Ongoing Driver Support (anandtech.com) 19

As AMD is now well into their third generation of RDNA architecture GPUs, the sun has been slowly setting on AMD's remaining Graphics Core Next (GCN) designs, better known by the architecture names of Polaris and Vega. From a report: In recent weeks the company dropped support for those GPU architectures in their open source Vulkan Linux driver, AMDVLK, and now we have confirmation that the company is slowly winding down support for these architectures in their Windows drivers as well. Under AMD's extended driver support schedule for Polaris and Vega, the drivers for these architectures will no longer be kept at feature parity with the RDNA architectures. And while AMD will continue to support Polaris and Vega for some time to come, that support is being reduced to security updates and "functionality updates as available."

For AMD users keeping a close eye on their driver releases, they'll likely recognize that AMD already began this process back in September -- though AMD hasn't officially documented the change until now. As of AMD's September Adrenaline 23.9 driver series, AMD split up the RDNA and GCN driver packages, and with that they have also split the driver branches between the two architectures. As a result, only RDNA cards are receiving new features and updates as part of AMD's mainline driver branch (currently 23.20), while the GCN cards have been parked on a maintenance driver branch - 23.19.

Cloud

Microsoft Won't Let You Close OneDrive on Windows Until You Explain Yourself (theverge.com) 245

Microsoft now wants you to explain exactly why you're attempting to close its OneDrive for Windows app before it allows you to do so. From a report: Neowin has spotted that the latest update to OneDrive now includes an annoying dialog box that asks you to select the reason why you're closing the app every single time you attempt to close OneDrive from the taskbar. Closing OneDrive is already buried away and not a simple task, with Microsoft hiding it under a "pause syncing" option when you right-click on OneDrive in the taskbar. But now, the quit option is grayed out until you select a reason for quitting OneDrive from a drop-down box. Here are the options:
1. I don't want OneDrive running all the time
2. I don't know what OneDrive is
3. I don't use OneDrive
4. I'm trying to fix a problem with OneDrive
5. I'm trying to speed up my computer
6. I get too many notifications
7. Other

Android

Google-led App Defense Alliance Joins Linux Foundation (techcrunch.com) 17

The App Defense Alliance (ADA), an initiative set up by Google back in 2019 to combat malicious Android apps infiltrating the Play app store, has joined the Joint Development Foundation (JDF), a Linux Foundation project focused on helping organizations working on technical specifications, standards, and related efforts. From a report: The App Defense Alliance had, in fact, already expanded beyond its original Android malware detection roots, covering areas such as malware mitigation, mobile app security assessments (MASA), and cloud app security assessments (CASA). And while its founding members included mobile security firms such as ESET, Lookout and Zimperium, it has ushered in new members through the years including Trend Micro and McAfee. Today's news, effectively, sees ADA join an independent foundation, a move designed to open up the appeal to other big tech companies, such as Facebook parent Meta and Microsoft, both of which are now joining the ADA's steering committee. The ultimate goal is to "improve app security" through fostering greater "collaborative implementation of industry standards," according to a joint statement today.
Chrome

Google Search and Chrome Are Getting New Tools To Help Users Find Discounts (techcrunch.com) 17

Google is coming for Honey and other deal-finding tools by introducing new features on Search and Chrome to help users find discounts. From a report: The tech giant announced on Tuesday that it's adding a designated page for deals on Search, while Chrome is getting features that proactively look for discount codes and provide users with price insights. The new deals search results page on Search is designed to help users find products that are on sale from across the web in one designated spot. The page will display deals in categories like apparel, electronics, toys and beauty. You'll also find deals from different types of merchants, including big box stores, DTC brands, luxury multi-brand retailers, designer labels and local stores.

Users can scroll through deals by category and also see popular stores that have deals on what you're looking for. If you see something you're interested in, you can click on the product or visit the merchant site to learn more. Google says that if you're signed into your Google account, the page will take into account what you usually like to shop. To access the new deals page, you need to search "shop deals." Or, if you're looking for something specific, you can search for categories like "shop sneaker deals."

