China flagged security problems with iPhones while saying it isn't barring purchases, the government's first comments on the topic after news reports that authorities are moving to restrict the use of Apple products in sensitive departments and state-owned companies. From a report: "We noticed that there have been many media reports about security incidents concerning Apple phones," Chinese Foreign Ministry spokeswoman Mao Ning told a regular press briefing in Beijing on Wednesday, without elaborating. China plans to expand a ban on the use of iPhones to a plethora of state-backed companies and agencies, Bloomberg News has reported, a sign of growing challenges for Apple in its biggest foreign market and global production base. Several agencies have begun instructing staff not to bring their iPhones to work. "China has not issued laws and regulations to ban the purchase of Apple or foreign brands' phones," Mao said, adding that the government attaches "great importance" to security and that all companies operating in China need to abide by its laws and regulations.

Inditex is racing to iron bugs out of a new anti-shoplifting system for its Zara stores, slightly delaying its rollout partly because the security tags were easy to identify and remove in initial tests, Bloomberg reported Tuesday, citing people familiar with the matter. From the report: Chief Executive Officer Oscar Garcia Maceiras unveiled the new technology in March and pledged to roll it out for tests in all Zara stores worldwide over the summer. The system relies on tiny chips known as RFID, doing away with the hard plastic tags on garments that require checkout clerks to remove them. The new technology has run into teething issues. Staff in several countries have raised concerns to management that the technology may actually make theft easier, according to the people, who asked not to be identified.

Intel has unveiled Thunderbolt 5, the latest iteration of its a standard aimed at enabling super-fast connectivity. From a report: With Thunderbolt 5, Intel promises a significant leap in connectivity speed and bandwidth, delivering enhanced performance for computer users. The unveiling of a prototype laptop and dock accompanied the announcement, providing a glimpse into the future of Thunderbolt technology.

Thunderbolt 5 will offer an impressive 80 gigabits per second (Gbps) of bi-directional bandwidth, enabling lightning-fast data transfer and connectivity. Additionally, with the introduction of Bandwidth Boost, Thunderbolt 5 will reach up to 120 Gbps, ensuring an unparalleled display experience for users. These advancements represent two to three times more bandwidth than Thunderbolt 4. And it can deliver up to 240 watts of power.

Microsoft has made it clear: it will ax third-party printer drivers in Windows. From a report: The death rattle will be lengthy, as the timeline for the end of servicing stretches into 2027 -- although Microsoft noted that the dates will be subject to change. There is, after all, always that important customer with a strange old printer lacking Mopria support.

Mopria is part of the Windows' teams justification for removing support. Founded in 2013 by Canon, HP, Samsung and Xerox, the Mopria Alliance's mission is to provide universal standards for printing and scanning. Epson, Lexmark, Adobe and Microsoft have also joined the gang since then. Since Windows 10 21H2, Microsoft has baked Mopria support into the flagship operating system, with support for devices connected via the network or USB, thanks to the Microsoft IPP Class driver. Microsoft said: "This removes the need for print device manufacturers to provide their own installers, drivers, utilities, and so on."

An anonymous reader shared this report from Bloomberg: China-linked hackers breached the corporate account of a Microsoft engineer and are suspected of using that access to steal a valuable key that enabled the hack of senior U.S. officials' email accounts, the company said in a blog post. The hackers used the key to forge authentication tokens to access email accounts on Microsoft's cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon and State Department officials earlier this year.

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft disclosed the breach in June, but it was still unclear at the time exactly how hackers were able to steal the key that allowed them to access the email accounts. Microsoft said the key had been improperly stored within a "crash dump," which is data stored after a computer or application unexpectedly crashes...

The incident has brought fresh scrutiny to Microsoft's cybersecurity practices.
Microsoft's blog post says they corrected two conditions which allowed this to occur. First, "a race condition allowed the key to be present in the crash dump," and second, "the key material's presence in the crash dump was not detected by our systems." We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.

