An anonymous reader quotes a report from Ars Technica: Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors -- Google, Apple, Microsoft -- along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [...]

Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.

Robots may be the future, but robotic arms are apparently no good at using an old and steadfast form of technology: the barcode. Barcodes can be hard to find and might be affixed to oddly shaped products, Amazon said in a press release Friday, something robots can't troubleshoot very well. As a result, the company says it has a plan to kill the barcode. From a report: Using pictures of items in Amazon warehouses and training a computer model, the e-commerce giant has developed a camera system that can monitor items flowing one-by-one down conveyor belts to make sure they match their images. Eventually, Amazon's AI experts and roboticists want to combine the technology with robots that identify items while picking them up and turning them around.

"Solving this problem, so robots can pick up items and process them without needing to find and scan a barcode, is fundamental," said Nontas Antonakos, an applied science manager in Amazon's computer vision group in Berlin. "It will help us get packages to customers more quickly and accurately." The system, called multi-modal identification, isn't going to fully replace barcodes soon. It's currently in use in facilities in Barcelona, Spain, and Hamburg, Germany, according to Amazon. Still, the company says it's already speeding up the time it takes to process packages there. The technology will be shared across Amazon's businesses, so it's possible you could one day see a version of it at a Whole Foods or another Amazon-owned chain with in-person stores.

A US government probe into how many mobile phones belonging to diplomats and government workers have been infected with spyware could "easily run to the hundreds," according to a member of the House Intelligence Committee. From a report: Jim Himes, a Democrat representative from Connecticut, told Bloomberg News that the Biden administration is "just beginning to get an inkling of the magnitude of the problem." He predicted that the probe could find that spyware was used against "hundreds" of federal personnel in "multiple countries." Himes was a lead author of a September letter calling on the federal government to better protect US diplomats overseas from spyware and publicly detail instances of such abuse. He received a letter last month written jointly by the Departments of Commerce and State that confirmed commercial spyware has targeted US government personnel serving overseas.

"Spyware technology has sort of moved beyond our ability to ensure that the communications of our diplomats are protected, or even the locations and contacts and photographs of our diplomats are protected. And that's obviously a huge vulnerability," he said. The official confirmation follows a Reuters report from last year that the iPhones of at least nine State Department employees were hacked with spyware developed by Israel's NSO Group. The employees were either based in Uganda or focused on issues related to the country, according to the report.

An anonymous reader quotes a report from the Associated Press: The leading hospital in India's capital limped back to normalcy on Wednesday after a cyberattack crippled its operations for nearly two weeks. Online registration of patients resumed Tuesday after the hospital was able to access its server and recover lost data. The hospital worked with federal authorities to restore the system and strengthen its defenses. It's unclear who conducted the Nov. 23 attack on the All India Institute of Medical Sciences or where it originated.

The attack was followed by a series of failed attempts to hack India's top medical research organization, the Indian Council of Medical Research. This raised further concerns about the vulnerability of India's health system to attacks at a time when the government is pushing hospitals to digitize their records. More than 173,000 hospitals have registered with a federal program to digitize health records since its launch in September 2021. The program assigns patients numbers that are linked to medical information stored by hospitals on their own servers or in cloud-based storage. Experts fear that hospitals may not have the expertise to ensure digital security.

"Digitizing an entire health care system without really safeguarding it can pretty much kill an entire hospital. It suddenly stops functioning," said Srinivas Kodali, a researcher with the Free Software Movement of India. That is what happened to the hospital in New Delhi. Healthcare workers couldn't access patient reports because the servers that store laboratory data and patient records had been hacked and corrupted. The hospital normally treats thousands of people a day, many of whom travel from distant places to access affordable care. Always crowded, queues at the hospital grew even longer and more chaotic. Sandeep Kumar, who accompanied his ill father, said the digital attack meant that appointments couldn't be booked online, and that doctors could do little when they saw patients because they couldn't access their medical history.

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

An anonymous reader quotes a report from MacRumors: Apple yesterday announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy. iCloud end-to-end encryption, or what Apple calls "Advanced Data Protection," encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it's "deeply concerned with the threat end-to-end and user-only-access encryption pose." Speaking generally about end-to-end encryption like Apple's Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests "lawful access by design": "This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism," the bureau said in an emailed statement. "In this age of cybersecurity and demands for 'security by design,' the FBI and law enforcement partners need 'lawful access by design.'"

