Google

Think Twice Before Using Google To Download Software, Researchers Warn (arstechnica.com) 54

Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous, according to researchers and a pseudorandom collection of queries. Ars Technica reports: "Threat researchers are used to seeing a moderate flow of malvertising via Google Ads," volunteers at Spamhaus wrote on Thursday. "However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not 'the norm.'"

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.

On the same day that Spamhaus published its report, researchers from security firm SentinelOne documented an advanced Google malvertising campaign pushing multiple malicious loaders implemented in .NET. SentinelOne has dubbed these loaders MalVirt. At the moment, the MalVirt loaders are being used to distribute malware most commonly known as XLoader, available for both Windows and macOS. XLoader is a successor to malware also known as Formbook. Threat actors use XLoader to steal contacts' data and other sensitive information from infected devices. The MalVirt loaders use obfuscated virtualization to evade endpoint protection and analysis. To disguise real C2 traffic and evade network detections, MalVirt beacons to decoy command and control servers hosted at providers including Azure, Tucows, Choopa, and Namecheap.
"Until Google devises new defenses, the decoy domains and other obfuscation techniques remain an effective way to conceal the true control servers used in the rampant MalVirt and other malvertising campaigns," concludes Ars. "It's clear at the moment that malvertisers have gained the upper hand over Google's considerable might."
IT

Netflix Says Strict New Password Sharing Rules Were Posted in Error (appleinsider.com) 58

New Netflix rules that would have enforced a limitation on users' sharing passwords are reportedly a mistake and don't apply in the US -- for now. From a report: Netflix has long been planning to cut down on password sharing, or letting friends share one paid account. The company appeared to go further, however, with the inclusion in its help pages of a new set of rules.

Broadly, anyone at a subscriber's physical address could continue using the service. But the paying subscriber would have to confirm every 31 days that a user away from their residence -- such as at college -- was part of the household. According to The Streamable, Netflix says it was all a mistake -- for the United States. "For a brief time yesterday, a help center article containing information that is only applicable to Chile, Costa Rica, and Peru, went live in other countries," a Netflix spokesperson told the publication. "We have since updated it."

Encryption

Kremlin's Tracking of Russian Dissidents Through Telegram Suggests App's Encryption Has Been Compromised (wired.com) 56

Russian antiwar activists placed their faith in Telegram, a supposedly secure messaging app. How does Putin's regime seem to know their every move? From a report: Matsapulina's case [anecdote in the story] is hardly an isolated one, though it is especially unsettling. Over the past year, numerous dissidents across Russia have found their Telegram accounts seemingly monitored or compromised. Hundreds have had their Telegram activity wielded against them in criminal cases. Perhaps most disturbingly, some activists have found their "secret chats" -- Telegram's purportedly ironclad, end-to-end encrypted feature -- behaving strangely, in ways that suggest an unwelcome third party might be eavesdropping.

These cases have set off a swirl of conspiracy theories, paranoia, and speculation among dissidents, whose trust in Telegram has plummeted. In many cases, it's impossible to tell what's really happening to people's accounts -- whether spyware or Kremlin informants have been used to break in, through no particular fault of the company; whether Telegram really is cooperating with Moscow; or whether it's such an inherently unsafe platform that the latter is merely what appears to be going on.

Software

BMW Owner Discovers Car's Software Update Won't Install When Parked on Incline (thedrive.com) 127

An anonymous reader shares a report: A BMW i4 owner was rightfully puzzled when their car flashed a strange alert on the screen, saying its parking spot was "too steep" to perform an over-the-air software upgrade. How does that happen? And why is it a problem in the first place? As Clare Eliza found out, it simply isn't possible to remotely update any of the i4's software if the car isn't parked on flat ground. And instead of allowing the operator to override this, it will wait until you physically move it somewhere more level to continue. As it turns out, BMW doesn't have one singular reason why the vehicle can't perform this task on an incline. Rather, the limitation is there as a safety blanket.

"The vehicle has all sorts of sensors (pitch, yaw, lateral and longitudinal acceleration and deceleration, etc.) that allow it to understand its orientation, so it knows when it's on an incline," a BMW spokesperson told The Drive. "It's likely a catchall, every-worst-case-no-matter-how-unlikely scenario safety precaution to try to prevent any chance of the vehicle moving should the programming be interrupted or go wrong." Essentially, it's there just in case something unexpected happens; it's better to plan for the worst, after all.

Security

Anker Finally Comes Clean About Its Eufy Security Cameras (theverge.com) 30

An anonymous reader quotes a report from The Verge: First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn't answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams -- among other questions -- we would publish a story about the company's lack of answers. It worked.

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted -- they can and did produce unencrypted video streams for Eufy's web portal, like the ones we accessed from across the United States using an ordinary media player. But Anker says that's now largely fixed. Every video stream request originating from Eufy's web portal will now be end-to-end encrypted -- like they are with Eufy's app -- and the company says it's updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

That's not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it's bringing in outside security and penetration testing companies to audit Eufy's practices, is in talks with a "leading and well-known security expert" to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail. Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It's a little hard to take the company at its word! But we also think Anker Eufy customers, security researchers and journalists deserve to read and weigh those words, particularly after so little initial communication from the company. That's why we're publishing Anker's full responses [here].
As highlighted by Ars Technica, some of the notable statements include:
- Its web portal now prohibits users from entering "debug mode."
- Video stream content is encrypted and inaccessible outside the portal.
- While "only 0.1 percent" of current daily users access the portal, it "had some issues," which have been resolved.
- Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
- Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but this has been discontinued. No recognition data was included with images sent to the cloud.
- Outside of the "recent issue with the web portal," all other video uses end-to-end encryption.
- A "leading and well-known security expert" will produce a report about Eufy's systems.
- "Several new security consulting, certification, and penetration testing" firms will be brought in for risk assessment.
- A "Eufy Security bounty program" will be established.
- The company promises to "provide more timely updates in our community (and to the media!)."

IT

Razer Debuts Its Lightest Gaming Mouse Ever (engadget.com) 36

Razer announced its lightest gaming mouse today, the Viper Mini Signature Edition. From a report: It only weighs 49g, making it 16 percent lighter than the company's Viper V2 Pro and one of the most lightweight mice we've seen from a large company. The mouse uses a magnesium alloy exoskeleton with a semi-hollow interior (bearing a slight resemblance to the SteelSeries Aerox 3 Wireless). "We wanted to push beyond the traditional honeycomb design, and this required a material with an outstanding strength-to-weight ratio," said Razer's Head of Industrial Design, Charlie Bolton. "After evaluating plastics, carbon fiber and even titanium, we ultimately chose magnesium alloy for its exceptional properties." Razer says the mouse uses its fastest wireless tech and will be among its best-performing wireless mice. Price: $280.
Google

Google Expands Open Source Bounties, Will Soon Support JavaScript Fuzzing Too (zdnet.com) 6

Google has expanded the OSS-Fuzz Reward Program to offer rewards of up to $30,000 for researchers who find security flaws in open source programs. From a report: The expanded scope of the program means the total rewards possible per project integration rise from $20,000 to $30,000. The purpose of OSS-Fuzz is to help open source projects adopt fuzz testing, and the new categories of rewards support those who create more ways of integrating new projects.

Google created two new reward categories that reward wider improvements across all OSS-Fuzz projects. It offers up to $11,337 available per category. It's also offering rewards for notable FuzzBench fuzzer integrations, and for integrating new sanitizers or 'bug detectors' that help find vulnerabilities. "We hope to accelerate the integration of critical open source projects into OSS-Fuzz by providing stronger incentives to security researchers and open source maintainers," explains Oliver Chang of Google's OSS-Fuzz team.

Microsoft

Microsoft Will Use OpenAI Tech To Write Emails For Busy Salespeople (bloomberg.com) 56

Microsoft is adding artificial intelligence capabilities from ChatGPT maker OpenAI to another of its products -- this time a customer-relationship app that's meant to help win revenue from Salesforce. From a report: Viva Sales, which connects Microsoft's Office and video conferencing programs with customer relations management software, will be able to generate email replies to clients using OpenAI's product for creating text. The AI tools, which include OpenAI's GPT 3.5 -- the system that is the basis for the ChatGPT chatbot -- will cull data from customer records and Office email software. That information will then be used to generate emails containing personalized text, pricing details and promotions. The Viva Sales app was initially released in October and works with Microsoft's Dynamics customer management program and that of rival Salesforce. It's free for users who sign up for the premium versions of Dynamics and $40 per user per month for Salesforce customers.
The Internet

Netflix Unveils Plans To Prevent Password Sharing (ign.com) 150

Netflix has unveiled its plans to prevent password sharing between people in households outside of an account owner's primary location. From a report: As reported by gHacks, the streaming service has detailed how it aims to crack down on account sharing in an updated FAQ. The information varies between countries, but it looks like the company will be paying careful attention to the devices used to log in to accounts from now on. The FAQ pages for US and UK subscribers currently highlight that devices may require verification if they are not associated with the Netflix household or if they attempt to access an account outside the subscriber's primary location for an extended period of time.

The FAQ pages for countries where Netflix is testing extra membership fees for account sharing have tweaked the rules. The Costa Rican Help Center states that devices must connect to the Wi-Fi at the primary location and watch something on Netflix "at least once every 31 days." The company will use information "such as IP addresses, device IDs, and account activity" to determine whether a device signed into an account is connected to the primary location. A device may be blocked from watching Netflix if it's deemed to fall outside of the household. As further set out in the guidelines, if you are the primary account owner and you find yourself travelling between locations, you can request a temporary code to access Netflix for seven consecutive days. Alternatively, you can update your primary location if it has changed.

Security

Microsoft Upgrades Defender To Lock Down Linux Devices For Their Own Good (theregister.com) 96

Organizations using Microsoft's Defender for Endpoint will now be able to isolate Linux devices from their networks to stop miscreants from remotely connecting to them. The Register reports: The device isolation capability is in public preview and mirrors what the product already does for Windows systems. "Some attack scenarios may require you to isolate a device from the network," Microsoft wrote in a blog post. "This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature." Intruders won't be able to connect to the device or run operations like assuming unauthorized control of the system or stealing sensitive data, Microsoft claims.

According to the vendor, when the device is isolated, it is limited in the processes and web destinations that are allowed. That means if they're behind a full VPN tunnel, they won't be able to reach Microsoft's Defender for Endpoint cloud services. Microsoft recommends that enterprises use a split-tunneling VPN for cloud-based traffic for both Defender for Endpoint and Defender Antivirus. Once the situation that caused the isolation is cleared up, organizations will be able to reconnect the device to the network. Isolating the system is done via APIs. Users can get to the device page of the Linux systems through the Microsoft 365 Defender portal, where they will see an "Isolate Device" tab in the upper right among other response actions. Microsoft has outlined the APIs for both isolating the device and releasing it from lock down.

Security

Google Fi Says Hackers Accessed Customers' Information (techcrunch.com) 5

Google's cell network provider Google Fi has confirmed a data breach, likely related to the recent security incident at T-Mobile, which allowed hackers to steal millions of customers' information. From a report: In an email sent to customers on Monday, obtained by TechCrunch, Google said that the primary network provider for Google Fi recently informed the company that there had been suspicious activity relating to a third party support system containing a "limited amount" of Google Fi customer data.

The timing of the notice -- and the fact that Google Fi uses a combination of T-Mobile and U.S. Cellular for network connectivity -- suggests the breach is linked to the most recent T-Mobile hack. This breach, disclosed on January 19, allowed intruders access to a trove of personal data belonging to 37 million customers, including billing addresses, dates of birth and T-Mobile account details. The incident marked the eighth time T-Mobile has been hacked since 2018. In the case of the Google Fi breach, Google says the hackers accessed limited customer information, including phone numbers, account status, SIM card serial numbers, and details about customers' mobile service plan, such as whether they have selected unlimited SMS or international roaming.

IT

Mobile Phone, PC Shipments To Fall Again in 2023, Gartner Says (reuters.com) 25

Shipments of personal computers and mobile phones are expected to fall for the second straight year in 2023, with phone shipments slumping to a decade low, IT research firm Gartner said on Tuesday. From a report: Mobile phone shipments are projected to fall 4% to 1.34 billion units in 2023, down from 1.40 billion units in 2022, Gartner said. They totaled 1.43 billion in 2021. That was close to the 2009 shipments level when BlackBerry and Nokia phones were the market leaders as Apple tried to dent their dominance.

The mobile phone market peaked in 2015 when shipments touched 1.9 billion units. The pandemic led to a fundamental change where people working from home didn't feel the need to change phones frequently, Ranjit Atwal, research director at Gartner, said in an interview.

Data Storage

Huge Capacity HDDs Shine In Latest Storage Reliability Report But There's A Caveat (hothardware.com) 39

Hot Hardware reports: When it comes to mechanical hard disk drives (HDDs), you'd be very hard pressed to find any data on failure rates reported by any of the major players, such as Western Digital, Seagate, and the rest. Fortunately for us stat nerds and anyone else who is curious, the folks at cloud backup firm Backblaze frequently issue reliability reports that give insight into how often various models and capacities give up the ghost. At a glance, Backblaze's latest report highlights that bigger capacity drives -- 12TB, 14TB, and 16TB -- fail less often than smaller capacity models. A closer examination, however, reveals that it's not so cut and dried.

[...] In a nutshell, Backblaze noted an overall rise in the annual failure rates (AFRs) for 2022. The cumulative AFR of all drives deployed rose to 1.37 percent, up from 1.01 percent in 2021. By the end of 2022, Backblaze had 236,608 HDDs in service, including 231,309 data drives and 4,299 boot drives. Its latest report focuses on the data drives. [...] Bigger drives are more reliable than smaller drives, case closed, right? Not so fast. There's an important caveat to this data -- while the smaller drives failed more often last year, they are also older, as can be seen in the graph above. "The aging of our fleet of hard drives does appear to be the most logical reason for the increased AFR in 2022. We could dig in further, but that is probably moot at this point. You see, we spent 2022 building out our presence in two new data centers, the Nautilus facility in Stockton, California and the CoreSite facility in Reston, Virginia. In 2023, our focus is expected to be on replacing our older drives with 16TB and larger hard drives," Backblaze says.

Security

GitHub Says Hackers Cloned Code-Signing Certificates in Breached Repository (arstechnica.com) 19

GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom. From a report: Code-signing certificates place a cryptographic stamp on code to verify it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.

"A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use," the company wrote in an advisory. "As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications." The revocations, which will be effective on Thursday, will cause certain versions of the apps to stop working.

Facebook

Hacker Finds Bug That Allowed Anyone To Bypass Facebook 2FA (techcrunch.com) 13

An anonymous reader quotes a report from TechCrunch: A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account's two-factor protections just by knowing their phone number. Gtm Manoz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.

With a victim's phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make. Once the attacker got the code right, the victim's phone number became linked to the attacker's Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else's account.
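The root cause described above is the absence of any cap on code entry attempts, which turns a 6-digit SMS code into a secret with only a million possibilities. The following is an added example, not Meta's code or anything from the TechCrunch report: a small verifier that issues one-time codes per phone number, counts failed guesses against each outstanding code, discards the code and locks the number once the cap is hit, and compares codes in constant time. The `probe_lockout` helper exists only to check that the cap actually holds; the phone number, cap and lockout period are constructed values.

```python
import hmac
import secrets
import time

# Added example (not Meta's code): a phone-number 2FA verifier that caps guesses.
CODE_DIGITS = 6


class SmsCodeVerifier:
    """Issue one-time SMS codes and verify them under a per-number attempt cap."""

    def __init__(self, max_attempts=5, lockout_seconds=15 * 60, clock=time.monotonic):
        self._max_attempts = max_attempts
        self._lockout = lockout_seconds
        self._clock = clock           # injectable so tests can advance time deterministically
        self._pending = {}            # phone -> outstanding code
        self._failures = {}           # phone -> failed guesses against the outstanding code
        self._locked_until = {}       # phone -> clock value at which the lock expires

    def _is_locked(self, phone):
        return self._locked_until.get(phone, 0.0) > self._clock()

    def issue(self, phone):
        """Generate a fresh code for `phone`, or None (send nothing) if the number is locked."""
        if self._is_locked(phone):
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = code
        self._failures[phone] = 0
        return code

    def verify(self, phone, submitted):
        """Return 'ok', 'wrong', 'locked' or 'no_pending'."""
        if self._is_locked(phone):
            return "locked"
        expected = self._pending.get(phone)
        if expected is None:
            return "no_pending"
        if not isinstance(submitted, str) or not submitted.isascii():
            submitted = ""            # compare_digest needs ASCII str; treat junk as a miss
        # Constant-time comparison so timing does not leak how much of the code matched.
        if hmac.compare_digest(expected, submitted):
            del self._pending[phone]
            self._failures.pop(phone, None)
            return "ok"
        self._failures[phone] += 1
        if self._failures[phone] >= self._max_attempts:
            # Cap reached: the outstanding code is discarded, not just the number locked,
            # so the attempt budget cannot be carried over to the same code after the lock.
            del self._pending[phone]
            self._failures.pop(phone, None)
            self._locked_until[phone] = self._clock() + self._lockout
            return "locked"
        return "wrong"


def probe_lockout(verifier, phone, candidates):
    """Submit candidates in order until the verifier stops us; return (calls, status).
    A test of the control: with a cap of N, it must stop after exactly N calls."""
    calls = 0
    for candidate in candidates:
        calls += 1
        status = verifier.verify(phone, candidate)
        if status in ("ok", "locked", "no_pending"):
            return calls, status
    return calls, "wrong"


def success_probability(max_attempts, digits=CODE_DIGITS):
    """Chance a random guesser hits a uniformly chosen code within the attempt cap."""
    return max_attempts / 10 ** digits


if __name__ == "__main__":
    v = SmsCodeVerifier()
    number = "+1 555 0100"   # constructed sample number
    code = v.issue(number)
    wrong_guesses = (c for c in (f"{i:06d}" for i in range(10 ** CODE_DIGITS)) if c != code)
    print(probe_lockout(v, number, wrong_guesses))   # (5, 'locked') with the default cap
    print(success_probability(5))                    # 5e-06
```

Two design points matter here. Locking the number rather than the session defeats the flow in the story, where the attacker's own account is the one submitting guesses for the victim's number. And invalidating the outstanding code on lockout means a new SMS must be sent after the lock expires, so each lock window buys the attacker at most `max_attempts` guesses against a fresh secret, never a cumulative walk through the code space.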

Manoz found the bug in the Meta Accounts Center last year, and reported it to the company in mid-September. Meta fixed the bug a few days later, and paid Manoz $27,200 for reporting the bug. Meta spokesperson Gabby Curtis told TechCrunch that at the time of the bug the login system was still at the stage of a small public test. Curtis also said that Meta's investigation after the bug was reported found that there was no evidence of exploitation in the wild, and that Meta saw no spike in usage of that particular feature, which would signal the fact that no one was abusing it.

Security

KeePass Disputes Vulnerability Allowing Stealthy Password Theft (bleepingcomputer.com) 66

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. BleepingComputer reports: KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can't just steal the database and automatically gain access to the passwords stored within it. The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control. However, this export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. [...]

While the CERT teams of the Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn't be classified as a vulnerability given that attackers with write access to a target's device can also obtain the information contained within the KeePass database through other means. In fact, a "Security Issues" page on the KeePass Help Center has been describing the "Write Access to Configuration File" issue since at least April 2019 as "not really a security vulnerability of KeePass." If the user has installed KeePass as a regular program and the attackers have write access, they can also "perform various kinds of attacks." Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers explain. "These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."
If the KeePass devs don't release a version of the app that addresses this issue, BleepingComputer notes "you could still secure your database by logging in as a system admin and creating an enforced configuration file."

"This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue."
The Internet

Massive Yandex Code Leak Reveals Russian Search Engine's Ranking Factors (arstechnica.com) 24

An anonymous reader quotes a report from Ars Technica: Nearly 45GB of source code files, allegedly stolen by a former employee, have revealed the underpinnings of Russian tech giant Yandex's many apps and services. It also revealed key ranking factors for Yandex's search engine, the kind almost never revealed in public. [...] While it's not clear whether there are security or structural implications of Yandex's source code revelation, the leak of 1,922 ranking factors in Yandex's search algorithm is certainly making waves. SEO consultant Martin MacDonald described the hack on Twitter as "probably the most interesting thing to have happened in SEO in years" (as noted by Search Engine Land). In a thread detailing some of the more notable factors, researcher Alex Buraks suggests that "there is a lot of useful information for Google SEO as well."

Yandex, the fourth-ranked search engine by volume, purportedly employs several ex-Google employees. Yandex tracks many of Google's ranking factors, identifiable in its code, and competes heavily with Google. Google's Russian division recently filed for bankruptcy after losing its bank accounts and payment services. Buraks notes that the first factor in Yandex's list of ranking factors is "PAGE_RANK," which is seemingly tied to the foundational algorithm created by Google's co-founders.

As detailed by Buraks (in two threads), Yandex's engine favors pages that:
- Aren't too old
- Have a lot of organic traffic (unique visitors) and less search-driven traffic
- Have fewer numbers and slashes in their URL
- Have optimized code rather than "hard pessimization," with a "PR=0"
- Are hosted on reliable servers
- Happen to be Wikipedia pages or are linked from Wikipedia
- Are hosted or linked from higher-level pages on a domain
- Have keywords in their URL (up to three)

Security

JD Sports Admits Intruder Accessed 10 Million Customers' Data (theregister.com) 6

Sports fashion retailer JD Sports has confirmed miscreants broke into a system that contained data on a whopping 10 million customers, but no payment information was among the mix. The Register reports: In a post to investors this morning, the London Stock Exchange-listed business said the intrusion related to infrastructure that housed data for online orders from sub-brands including JD, Size?, Millets, Blacks, Scotts and MilletSport between November 2018 and October 2020. The data accessed consisted of customer name, billing address, delivery address, phone number, order details and the final four digits of payment cards "of approximately 10 million unique customers." The company does "not hold full payment card details" and said that it has "no reason to believe that account passwords were accessed."

As is customary in such incidents, JD Sports has contacted the relevant authorities such as the Information Commissioner's Office and says it has enlisted the help of "leading cyber security experts." The chain has stores across Europe, with some operating in North America and Canada. It also operates some footwear brands including Go Outdoors and Shoe Palace.
"We want to apologize to those customers who may have been affected by this incident," said Neil Greenhalgh, chief financial officer at JD Sports. "We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these."

He added: "We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD."
Businesses

Amazon is Selling Its 29-Acre Bay Area Property as Return to Office Stalls (msn.com) 69

Amazon is "selling a vacant Bay Area office complex purchased about 16 months ago," reports Bloomberg, "the company's latest effort to unwind a pandemic-era expansion that left it with a surfeit of warehouses and employees." Amazon in October 2021 paid $123 million for the 29-acre property in Milpitas, California, part of a strategy to lock up real estate near big cities that could be used for new warehouses and facilitate future growth.... Amazon is expected to take a loss on the sale of the Metro Corporate Center, according to one person familiar with the terms of the deal, who spoke on condition of anonymity....

Amazon last year began its biggest-ever round of job cuts that will ultimately affect 18,000 workers around the globe. The world's largest e-commerce company, which is scheduled to report earnings on Feb. 2, warned investors that fourth-quarter sales growth would be the slowest in its history.

SFGate writes that the possible sale "is indicative of broader trends in Bay Area corporate real estate, which has struggled with remote work, tech layoffs and broader economic shifts."

"According to a report by commercial real estate firm Kidder Mathews, direct office vacancies in San Francisco rose to more than 18.4% in the fourth quarter of 2022, while a Kastle Systems report found that office occupancy rates rose to 41.8%, just 1% higher than the rates in September 2022."
Google

Do 'Layoffs By Email' Show What Employers Really Think of Their Workers? (nytimes.com) 208

When Google laid off 6% of its workforce — some of whom had worked for the company for decades — employees "got the news in their inbox," writes Gawker's founding editor in a scathing opinion piece in the New York Times: That sting is becoming an all-too-common sensation. In the last few years, tens of thousands of people have been laid off by email at tech and digital media companies including Twitter, Amazon, Meta and Vox. The backlash from affected employees has been swift.... It's not just tech and media. Companies in a range of industries claim this is the only efficient way to do a lot of layoffs. Informing workers personally is too complicated, they say — and too risky, as people might use their access to internal systems to perform acts of sabotage. (These layoff emails are often sent to employees' personal email; by the time they check it, they've been locked out of all their employer's own platforms.)

As someone who's managed people in newsrooms and digital start-ups and has hired and fired people in various capacities for the last 21 years, I think this approach is not just cruel but unnecessary. It's reasonable to terminate access to company systems, but delivering the news with no personal human contact serves only one purpose: letting managers off the hook. It ensures they will not have to face the shock and devastation that people feel when they lose their livelihoods. It also ensures the managers won't have to weather any direct criticism about the poor leadership that brought everyone to that point.... Future hiring prospects will be reading all about it on Twitter or Glassdoor. In a tight labor market, a company's cruelty can leave a lasting stain on its reputation....

The expectation that an employee give at least two weeks notice and help with transition is rooted in a sense that workers owe their employers something more than just their labor: stability, continuity, maybe even gratitude for the compensation they've earned. But when it's the company that chooses to end the relationship, there is often no such requirement. The same people whose labor helped build the company get suddenly recoded as potential criminals who might steal anything that's not nailed down....

Approval of unions is already at 71 percent. Dehumanizing workers like this is accelerating the trend. Once unthinkable, unionization at large tech companies now seems all but inevitable. Treating employees as if they're disposable units who can simply be unsubscribed to ultimately endangers a company's own interests. It seems mistreated workers know their value, even if employers — as they are increasingly prone to demonstrate — do not.