On August 30th the University of Michigan announced it had finally restored its internet connectivity and Wi-Fi network, according to the Ann Arbor News, "after several days of outages caused by a 'significant security concern,' officials said." The outage coincided with the first days of the new school year, although "classes continued through the outage." The internet was shut down on 1:45 p.m. on Sunday, Aug. 27, after the Information Assurance team at the university identified a security concern, according to previous reporting. The Information Assurance team fights cybersecurity threats and malicious actors... The investigation into the security issue is ongoing and no other information will be released, said Santa Ono, president of University of Michigan.
But a local CBS station heard some theories from cybersecurity experts: "The fact that they took their systems down, like proactively took their systems down, is the indication that it is a cybersecurity incident," said co-founder and CTO of SensCy Dave Kelly. "The reason why you do that is that you don't want it to spread further."

"They probably didn't know to what extent they'd been compromised," senior penetration tester and ethical hacker at NetWorks Group Chris Neuwirth said. "They probably didn't know how many accounts were compromised or the initial entry point that the threat actor used to gain access into the network." Sources close to the investigation told CBS News Detroit that U-M detected malware on its Wi-Fi network and decided to shut it down in response.

So, did the school avoid a disaster? Neuwirth thinks it very well could have. "They likely had very robust backups and data recover, plans, procedures in place that helped them make the decision very confidently and rapidly," he said. "Four days in that they're already bringing up their systems tells me that it's likely that a lot of what they had been preparing for worked."

Kelly said these types of incidents are on the rise. "There's been a large increase in cybersecurity incidents," he said. It's been trending up, quite frankly, for the last several years. It used to be that these threat actors were targeting the government and Fortune 500 companies, but they've started to, more and more over the years, look at universities."
Thanks to long-time Slashdot reader regoli for sharing the news.

A web caching issue resulted in some Wyze security camera owners being able to see webcam feeds that weren't theirs. The Verge reports: Earlier on Friday, users on Reddit made posts about the issue. "Went to check on my cameras and they are all gone be replaced with a new one... and this isn't mine!" wrote one user. "Apologies if this is your house / dog... I don't want it showing up as much as you don't want it!" "I am able to click the events tab and see ALL the events on this random person's camera INSIDE their house," wrote another. "I don't know why, but I can see someone else's camera," wrote another.

Each thread has comments from other Reddit users reporting similar issues. Shockingly, I even saw some instances of people claiming they saw the same cameras that other people did. The user reports indicated that they were seeing the other feeds through Wyze's web viewer at view.wyze.com.

An anonymous reader quotes a report from TechCrunch: Apple released security updates on Thursday that patch two zero-day exploits -- meaning hacking techniques that were unknown at the time Apple found out about them -- used against a member of a civil society organization in Washington, D.C., according to the researchers who found the vulnerabilities. Citizen Lab, an internet watchdog group that investigates government malware, published a short blog post explaining that last week they found a zero-click vulnerability -- meaning that the hackers' target doesn't have to tap or click anything, such as an attachment -- used to target victims with malware.

The researchers said the vulnerability was used as part of an exploit chain designed to deliver NSO Group's malware, known as Pegasus. "The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," Citizen Lab wrote. Once they found the vulnerability, the researchers reported it to Apple, which released a patch on Thursday, thanking Citizen Lab for reporting them. Based on what Citizen Lab wrote in the blog post, and the fact that Apple also patched another vulnerability and attributed its finding to the company itself, it appears Apple may have found the second vulnerability while investigating the first. Citizen Lab researcher John Scott-Railton says Apple's Lockdown Mode would have blocked the exploits found in this case. Lockdown Mode is an opt-in feature introduced in iOS 16 that gives users the option to temporarily switch off or limit features for security purposes. According to Apple, it "should be used only if you believe you may be targeted by a highly sophisticated cyberattack, such as by a private company developing state-sponsored mercenary spyware."

The days of signing on the dotted line may be numbered -- at least in Australia. From a report: The federal government has announced it is taking statutory declarations into the digital age, saying it will accept electronic signatures and video link witnessing from next year. It makes permanent a change introduced during the pandemic, when attending a justice of the peace (JP) for a statutory declaration -- a practice that goes back to the 19th century -- was forbidden under lockdown restrictions.

