Chrome

Google is Tweaking Chrome's Search Bar To Make It Easier To Navigate the Web (theverge.com) 25

Google is making a few changes to the way its search and address bar -- known as the omnibox -- works in the Chrome browser. The changes are individually pretty small, but there's an important and somewhat unexpected trend in them all: Google is making it easier for you to move around the web without having to do so many Google searches. From a report: If you're in Chrome on desktop or mobile, the browser will now try and correct your URL typos, so when you type thevrege.com or ninteendo.com, you'll get autocomplete suggestions based on the right site and not whatever is behind those misspelled domains. The omnibox's autocomplete will now be smarter in general, predicting the site you're looking for based on keywords rather than just guessing what URL you're typing. Chrome can also now search within your bookmarks for sites and files related to what you're typing.

All those features are based on your own browsing history and bookmarks, so it's just Chrome becoming slightly more personalized. But the last change is web-wide and is pretty off-brand for Google: when you start to type in the name of a popular website, the omnibox will show that site's URL in the list of suggestions, and you can select it to go right to that site. (You might have seen this one already: it's been rolling out for a couple of weeks and should be live to everyone now.)

Security

Russia and China-backed Hackers Are Exploiting WinRAR Zero-Day Bug, Google Says (techcrunch.com) 40

Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting a since-patched vulnerability in WinRAR, the popular shareware archiving tool for Windows. From a report: The WinRAR vulnerability, first discovered by cybersecurity company Group-IB earlier this year and tracked as CVE-2023-38831, allows attackers to hide malicious scripts in archive files that masquerade as seemingly innocuous images or text documents. Group-IB said the flaw was exploited as a zero-day -- since the developer had zero time to fix the bug before it was exploited -- as far back as April to compromise the devices of at least 130 traders.

Rarlab, which makes the archiving tool, released an updated version of WinRAR (version 6.23) on August 2 to patch the vulnerability. Despite this, Google's Threat Analysis Group (TAG) said this week that its researchers have observed multiple government-backed hacking groups exploiting the security flaw, noting that "many users" who have not updated the app remain vulnerable. In research shared with TechCrunch ahead of its publication, TAG says it has observed multiple campaigns exploiting the WinRAR zero-day bug, which it has tied to state-backed hacking groups with links to Russia and China.

Security

Why Switzerland's E-Voting System Is a Bad Idea (schneier.com) 65

Last year, Andrew Appel, professor of computer science at Princeton University, wrote a 5-part series about Switzerland's e-voting system, highlighting the inherent security vulnerabilities it faces and the safeguards the country has in place. Now, he's writing about an interesting new vulnerability in the system that can be exploited to manipulate votes without anyone knowing. The vulnerability was discovered by Swiss computer scientist Andreas Kuster. From a blog post written by security technologist Bruce Schneier: "The Swiss Post e-voting system aims to protect your vote against vote manipulation and interference. The goal is to achieve this even if your own computer is infected by undetected malware that manipulates a user vote. This protection is implemented by special return codes (Prüfcode), printed on the sheet of paper you receive by physical mail. Your computer doesn't know these codes, so even if it's infected by malware, it can't successfully cheat you as long as you follow the protocol.

Unfortunately, the protocol isn't explained to you on the piece of paper you get by mail. It's only explained to you online, when you visit the e-voting website. And of course, that's part of the problem! If your computer is infected by malware, then it can already present to you a bogus website that instructs you to follow a different protocol, one that is cheatable. To demonstrate this, I built a proof-of-concept demonstration."

Appel again: "Kuster's fake protocol is not exactly what I imagined; it's better. He explains it all in his blog post. Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what's on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn't know what's on the paper, that web-form entry is just for show. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video."
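
A toy model of the return-code check and of Kuster's substitution, added here as an illustration; it is neither Swiss Post's code nor Kuster's proof of concept. The candidate names, the per-voter key and the HMAC-based code derivation are constructed, and the `instructions_on_paper` flag models the fix the post implies (printing the protocol on the sheet so the voter knows a code is to be compared, never typed):

```python
from __future__ import annotations

import hmac

CANDIDATES = ("Alice", "Bob", "Carol")          # constructed ballot


def paper_return_codes(voter_key: bytes) -> dict[str, str]:
    """Codes printed on the voter's sheet, one per candidate.

    Constructed derivation (HMAC of the candidate name, truncated); the real
    system uses its own cryptography. Only the server and the paper know these;
    the voter's PC never does.
    """
    return {c: hmac.new(voter_key, c.encode(), "sha256").hexdigest()[:8].upper()
            for c in CANDIDATES}


class VotingServer:
    """Records one vote and answers with the code for the vote it actually recorded."""

    def __init__(self, voter_key: bytes) -> None:
        self._codes = paper_return_codes(voter_key)
        self.recorded: str | None = None

    def cast(self, candidate: str) -> str:
        self.recorded = candidate
        return self._codes[candidate]


class Voter:
    """The human: holds the paper sheet and follows the instructions they trust."""

    def __init__(self, intended: str, paper: dict[str, str], instructions_on_paper: bool) -> None:
        self.intended = intended
        self.paper = paper
        # True models the fix the post implies: the sheet itself says
        # "compare the code the site shows with this paper; never type it in".
        self.instructions_on_paper = instructions_on_paper

    def check_displayed(self, shown: str) -> bool:
        return shown == self.paper[self.intended]

    def asked_to_type_code(self) -> str | None:
        # A voter whose paper explains the protocol refuses this prompt.
        if self.instructions_on_paper:
            return None
        return self.paper[self.intended]


def honest_client(server: VotingServer, voter: Voter, _swapped: str) -> bool:
    """Protocol as designed: the server's code is shown; the voter compares it."""
    shown = server.cast(voter.intended)
    return voter.check_displayed(shown)


def malware_display_variant(server: VotingServer, voter: Voter, swapped: str) -> bool:
    """Swaps the vote but keeps the display protocol: the shown code will not match."""
    shown = server.cast(swapped)
    return voter.check_displayed(shown)


def malware_entry_variant(server: VotingServer, voter: Voter, swapped: str) -> bool:
    """Kuster's variant: swap the vote, then ask the voter to *enter* the code.

    The fake page cannot check what is typed (it never had the codes), so it
    reports success for anything; only a refusal to type stops it.
    """
    server.cast(swapped)
    typed = voter.asked_to_type_code()
    return typed is not None


def run(client, intended: str = "Alice", swapped: str = "Bob",
        instructions_on_paper: bool = False) -> tuple[str | None, bool, bool]:
    """Return (vote recorded, voter accepted the outcome, manipulation went unnoticed)."""
    key = b"constructed-per-voter-key"
    server = VotingServer(key)
    voter = Voter(intended, paper_return_codes(key), instructions_on_paper)
    accepted = client(server, voter, swapped)
    unnoticed = accepted and server.recorded != intended
    return server.recorded, accepted, unnoticed


if __name__ == "__main__":
    print("honest client:                  ", run(honest_client))
    print("swap, code displayed:           ", run(malware_display_variant))
    print("swap, code typed in (Kuster):   ", run(malware_entry_variant))
    print("same, protocol printed on paper:", run(malware_entry_variant, instructions_on_paper=True))
```

The display-based check catches the swap because the malware cannot produce the paper's code; the entry-based "check" passes because nothing is compared, and it only fails once the voter has been told out of band never to type a code.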

Crime

Tech CEO Sentenced To 5 Years in IP Address Scheme (krebsonsecurity.com) 58

Amir Golestan, the 40-year-old CEO of the Charleston, S.C.-based technology company Micfo, has been sentenced to five years in prison for wire fraud. From a report: Golestan's sentencing comes nearly two years after he pleaded guilty to using an elaborate network of phony companies to secure more than 735,000 Internet Protocol (IP) addresses from the American Registry for Internet Numbers (ARIN), the nonprofit which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean.

In 2018, ARIN sued Golestan and Micfo, alleging they had obtained hundreds of thousands of IP addresses under false pretenses. ARIN and Micfo settled that dispute in arbitration, with Micfo returning most of the addresses that it hadn't already sold. ARIN's civil case caught the attention of federal prosecutors in South Carolina, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he'd orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer.

IT

Amazon Quietly Rolls Out Support for Passkeys, With a Catch (techcrunch.com) 52

Amazon has quietly rolled out support for passkeys as it becomes the latest tech giant to join the passwordless future. But you still might have to hold onto your Amazon password for a little while longer. From a report: The option to set up a passkey is now available on the e-commerce giant's website, allowing users to log in using biometric authentication on their device, such as their fingerprint or face scan. Doing so makes it far more difficult for bad actors to remotely access users' accounts, given that the attacker also needs physical access to the user's device.

But Amazon's implementation of passkeys isn't without issues, as noted by Vincent Delitz, co-founder of German tech startup Corbado, who first documented the arrival of passkey support on Amazon. Delitz noted that there is currently no support for passkeys in Amazon's native apps, such as Amazon's shopping app or Prime Video, which TechCrunch has also checked, meaning you still have to use a password to sign in (for now). What's more, if you've set up a passkey but previously set up two-factor authentication (2FA), Amazon will still prompt you to enter a one-time verification code when logging in, a move Delitz said was "redundant," since passkeys remove the need for 2FA as they are stored on your device.

Security

US Plans To Push Other Countries Not to Pay Hacker Ransoms (bloomberg.com) 36

The US is pushing a group of governments to publicly commit to not make ransom payments to hackers ahead of an annual meeting of more than 45 nations in Washington later this month. From a report: Anne Neuberger, deputy national security adviser, told Bloomberg News that she is "incredibly hopeful" about enlisting support for such a statement but acknowledged it's a "hard policy decision." If members can't agree to the statement in advance of the meeting, then it will be included as a discussion point, she said. [...] The aim of the statement is to change that calculus, Neuberger said. "Ransom payments are what's driving ransomware," she said. "That's the reason we think it's so needed."

AMD

AMD Pulls Graphics Driver After 'Anti-Lag+' Triggers Counter-Strike 2 Bans (arstechnica.com) 93

AMD has taken down the latest version of its AMD Adrenalin Edition graphics driver after Counter-Strike 2-maker Valve warned that using its Anti-Lag+ technology would result in a ban under Valve's anti-cheat rules. From a report: AMD first introduced regular Anti-Lag mitigation in its drivers back in 2019, limiting input lag by reducing the amount of queued CPU work when the processor was getting too far ahead of the GPU frame processing. But the newer Anti-Lag+ system -- which was first rolled out for a handful of games last month -- updates this system by "applying frame alignment within the game code itself," according to AMD. That method leads to additional lag reduction of up to 10 ms, according to AMD's data. That additional lag reduction could offer players a bit of a competitive advantage in these games (with the usual arguments about whether that advantage is "unfair" or not). But it's Anti-Lag+'s particular method of altering the "game code itself" that sets off warning bells for the Valve Anti-Cheat (VAC) system. After AMD added Anti-Lag+ support for Counter-Strike 2 in a version 23.10.1 update last week, VAC started issuing bans to unsuspecting AMD users who activated the feature.

"AMD's latest driver has made their 'Anti-Lag/+' feature available for CS2, which is implemented by detouring engine dll functions," Valve wrote on social media Friday. "If you are an AMD customer and play CS2, DO NOT ENABLE ANTI-LAG/+; any tampering with CS code will result in a VAC ban." Beyond Valve, there are also widespread reports of Anti-Lag+ triggering crashes or account bans in competitive online games like Modern Warfare 2 and Apex Legends. But Nvidia users haven't reported any similar problems with the company's Reflex system, which uses SDK-level code adjustments to further reduce input lag in games including Counter-Strike 2.

IT

Dropbox CEO Defends 90% Remote-Work Model, Says 'Future of Work' is Here (fortune.com) 103

An anonymous Slashdot reader shared this report from Fortune: What would Drew Houston, CEO of Silicon Valley software giant Dropbox, say to fellow CEOs — like Google's Sundar Pichai or Meta's Mark Zuckerberg — who seem to believe that three days a week in-person is crucial for company culture?

"I'd say, 'your employees have options,'" Houston told Fortune this past week. "They're not resources to control."

While Dropbox used to work near-entirely at its Bay Area headquarters, Houston has completely warmed to a distributed model since the pandemic — and is mystified as to why other leaders haven't joined him. (Houston founded Dropbox in 2007, the year after he graduated from MIT, and has been its CEO ever since.) "From a product design perspective, customers are our employees. We've stitched together this working model based on primary research," he told Fortune at Dropbox's WIP Conference — its first in-person event since 2019 — in New York on Tuesday. "We've just been handed the keys that unlock this whole future of work, which is actually here."

In April 2021, right when most of the country became eligible for vaccines and people began reconvening again across the globe, Dropbox encouraged the opposite. It officially announced its intent to go Virtual First, which meant employees were free to work remotely 90% of the time, only commuting in for the occasional meeting or happy hour... Granted, not everyone got to appreciate the perks. In April, Dropbox laid off 500 employees — 16% of its staff — due to "slowing growth" and "the A.I. era" requiring a reallocation of resources....

Houston and his team have found, in practice, a handful of two- or three-day offsites per quarter — 10% of the year — works best for their people. Crucially, it provides that oft-referenced cultural connect and brainstorming time that pro-office zealots insist upon, without wearing workers out with a commute grind or needless hours in drab conference rooms.

AMD

T2 Linux Discovers (Now Patched) AMD Zen 4 Invalid Opcode Speculation Bug (youtube.com) 13

T2 SDE is not just a Linux distribution, but "a flexible Open Source System Development Environment or Distribution Build Kit," according to a 2022 announcement of its support for 25 CPU architectures, variants, and C libraries. ("Others might even name it Meta Distribution. T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation.")

And while working on it, Berlin-based T2 Linux developer René Rebe (long-time Slashdot reader ReneR) discovered random illegal instruction speculation on AMD Ryzen 7000-Series and Epyc Zen 4 CPUs.

ReneR writes: Merged to Linux 6.6 Git is a fix for the bug now known at AMD as Erratum 1485.

The discovery was possible through continued high CPU load cross-compiling the T2 Linux distribution with support for all CPU architectures from ARM, MIPS, PowerPC, RISC-V to x86 (and more) for 33 build variants. With sustained high CPU load and various instruction sequences being compiled, pseudo random illegal instruction errors were observed and subsequently analyzed.

ExactCODE Research GmbH CTO René Rebe is thrilled that working with AMD engineers led to a timely mitigation to increase system stability of the still new and highest performance Zen4 platform.

"I found real-world code that might be similar or actually trigger the same bugs in the CPU that are also used for all the Spectre Meltdown and other side-channel security vulnerability mitigations," Rebe says in a video announcement on YouTube.

It took Rebe a tremendous amount of research, and he says now that "all the excessive work changed my mind. Mitigations equals considered harmful... If you want stable, reliable computational results — no, you can't do this. Because as Spectre Meltdown and all the other security issues have proven, the CPUs are nowadays as complex as complex software systems..."

Microsoft

To 'Evolve' Windows Authentication, Microsoft Wants to Eventually Disable NTLM in Windows 11 (neowin.net) 68

An anonymous reader shared this report from Neowin: The various versions of Windows have used Kerberos as their main authentication protocol for over 20 years. However, in certain circumstances, the OS has to use another method, NTLM (NT LAN Manager). Today, Microsoft announced that it is expanding the use of Kerberos, with the plan to eventually ditch the use of NTLM altogether.

In a blog post, Microsoft stated that NTLM continues to be used by some businesses and organizations for Windows authentication because it "doesn't require local network connection to a Domain Controller." It also is "the only protocol supported when using local accounts" and it "works when you don't know who the target server is." Microsoft states:

These benefits have led to some applications and services hardcoding the use of NTLM instead of trying to use other, more modern authentication protocols like Kerberos. Kerberos provides better security guarantees and is more extensible than NTLM, which is why it is now a preferred default protocol in Windows. The problem is that while businesses can turn off NTLM for authentication, those hardwired apps and services could experience issues. That's why Microsoft has added two new authentication features to Kerberos.

Microsoft's blog post calls it "the evolution of Windows authentication," arguing that "As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges..." So, "our team is building new features for Windows 11."
  • Initial and Pass Through Authentication Using Kerberos, or IAKerb, "a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight."
  • A local Key Distribution Center (KDC) for Kerberos, "built on top of the local machine's Security Account Manager so remote authentication of local user accounts can be done using Kerberos."
  • "We are also fixing hard-coded instances of NTLM built into existing Windows components... shifting these components to use the Negotiate protocol so that Kerberos can be used instead of NTLM... NTLM will continue to be available as a fallback to maintain existing compatibility."
  • "We are also introducing improved NTLM auditing and management functionality to give your organization more insight into your NTLM usage and better control for removing it."

"Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable."

Encryption

Mathematician Warns US Spies May Be Weakening Next-Gen Encryption (newscientist.com) 78

Matthew Sparkes reports via NewScientist: A prominent cryptography expert has told New Scientist that a US spy agency could be weakening a new generation of algorithms designed to protect against hackers equipped with quantum computers. Daniel Bernstein at the University of Illinois Chicago says that the US National Institute of Standards and Technology (NIST) is deliberately obscuring the level of involvement the US National Security Agency (NSA) has in developing new encryption standards for "post-quantum cryptography" (PQC). He also believes that NIST has made errors -- either accidental or deliberate -- in calculations describing the security of the new standards. NIST denies the claims.

Bernstein alleges that NIST's calculations for one of the upcoming PQC standards, Kyber512, are "glaringly wrong," making it appear more secure than it really is. He says that NIST multiplied two numbers together when it would have been more correct to add them, resulting in an artificially high assessment of Kyber512's robustness to attack. "We disagree with his analysis," says Dustin Moody at NIST. "It's a question for which there isn't scientific certainty and intelligent people can have different views. We respect Dan's opinion, but don't agree with what he says." Moody says that Kyber512 meets NIST's "level one" security criteria, which makes it at least as hard to break as a commonly used existing algorithm, AES-128. That said, NIST recommends that, in practice, people should use a stronger version, Kyber768, which Moody says was a suggestion from the algorithm's developers.

NIST is currently in a period of public consultation and hopes to reveal the final standards for PQC algorithms next year so that organizations can begin to adopt them. The Kyber algorithm seems likely to make the cut as it has already progressed through several layers of selection. Given its secretive nature, it is difficult to say for sure whether or not the NSA has influenced the PQC standards, but there have long been suggestions and rumors that the agency deliberately weakens encryption algorithms. In 2013, The New York Times reported that the agency had a budget of $250 million for the task, and intelligence agency documents leaked by Edward Snowden in the same year contained references to the NSA deliberately placing a backdoor in a cryptography algorithm, although that algorithm was later dropped from official standards.

Bitcoin

Across US, Chinese Bitcoin Mines Draw National Security Scrutiny (cryptotimes.io) 23

According to the New York Times, Chinese-owned bitcoin mining operations in the United States are causing security concerns due to their proximity to important sites and the potential for cyber threats. The Crypto Times reports: There are some mining facilities close to critical sites such as a Microsoft data center for the Pentagon and an Air Force nuclear missile base in Wyoming, USA. Officials in the U.S. fear Chinese espionage activities at these places. These mining operations began after China banned bitcoin mining in 2021. These individuals sometimes maintain connections with the Chinese Communist Party or state-owned companies, which may be kept concealed through multiple layers of companies.

Texas has turned out to be a haven for Chinese-linked Bitcoin mining: while some US states have restrictions, Texas offers incentives. This might pose a threat to the power grid or essential infrastructure. A new concern has recently been raised in a report related to a potential cyber strike on US infrastructure by China in case a major conflict arose.

Encryption

Sandvine Scraps Plan To Market Tool in US That Tracks Encrypted Messages (bloomberg.com) 7

Computer networking company Sandvine has scrapped an effort to sell US law enforcement agencies a controversial internet surveillance technology that tracks encrypted messages and laid off most of the employees involved in the initiative, Bloomberg News reported Friday, citing four people with knowledge of the matter. From the report: Sandvine had pitched the new product, called "Digital Witness," to governments and law enforcement agencies in Europe, the Middle East, Asia and North America. It was marketed as a tool to covertly monitor people's internet use and encrypted messages sent using popular applications such as Meta Platforms' WhatsApp and Signal, according to the people, who asked not to be identified to discuss confidential matters.

Sandvine had already provided trial versions of the technology in the US, these people said. But a combination of broader economic woes and lingering concern over the company's previous work with authoritarian governments hindered the product's success, the people said. Sandvine declined to comment when asked about Digital Witness. The company's marketing materials indicate the product is sold only to law enforcement and government agencies, and it is still listed on Sandvine's website.

IT

India Won't Impose Restrictions on Laptop Imports (reuters.com) 4

India is rolling back its earlier plan to impose restrictions on laptop imports, months after abruptly announcing such plans which came under criticism from industry and Washington. From a report: "India will not impose restrictions on laptop imports," Trade Secretary Sunil Barthwal told a press conference on Friday. He said the government "only wants importers to be on close watch." The import licensing regime, announced on Aug. 3, aimed to "ensure trusted hardware and systems" enter India, but it was delayed by three months after objections from industry and criticism by Washington.

Security

Equifax Scores $13.6 Million Slap on Wrist Over 2017 Mega Breach 25

The UK's Financial Conduct Authority (FCA) has fined Equifax a smidge over $13.6 million for severe failings that put millions of consumers at risk of financial crime. From a report: The regulator branded the entire debacle "entirely preventable" -- from Equifax's failure to promptly notify regulators to the way in which it misled the public over the severity of a security breach back in 2017. The original fine should have been greater; the true sum was $19,428,836 but the company received a 30 percent discount for agreeing to the penalty early into the proceedings. It also received a 15 percent credit for good behavior during the investigation.

The FCA first opened its investigation in 2017; its fine comes after the ICO wasted less time, imposing a penalty of $609,092 in 2018. "Cybersecurity and data protection are of growing importance to the security and stability of financial services," said Jessica Rusu, FCA chief data, information, and intelligence officer. "Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards."

Security

Cisco Can't Stop Using Hard-Coded Passwords (schneier.com) 30

There's a new Cisco vulnerability in its Emergency Responder product: "This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user." Bruce Schneier adds: "This is not the first time Cisco products have had hard-coded passwords made public. You'd think it would learn."

Open Source

Europe Mulls Open Sourcing TETRA Emergency Services' Encryption Algorithms (theregister.com) 18

Jessica Lyons Hardcastle reports via The Register: The European Telecommunications Standards Institute (ETSI) may open source the proprietary encryption algorithms used to secure emergency radio communications after a public backlash over security flaws found this summer. "The ETSI Technical Committee in charge of TETRA algorithms is discussing whether to make them public," Claire Boyer, a spokesperson for the European standards body, told The Register. The committee will discuss the issue at its next meeting on October 26, she said, adding: "If the consensus is not reached, it will go to a vote."

TETRA is the Terrestrial Trunked Radio protocol, which is used in Europe, the UK, and other countries to secure radio communications used by government agencies, law enforcement, military and emergency services organizations. In July, a Netherlands security biz uncovered five vulnerabilities in TETRA, two deemed critical, that could allow criminals to decrypt communications, including in real-time, to inject messages, deanonymize users, or set the session key to zero for uplink interception. At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks."

It did, however, face criticism from the security community over its response to the vulnerabilities -- and the proprietary nature of the encryption algorithms, which makes it more difficult for proper pentesting of the emergency network system.

"This whole idea of secret encryption algorithms is crazy, old-fashioned stuff," said security author Kim Zetter who first reported the story. "It's very 1960s and 1970s and quaint. If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret."

Security

Cloud Gaming Firm Shadow Says Hackers Stole Customers' Personal Data (techcrunch.com) 7

French technology company Shadow has confirmed a data breach involving customers' personal information. TechCrunch: The Paris-headquartered startup, which offers gaming through its cloud-based PC service, said in an email to customers this week that hackers had accessed their personal information after a successful social engineering attack targeted the company. "At the end of September, we were the victim of a social engineering attack targeting one of our employees," Shadow CEO Eric Sele said in the email, seen by TechCrunch. "This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack."

Shadow said that though its security team took unspecified "immediate action," the hackers were able to connect to the management interface of one of the company's software-as-a-service (SaaS) providers to obtain customers' private data. That data includes full names, email addresses, dates of birth, billing addresses and credit card expiry dates. Shadow says no passwords or sensitive banking data were compromised.

Microsoft

Microsoft Calls Off OneDrive Photo-pocalypse (gizmodo.com) 12

Microsoft has reversed course on the storage limits it recently imposed for photos in a user's OneDrive account, following a barrage of backlash. From a report: In August, Microsoft announced that photos in a user's OneDrive Gallery and in each of their saved photo albums would count separately toward the company's cloud-based limit of five gigabytes, according to Neowin. The update was expected to roll out on October 16, which would force some users to encounter storage ceilings as the extra data was added to their OneDrive, preventing additional files from syncing. Customers were surprised by the abrupt policy change, so surprised in fact that the company caved to user backlash and recently announced that the change was no longer on the table.

"On August 31, 2023, we began to communicate an upcoming update to our cloud storage infrastructure that would result in a change in how OneDrive photos and photo albums data is counted against your overall cloud storage quota," Microsoft said in an email to customers, which has also been posted to the company's Support page. "This change was scheduled to start rolling out on October 16, 2023. Based on the feedback we received, we have adjusted our approach, we will no longer roll out this update."

Security

State-backed Hackers Are Exploiting New 'Critical' Atlassian Zero-Day Bug (techcrunch.com) 18

Microsoft says Chinese state-backed hackers are exploiting a "critical"-rated zero-day vulnerability in Atlassian software to break into customer systems. From a report: The technology giant's threat intelligence team said in a post on X, formerly Twitter, that it has observed a nation-state threat actor it calls Storm-0062 exploiting a recently disclosed critical flaw in Atlassian Confluence Data Center and Server. Microsoft has previously identified Storm-0062 as a China-based state-sponsored hacker.

Microsoft said it observed in-the-wild abuse of the maximum rated 10.0 vulnerability, tracked as CVE-2023-22515, since September 14, some three weeks before Atlassian's public disclosure on October 4. A bug is considered a zero-day when the vendor -- in this case Atlassian -- has zero time to fix the bug before it is exploited. Atlassian updated its advisory this week to confirm it has "evidence to suggest that a known nation-state actor" is exploiting the bug, which the company says could allow a remote attacker to create unauthorized administrator accounts to access Confluence servers. Atlassian's Confluence is a widely popular collaborative wiki system used by corporations around the world to organize and share work.
