Android

Millions of Android Phones and TVs May Come with Preinstalled Malware (arstechnica.com) 19

"Multiple lines of Android devices came with preinstalled malware," reports Ars Technica, "that couldn't be removed without users taking heroic measures."

Their article cites two reports released Thursday — one from Trend Micro and one from TechCrunch: Trend Micro researchers following up on a presentation delivered at the Black Hat security conference in Singapore reported that as many as 8.9 million phones comprising as many as 50 different brands were infected with malware... ["It's highly likely that more devices have been preinfected," the report clarified, "but have not exchanged communication with the Command & Control server, have not been used or activated by the threat actor, or have yet to be distributed to the targeted country or market... The threat actor has spread this malware over the last five years. "]

"Guerrilla" opens a backdoor that causes infected devices to regularly communicate with a remote command-and-control server to check if there are any new malicious updates for them to install. These malicious updates collect data about the users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla then surreptitiously installs aggressive ad platforms that can deplete battery reserves and degrade the user experience... Guerrilla is a massive platform with nearly a dozen plugins that can hijack users' WhatsApp sessions to send unwanted messages, establish a reverse proxy from an infected phone to use the network resources of the affected mobile device, and inject ads into legitimate apps...

TechCrunch detailed several lines of Android-based TV boxes sold through Amazon that are laced with malware. The TV boxes, reported to be T95 models with an h616, report to a command-and-control server that, just like the Guerrilla servers, can install any application the malware creators want. The default malware preinstalled on the boxes is known as a clickbot. It generates advertising revenue by surreptitiously tapping on ads in the background...

Android devices that come with malware straight out of the factory box are, unfortunately, nothing new. Ars has reported on such incidents at least five times in recent years (here, here, here, here, and here). All the affected models were in the budget tier.

People in the market for an Android phone should steer toward known brands like Samsung, Asus, or OnePlus, which generally have much more reliable quality assurance controls on their inventory. To date, there have never been reports of higher-end Android devices coming with malware preinstalled. There are similarly no such reports for iPhones.

Music

A Group of Workers at Bandcamp Just Voted to Unionize (bandcampunited.org) 23

Bandcamp is music streaming platform helping fans support independent musicians. And Bandcamp United describes itself as "a union of workers at Bandcamp — we are project managers, we are engineers, we are designers, we are vinyl campaign managers, we are support staff, we are editors and writers..."

Friday Bandcamp United issued this statement: Today, a majority of eligible Bandcamp workers voted 31-7 in favor of forming Bandcamp United, a union represented by the Office and Professional Employees International Union (OPEIU). The vote results now await certification by the National Labor Relations Board, with a collective bargaining process to follow.

Below is a joint statement from Bandcamp co-founder Ethan Diamond and Bandcamp United:

â "Bandcamp United and Bandcamp management are committed to working together to continue to advance fair economic conditions for our workers and the artists who rely on us. We look forward to negotiating with an open mind and working in good faith to promote the best interests of all of our staff and the artist and label community we serve."

Google

Google Pushes New Domains Onto the Internet, and the Internet Pushes Back (arstechnica.com) 50

A recent move by Google to populate the Internet with eight new top-level domains is prompting concerns that two of the additions could be a boon to online scammers who trick people into clicking on malicious links. From a report: Two weeks ago, Google added eight new TLDs to the Internet, bringing the total number of TLDs to 1,480, according to the Internet Assigned Numbers Authority, the governing body that oversees the DNS Root, IP addressing, and other Internet protocol resources. Two of Google's new TLDs -- .zip and .mov -- have sparked scorn in some security circles. While Google marketers say the aim is to designate "tying things together or moving really fast" and "moving pictures and whatever moves you," respectively, these suffixes are already widely used to designate something altogether different. Specifically, .zip is an extension used in archive files that use a compression format known as zip. The format .mov, meanwhile, appears at the end of video files, usually when they were created in Apple's QuickTime format. Many security practitioners are warning that these two TLDs will cause confusion when they're displayed in emails, on social media, and elsewhere. The reason is that many sites and software automatically convert strings like "arstechnica.com" or "mastodon.social" into a URL that, when clicked, leads a user to the corresponding domain. The worry is that emails and social media posts that refer to a file such as setup.zip or vacation.mov will automatically turn them into clickable links -- and that scammers will seize on the ambiguity.
IT