Legislation introduced this week by the federal attorney general, Mark Dreyfus, will also allow people to digitally execute a statutory declaration using the online platform myGov and the myGovID Digital ID. Dreyfus says the bill is intended to keep with the changing ways of Australians. "This bill will respond to how Australians want and expect to engage and communicate digitally with government by providing options to make commonwealth statutory declarations facilitated by technology," he says. "This bill is an important milestone in driving the digitisation of government services."

Researchers at digital watchdog group Citizen Lab say they found spyware they linked to Israeli firm NSO that exploited a newly discovered flaw in Apple devices. From a report: While inspecting the Apple device of an employee of a Washington-based civil society group last week, Citizen Lab said it found the flaw had been used to infect the device with NSO's Pegasus spyware, it said in a statement.

Bill Marczak, senior researcher at Citizen Lab, said the attacker likely made a mistake during the installation which is how Citizen Lab found the spyware. Citizen Lab said Apple confirmed to them that using the high security feature "Lockdown Mode" available on Apple devices blocks this particular attack. The flaw allowed compromise of iPhones running the latest version of iOS (16.6) without any interaction from the victim, the digital watchdog said. The new update fixes this vulnerability.

Birmingham City Council, the largest local authority in Europe, has declared itself in financial distress after troubled Oracle project costs ballooned from $25 million to around $125.5 million. The Register reports: Contributing to the publication of a legal Section 114 Notice, which says the $4.3 billion revenue organization is unable to balance the books, is a bill of up to $954 million to settle equal pay claims. In a statement today, councillors John Cotton and Sharon Thompson, leader and deputy leader respectively, said the authority was also hit by financial stress owing to issues with the implementation of its Oracle IT system. The council has made a request to the Local Government Association for additional strategic support, the statement said.

In May, Birmingham City Council said it was set to pay up to $125.5 million for its Oracle ERP system -- potentially a fourfold increase on initial estimated expenses -- in a project suffering from delays, cost over-runs, and a lack of controls. After grappling with the project to replace SAP for core HR and finance functions since 2018, the council reviewed the plan in 2019, 2020, and again in 2021, when the total implementation cost for the project almost doubled to $48.5 million. The project, dubbed Financial and People, was "crucial to an organisation of Birmingham City Council's size," a spokesperson said at the time. Cotton said the system had a problem with how it was "tracking our financial transactions and HR transactions issues as well. That's got to be fixed," he said.

Earlier this year, one insider told The Register that Oracle Fusion, the cloud-based ERP system the council is moving to, "is not a product that is suitable for local authorities, because it's very much geared towards a manufacturing/trading organization." They said the previous SAP system had been heavily customized to meet the council's needs and it was struggling to recreate these functions in Oracle.

According to Mozilla's *Privacy Not Included project, every major car brand fails to adhere to the most basic privacy and security standards in new internet-connected models, and all 25 of the brands Mozilla examined flunked the organization's test. Gizmodo reports: Mozilla found brands including BMW, Ford, Toyota, Tesla, and Subaru collect data about drivers including race, facial expressions, weight, health information, and where you drive. Some of the cars tested collected data you wouldn't expect your car to know about, including details about sexual activity, race, and immigration status, according to Mozilla. [...] The worst offender was Nissan, Mozilla said. The carmaker's privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there's no details about how exactly that data is gathered. Nissan reserves the right to share and sell "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes" to data brokers, law enforcement, and other third parties.

Other brands didn't fare much better. Volkswagen, for example, collects your driving behaviors such as your seatbelt and braking habits and pairs that with details such as age and gender for targeted advertising. Kia's privacy policy reserves the right to monitor your "sex life," and Mercedes-Benz ships cars with TikTok pre-installed on the infotainment system, an app that has its own thicket of privacy problems. The privacy and security problems extend beyond the nature of the data car companies siphon off about you. Mozilla said it was unable to determine whether the brands encrypt any of the data they collect, and only Mercedes-Benz responded to the organization's questions.

