Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they're hard to detect or remove. ArsTechnica: The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the Unified Extensible Firmware Interface firmware has loaded and handed off control to the operating system.

The vulnerability, tracked as CVE-2023-40547, is what's known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in a part of the shim that processes booting up from a central server on a network using the same HTTP that the the web is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from. "An attacker would need to be able to coerce a system into booting from HTTP if it's not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it," Matthew Garrett, a security developer and one of the original shim authors, wrote in an online interview. "An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code)."

Disney Plus has started to inform subscribers about new changes to its terms of service that will, among other things, make it harder for people to access the service using log-in credentials that aren't actually theirs. From a report:The updated terms come a few months after Disney Plus implemented similar measures for its Canadian subscribers and just days after Hulu sent out similar notices to users about changes to its own TOS and its plans to stop password sharing in the coming weeks. Like Hulu's terms of service, the changes to Disney Plus' agreement are dated January 25th and are already in effect for new customers. Per Disney Plus' emails, existing subscribers can expect the new restrictions to go into effect on March 14th.

An anonymous reader quotes a report from Tom's Hardware: According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company's website. The firm's site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business. In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.

Stefan Zuger from the Swiss branch of the global cybersecurity firm Fortinet provided the publication with a few tips on what people could do to protect their own toothbrushes -- or other connected gadgetry like routers, set-top boxes, surveillance cameras, doorbells, baby monitors, washing machines, and so on. "Every device that is connected to the Internet is a potential target -- or can be misused for an attack," Zuger told the Swiss newspaper. The security expert also explained that every connected device was being continually probed for vulnerabilities by hackers, so there is a real arms race between device software/firmware makers and cyber criminals. Fortinet recently connected an 'unprotected' PC to the internet and found it took only 20 minutes before it became malware-ridden. UPDATE 1/7/24: This attack "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes."

The cybersecurity firm Fortinet said in a statement: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred. FortiGuard Labs has not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices."

The U.S. has announced new visa restrictions for individuals and companies misusing commercial spyware to surveil, harass or intimidate journalists, activists and other dissidents. Citing a senior Biden administration official, Reuters adds that the new policy will also apply to investors and operators of the commercial spyware believed to be misused. At least 50 U.S. officials have been targeted by private hacking tools in recent years.

An anonymous reader shares a report: An underground website called OnlyFake is claiming to use "neural networks" to generate realistic looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds. In our own tests, OnlyFake created a highly convincing California driver's license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is laying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes. 404 Media then used another fake ID generated by this site to successfully step through the identity verification process on OKX. OKX is a cryptocurrency exchange that has recently appeared in multiple court records because of its use by criminals.

Rather than painstakingly crafting a fake ID by hand -- a highly skilled criminal profession that can take years to master -- or waiting for a purchased one to arrive in the mail with the risk of interception, OnlyFake lets essentially anyone generate fake IDs in minutes that may seem real enough to bypass various online verification systems. Or at least fool some people. "The era of rendering documents using Photoshop is coming to an end," an announcement posted to OnlyFake's Telegram account reads. As well as "neural networks," the service claims to use "generators" which create up to 20,000 documents a day. The service's owner, who goes by the moniker John Wick, told 404 Media that hundreds of documents can be generated at once using data from an Excel table.

Microsoft's Visual Studio Code editor now includes a voice command that launches GitHub Copilot Chat just by saying "Hey Code."

But one Linux blog notes that the editor has suddenly stopped supporting Ubuntu 18.04 LTS — "a move causing issues for scores of developers." VS Code 1.86 (aka the 'January 2024' update) saw Microsoft bump the minimum build requirements for the text editor's popular remote dev tools to â¥glibc 2.28 — but Ubuntu 18.04 LTS uses glibc 2.27, ergo they no longer work.

While Ubuntu 18.04 is supported by Canonical until 2028 (through ESM) a major glibc upgrade is unlikely. Thus, this "breaking change" is truly breaking workflows...