United Kingdom

Tech Groups Fear New Powers Will Allow UK To Block Encryption (ft.com) 40

Tech groups have called on ministers to clarify the extent of proposed powers that they fear would allow the UK government to intervene and block the rollout of new privacy features for messaging apps. FT: The Investigatory Powers Amendment Bill, which was set out in the King's Speech on Tuesday, would oblige companies to inform the Home Office in advance about any security or privacy features they want to add to their platforms, including encryption. At present, the government has the power to force telecoms companies and messaging platforms to supply data on national security grounds and to help with criminal investigations.

The new legislation was designed to "recalibrate" those powers to respond to risks posed to public safety by multinational tech companies rolling out new services that "preclude lawful access to data," the government said. But Meredith Whittaker, president of private messaging group Signal, urged ministers to provide more clarity on what she described as a "bellicose" proposal amid fears that, if enacted, the new legislation would allow ministers and officials to veto the introduction of new safety features. "We will need to see the details, but what is being described suggests an astonishing level of technically confused government over-reach that will make it nearly impossible for any service, homegrown or foreign, to operate with integrity in the UK," she told the Financial Times.

Bug

Apple Delays Work on Next Year's iPhone, Mac Software To Fix Bugs (bloomberg.com) 74

In a rare move, Apple hit pause on development of next year's software updates for the iPhone, iPad, Mac and other devices so that it could root out glitches in the code. From a report: The delay, announced internally to employees last week, was meant to help maintain quality control after a proliferation of bugs in early versions, according to people with knowledge of the decision. Rather than adding new features, company engineers were tasked with fixing the flaws and improving the performance of the software, said the people, who asked not to be identified because the matter is private.

Apple's software -- famous for its clean interfaces, easy-to-use controls and focus on privacy -- is one of its biggest selling points. That makes quality control imperative. But the company has to balance a desire to add new features with making sure its operating systems run as smoothly as possible. [...] When looking at new operating systems due for release next year, the software engineering management team found too many "escapes" -- an industry term for bugs missed during internal testing. So the division took the unusual step of halting all new feature development for one week to work on fixing the bugs. With thousands of different Apple employees working on a range of operating systems and devices -- that need to work together seamlessly -- it's easy for glitches to crop up.

Crime

'Encryption King' Arrested In Turkey (404media.co) 31

An anonymous reader quotes a report from 404 Media: Hakan Ayik, an infamous drug trafficker who also popularized the use of certain brands of encrypted phones around the world, was arrested during a series of dramatic raids in Turkey last week. At one point a group of heavily armed Turkish tactical officers in brown and gray camouflage piled outside an apartment and banged on the door repeatedly. They then smashed the door down and moved inside with a riot shield, according to a video tweeted by Turkey's Minister of the Interior. The video then showed a photograph of Ayik, shirtless and on his knees while staring straight ahead, surrounded by multiple officers.

It was a moment that capped off the arrest of Australia's most wanted man, and a sign that Turkey is no longer a safe haven to organized criminals. But it was also something of a closing act on Anom, a brand of encrypted phone that the FBI secretly took over and managed for years after inserting a backdoor into the product, allowing agents to read tens of millions of messages sent across it. Ayik unknowingly helped the FBI gain that piercing insight into organized crime by selling the devices to other criminal associates. Given Ayik's position as a trusted authority on what communications tools drug traffickers should use, one associate even referred to him as the 'encryption king' in an Anom message I've seen.
According to the Sydney Morning Herald, Ayik will not be extradited to Australia. Instead, Australian police are encouraging Turkish authorities to investigate and prosecute him as a Turkish citizen.
Encryption

Scientist Claims Quantum RSA-2048 Encryption Cracking Breakthrough (tomshardware.com) 129

Mark Tyson reports via Tom's Hardware: A commercial smartphone or Linux computer can be used to crack RSA-2048 encryption, according to a prominent research scientist. Dr Ed Gerck is preparing a research paper with the details but couldn't hold off from bragging about his incredible quantum computing achievement (if true) on his LinkedIn profile. Let us be clear: the claims seem spurious, but it should be recognized that the world isn't ready for an off-the-shelf system that can crack RSA-2048, as major firms, organizations, and governments haven't yet transitioned to encryption tech that is secured for the post-quantum era.