Mozilla also found that many car brands engage in "privacy washing," or presenting consumers with information that suggests they don't have to worry about privacy issues when the exact opposite is true. Many leading manufacturers are signatories to the Alliance for Automotive Innovation's "Consumer Privacy Protection Principles (PDF)." According to Mozilla, these are a non-binding set of vague promises organized by the car manufacturers themselves. Questions around consent are essentially a joke as well. Subaru, for example, says that by being a passenger in the car, you are considered a "user" who has given the company consent to harvest information about you. Mozilla said a number of car brands say it's the drivers responsibility to let passengers know about their car's privacy policies -- as if the privacy policies are comprehensible to drivers in the first place. Toyota, for example, has a constellation of 12 different privacy policies for your reading pleasure.

The UK's worst air-traffic outage in a decade was caused by an anomaly in the airspace manager's software system, which confused two geographical checkpoints separated by some 4,000 nautical miles. From a report: The UK's Civil Aviation Authority said Wednesday it will conduct an independent review of the incident, which forced hundreds of flights to be canceled or delayed last week after an error in processing an airline's flight plan. The glitch triggered a shutdown of the software system run by NATS for safety reasons, according to a preliminary report from the public-private partnership formerly called National Air Traffic Services. This forced air-traffic staff to input flight plans manually, drastically reducing the amount of air traffic that could be processed.

The event sent airlines and airports in the UK into turmoil on Aug. 28, leaving planes out of position and passengers stranded. Nearly 800 flights leaving UK airports were canceled, with a similar number of arrivals scrapped, according to analytics firm Cirium. The report by NATS showed that on the day of the incident, an airline entered a plan into the system which led through UK airspace. NATS Chief Executive Officer Martin Rolfe declined to discuss details of the flight, such as its route or the airline involved, saying the specifics weren't pertinent to the outage. While the flight plan wasn't faulty, it threw off the system because the software used by NATS received duplicate identities for two different points on the map. There are an infinite number of flight-plan waypoints in the world, and duplicates remain despite work to remove them, according to Rolfe.

An exploit for a bug in Windows appears to increase the performance of File Explorer in Microsoft's flagship operating system. From a report: Spotted over the weekend by Xitter user @VivyVCCS, the hack is triggered by a swift jab of the F11 key to switch File Explorer in and out of full-screen mode. According to the post, load performance is improved markedly.

The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is "technically feasible" to do so, postponing measures that critics say threaten users' privacy. Financial Times: A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour bid by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users' security. The statement is set to outline that Ofcom, the tech regulator, will only require companies to scan their networks when a technology is developed that is capable of doing so, according to people briefed on the plan. Many security experts believe it could be years before any such technology is developed, if ever.

"A notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content," the statement will say. The online safety bill, which has been in development for several years and is now in its final stages in parliament, is one of the toughest attempts by any government to make Big Tech companies responsible for the content that is shared on their networks.

AmiMoJo writes: In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

Taylor Monahan is founder and CEO of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people, Collectively, these individuals have been robbed of more than $35 million worth of crypto. Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one's email and/or mobile phone accounts.

Israel's prime minister on Sunday floated the idea of building infrastructure projects such as a fiber optic cable linking countries in Asia and the Arabian Peninsula with Europe through Israel and Cyprus. From a report: Prime Minister Benjamin Netanyahu said he's "quite confident" such an infrastructure "corridor" linking Asia to Europe through Israel and Cyprus is feasible. He said such projects could happen if Israel normalizes relations with other countries in the region. The 2020 U.S.-brokered Abraham Accords normalized relations between Israel and the United Arab Emirates and Bahrain, and the Biden administration is trying to establish official ties between Israel and Saudi Arabia.

"An example and the most obvious one is a fiber optic connection. That's the shortest route. It's the safest route. It's the most economic route," Netanyahu said after talks with Cypriot President Nikos Christodoulides. The Israeli leader's pitch is itself an extension of proposed energy links with Cyprus and Greece as part of growing collaboration on energy in the wake of discoveries of significant natural gas deposits in the economic zones of both Israel and Cyprus.