Former FBI official Sasha O'Connell also weighed in, telling The New York Times "it's great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that is often not considered is the impact it has on decreasing law enforcement access to digital evidence."

Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.

Google today announced two new performance settings in its Chrome browser: Memory Saver and Energy Saver. From a report: The Memory Saver mode promises to reduce Chrome's memory usage by up to 30% by putting inactive tabs to sleep. The tabs will simply reload when you need them again. The Energy Saver mode, meanwhile, limits background activity and visual effects for sites with animations and videos when your laptop's battery level drops below 20%.

WankerWeasel writes: Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple's highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

An anonymous reader quotes a report from Insider: Deserted downtowns have been haunting US cities since the beginning of the pandemic. Before the pandemic, 95% of offices were occupied. Today that number is closer to 47%. Employees' not returning to downtown offices has had a domino effect: Less foot traffic, less public-transit use, and more shuttered businesses have caused many downtowns to feel more like ghost towns. Even 2 1/2 years later, most city downtowns aren't back to where they were prepandemic. [...] The increased cancellations of office leases have cratered the office real-estate market. A study led by Arpit Gupta, a professor of finance at New York University's Stern School of Business, characterized the value wipeout as an "apocalypse." It estimated that $453 billion in real-estate value would be lost across US cities, with a 17-percentage-point decline in lease revenue from January 2020 to May 2022. The shock to real-estate valuations has been sharp: One building in San Francisco's Mission District that sold for $397 million in 2019 is on the market for about $155 million, a 60% decline.

Other key indicators that economists use to measure the economic vitality of downtowns include office vacancy rates, public-transportation ridership, and local business spending. Across the country, public-transportation ridership remains stuck at about 70% of prepandemic levels. If only 56% of employees of financial firms in New York are in the office on a given day, the health of a city's urban core is negatively affected. The second-order effects of remote work and a real-estate apocalypse are still playing out, but it isn't looking good. Declines in real-estate valuations lead to lower property taxes, which affects the revenue collected to foot the bill of city budgets. Declines in foot traffic have deteriorated business corridors; a recent survey by the National League of Cities suggested cities expect at least a 2.5% decline in sales-tax receipts and a 4% decline in revenue for fiscal 2022. "The solution to the office-housing conundrum seems obvious: Turn commercial spaces like offices into housing. Empty offices can become apartments to ease housing pressure while also bringing more people back to downtown areas," reports Insider. "But after two years, few buildings have been converted." According to the report, it's being hampered by hard-to-justify construction costs and local housing rules.

"Overall, combating the death of downtowns requires a reworking of how we think about cities and the value they provide," the report says. "The urban author Jane Jacobs proclaimed in her famous 1958 article for Fortune magazine, 'Downtown Is for People,' that "'there is no logic that can be superimposed on the city; people make it, and it is to them, not buildings, that we must fit our plans.'"

"The economic health of cities is intrinsically linked to how space is used or unused, and right now downtowns are undergoing a massive shift. Despite the sluggish movement, it's in cities' best interest to figure out how to quickly convert office-centric downtowns into something more suitable for everyone."

Google's search results on desktop will load in a continuous scroll instead of dividing into pages, the company has announced. From a report: The move follows a similar change made on mobile in October last year, but isn't quite an "infinite" scroll. Instead, Google will load six pages of results into a single scroll before offering users a "See more" button to show more results. Google says the change is rolling out first for English searches in the US, but judging by the rollout of the feature on mobile it seems safe to expect to see additional markets and languages added over time.

Competitive Excel clearly is not the NFL, but it does have the beginnings of a fan base. From a report: This was just the second year of the World Championship, but it's already streaming on ESPN3. This year's edition has 30,000 views on YouTube. Supporters of Michael Jarman, the No. 3 seed in this year's competition, call themselves the "Jarmy Army." A few months ago, an all-star game of sorts aired on ESPN2, and this month, ESPNU will televise the collegiate championship. The tournament begins with a 128-player field and proceeds March Madness -- style, in one-on-one, single-elimination contests. The format lends itself to frequent upsets: This year, the No. 2 seed was eliminated in the third round. In each match, players work as fast as possible -- they're generally given about 30 minutes -- to answer a series of progressively more difficult questions testing both their puzzle-solving skills and their fluency with Excel.