In his social media post, Gerck states that a humble device like a smartphone can crack the strongest RSA encryption keys in use today due to a mathematical technique that "has been hidden for about 2,500 years -- since Pythagoras." He went on to make clear that no cryogenics or special materials were used in the RSA-2048 key-cracking feat. BankInfoSecurity reached out to Gerck in search of some more detailed information about his claimed RSA-2048 breakthrough and in the hope of some evidence that what is claimed is possible and practical. Gerck shared an abstract of his upcoming paper. This appears to show that instead of using Shor's algorithm to crack the keys, a system based on quantum mechanics was used, and it can run on a smartphone or PC.

In some ways, it is good that the claimed breakthrough doesn't claim to use Shor's algorithm. Alan Woodward, a professor of computer science at the University of Surrey, told BankInfoSecurity that no quantum computer in existence has enough gates to implement Shor's algorithm and break RSA-2048. So at least this part of Gerck's explanation checks out. However, the abstract of Gerck's paper looks like it is "all theory proving various conjectures - and those proofs are definitely in question," according to Woodward. The BankInfoSecurity report on Gerck's "QC Algorithms: Faster Calculation of Prime Numbers" paper quotes other skeptics, most of whom are waiting for more information and proofs before they organize a standing ovation for Gerck.

The Military

US Military Members' Personal Data Being Sold By Online Brokers, Report Finds 32

Jacob Knutson reports via Axios: Sensitive, highly detailed personal data for thousands of active-duty and veteran U.S. military members can be purchased for as little as one cent per name through data broker websites, according to a new study (PDF) published on Monday by Duke University researchers. [...] The data about military personnel purchased as part of the study included full names, physical and email addresses, health and financial information and details about their ethnicity, religious practices and political affiliation. In some cases, the information also included whether the person owned or rented a home, was married or had children. The children's ages and sexes were accessible, too.

The researchers bought data on up to around 45,000 military personnel for between $0.12 to $0.32 per record. They also bought data belonging to 5,000 friends and family members of military personnel. Larger data purchases of over 1.5 million service members were available for as little as $0.01 per record from at least one broker the researchers contacted. The researchers called on Congress to pass a comprehensive privacy law and for regulatory agencies like the Federal Trade Commission to develop rules to govern military personnel data purchases.
China

Huawei and Tencent Spearhead China's Hold on Cybersecurity Patents (nikkei.com) 28

China's presence is growing in cybersecurity technology, with companies such as Huawei and Tencent accounting for six of the top 10 global patent holdings in the sector as of August. From a report: Chinese companies have made headway in technological fields that affect economic security, according to industry insiders, as they focus on fostering their own tech amid the growing standoff between the U.S. and China. The rankings, compiled by Nikkei in cooperation with U.S. information services provider LexisNexis, are based on patents registered in 95 countries and regions, including Japan, the U.S., China and the European Union. Patent registrations were screened for the cybersecurity field using such factors as the international patent classification, with filings of the same patent in multiple countries counted as a single patent.

As of August, IBM led the rankings with 6,363 patents. Huawei Technologies came in second with 5,735 patents and Tencent Holdings placed third with 4,803. Other Chinese companies in the top 10 included financial services provider Ant Group in sixth with 3,922 patents, followed by power transmission company State Grid Corp. of China with 3,696, Alibaba Group Holding with 3,122 and sovereign wealth fund China Investment with 3,042. Patent applications filed by Chinese companies have increased since around 2018, when the U.S. began to impose full-scale export controls on Chinese high-tech companies. Compared with 10 years ago, IBM's patent holdings increased by a factor of 1.5. In contrast, holdings for Huawei and Tencent were 2.3 times and 13 times higher, respectively.

Microsoft

Microsoft Disputes Severity of Four Zero-Day Vulnerabilities Found in Exchange by Trend Micro (bleepingcomputer.com) 26

"Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations," reports Bleeping Computer, citing disclosures Thursday from Trend Micro's Zero Day Initiative, who reported them to Microsoft on September 7th and 8th, 2023.

