Government

Can Cities Transform 'Dead Downtowns' by Converting Offices Into Apartments? (washingtonpost.com)

The Washington Post's editorial board recently commented on the problem of America's "dead downtowns." Tourists are back, but office workers are still missing in action.... "[R]estaurants, coffee hangouts, stores and transit systems cannot sustain themselves without more people in center cities...."

The problem? America "is in the midst of one of the biggest workforce shifts in generations: Many now have experienced what it is like to work from home and have discovered they prefer it."

Their proposed solution? The Post's editorial board is urging cities to adapt to the new reality of workers wanting to work two or three days remotely, in part by converting commercial offices to apartments and entertainment venues. The goal is a "24/7" downtown with ample work spaces, apartments, parks and entertainment venues that draw people in during the day and have a core of residents who keep the area vibrant after commuters go home.... Office use isn't going back to pre-pandemic levels. Even Texas cities that did not shut down during the worst of the pandemic are 20 to 30 percent below 2019 office occupancy. New York, Los Angeles and D.C. are still down more than 40 percent. This is a classic oversupply problem. Cities have too much office space, especially in the older buildings that companies are fleeing as they seek out new construction with more light and flexible space.

Mayors and city lawmakers have reason to be bold in seizing this opportunity. There's growing interest among developers and investors who want to be a part of the office-to-apartment revolution. They are already eyeing the easiest buildings to convert: The ones with elevators in the middle, windows and light on all sides, and the right length and width. The challenge for city leaders is to generate interest in the buildings that are "maybe" candidates for conversion.

The Post's suggestions include announcing targets for new residents living downtown, and speeding up city approvals like permitting and rezoning. "America's cities are ripe for new skylines and fresh streetscapes. The best leaders will get going soon."
Apple

Apple Agrees to Audit of Its Labor Practices After Pressure from Investors (nytimes.com)

The New York Times reports: Apple will conduct an assessment of its U.S. labor practices under an agreement with a coalition of investors that includes five New York City pension funds. The assessment will focus on whether Apple is complying with its official human rights policy as it relates to "workers' freedom of association and collective bargaining rights in the United States," the company said in a filing last week with the Securities and Exchange Commission.

The audit comes amid complaints by federal regulators and employees that the company has repeatedly violated workers' labor rights as they have sought to unionize over the past year. Apple has denied the accusations. "There's a big apparent gap between Apple's stated human rights policies regarding worker organizing, and its practices," said Brad Lander, the New York City comptroller, who helped initiate the discussion with Apple on behalf of the city's public worker pension funds....

The investor coalition that pushed for the labor assessment argues that Apple's response to the union campaigns is at odds with its human rights policy because that policy commits it to respect the International Labor Organization's Declaration on Fundamental Principles and Rights at Work, which includes "freedom of association and the effective recognition of the right to collective bargaining."

"Apple offered few details, saying that it would conduct the assessment by the end of the year and that it would publish a report related to the assessment."
Security

PayPal Accounts Breached in Large-Scale Credential Stuffing Attack (bleepingcomputer.com)

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. From a report: Credential stuffing attacks are those in which hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."

PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them. According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.

Security

T-Mobile Suffers Another Data Breach, Affecting 37 Million Accounts (cnet.com)

The nation's second-largest wireless carrier on Thursday disclosed that a "bad actor" took advantage of one of its application programming interfaces to gain data on "approximately 37 million current postpaid and prepaid customer accounts." CNET reports: In an 8K filing with the US Securities and Exchange Commission, the carrier says that it was able to trace and stop the "malicious activity" within a day of learning about it. T-Mobile also says that the API that was used does not allow for access to "any customer payment card information, Social Security numbers/tax IDs, driver's license or other government ID numbers, passwords/PINs or other financial account information." According to the filing, the carrier believes that the breach first occurred "on or around" Nov. 25, 2022. The carrier didn't learn that a "bad actor" was getting data from its systems until Jan. 5.

The company's API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts. The company said in the SEC filing that it has "begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements."
In 2021, T-Mobile suffered a data breach that exposed data of roughly 76.6 million people. "T-Mobile agreed to a $500 million settlement in the case in July, with $350 million going to settle customer claims from a class action lawsuit and $150 million going to upgrade its data protection system," adds CNET.
Security

Fewer Companies Are Paying Ransoms To Hackers, Researchers Say (bloomberg.com)

Fewer companies that are infected with ransomware are coughing up extortion payments demanded by hackers, according to new research from Chainalysis. From a report: In findings published on Thursday, the blockchain forensics firm estimated that ransom payments -- which are almost always paid in cryptocurrency -- fell to $456.8 million in 2022 from $765.6 million in 2021, a 40% drop. "That doesn't mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest," according to the report. "Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers." Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers haven't yet identified.
Encryption

iOS 16.3 Expands Advanced Data Protection Option For iCloud Encryption Globally (macrumors.com)

Apple today announced that Advanced Data Protection is expanding beyond the United States. MacRumors reports: Starting with iOS 16.3, the security feature will be available globally, giving users the option to enable end-to-end encryption for many additional iCloud data categories, including Photos, Notes, Voice Memos, Messages backups, device backups, and more. iOS 16.3 is currently in beta and expected to be released to the public next week.

By default, Apple stores encryption keys for some iCloud data types on its servers to ensure that users can recover their data if they lose access to their Apple ID account. If a user enables Advanced Data Protection, the encryption keys are deleted from Apple's servers and stored on a user's devices only, preventing Apple, law enforcement, or anyone else from accessing the data, even if iCloud servers were to be breached.

iCloud already provides end-to-end encryption for 14 data categories without Advanced Data Protection turned on, including Messages (excluding backups), passwords stored in iCloud Keychain, Health data, Apple Maps search history, Apple Card transactions, and more. Advanced Data Protection expands this protection to the vast majority of iCloud categories, with major exceptions including the Mail, Contacts, and Calendar apps.
For more information, you can read Apple's Advanced Data Protection support document.
Security

Mailchimp Says It Was Hacked - Again (techcrunch.com)

Email marketing and newsletter giant Mailchimp says it was hacked and that dozens of customers' data was exposed. From a report: It's the second time the company was hacked in the past six months. Worse, this breach appears to be almost identical to a previous incident. Mailchimp said in an unattributed blog post that its security team detected an intruder on January 11 accessing one of its internal tools used by Mailchimp customer support and account administration, though the company did not say for how long the intruder was in its systems, if known. Mailchimp said the hacker targeted its employees and contractors with a social engineering attack. The hacker then used those compromised employee passwords to gain access to data on 133 Mailchimp accounts, which the company notified of the intrusion. One of those targeted accounts belongs to e-commerce giant WooCommerce. In a note to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed the names, store web addresses and email addresses of its customers, though it said no customer passwords or other sensitive data was taken.
Security

More Than 4,400 Sophos Firewall Servers Remain Vulnerable To Critical Exploits (arstechnica.com)

More than 4,400 Internet-exposed servers are running versions of the Sophos Firewall that are vulnerable to a critical exploit that allows hackers to execute malicious code, a researcher has warned. From a report: CVE-2022-3236 is a code-injection vulnerability allowing remote code execution in the User Portal and Webadmin of Sophos Firewalls. It carries a severity rating of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned it had been exploited in the wild as a zero-day. The security company urged customers to install a hotfix and, later on, a full-blown patch to prevent infection.

According to recently published research, more than 4,400 servers running the Sophos firewall remain vulnerable. That accounts for about 6 percent of all Sophos firewalls, security firm VulnCheck said, citing figures from a search on Shodan. "More than 99% of Internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236," VulnCheck researcher Jacob Baines wrote. "But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It's likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable."

Microsoft

Microsoft To Cut Thousands of Jobs Across Divisions (reuters.com)

Microsoft plans to cut thousands of jobs with some roles expected to be eliminated in human resources and engineering divisions, according to media reports on Tuesday. From a report: The expected layoffs would be the latest in the U.S. technology sector, where companies including Amazon.com and Meta have announced retrenchment exercises in response to slowing demand and a worsening global economic outlook. Microsoft's move could indicate that the tech sector may continue to shed jobs.

"From a big picture perspective, another pending round of layoffs at Microsoft suggests the environment is not improving, and likely continues to worsen," Morningstar analyst Dan Romanoff said. U.K. broadcaster Sky News reported, citing sources, that Microsoft plans to cut about 5% of its workforce, or about 11,000 roles.

Security

MSI Accidentally Breaks Secure Boot for Hundreds of Motherboards

Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature. From a report: This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue. The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.
Encryption

CircleCI Says Hackers Stole Encryption Keys and Customers' Secrets (techcrunch.com)

Last month, CircleCI urged users to rotate their secrets following a breach of the company's systems. The company confirmed in a blog post on Friday that some customers' data was stolen in the breach. While the customer data was encrypted, cybercriminals obtained the encryption keys able to decrypt the data. TechCrunch reports: The company said in a detailed blog post on Friday that it identified the intruder's initial point of access as an employee's laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication. The company took the blame for the compromise, calling it a "systems failure," adding that its antivirus software failed to detect the token-stealing malware on the employee's laptop. Session tokens allow a user to stay logged in without having to keep re-entering their password or re-authorizing using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to differentiate between a session token of the account owner, or a hacker who stole the token.

CircleCI said the theft of the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company's production systems, which store customer data. "Because the targeted employee had privileges to generate production access tokens as part of the employee's regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys," said Rob Zuber, the company's chief technology officer. Zuber said the intruders had access from December 16 through January 4.

Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data. "We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores," Zuber added. Several customers have already informed CircleCI of unauthorized access to their systems, Zuber said. Zuber said that CircleCI employees who retain access to production systems "have added additional step-up authentication steps and controls," which should prevent a repeat incident, likely by way of using hardware security keys.
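The report describes a stolen session token being replayed to mint production access tokens, and the remedy of "step-up authentication" for production access. The following is an added illustration of that control written for this summary (it is not CircleCI's code and its policy values, action names and the `client_fingerprint` binding are assumptions): a session cookie alone is never enough for a privileged action; the user must have completed MFA within a short freshness window, so a replayed token from an old session is stopped at the step-up check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy, not CircleCI's: these actions require a recent MFA completion
# even when the session cookie itself is still valid.
STEP_UP_ACTIONS = {"generate_production_token", "read_customer_secrets"}
STEP_UP_MAX_AGE = timedelta(minutes=10)   # how fresh the last MFA must be
SESSION_MAX_AGE = timedelta(hours=12)     # hard cap on session lifetime


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_strong_auth_at: datetime   # last time the user completed MFA
    client_fingerprint: str         # assumed binding to the issuing client


class StepUpRequired(Exception):
    """Caller must complete MFA again before retrying this action."""


class Denied(Exception):
    """Session is unusable for this request."""


def authorize(session: Session, action: str, now: datetime,
              client_fingerprint: str) -> bool:
    """Gate an action on session validity, client binding and step-up freshness."""
    if now - session.issued_at > SESSION_MAX_AGE:
        raise Denied("session expired")
    if client_fingerprint != session.client_fingerprint:
        # A replayed token presented from another client fails the binding check.
        raise Denied("session presented from a different client")
    if action in STEP_UP_ACTIONS and \
            now - session.last_strong_auth_at > STEP_UP_MAX_AGE:
        raise StepUpRequired(action)
    return True


def complete_step_up(session: Session, now: datetime, mfa_ok: bool) -> None:
    """Record a fresh MFA completion; without MFA the step-up cannot be satisfied."""
    if not mfa_ok:
        raise Denied("mfa failed")
    session.last_strong_auth_at = now


def replay_scenario() -> dict:
    """Constructed scenario: a token stolen from a laptop is replayed hours later."""
    t0 = datetime(2022, 12, 16, 9, 0)
    legit = Session("employee", t0, t0, "laptop-fp")
    outcome = {}
    # Employee, minutes after login, on their own machine: allowed.
    outcome["owner_ok"] = authorize(legit, "generate_production_token",
                                    t0 + timedelta(minutes=3), "laptop-fp")
    # Same token replayed from a different client: binding check denies it.
    try:
        authorize(legit, "generate_production_token",
                  t0 + timedelta(hours=2), "attacker-fp")
        outcome["replay_other_client"] = "allowed"
    except Denied:
        outcome["replay_other_client"] = "denied"
    # Replayed from the same fingerprint (malware on the laptop): step-up needed.
    try:
        authorize(legit, "generate_production_token",
                  t0 + timedelta(hours=2), "laptop-fp")
        outcome["replay_same_client"] = "allowed"
    except StepUpRequired:
        outcome["replay_same_client"] = "step_up_required"
    # Non-privileged action on the stale-MFA session is still fine.
    outcome["low_priv_ok"] = authorize(legit, "view_dashboard",
                                       t0 + timedelta(hours=2), "laptop-fp")
    return outcome


if __name__ == "__main__":
    print(replay_scenario())
```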

Communications

Russian Strikes Sap Ukraine Mobile Network of Vital Power (wsj.com)

Russia's attacks on Ukraine's electrical grid are straining the war-torn country's mobile-telephone network, leading to a global hunt for batteries and other equipment critical for keeping the communications system working. From a report: Ukraine's power outages aren't just putting out the lights. The electricity shortages also affect water supplies, heating systems, manufacturing and the cellular-telephone and internet network, a vital communications link in a nation where fixed-line telephones are uncommon. Consumers can charge their cellphones at cafes or gas stations with generators, but the phones have to communicate with base stations whose antennas and switching equipment need large amounts of power. With rolling blackouts now a regular feature of life in Ukraine, the internet providers are relying on batteries to keep the network going.

The stakes are high, since Ukrainian officials are using positive news of the war, speeches by President Volodymyr Zelensky and videos distributed by cellphone to maintain popular support for fighting Russia. First responders and evacuees rely on the mobile network, and a long-term loss of communications in major cities would compound the existing problems of electrical, heating and water outages, the companies say. Labor shortages have exacerbated the mobile-network issues as many Ukrainians have been displaced by the war or gone to the front to fight. In December, the chief executive of Ukraine's Lifecell mobile operator, Ismet Yazici, went into the field himself to wheel in a generator and restore backup power at a cell tower, according to the company. But the biggest problem is power equipment.

Games

Videogame Studio Called 'Proletariat' Declines to Recognize Union (msn.com)

An anonymous reader shares a report from the Washington Post: Staff at Activision Blizzard-owned video game studio Proletariat — whose name is a term for the working class — announced their intention to form a union in December of last year. "Well, what'd you expect?" the Proletariat Workers Alliance wrote on Twitter at the time. Earlier this week, however, Proletariat leadership shared an update: Instead of voluntarily recognizing the union, it will conduct an anonymous vote through the National Labor Relations Board.

Proletariat owner Activision Blizzard has been accused of employing union-busting tactics in its negotiations with two other subsidiaries that have voted to unionize, Raven Software and Blizzard Albany.

IT

'Job Interviews are a Nightmare - and Only Getting Worse' (vox.com)

"It often feels like you're tossing your resume into the abyss and praying to the recruitment gods for a response," writes Vox.

But then the real ordeal begins: Companies are seemingly coming up with new, higher, and harder hoops to jump through at every turn. That translates to endless rounds of interviews, various arbitrary tests, and complex exercises and presentations that entail hours of work and prep. There can be good reasons for firms to do this — they really want to make sure they get the right person, and they're trying to reduce biases — but it's hard not to feel like it can just be too much.

"There's no reason why 10 years ago we were able to hire people on two interviews and now it's taking 20 rounds of interviews," said Maddie Machado, a career strategist who has previously worked as a recruiter at companies such as LinkedIn, Meta, and Microsoft. "It's kind of like dating. When you go on a first date, you need a second date. You don't need 20 dates to know if you like somebody...."

Another man was told to start looking for apartments across the country after being flown out for a final interview, only to follow up a couple of weeks later and learn that the recruiter simply forgot to tell him he hadn't gotten the job. "My interviewing experiences have been worse than dating, with the ghosting and non-responses," he said....

There's no denying that over the years, in many instances, the hiring process has gotten harder and more convoluted. A 2022 survey from hiring software company Greenhouse found that 60 percent of job seekers were "unimpressed by time-consuming recruitment processes...." The pandemic and current economic conditions may be exacerbating employers' anxiety even more. Sondra Levitt [a leadership and career coach with Korn Ferry, an organizational consulting firm] said she thinks many firms feel like they "jumped too fast" to make hires amid the great resignation or great reshuffle, as for much of 2021 and 2022 workers hopped jobs in droves. The pendulum is swinging the other way now, with managers being extra careful to do their due diligence, especially as the economy looks rocky.

"Perhaps the simplest answer to why companies make it so hard is that they can," the article concludes. Job-hunters have faced IQ tests, credit checks, and even reviews of their grades from high school. (I still remember one employer who asked everyone to take the Meyers-Briggs personality test.)

And it's painfully annoying to do multiple rounds of interviews — and then be rejected.
Security

Leaker Releases Valve Assets From Repository (gamerant.com)

An anonymous reader quotes a report from Game Rant: A Discord user has just released various development assets from Valve's repository. It is not an isolated case as Valve is a constant target of hackers and the like. There have been multiple instances wherein concept images or artwork randomly surface on the internet. Valve is a globally recognized company whose games such as Half-Life, Portal, and Team Fortress have grown its large fan base. Its games go through a lengthy development process, which is the reason hundreds to thousands of documents, photos, and such are accumulated during this period. Only a limited number of staff with a Source developer license would have had access to the repository. As such, the files might have been more secure if access was limited.

Twitter user sylvia_braixen stated that one of the biggest Valve data breaches had just occurred. Not long after, they shared screenshots showing the various drops made onto a Discord server. They believe that the files were from the same wave of uploads that users got a taste of as early as 2016. According to the screenshots, the uploads were done by a user named Leakerwanderer, who had access to the Valve repository. Titles such as Half-Life and Team Fortress 2 are no strangers to leaks, and they were among those that had their assets shown this time as well.

Currently, the documents are accessible via a Discord server named Valve Cut Content. However, upon checking, the server is not accepting new members because of the recent flood of users who have tried to check out the files. With the gravity of the leak, people are left wondering if this data breach is a targeted attack, especially since a recent Valve prototype of Left 4 Dead surfaced online just a few days before. It seems that may have served as a precursor to this bigger repository leak.

Android

Android TV Box On Amazon Came Pre-Installed With Malware (bleepingcomputer.com)

A Canadian systems security consultant discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware. BleepingComputer reports: The malware was discovered by Daniel Milisic, who created a script and instructions to help users nullify the payload and stop its communication with the C2 (command and control) server. The device in question is the T95 Android TV box with an AllWinner T616 processor, widely available through Amazon, AliExpress, and other big e-commerce platforms. It is unclear if this single device was affected or if all devices from this model or brand include the malicious component.

Milisic believes the malware installed on the device is a strain that resembles 'CopyCat,' a sophisticated Android malware first discovered by Check Point in 2017. This malware was previously seen in an adware campaign where it infected 14 million Android devices to make its operators over $1,500,000 in profits. The analyst tested the stage-1 malware sample on VirusTotal, where it returns only 13 detections out of 61 AV engine scans, classified with the generic term of an Android trojan downloader. [...]

Unfortunately, these inexpensive Android-based TV box devices follow an obscure route from manufacturing in China to global market availability. In many cases, these devices are sold under multiple brands and device names, with no clear indication of where they originate. [...] To avoid such risks, you can pick streaming devices from reputable vendors like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Security

NortonLifeLock Warns That Hackers Breached Password Manager Accounts (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms. "Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," NortonLifeLock said. "This username and password combination may potentially also be known to others."

More specifically, the notice explains that around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts. The firm detected "an unusually large volume" of failed login attempts on December 12, 2022, indicating credential stuffing attacks where threat actors try out credentials in bulk. By December 22, 2022, the company had completed its internal investigation, which revealed that the credential stuffing attacks had successfully compromised an undisclosed number of customer accounts: "In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address." For customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults. Depending on what users store in their accounts, this could lead to the compromise of other online accounts, loss of digital assets, exposure of secrets, and more.
Norton has reset passwords on impacted accounts and implemented additional measures to counter the malicious attempts. They're recommending customers enable two-factor authentication and take up the offer for a credit monitoring service.
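Both the PayPal and the Norton items above describe the same pattern: valid credentials, so every login succeeds at the password check, and the only early signal is "an unusually large volume" of failed attempts as the bot works through its list. The following is an added example, not from either report, of detection logic run over constructed authentication log lines (the log format, thresholds and IP addresses are assumptions): it separates credential stuffing (one source, many distinct accounts) from a plain brute force on one account, and records which accounts the stuffing source did get into so they can be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic); the line format is assumed.
SAMPLE_LOG = """\
2022-12-12T03:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2022-12-12T03:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2022-12-12T03:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2022-12-12T03:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2022-12-12T03:00:03Z ip=203.0.113.7 user=erin@example.com result=OK
2022-12-12T03:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2022-12-12T03:00:05Z ip=203.0.113.7 user=grace@example.com result=FAIL
2022-12-12T03:01:10Z ip=198.51.100.9 user=alice@example.com result=FAIL
2022-12-12T03:01:11Z ip=198.51.100.9 user=alice@example.com result=FAIL
2022-12-12T03:01:12Z ip=198.51.100.9 user=alice@example.com result=FAIL
2022-12-12T03:01:13Z ip=198.51.100.9 user=alice@example.com result=FAIL
2022-12-12T03:01:14Z ip=198.51.100.9 user=alice@example.com result=FAIL
2022-12-12T03:01:15Z ip=198.51.100.9 user=alice@example.com result=FAIL
2022-12-12T03:05:00Z ip=192.0.2.44 user=heidi@example.com result=OK
2022-12-12T03:09:00Z ip=192.0.2.44 user=heidi@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Parse lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect(events, window=timedelta(minutes=5), min_failures=5, min_distinct_users=5):
    """Slide a time window over each source IP's events.

    A source with >= min_failures failed logins in the window is flagged as
    'credential_stuffing' when those failures spread over >= min_distinct_users
    accounts, else as 'brute_force'. Accounts that logged in successfully from a
    flagged source are listed so they can be reset. Thresholds are assumptions.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            fails = [u for _, u, ok in window_evs if not ok]
            if len(fails) < min_failures:
                continue
            distinct = len(set(fails))
            kind = "credential_stuffing" if distinct >= min_distinct_users else "brute_force"
            finding = {
                "kind": kind,
                "failures": len(fails),
                "distinct_users": distinct,
                "successes": sorted({u for _, u, ok in window_evs if ok}),
            }
            # Keep the busiest window seen for this source.
            if ip not in findings or finding["failures"] > findings[ip]["failures"]:
                findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, f in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```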
Google

Google Says India Antitrust Order Poses Threat To National Security (techcrunch.com)

Google warned on Friday that if the Indian antitrust watchdog's ruling is allowed to progress it would result in devices getting expensive in the South Asian market and lead to proliferation of unchecked apps that will pose threats for individual and national security, escalating its concerns over the future of Android in the key overseas region. From a report: "Predatory apps that expose users to financial fraud, data theft and a number of other dangers abound on the internet, both from India and other countries. While Google holds itself accountable for the apps on Play Store and scans for malware as well as compliance with local laws, the same checks may not be in place for apps sideloaded from other sources," the company wrote in a blog post, titled "Heart of the Matter." The Competition Commission of India has slapped two fines against Google, alleging the Android-maker abused the Play Store's dominant position in the country and required Android device makers to pre-install its entire Google Mobile Suite.
Security

Vulnerability With 9.8 Severity in Control Web Panel is Under Active Exploit (arstechnica.com)

Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting. ArsTechnica reports: "This is an unauthenticated RCE," members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. "Exploitation is trivial and a PoC published." PoC refers to a proof-of-concept code that exploits the vulnerability. The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Turle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn't go public until earlier this month, however, making it likely some users still aren't aware of the threat.

Figures provided by Security firm GreyNoise show that attacks began on January 7 and have slowly ticked up since then, with the most recent round continuing through Wednesday. The company said the exploits are coming from four separate IP addresses located in the US, Netherlands, and Thailand. Shadowserver shows that there are roughly 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America, and Asia. The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. "Bash commands can be run because double quotes are used to log incorrect entries to the system," the advisory for the vulnerability stated. As a result, unauthenticated hackers can execute malicious commands during the login process.

Software

Woman Ordered To Repay Employer After Software Shows 'Time Theft' (theguardian.com)

An anonymous reader quotes a report from The Guardian: A Canadian woman has been ordered by a civil tribunal to compensate her former employer for "time theft" after she was caught misrepresenting hours worked by controversial tracking software. Karlee Besse, who worked remotely as an accountant in British Columbia, initially claimed she was fired from her job without cause last year and sought $3,729 in compensation -- both in unpaid wages and severance. But the company, Reach CPA, told the tribunal Besse had logged more than 50 hours that "did not appear to have spent on work-related tasks."

Reach said it installed employee-tracking software called TimeCamp on Besse's work laptop after it found her assigned files were over budget and behind schedule, a strategy companies are increasingly taking in the era of remote work. The software tracks how long a document is open, how the employee uses the document and logs the time as work. Weeks later, the company said an analysis "identified irregularities between her timesheets and the software usage logs." While Besse told the tribunal she found the program "difficult" and worried it didn't differentiate between work and personal use, the company demonstrated how TimeCamp automatically makes those distinctions, separating time logs for work from activities such as using the laptop to stream movies and television shows.

Besse said she had printed documents to work on, but did not tell Reach she was using hard copy because she "knew they wouldn't want to hear that" and she was afraid of repercussions. The company said that the software also tracks printing -- and that few documents had been logged as printed. It also said any work from the printed documents would have needed to be input into the company's software, which never happened. [...] The judge tossed out Besse's claim of wrongful termination and ordered her to pay $1,840.27, both in returned wages and as part of a previous advance she had received from the company.