The questions all revolve around the same scenario. In the quarterfinal, for example, the questions all had to do with a fictional country transitioning from dictatorship to democracy. The first and easiest question asked players to calculate how many votes were cast for the purple party. The championship case, which was far more difficult, centered on a 100x100 chessboard. This year's total prize money was $10,000. Naturally, a large proportion of Excel competitors work in Excel-heavy jobs; the field included plenty of finance bros, data analysts, mathematicians, actuaries, and engineers. All but one of the eight finalists had over the course of their lives spent thousands of hours working in Excel (the other is a Google Sheets guy), and half of them had spent more than 10,000. The tournament is not particularly diverse. Of the eight finalists, Deaton was the only woman. In the field of 128, she told me, she counted no more than a dozen, which didn't surprise her, given how heavily male the relevant occupations skew.

An anonymous reader shares a report: KmsdBot, a cryptomining botnet that could also be used for denial-of-service (DDOS) attacks, broke into systems through weak secure shell credentials. It could remotely control a system, it was hard to reverse-engineer, didn't stay persistent, and could target multiple architectures. KmsdBot was a complex malware with no easy fix. That was the case until researchers at Akamai Security Research witnessed a novel solution: forgetting to put a space between an IP address and a port in a command. And it came from whoever was controlling the botnet.

With no error-checking built in, sending KmsdBot a malformed command -- like its controllers did one day while Akamai was watching -- created a panic crash with an "index out of range" error. Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions. It is, as Akamai notes, "a nice story" and "a strong example of the fickle nature of technology." KmsdBot is an intriguing modern malware. It's written in Golang, partly because Golang is difficult to reverse-engineer. When Akamai's honeypot caught the malware, it defaulted to targeting a company that created private Grand Theft Auto Online servers. It has a cryptomining ability, though it was latent while the DDOS activity was running. At times, it wanted to attack other security companies or luxury car brands.

An anonymous reader quotes a report from KrebsOnSecurity: In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet's largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google's legal fees. The lawyer for the defendants, New York-based cybercrime defense attorney Igor Litvak, filed a motion to reconsider (PDF), asking the court to vacate the sanctions against him. He said his goal is to get the case back into court. "The judge was completely wrong to issue sanctions," Litvak told KrebsOnSecurity. "From the beginning of the case, she acted as if she needed to protect Google from something. If the court does not decide to vacate the sanctions, we will have to go to the Second Circuit (Court of Appeals) and get justice there."

Meanwhile, Google said the court's decision will have significant ramifications for online crime, adding that it's observed a 78 percent reduction in the number of hosts infected by Glupteba since its technical and legal attacks on the botnet last year.

"While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them," reads a blog post from Google's General Counsel Halimah DeLaine Prado and vice president of engineering Royal Hansen. "And the steps [Google] took last year to disrupt their operations have already had significant impact."

Microsoft has released an out-of-band update to nudge laggards toward Windows 11 amid a migration pace that company executives would undoubtedly prefer is rather faster. From a report: The software giant is offering an option of upgrading to Windows 11 as an out of box experience to its Windows 10 22H2 installed base, the main aim being to smooth their path forward to the latest operating system. "On November 30, 2022, an out-of-band update was released to improve the Windows 10, version 2004, 20H2, 21H1, 21H2, and 22H2 out-of-box experience (OOBE). It provides eligible devices with the option to upgrade to Windows 11 as part of the OOBE process. This update will be available only when an OOBE update is installed."

The update, KB5020683, applies only to Windows 10 Home and Professional versions 2004, 20H2, 21H1, 22H2. There are some pre-requisites that Microsoft has listed here before users can make the move to Windows 11. The operating system was released on October 5 last year but shifting stubborn consumers onto this software has proved challenging for top brass at Microsoft HQ in Redmond. According to Statcounter, a web analytics service that has tracking code installed on 1.5 million websites and records a page view for each, some 16.12 percent of Windows users had installed Windows 11 in November, higher than the 15.44 percent in the prior month, but likely still not close to the figures that Microsoft was hoping for.