In an email to the site, a Microsoft spokesperson said customers who applied the August Security Updates are already protected from the first vulnerability, while the other three require attackers to have prior access to email credentials. (And for two of them no evidence was presented that it can be leveraged to gain elevation of privilege.)

"We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate."

From Bleeping Computer's report: ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks... All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5... It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs...

ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product. We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised.

Security

Okta Breach: 134 Customers Exposed in October Support System Hack 13

Okta says attackers who breached its customer support system last month gained access to files belonging to 134 customers, five of them later being targeted in session hijacking attacks with the help of stolen session tokens. From a report: "From September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta's customer support system associated with 134 Okta customers, or less than 1% of Okta customers," Okta revealed. "Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event." The three Okta customers that already disclosed they were targeted due to the company's October security breach are 1Password, BeyondTrust, and Cloudflare. They all notified Okta of suspicious activity after detecting unauthorized attempts to log into in-house Okta administrator accounts.
Security

Fusus' AI-Powered Cameras Are Spreading Across the United States 33

An anonymous reader quotes a report from 404 Media: Spread across four computer monitors arranged in a grid, a blue and green interface shows the location of more than 50 different surveillance cameras. Ordinarily, these cameras and others like them might be disparate, their feeds only available to their respective owners: a business, a government building, a resident and their doorbell camera. But the screens, overlooking a pair of long conference tables, bring them all together at once, allowing law enforcement to tap into cameras owned by different entities around the entire town all at once. This is a demonstration of Fusus, an AI-powered system that is rapidly springing up across small town America and major cities alike. Fusus' product not only funnels live feeds from usually siloed cameras into one central location, but also adds the ability to scan for people wearing certain clothes, carrying a particular bag, or look for a certain vehicle.

404 Media has obtained a cache of internal emails, presentations, memos, photos, and more which provide insight into how Fusus teams up with police departments to sell its surveillance technology. All around the country, city councils are debating whether they want to have a system that qualitatively changes what surveillance cameras mean for a town's residents and public agencies. While many have adopted Fusus, others have pushed back, and refused to have the hardware and software installed in their neighborhoods. In some ways, Fusus is deploying smart camera technology that historically has been used in places like South Africa, where experts warned about it creating an ever present blanket of surveillance. Now, tech with some of the same capabilities is being used across small town America.

Rather than selling cameras themselves, Fusus' hardware and software latches onto existing installations, which can include government-owned surveillance cameras as well as privately owned cameras at businesses and homes. It turns dumb cameras into smart ones. "In essence, the Fusus solution puts a brain into every camera connected with the system," one memorandum obtained by 404 Media reads.
In addition to integrating with existing surveillance installations, Fusus' hardware, called SmartCORE, can turn cameras into automatic license plate readers (ALPRs). It can reportedly offer facial recognition features, too, although Fusus hasn't provided clear clarification on this matter.

The report says the system has been adopted by numerous police departments across the United States, with approximately 150 jurisdictions using Fusus. Orland Park police have called it a "game-changer." It's also being used internationally, launching in the United Kingdom.

Here's what Beryl Lipton, investigative researcher at the Electronic Frontier Foundation (EFF), had to say about it: "The lack of transparency and community conversation around Fusus exacerbates concerns around police access of the system, AI analysis of video, and analytics involving surveillance and crime data, which can influence officer patrols and priorities. In the absence of clear policies, auditable access logs, and community transparency about the capabilities and costs of Fusus, any community in which this technology is adopted should be concerned about its use and abuse."
China

US House Panel Seeks Ban On Federal Purchases of China Drones (reuters.com) 33

David Shepardson reports via Reuters: The top members of a U.S. House committee on China are introducing a bill that seeks to ban the U.S. government from buying Chinese drones. Mike Gallagher, the Republican chair of the committee, and Raja Krishnamoorthi, the ranking Democrat, are introducing the "American Security Drone Act" on Wednesday, the lawmakers said in a statement to Reuters. "This bill would prohibit the federal government from using American taxpayer dollars to purchase this equipment from countries like China," Gallagher said. "It is imperative that Congress pass this bipartisan bill to protect U.S. interests and our national security supply chain."