It seems affected developers were caught off-guard as this (rather impactful) change was not signposted before, during, or after the VS Code update (which is installed automatically for most, and the update was pushed out to Ubuntu 18.04 machines). Indeed, most only discovered this issue after update was installed, they tried to connect to a remote server, and discovered it failed. The resulting error message does mention deprecation and links to an FAQ on the VS Code website with workarounds (i.e. downgrade).

But as one developer politely put it.... "It could have checked the libc versions and refused the update. Now, many people are screwed in the middle of their work."
The article points out an upgrade to Ubuntu 20.04 LTS will address the problem. On GitHub a Microsoft engineer posted additional options from VS Code's documentation: If you are unable to upgrade your Linux distribution, the recommended alternative is to use our web client. If you would like to use the desktop version, then you can download the VS Code release 1.85. Depending on your platform, make sure to disable updates to stay on that version.
Microsoft then locked the thread on GitHub as "too heated" and limited conversation to just collaborators.

In a related thread someone suggested installing VS Code's Flatpak, which was still on version 1.85 — and then disabling updates. But soon Microsoft had locked that thread as well as "too heated," again limiting conversation to collaborators.

Mozilla claims in a new 74-page research report that Microsoft "repeatedly uses harmful design" and "dark patterns" to push users toward Microsoft Edge and away from rival browsers like Mozilla's Firefox or Google's Chrome browser. PCMag: "Microsoft uses the harmful preselection, visual interference, trick wording, and disguised ads patterns to skew user choice," the report argues, adding that "Microsoft's harmful design practices mean users are unable to download, install, use, or set as default an alternative browser without interference." The researchers claim this harms consumers because they can experience "distortion of choice," lose trust in the broader tech industry, and even possibly experience "emotional distress" as a result of Microsoft's efforts.

For the study, user experiences were tested on Windows 10 Home and Windows 11 Pro as well as the Windows 11 Home Insider Preview Version. The UK-based testers did not attempt to use a VPN to change or hide their IP addresses during their investigation. While Microsoft recently said it will allow users in the European Union to uninstall Edge as part of its efforts to comply with the Digital Markets Act (DMA), it's unclear whether US, UK, or other users around the globe could ever get the same option. Some Windows 11 users can remove five other apps that come preinstalled, however.

Google has removed links to page caches from its search results page, the company's search liaison Danny Sullivan has confirmed. From a report: "It was meant for helping people access pages when way back, you often couldn't depend on a page loading," Sullivan wrote on X. "These days, things have greatly improved. So, it was decided to retire it."

The cache feature historically let you view a webpage as Google sees it, which is useful for a variety of different reasons beyond just being able to see a page that's struggling to load. SEO professionals could use it to debug their sites or even keep tabs on competitors, and it can also be an enormously helpful news gathering tool, giving reporters the ability to see exactly what information a company has added (or removed) from a website, and a way to see details that people or companies might be trying to scrub from the web. Or, if a site is blocked in your region, Google's cache can work as a great alternative to a VPN.

Shiftall, the Japan-based VR hardware creator, is no longer owned by Panasonic, as the company has been effectively sold off to the Tokyo-based company CREEK & RIVER. From a report: As first noted by tech analyst and YouTuber Brad Lynch, Panasonic today announced it has transferred all shares of Shiftall to the Tokyo-based company CREEK & RIVER Co., Ltd., which specializes in outsourcing, consulting, content management and distribution services. Acquired by Panasonic in 2018, Shiftall primarily focused on niche consumer devices, but shifted over the years to focusing on VR hardware, such as its MeganeX PC VR headset, HaritoraX wireless body trackers, FlipVR motion controllers, and mutalk soundproof microphones.

Software developer Alex debunked the myth of a 381 km x 381 km maximum PDF size. While limitations exist in reader apps, the format itself allows for much larger documents, she found. She even created a PDF exceeding Germany's size.