Axios reports: "Although a quantum computer isn't expected until 2030, at the earliest, updating current encryption standards will take just as long," writes Axios, "creating a high-stakes race filled with unanswerable questions for national security and cybersecurity officials alike." As scientists, academics and international policymakers attended the first-ever Quantum World Congress conference in Washington this week, alarmism around the future of secure data was undercut by foundational questions of what quantum computing will mean for the world. "We don't even know what we don't know about what quantum can do," said Michael Redding, chief technology officer at Quantropi, during a panel about cryptography at the Quantum World Congress....

Some governments are believed to have already started stealing enemies' encrypted secrets now, so they can unlock them as soon as quantum computing is available. "It's the single-largest economic national-security issue we have ever faced as a Western society," said Denis Mandich, chief technology officer at Qrypt and a former U.S. intelligence official, at this week's conference. "We don't know what happens if they actually decrypt, operationalize and monetize all the data that they already have."

"A group of about 20 quality assurance testers at Activision Blizzard's Albany location won their bid for a union Friday afternoon," reports the Washington Post: The workers join the Game Workers Alliance, a union at the gaming company that already includes testers from Wisconsin-based Raven Software. Amanda Laven, a Blizzard Albany quality assurance tester, said that the union vote comes just about a year after the testers first began collecting signatures for a union. "We knew we were gonna win, but it's still extremely exciting and gratifying, especially because tomorrow marks the first anniversary of when we started organizing," Laven said.

The testers are the lowest paid workers at Blizzard Albany, formerly called Vicarious Visions, a studio known for its work on the Guitar Hero and Crash Bandicoot franchises. The Game Workers Alliance is the first union at a major video game company in the U.S., and Friday's news marks the union's second significant win in an industry that has historically not organized....

The Blizzard Albany testers took their cues from seeing testers at Call of Duty-maker Raven petition the company and gather signatures. On May 28, Raven testers won their bid to unionize. They're currently undergoing bargaining efforts for a contract.

An anonymous reader quotes a report from BleepingComputer: A previously undocumented data wiper named CryWiper is masquerading as ransomware, but in reality, destroys data beyond recovery in attacks against Russian mayor's offices and courts. CryWiper was first discovered by Kaspersky this fall, where they say the malware was used in an attack against a Russian organization. [...] CryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI function calls. Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.

Next, it contacts a command and control server (C2) with the name of the victim's machine. The C2 responds with either a "run" or "do not run" command, determining whether the wiper will activate or stay dormant. Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection. CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.

Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files. CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists. Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", "lnk", ".sys", ".msi", and its own ".CRY", while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable. After this step, CryWiper will generate ransom notes named 'README.txt,' asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.

An anonymous reader quotes a report from TechCrunch: The Cuba ransomware gang extorted more than $60 million in ransom payments from victims between December 2021 and August 2022, a joint advisory from CISA and the FBI has warned. The latest advisory is a follow-up to a flash alert (PDF) released by the FBI in December 2021, which revealed that the gang had earned close to $44 million in ransom payments after attacks on more than 49 entities in five critical infrastructure sectors in the United States. Since, the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally, almost half of the $145 million it demanded in ransom payments from these victims. "Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase," the two federal agencies said on Thursday.

Cuba ransomware actors, which have been active since 2019, continue to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, critical manufacturing and information technology. [...] FBI and CISA added that the ransomware gang has modified its tactics, techniques and procedures since the start of the year and has been linked to the RomCom malware, a custom remote access trojan for command and control, and the Industrial Spy ransomware. The advisory notes that the group -- which cybersecurity company Profero previously linked to Russian-speaking hackers -- typically extorts victims by threatening to leak stolen data. While this data was typically leaked on Cuba's dark web leak site, it began selling stolen data on Industrial Spy's online market in May this year. CISA and the FBI are urging at-risk organizations to prioritize patching known exploited vulnerabilities, to train employees to spot and report phishing attacks and to enable and enforce phishing-resistant multi-factor authentication.

A security flaw on the Florida Department of Revenue website exposed at least hundreds of taxpayers' Social Security numbers and bank account numbers, a security researcher found. From a report: Kamran Mohsin said the security flaw -- now fixed -- allowed him, or anyone else who was logged in to the state's business tax registration website, to access, modify and delete the personal data of business owners whose information is on file with the state's tax authority by modifying the part of the web address that contains the taxpayers' application number. Mohsin said that application numbers are sequential, allowing anyone to enumerate taxpayers' information by incrementing the application number by a single digit. Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when reached for comment.