The bill would also bar local and state governments from purchasing Chinese drones using federal grants and require a federal report detailing the amount of foreign commercial off-the-shelf drones and covered unmanned aircraft systems procured by federal departments and agencies from China. Krishnamoorthi said the bill "helps protect against any vulnerabilities posed by our government agencies' reliance on foreign-manufactured drone technology and will encourage growth in the U.S. drone industry."

Separately, the U.S. Senate on Tuesday unanimously approved an amendment proposed by Republican Senator Marsha Blackburn and Democrat Mark Warner that would prohibit the Federal Aviation Administration (FAA) from operating or providing federal funds for drones produced in China, Russia, Iran, North Korea, Venezuela or Cuba. "Taxpayer dollars should never fund drones manufactured in regions that are hostile toward our nation," Blackburn said. China recently announced export controls on some drones and drone-related equipment, saying it wanted to safeguard "national security and interests."
The U.S. Commerce Department in 2020 added dozens of Chinese companies to a trade blacklist, including the country's top chipmaker SMIC and Chinese drone giant DJI.
Microsoft

Microsoft Warns It May 'Throttle' Its Generative AI Services for 'Excessive' Users (theregister.com) 15

Microsoft has changed the terms and conditions for its online services to include a warning that "excessive" users of its generative AI services will have their access restricted. From a report: The new language appeared in a November 1 update to Microsoft's legalese spotted by licensing-watchers Cloudy With A Chance Of Licensing. The restrictions are described in a new clause of the document titled "Capacity Limitations," is: "Excessive use of a Microsoft Generative AI Service may result in temporary throttling of Customer's access to the Microsoft Generative AI Service." The document does not, however, define "excessive use", how long a "temporary" restriction might last, or exactly what happens during "throttling."
Chrome

Chrome Not Proceeding With Web Integrity API Deemed By Many To Be DRM (9to5google.com) 24

An anonymous reader shares a report: Back in July, Google's work on a Web Integrity API emerged and many equated it to DRM. While prototyped, it was only at the proposal stage and the company announced today it's not going ahead with it. With this proposal, Google wanted to give websites a way to confirm the authenticity of the user and their device/browser.

The Web Integrity API would let websites "request a token that attests key facts about the environment their client code is running in." It's not all too different from the Play Integrity API (SafetyNet) on Android that Google Wallet and other banking apps use to make sure a device hasn't been tampered with (rooted).

Privacy

Brave Responds To Bing and ChatGPT With a New 'Anonymous and Secure' AI Chatbot (theverge.com) 11

The Brave browser is rolling out a privacy-focused AI assistant named Leo, which the company claims provides "unparalleled privacy" compared to AI chatbot services likes Bing Chat, ChatGPT, Google Bard and others. The Verge reports: Following several months of testing, Leo is now available to use for free by all Brave desktop users running version 1.60 of the web browser. Leo is rolling out "in phases over the next few days" and will be available on Android and iOS "in the coming months."

The core features of Leo aren't too dissimilar from other AI chatbots like Bing Chat and Google Bard: it can translate, answer questions, summarize webpages, and generate new content. Brave says the benefits of Leo over those offerings are that it aligns with the company's focus on privacy -- conversations with the chatbot are not recorded or used to train AI models, and no login information is required to use it. As with other AI chatbots, however, Brave claims Leo's outputs should be "treated with care for potential inaccuracies or errors."

The standard version of Leo utilizes Meta's Llama 2 large language model and is free to use by default. For users who prefer to access a different AI language model, Brave is also introducing Leo Premium, a $15 monthly subscription that features Anthropic's AI assistant, Claude Instant -- a faster and cheaper version of Anthropic's Claude 2 large language model. Brave says that additional models will be available to Leo Premium users alongside access to higher-quality conversations, priority queuing during peak usage, higher rate limits, and early access to new features.

Slashdot Top Deals