Cybercriminals are selling ready-made "pig-butchering" scam kits on the dark web to conduct "DeFi savings" cryptocurrency fraud, according to Sophos. The kits expedite scamming worldwide. In these scams, criminals build online relationships then persuade victims to invest in fake crypto schemes, manipulating them to drain digital wallets. The bundled kits contain websites enabling wallet access via Ethereum blockchain plus chat support posing as technical staff. Victims open legitimate crypto apps but enter malicious sites letting criminals steal funds. The report details the mass distribution of these DIY crypto fraud kits.

wiredmikey writes: Web security and CDN giant Cloudflare said it was hacked by a threat actor using stolen credentials to access internal systems, code repositories, along with an AWS environment, as well as Atlassian Jira and Confluence. The goal of the attack, Cloudflare says, was to obtain information on the company's infrastructure, likely to gain a deeper foothold.

According to Cloudflare, more than 5,000 individual production credentials were rotated following the incident, close to 5,000 systems were triaged, test and staging systems were physically segmented, and every machine within the Cloudflare global network was reimaged and rebooted.

Identity management company Okta said on Thursday in a message to employees that it would lay off 400 employees, about 7% of the company's headcount. From a report: CEO Todd McKinnon said in his message that the "reality is that costs are still too high." Okta is only the latest tech company to trim headcount in the opening weeks of 2024. Nearly 24,000 tech workers lost their jobs in January alone, even as many tech companies saw their stock prices continue to grow.

Apple has discontinued support for the mid-2012 13-inch MacBook Pro, the last model to include an optical drive. Products are considered obsolete when Apple ceased distribution over 7 years ago, making service and parts unavailable. The laptop was removed from Apple's lineup in 2016 but remained compatible with macOS until Big Sur in 2020. While optical drives had already fallen out of favor, the phase out marks the end of an era for pro users requiring discs for media production.

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," said FBI Director Christopher Wray in a prepared testimony before the House Select Committee on the Chinese Communist Party. NBC News reports: Wray also argued that "there has been far too little public focus" that Chinese hackers are targeting critical infrastructure in the U.S. such as water treatment plants, electrical grids, oil and natural gas pipelines, and transportation systems, according to the prepared remarks. "And the risk that poses to every American requires our attention -- now," his prepared testimony said.

As Wray testified, the Justice Department and FBI announced they had disabled a Chinese hacking operation that had infected hundreds of small office and home routers with botnet malware that targeted critical infrastructure. The DOJ said the hackers, known to the private sector as "Volt Typhoon," used privately owned small routers that were infected with "KV botnet" malware to conceal further Chinese hacking activities against U.S. and foreign victims. Wray addressed the malware in his testimony, emphasizing that it targets critical infrastructure in the U.S. [...]

At Wednesday's hearing, the director of the federal Cybersecurity and Infrastructure Security Agency, Jen Easterly, testified that Americans should expect efforts by China to wage influence campaigns online relating to the 2024 election. However, Easterly added that she was confident that voting systems and other election infrastructure are well-defended. "To be very clear, Americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that's been done by state and local election officials, by the federal government, by vendors, by the private sector since 2016," Easterly said in her testimony.

Wray emphasized in the remarks that the "cyber onslaught" of Chinese hackers "goes way beyond prepositioning for future conflict," saying in the prepared remarks that every day the hackers are "actively attacking" U.S. economic security, engaging in "wholesale theft of our innovation, and our personal and corporate data." "And they don't just hit our security and economy. They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents," the excerpts said.

Ivanti warned on Wednesday that hackers are exploiting another previously undisclosed zero-day vulnerability affecting its widely used corporate VPN appliance. From a report: Since early December, ââChinese state-backed hackers have been exploiting Ivanti Connect Secure's flaws -- tracked as CVE-2023-46805 and CVE-2024-21887 -- to break into customer networks and steal information. Ivanti is now warning that it has discovered two additional flaws -- tracked as CVE-2024-21888 and CVE-2024-21893 -- affecting its Connect Secure VPN product. The former is described as a privilege escalation vulnerability, while the latter -- known as a zero-day because Ivanti had no time to fix the bug before hackers began exploiting it -- is a server-side bug that allows an attacker access to certain restricted resources without authentication. In its updated disclosure, Ivanti said it has observed "targeted" exploitation of the server-side bug. Germany's Federal Office for Information Security, known as the BSI, said in a translated advisory on Wednesday that it has knowledge of "multiple compromised systems."