When it comes to US government employee satisfaction with IT services, one agency finds itself continually at the bottom of the heap: The rather crucial Department of Defense. From a report: Results from the General Services Administration's (GSA) Mission-Support Customer Satisfaction Survey published on Wednesday found the DoD was trailing the other 23 US federal government agencies included in the research. Of the seven technology user areas surveyed, the DoD came dead last in user satisfaction for IT support, equipment, function, and communication/collaboration.

The DoD didn't fare much better in the three areas it wasn't scraping the bottom, either. For strategic IT partnerships and development, modernizations and enhancement the Defense Department ranked twentieth (out of 24), and for operations and maintenance satisfaction it beat the US Department of Agriculture - barely - on the seven-point scale used by the GSA. Despite its abysmal ranking among its fellow federal agencies, the DoD's users were still generally okay with their IT service, with 65 percent of respondents saying they were at least somewhat satisfied with IT support, and 64.5 percent expressing some degree of satisfaction with their IT equipment. Only development, modernization and enhancement failed to net 50 percent satisfaction among DoD respondents.

America's return-to-office has been a "lagging return," reports the Washington Post: Even with millions of workers across the country being asked to return to their cubicles, office occupancy has been relatively static for the past year. The country's top 10 metropolitan areas averaged 47.2 percent of pre-pandemic levels last week, according to data from Kastle Systems. This time last year, the average was around 44 percent....

About 52 percent of remote-capable U.S. workers are operating under hybrid arrangements, according to data from Gallup, while 29 percent are exclusively remote. And though executives like Meta's Mark Zuckerberg have argued that the rise of flexible work has had a deleterious effect on productivity, data from the Bureau of Labor Statistics shows that labor productivity rose 3.7 percent in the second quarter of 2023 and is up 1.3 percent compared to this time last year.

While employers cite the collaborative benefits of spending time together in person, the majority of hybrid arrangements aren't fostering the connections bosses want to see, according to Rob Cross, associate professor of management at Babson College who studies collaboration across various companies through surveys, email and meeting data. He's found that mandates for a certain number of days in office are missing the mark, "because you're not getting the right people who need to collaborate... What we're seeing that's more successful is when companies are using some form of analytics" to determine which workers need to come in on the same days, Cross said. He estimates that only about 5 percent of organizations are taking this approach. "Leaders are just saying, 'We need water-cooler moments,' " Cross said. "They're not looking and saying, 'These are the interactions we need to stimulate.' "
But the article argues that "After more than two years of trying to coax workers back into offices, bosses are losing their patience... Even tech companies that were once champions of remote work are changing their tune." The article cites return-to-office policies at Zoom, Meta, and Amazon, arguing that "Employers have new leverage as the labor market has cooled, leaving workers less room to be choosy..." The days of enticing employees with free food, laundry services and yoga classes are largely over. Now, executives are resorting to threats — and it's forcing some workers to decide whether they're willing to give up the flexibility they've gotten used to... "The pendulum has shifted from employees having all the power," said Matt Cohen, founder and managing partner of Ripple Ventures, a venture fund in Toronto that works with early stage companies across North America. The bulk of start-up founders he works with are requiring employees to be in offices a few days a week, although there's pushback. "During the pandemic, a lot of salespeople were taking calls from the top of mountains on hiking trips," Cohen said. "That's not working anymore...."

[R]emote work is becoming harder to find. Roughly 8 percent of all job postings now advertise remote or hybrid work, according to Nick Bunker, director of North American economic research at Indeed Hiring Lab. That's down from 9.7 percent last year, he said, but still up significantly over pre-pandemic levels.
The workplace software company HqO's chief executive says workers are after "elevated experiences they can't get at home". Their data shows workers attracted by free food, high-quality tools, and attractive workspaces — but "The number one thing people want out of a workplace is concentration space..You're not going to get them into a place just built for social interaction. You've got to be able to concentrate...."

But the CEO of PR software company Muck Rack says going fully remote benefited their workers — both their well-being and their productivity. "I hope more people see the potential here and don't just go along with the return-to-office narrative.

An anonymous reader shared this report from cybersecurity blogger Brian Krebs: Domain names ending in ".US" — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States... [F]ew other major countries in the world have anywhere near as many phishing domains each year as .US.

That's according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle's newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.

.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world's largest domain registrar. Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn't working.