Spam

FCC's Robocaller Crackdown Brings Stark Warning for Voice Providers (cnet.com)

The US Federal Communications Commission is continuing its battle against illegal robocalls. In its latest move, the agency on Wednesday issued cease-and-desist warnings to two more companies. From a report: The warning letters indicate that voice service providers SIPphony and Vultik must "end their apparent support of illegal robocall traffic or face serious consequences," according to an FCC announcement. The FCC says its investigations show that Vultik and SIPphony have allowed illegal robocalls to originate from their networks. Each provider must take immediate action and inform the FCC of the active steps it's taking to mitigate illegal robocalls. If either fails to comply with steps and rules outlined in the letters, its call traffic may be permanently blocked.
Security

The Guardian Says Ransomware Attack Compromised Staff's Personal Data (theguardian.com)

Last month, The Guardian closed its offices after being hit by a "highly sophisticated" ransomware attack. In an update to staff, Guardian group chief Anna Bateson and newspaper editor-in-chief Katharine Viner said intruders were able to access the personal data of UK employees. Engadget reports: They described the incident as a "highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network," most likely triggered by a "phishing" attempt in which the victim is tricked, often via email, into downloading malware. The Guardian said it had no reason to believe the personal data of readers and subscribers had been accessed. It is not believed that the personal data of Guardian US and Guardian Australia staff has been accessed either. However, the message to staff said there had been no evidence of data being exposed online, so the risk of fraud is considered to be low.

The attack was detected on 20 December and affected parts of the company's technology infrastructure. Staff, most of whom have been working from home since the attack, have been able to maintain production of a daily newspaper, while online publishing has been unaffected. The Guardian has been using external experts to gauge the extent of the attack and to recover its systems. Although the Guardian expects some critical systems to be back up and running "within the next two weeks," a return to office working has been postponed until early February in order to allow IT staff to focus on network and system restoration.

Security

A Government Watchdog Spent $15,000 To Crack a Federal Agency's Passwords In Minutes (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A government watchdog has published a scathing rebuke of the Department of the Interior's cybersecurity posture, finding it was able to crack thousands of employee user accounts because the department's security policies allow easily guessable passwords like 'Password1234'. The report by the Office of the Inspector General for the Department of the Interior, tasked with oversight of the U.S. executive agency that manages the country's federal land, national parks and a budget of billions of dollars, said that the department's reliance on passwords as the sole way of protecting some of its most important systems and employees' user accounts has bucked nearly two decades of the government's own cybersecurity guidance of mandating stronger two-factor authentication. It concludes that poor password policies put the department at risk of a breach that could lead to a "high probability" of massive disruption to its operations.

The inspector general's office said it launched its investigation after a previous test of the agency's cybersecurity defenses found lax password policies and requirements across the Department of the Interior's dozen-plus agencies and bureaus. The aim this time around was to determine if the department's security defenses were enough to block the use of stolen and recovered passwords. [...] To make their point, the watchdog spent less than $15,000 on building a password-cracking rig -- a setup of a high-performance computer or several chained together -- with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like 'Polar_bear65' and 'Nationalparks2014!'. The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems. Another 4,200 hashed passwords were cracked over an additional eight weeks of testing. [...]

The watchdog said it curated its own custom wordlist for cracking the department's passwords from dictionaries in multiple languages, as well as U.S. government terminology, pop culture references, and other publicly available lists of hashed passwords collected from past data breaches. By doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department's passwords at a similar rate, the report said. The watchdog found that close to 5% of all active user account passwords were based on some variation of the word "password" and that the department did not "timely" wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise. The report also criticized the Department of the Interior for "not consistently" implementing or enforcing two-factor authentication, where users are required to enter a code from a device that they physically own to prevent attackers from logging in using just a stolen password.
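A policy-side screen for the two password patterns the report calls out, written for this story as an added example (it is not code from the OIG report or the Department of the Interior). It rejects any variation of the word "password", including leet substitutions, and any dictionary phrase dressed up with a digit or symbol prefix/suffix such as "Polar_bear65" or "Nationalparks2014!". The wordlist and the 14-character minimum are constructed assumptions; a real deployment would load a breach corpus and the department's own terminology list.

```python
"""Password-policy screen for the patterns the Interior OIG report describes.

Added example, not code from the report or from the Department of the
Interior. The wordlist below stands in for the multi-language and
government-terminology lists the watchdog used; MIN_LENGTH is an assumed
policy value, since the report does not state the department's.
"""
import re

MIN_LENGTH = 14  # assumption for the example, not the department's setting

# Common leet substitutions undone before dictionary matching (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a real wordlist.
WORDLIST = {"password", "polar", "bear", "national", "parks", "interior",
            "summer", "welcome", "admin", "yellowstone", "river"}


def normalize(pw):
    """Lowercase, strip a non-letter head/tail (digits, symbols), undo leet."""
    base = pw.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET)


def segmentable(token, words, _memo=None):
    """True if token splits entirely into dictionary words.

    "nationalparks" -> "national" + "parks"; "glacier" -> no split available.
    """
    if _memo is None:
        _memo = {}
    if token == "":
        return True
    if token in _memo:
        return _memo[token]
    ok = any(token[:i] in words and segmentable(token[i:], words, _memo)
             for i in range(1, len(token) + 1))
    _memo[token] = ok
    return ok


def assess(pw, words=WORDLIST, min_length=MIN_LENGTH):
    """Return None if the password passes, else a short rejection reason.

    Dictionary checks run before the length check so the caller sees the
    most specific reason ("Password1234" is a 'password' variant first).
    """
    base = normalize(pw)
    if "password" in base:
        return "variation of 'password'"
    tokens = [t for t in re.split(r"[^a-z]+", base) if t]
    if tokens and all(segmentable(t, words) for t in tokens):
        return "dictionary words plus digit/symbol prefix or suffix"
    if len(pw) < min_length:
        return "too short"
    return None


if __name__ == "__main__":
    # Samples from the report plus two constructed ones.
    for candidate in ["Password1234", "Polar_bear65", "Nationalparks2014!",
                      "P@ssw0rd!2022Interior", "Tr0ub4dor&3",
                      "Glacier-Winter-Kayak-2019!"]:
        print(f"{candidate!r:30} -> {assess(candidate) or 'ok'}")
```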

Microsoft

Microsoft To Move Some Teams Features To More Costly 'Premium' Edition (theregister.com)

Microsoft has revealed that a Premium cut of its Teams cloudy collaborationware suite will debut in early February, and some features that are currently included in Microsoft 365 will move to the new -- more costly -- product. From a report: As Microsoft's licensing guide clarifies: "some Teams features will move from Teams licenses to Teams Premium licenses." Those features are:
Live translated captions;
Timeline markers in Teams meeting recordings for when a user left or joined meetings;
Custom organization Together mode scenes;
Virtual Appointments - SMS notifications;
Virtual Appointments - Organizational analytics in the Teams admin center;
Virtual Appointments - Scheduled queue view.

Security

Messenger Billed as Better Than Signal is Riddled With Vulnerabilities (arstechnica.com)

Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy "no other chat service" can offer. From a report: Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE. Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta's WhatsApp messenger. It's among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing. "In totality, our attacks seriously undermine Threema's security claims," the researchers wrote. "All the attacks can be mitigated, but in some cases, a major redesign is needed."

United States

DHS, CISA Building AI-Based Cybersecurity Analytics Sandbox (theregister.com)

Two of the US government's leading security agencies are building a machine learning-based analytics environment to defend against rapidly evolving threats and create more resilient infrastructures for both government entities and private organizations. From a report: The Department of Homeland Security (DHS) -- in particular its Science and Technology Directorate research arm -- and Cybersecurity and Infrastructure Security Agency (CISA) picture a multicloud collaborative sandbox that will become a training ground for government boffins to test analytic methods and technologies that rely heavily on artificial intelligence and machine learning techniques. It also will include an automated machine learning "loop" through which workloads -- think exporting and tuning data -- will flow.

The CISA Advanced Analytics Platform for Machine Learning (CAP-M) -- previously known as CyLab -- will drive problem solving around cybersecurity that encompasses both on-premises and cloud environments, according to the agencies. "Fully realized, CAP-M will feature a multi-cloud environment and multiple data structures, a logical data warehouse to facilitate access across CISA data sets, and a production-like environment to enable realistic testing of vendor solutions," DHS and CISA wrote in a one-page description of the project. "While initially supporting cyber missions, this environment will be flexible and extensible to support data sets, tools, and collaboration for other infrastructure security missions."

Security

Hackers Hit Websites of Danish Central Bank, Other Banks (reuters.com)

Hackers have disrupted access to the websites of Denmark's central bank and seven private banks in the country this week, according to the central bank and an IT firm that serves the industry. From a report: The websites of the central bank and Bankdata, a company that develops IT solutions for the financial industry, were hit by distributed denial-of-service (DDoS) attacks, which direct traffic towards targeted servers in a bid to knock them offline. A spokesperson for the central bank said its website was working normally on Tuesday afternoon and the attack did not impact the bank's other systems or day-to-day operations. Access to the websites of seven private banks was briefly restricted on Tuesday after the DDoS attack on Bankdata, a company spokesperson said. The banks included two of Denmark's largest, Jyske Bank and Sydbank, he said.

Privacy

Researchers Track GPS Location of All of California's New Digital License Plates (vice.com)

An anonymous reader quotes a report from Motherboard: A team of security researchers managed to gain "super administrative access" into Reviver, the company behind California's new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers. "An actual attacker could remotely update, track, or delete anyone's REVIVER plate," Sam Curry, a bug bounty hunter, wrote in the blog post. Curry wrote that he and a group of friends started finding vulnerabilities across the automotive industry. That included Reviver.

California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and "legal to purchase in a growing number of states." [...] In the blog post, Curry writes the researchers were interested in Reviver because the license plate's features meant it could be used to track vehicles. After digging around the app and then a Reviver website, the researchers found Reviver assigned different roles to user accounts. Those included "CONSUMER" and "CORPORATE." Eventually, the researchers identified a role called "REVIVER" and managed to change their account to it, which in turn granted them access to all sorts of data and capabilities, including tracking the location of vehicles. "We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization," Curry writes. "We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags."

Reviver told Motherboard in a statement that it patched the issues identified by the researchers. "We are proud of our team's quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections," the statement read.

"Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles," it added.
IT

Raspberry Pi Launches Higher Resolution Camera Module, Now With Autofocus (theverge.com)

Raspberry Pi is launching a new camera module for use with its diminutive DIY computers -- the Camera Module 3. Its upgraded Sony IMX708 sensor is higher resolution, but perhaps more important is that the new module supports high dynamic range photography and autofocus. Alongside it, Raspberry Pi is also releasing a new camera board for use with M12-mount lenses. From a report: Combined, the new features mean the Camera Module 3 should be able to take more detailed photographs (especially in low light), and can focus on objects as little as 5cm away. The autofocus uses a Phase Detection Autofocus (PDAF) system, with Contrast Detection Autofocus used as a backup. In contrast, previous versions of the camera module had fixed-focus lenses, which Raspberry Pi CEO Eben Upton writes were "optimized to focus at infinity" and could only take a "reasonably sharp image" of objects around a meter away.

The new module's sensor has a resolution of 11.9 megapixels (compared to 8.1 megapixels for the last version), and has a higher horizontal resolution that should allow it to film HD video. HDR support means the Camera Module 3 can take several exposures of the same scene, and combine them so that both darker and lighter parts of an image are properly exposed (at the expense of some resolution) -- a trick commonly performed by just about every smartphone. Prices start at $25 for the Camera Module 3 with a standard field-of-view, while the ultra-wide angle version with a 102-degree field of view is $35.

Security

Identity Thieves Bypassed Experian Security To View Credit Reports (krebsonsecurity.com)

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus, Brian Krebs reported Monday. From the report: Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian's website allowed anyone to bypass these questions and go straight to the consumer's report. All that was needed was the person's name, address, birthday and Social Security number. In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

"I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle," Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. "If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others." Kushnir said the crooks learned they could trick Experian into giving them access to anyone's credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian's identity verification process.

IT

Study Reveals the Happiest, Least Stressful Jobs in America (seattletimes.com)

"Envy the lumberjacks, for they perform the happiest, most meaningful work on earth," writes the Washington Post.

"Or at least they think they do. Farmers, too." Agriculture, logging and forestry have the highest levels of self-reported happiness — and lowest levels of self-reported stress — of any major industry category, according to our analysis of more than 13,000 time journals from the Bureau of Labor Statistics' American Time Use Survey. (Additional reporting sharpened our focus on lumberjacks and foresters, but almost everyone who works on farms or in forests stands out.)

The time-use survey typically asks people to record what they were doing at any given time during the day. But in four recent surveys, between 2010 and 2021, they also asked a subset of those people — more than 13,000 of them — how meaningful those activities were, or how happy, sad, stressed, pained and tired they felt on a six-point scale.... [H]appiness and meaning aren't always correlated. Health-care and social workers rate themselves as doing the most meaningful work of anybody (apart from the laudable lumberjacks), but they rank lower on the happiness scale. They also rank high on stress.

The most stressful sectors are the industry including finance and insurance, followed by education and the broad grouping of professional and technical industries, a sector that includes the single most stressful occupation: lawyers. Together, they paint a simple picture: A white collar appears to come with significantly more stress than a blue one.

The Post credits "adjacency to nature" as boosting the happiness in forestry-related professions (as well as many recreational activities). The Post spoke to one forestry advocate who even argued that "Forestry forces you to work on a slower time scale. It pushes you to have a generational outlook."
Security

New Linux Malware Downloader for Compromised Servers Spotted in the Wild (bleepingcomputer.com)

"A new Linux malware downloader created using SHC (Shell Script Compiler) has been spotted in the wild," reports the site Bleeping Computer, "infecting systems with Monero cryptocurrency miners and DDoS IRC bots...

"The analysts say the attacks likely rely on brute-forcing weak administrator account credentials over SSH on Linux servers.... " According to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks generally focused on Linux systems in the same country.... When the SHC malware downloader is executed, it will fetch multiple other malware payloads and install them on the device. One of the payloads is an XMRig miner that is downloaded as a TAR archive from a remote URL and extracted to "/usr/local/games/" and executed....

The second payload retrieved, dropped, and loaded by the SHC malware downloader is a Perl-based DDoS IRC bot. The malware connects to the designated IRC server using configuration data and goes through a username-based verification process. If successful, the malware awaits commands from the IRC server, including DDoS-related actions such as TCP Flood, UDP Flood, and HTTP Flood, port scanning, Nmap scanning, sendmail commands, process killing, log cleaning, and more.

ASEC warns that attacks like these are typically caused by using weak passwords on exposed Linux servers.

Privacy

CES's 'Worst in Show' Criticized Over Privacy, Security, and Environmental Threats (youtube.com)

"We are seeing, across the gamut, products that impact our privacy, products that create cybersecurity risks, that have overarchingly long-term environmental impacts, disposable products, and flat-out just things that maybe should not exist."

That's the CEO of the how-to repair site iFixit, introducing their third annual "Worst in Show" ceremony for the products displayed at this year's CES. But the show's slogan promises it's also "calling out the most troubling trends in tech." For example, the EFF's executive director started with two warnings. First, "If it's communicating with your phone, it's generally communicating to the cloud too." But more importantly, if a product is gathering data about you and communicating with the cloud, "you have to ask yourself: is this company selling something to me, or are they selling me to other people? And this year, as in many past years at CES, it's almost impossible to tell from the products and the advertising copy around them! They're just not telling you what their actual business model is, and because of that — you don't know what's going on with your privacy."

After warning about the specific privacy implications of a urine-analyzing add-on for smart toilets, they noted there was a close runner-up for the worst privacy: the increasing number of scam products that "are basically based on the digital version of phrenology, like trying to predict your emotions based upon reading your face or other things like that. There's a whole other category of things that claim to do things that they cannot remotely do."

To judge the worst in show by environmental impact, Consumer Reports sent the Associate Director for their Product Sustainability, Research and Testing team, who chose the 55-inch portable "Displace TV" for being powered only by four lithium-ion batteries (rather than, say, a traditional power cord).

And the "worst in show" award for repairability went to the Ember Mug 2+ — a $200 travel mug "with electronics and a battery inside...designed to keep your coffee hot." Kyle Wiens, iFixit's CEO, first noted it was a product which "does not need to exist" in a world which already has equally effective double-insulated, vacuum-insulated mugs and Thermoses. But even worse: it's battery powered, and (at least in earlier versions) that battery can't be easily removed! (If you email the company asking for support on replacing the battery, Wiens claims, they will give you "a coupon on a new, disposable coffee mug.") "So this is the kind of product that should not exist, doesn't need to exist, and is doing active harm to the world.

"The interesting thing is people care so much about their $200 coffee mug, the new feature is 'Find My iPhone' support. So not only is it harming the environment, it's also spying on where you're located!"

The founder of SecuRepairs.org first warned about "the vast ecosystem of smart, connected products that are running really low-quality, vulnerable software that make our persons and our homes and businesses easy targets for hackers." But for the worst in show for cybersecurity award, they then chose Roku's new Smart TV, partly because smart TVs in general "are a problematic category when it comes to cybersecurity, because they're basically surveillance devices, and they're not created with security in mind." And partly because to this day it's hard to tell if Roku has fixed or even acknowledged its past vulnerabilities — and hasn't implemented a prominent bug bounty program. "They're not alone in this. This is a problem that affects electronics makers of all different shapes and sizes at CES, and it's something that as a society, we just need to start paying a lot more attention to."

And US PIRG's "Right to Repair" campaign director gave the "Who Asked For This" award to Neutrogena's "SkinStacks" 3D printer for edible skin-nutrient gummies — which are personalized after phone-based face scans. ("Why just sell vitamins when you could also add in proprietary refills and biometric data harvesting.")

United States

Why America's FTC Proposed Banning 'Noncompete' Agreements for Workers (npr.org)

America's Federal Trade Commission "took a bold move on Thursday aimed at shifting the balance of power from companies to workers," reports NPR: The agency proposed a new rule that would prohibit employers from imposing noncompete agreements on their workers, a practice it called exploitative and widespread, affecting some 30 million American workers. "The freedom to change jobs is core to economic liberty and to a competitive, thriving economy," said FTC Chair Lina M. Khan in a statement. "Noncompetes block workers from freely switching jobs, depriving them of higher wages and better working conditions, and depriving businesses of a talent pool that they need to build and expand."

Noncompete agreements restrict workers from quitting their jobs and taking new jobs at rival companies or starting up similar businesses of their own within a certain time period — typically between six months and two years. They're used across a broad array of industries, including in high-paying white-collar fields such as banking and tech, but also in many low-wage sectors as well, as President Biden has pointed out.

"These aren't just high-paid executives or scientists who hold secret formulas for Coca-Cola so Pepsi can't get their hands on it," Biden said in a speech about competition in 2021. "A recent study found one in five workers without a college education is subject to non-compete agreements...." The FTC estimates that a ban on noncompete agreements could increase wages by nearly $300 billion a year by allowing workers to pursue better opportunities.

The rule does not take effect immediately. The public has 60 days to offer comment on the proposed rule, after which a final rule could be published and then enforced some months after that.

Thanks to Slashdot reader couchslug for submitting the story.
Encryption

Amazon S3 Will Now Encrypt All New Data With AES-256 By Default

Amazon Simple Storage Service (S3) will now automatically encrypt all new objects added on buckets on the server side, using AES-256 by default. BleepingComputer reports: While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security. Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won't have any negative performance impact. Administrators may leave the system to encrypt at the default 256-bit AES or choose one of the alternative methods, namely SSE-C or SSE-KMS.

The first option (SSE-C) gives bucket owners control of the keys, while the second (SSE-KMS) lets Amazon do the key management. However, bucket owners can set different permissions for each KMS key to maintain more granular control over the asset access system. To confirm that the changes have been applied to your buckets, admins can configure CloudTrail to log data events at no extra cost. Then perform a test object upload, and look in the event logs for the `"SSEApplied": "Default_SSE_S3"` field in the log entry for the uploaded file. To retroactively encrypt objects already in S3 buckets, follow this official guide.

"This change puts another security best practice into effect automatically -- with no impact on performance and no action required on your side," reads Amazon's announcement.

"S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting. Existing buckets currently using S3 default encryption will not change."
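The CloudTrail verification step above, turned into a small audit script as an added example (not from the story, BleepingComputer or AWS). It reads a CloudTrail log file, keeps only S3 PutObject data events, and reports whether each upload carries the `SSEApplied` value `Default_SSE_S3` named in the story, another SSE mode, or no SSEApplied value at all. The records below are constructed; the field layout follows the CloudTrail record format, but verify the exact SSEApplied values against your own logs.

```python
"""Audit CloudTrail S3 data events for the SSEApplied field.

Added example, not AWS or BleepingComputer code. The SAMPLE_LOG is a
constructed stand-in for a CloudTrail log file with S3 data events enabled.
"""
import json
from collections import Counter

# Value the story names for an upload encrypted by the new bucket default.
DEFAULT_SSE = "Default_SSE_S3"

# Constructed sample: three PutObject records (one per encryption outcome)
# plus a GetObject that the audit must ignore.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "keys/app.pem"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "legacy-bucket", "key": "dump.sql"},
     "additionalEventData": {}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
]})


def classify(record):
    """Return (bucket, key, status) for an S3 PutObject record, else None."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    if record.get("eventName") != "PutObject":
        return None
    params = record.get("requestParameters") or {}
    sse = (record.get("additionalEventData") or {}).get("SSEApplied")
    if sse is None:
        status = "NO_SSE_RECORDED"      # follow up: default encryption not seen
    elif sse == DEFAULT_SSE:
        status = "DEFAULT_SSE_S3"       # bucket default (AES-256) applied
    else:
        status = "OTHER_SSE:" + sse     # explicit SSE-KMS / SSE-C / SSE-S3 header
    return params.get("bucketName", "?"), params.get("key", "?"), status


def audit(log_text):
    """Classify every PutObject in a CloudTrail log file; returns a list of tuples."""
    records = json.loads(log_text)["Records"]
    return [c for c in (classify(r) for r in records) if c is not None]


def uploads_without_sse(log_text):
    """(bucket, key) pairs whose upload shows no SSEApplied at all."""
    return [(b, k) for b, k, s in audit(log_text) if s == "NO_SSE_RECORDED"]


def summary(log_text):
    """Counts per status family, e.g. {'DEFAULT_SSE_S3': 1, 'OTHER_SSE': 1, ...}."""
    return Counter(s.split(":")[0] for _, _, s in audit(log_text))


if __name__ == "__main__":
    for bucket, key, status in audit(SAMPLE_LOG):
        print(f"{status:18} s3://{bucket}/{key}")
    print(dict(summary(SAMPLE_LOG)))
```

Point the script at a real log by passing the file contents to `audit()`; the GetObject record in the sample shows that read events are skipped even when they carry an SSEApplied value.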
Security

FCC Wants Carriers To Notify You Sooner When There's a Data Breach (engadget.com)

The Federal Communications Commission isn't done dragging data breach policy into the modern era. From a report: The agency has proposed rules that would improve reporting for breaches at carriers. Most notably, the move would scrap a mandatory wait of seven business days before a telecom can warn customers about a security incident. Hackers would have a shorter window of opportunity to abuse your data without your knowledge, to put it another way.

The proposal would also clarify that carriers must notify the FCC, FBI and Secret Service of any reportable data breaches. Providers would likewise have to alert customers to inadvertent breaches, such as leaving account info exposed. The Commission is simultaneously asking for public input on whether or not breach alerts should include specific information to help people take action, such as the nature of the compromised data.

PlayStation (Games)

Using Your PS5 Vertically May Result in Hardware Failure (pcmag.com)

The PS5 looks to have a design fault that can take months to appear and only seems to happen if you use the console while it's in a vertical orientation. From a report: As Wololo reports, hardware repair specialists working on PS5 consoles that fail to boot are finding the problem is caused by the liquid metal thermal interface Sony used on the custom AMD Zen 2 CPU. When the PS5 is oriented in a vertical position, over time the liquid metal is moving and spilling out on to the components surrounding the CPU. This also means the liquid metal is no longer evenly spread across the chip it's meant to help cool.
Security

Rackspace Says Hackers Accessed Customer Data During Ransomware Attack (techcrunch.com)

Cloud computing giant Rackspace has confirmed hackers accessed customer data during last month's ransomware attack. From a report: The attack, which Rackspace first confirmed on December 6, impacted the company's hosted Exchange email environment, forcing the web giant to shut down the hosted email service following the incident. At the time, Rackspace said it was unaware "what, if any, data was affected." In its latest incident response update published on Friday, Rackspace admitted that the hackers gained access to the personal data of 27 customers. Rackspace said the hackers accessed PST files, typically used to store backup and archived copies of emails, calendar events and contacts from Exchange accounts and email inboxes.

Rackspace said about 30,000 customers used its hosted Exchange service -- which it will now discontinue -- at the time of the ransomware attack. "We have already communicated our findings to these customers proactively, and importantly, according to Crowdstrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated any of the 27 Hosted Exchange customers' emails or data in the PSTs in any way," said Rackspace. The company added that customers that haven't been contacted directly can "be assured" that their data was not accessed by attackers.

Security

Slack's Private GitHub Code Repositories Stolen Over Holidays (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world. BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022. The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen. While some of Slack's private code repositories were breached, Slack's primary codebase and customer data remain unaffected, according to the company.

The wording from the notice [1, 2] published on New Year's eve is as follows: "On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack's primary codebase."

Slack has since invalidated the stolen tokens and says it is investigating "potential impact" to customers. At this time, there is no indication that sensitive areas of Slack's environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets. "Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure," states Slack's security team. The good news, with regards to the most recent security update is that no action needs to be taken by customers, for now.

Security

CircleCI Warns Customers To Rotate 'Any and All Secrets' After Hack (techcrunch.com)

CircleCI, a company whose development products are popular with software engineers, has urged users to rotate their secrets following a breach of the company's systems. From a report: The San Francisco-headquartered DevOps company said in an advisory published late Wednesday it is currently investigating the security incident, the most recent of several in recent years. "We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing," wrote CircleCI CTO Rob Zuber. "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well."

CircleCI, which claims its technology is used by more than a million software engineers, is advising users to rotate "any and all secrets" stored in CircleCI, including those stored in project environment variables or in contexts. Secrets are passwords or private keys that are used to connect and authenticate servers together. For projects using API tokens, CircleCI said it has invalidated these tokens and users will be required to replace them.