A highly sensitive cache of code, infrastructure diagrams, internal passwords, and other technical information belonging to cryptocurrency giant Binance has been sitting on a publicly accessible GitHub repository for months, 404 Media has learned. From a report: Binance only managed to have GitHub remove the data under a copyright takedown request last week, but not before 404 Media and other people managed to view it. Although there is no public evidence this data was accessed or used by malicious parties, the cache contained a wealth of information that could be useful to hackers looking to compromise Binance's systems.

"This account is using our client's internal code which poses significant risk to Binancec. and causes severe financial harm to Binance and user's confusion/harm," a section of the takedown request, available on GitHub, reads. Another section says the GitHub repository is "hosting and distributing leaks of internal code which poses significant risk to BINANCE." For example, one diagram included in a folder called "binance-infra-2.0" shows the interlocking between different parts of Binance's various dependencies. The cache also contains a wealth of scripts and code. Some of that code appears to relate to how Binance implements passwords and multi-factor authentication. The code includes comments in both English and Chinese.

An anonymous reader shares a report: In a somewhat groundbreaking yet bizarre scientific feat, MIT biotechnology PhD student researcher Lauren "Ren" Ramlan has coaxed a simulation of the humble E. coli bacteria into a rudimentary screen capable of displaying the iconic video game. However, before you get too excited about playing games in a petri dish, there's a catch. According to Ramlan's simulation, displaying a single frame of Doom on these bioluminescent bacteria -- should anyone attempt to do this with the real thing -- would take roughly 70 minutes, with a full reset to the bacteria's original state taking a whopping eight hours and 20 minutes.

Dubbed a step into the world of biological screens, Ramlan engineered a system where the bacteria would function as 1-bit pixels, toggling between light and dark states. This bio-display utilizes a well plate in a 32x48 array, each containing genetically modified E. coli that can be induced to fluoresce, creating a grid of pixel-like structures.

Tom Warren, writing for The Verge: Last week, I turned on my PC, installed a Windows update, and rebooted to find Microsoft Edge automatically open with the Chrome tabs I was working on before the update. I don't use Microsoft Edge regularly, and I have Google Chrome set as my default browser. Bleary-eyed at 9AM, it took me a moment to realize that Microsoft Edge had simply taken over where I'd left off in Chrome. I never imported my data into Microsoft Edge, nor did I confirm whether I wanted to import my tabs. But here was Edge automatically opening after a Windows update with all the Chrome tabs I'd been working on. I didn't even realize I was using Edge at first, and I was confused why all my tabs were suddenly logged out.

After the shock wore off, I looked to make sure I hadn't accidentally allowed this behavior. I found a setting in Microsoft Edge that imports data from Google Chrome on each launch. "Always have access to your recent browsing data each time you browse on Microsoft Edge," reads Microsoft's description of the feature in Edge. This setting was disabled, and I had never been asked to turn it on. So I went to install the same Windows update on a laptop, which actually resulted in it failing and my having to do a system restore. Once the system restore was complete, the same thing happened. Edge opened automatically with all of my Chrome tabs. I haven't been able to replicate the behavior on other PCs, but a number of X users replied to my post about this saying they have experienced the same thing in the past.

Dan Goodin, reporting for ArsTechnica: ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated. Two of the seven screenshots the reader submitted stood out in particular. Both contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal. An employee using the AI chatbot seemed to be troubleshooting problems they encountered while using the portal.

"THIS is so f-ing insane, horrible, horrible, horrible, i cannot believe how poorly this was built in the first place, and the obstruction that is being put in front of me that prevents it from getting better," the user wrote. "I would fire [redacted name of software] just for this absurdity if it was my choice. This is wrong." Besides the candid language and the credentials, the leaked conversation includes the name of the app the employee is troubleshooting and the store number where the problem occurred. The entire conversation goes well beyond what's shown in the redacted screenshot above. A link Ars reader Chase Whiteside included showed the chat conversation in its entirety. The URL disclosed additional credential pairs. The results appeared Monday morning shortly after reader Whiteside had used ChatGPT for an unrelated query.