Nvidia Announces a $299 RTX 4060 With the 4060 Ti Arriving May 24 For $399 (theverge.com) 50

Nvidia has officially announced its RTX 4060 family of GPUs. This includes the RTX 4060 Ti, which will debut next week on May 24th starting at $399, and -- perhaps the biggest news -- the RTX 4060, which will be available in July for just $299, $30 less than the RTX 3060's original retail price. A 16GB version of the RTX 4060 Ti is also due in July for $499. From a report: Nvidia's 60-class GPUs are the most popular among PC gamers on Steam, and the launch of the RTX 4060 family marks the first time we've seen Nvidia's latest RTX 40-series cards available under the $500 price point, let alone under $300. The $399 RTX 4060 Ti will ship on May 24th with just 8GB of VRAM, while a 16GB model is due in July priced at $499. There's an ongoing debate over the value of 8GB cards in the PC gaming community right now, particularly with the arrival of more demanding games that really push the limits of GPU memory even at 1080p (if you want all the max settings enabled, that is). It's a much bigger issue at 1440p and, of course, 4K resolutions, but Nvidia appears to be positioning its RTX 4060 Ti card for the 1080p market. [...] Specs-wise, the RTX 4060 Ti will be a 22 teraflop card with AV1 encoder support and more efficient energy usage. The total graphics power is 160 watts on both the RTX 4060 Ti 8GB and 16GB models, with Nvidia claiming the average gaming power usage will be around 140 watts. The RTX 3060 Ti had a total graphics power of 200 watts, and Nvidia says it uses 197 watts during games on average, so there are some impressive power efficiency improvements here.
Google

Google Will Disable Third-Party Cookies For 1% of Chrome Users in Q1 2024 (techcrunch.com) 70

An anonymous reader shares a report: Google's Privacy Sandbox aims to replace third-party cookies with a more privacy-conscious approach, allowing users to manage their interests and grouping them into cohorts based on similar browsing patterns. That's a major change for the online advertising industry, and after years of talking about it and releasing various experiments, it's about to get real for the online advertising industry. Starting in early 2024, Google plans to migrate 1% of Chrome users to Privacy Sandbox and disable third-party cookies for them, the company announced today. Google's plan to completely deprecate third-party cookies in the second half of 2024 remains on track.

In addition, with the launch of the Chrome 115 release in July, Google is making Privacy Sandbox's relevance and measurement APIs generally available to all Chrome users, making it easy for developers to test these APIs with live traffic. Google doesn't plan to make any significant changes to the API after this release. Deprecating third-party cookies for 1% of Chrome users doesn't sound like it would have a major impact, but as Google's Victor Wong, who leads product for Private Advertising Technology within Privacy Sandbox, told me, it will help developers assess their real-world readiness for the larger changes coming in late 2024. To get ready for this, developers will also be able to simulate their third-party cookie deprecation readiness starting in Q4 2023, when they'll be able to test their solutions by moving a configurable percentage of their users to Privacy Sandbox.

Security

Malware Turns Home Routers Into Proxies For Chinese State-Sponsored Hackers (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Researchers on Tuesday unveiled a major discovery -- malicious firmware that can wrangle a wide range of residential and small office routers into a network that stealthily relays traffic to command-and-control servers maintained by Chinese state-sponsored hackers. A firmware implant, revealed in a write-up from Check Point Research, contains a full-featured backdoor that allows attackers to establish communications and file transfers with infected devices, remotely issue commands, and upload, download, and delete files. The implant came in the form of firmware images for TP-Link routers. The well-written C++ code, however, took pains to implement its functionality in a "firmware-agnostic" manner, meaning it would be trivial to modify it to run on other router models.

The main purpose of the malware appears to relay traffic between an infected target and the attackers' command and control servers in a way that obscures the origins and destinations of the communication. With further analysis, Check Point Research eventually discovered that the control infrastructure was operated by hackers tied to Mustang Panda, an advanced persistent threat actor that both the Avast and ESET security firms say works on behalf of the Chinese government.

The researchers discovered the implant while investigating a series of targeted attacks against European foreign affairs entities. The chief component is a backdoor with the internal name Horse Shell. The three main functions of Horse Shell are: a remote shell for executing commands on the infected device; file transfer for uploading and downloading files to and from the infected device; and the exchange of data between two devices using SOCKS5, a protocol for proxying TCP connections to an arbitrary IP address and providing a means for UDP packets to be forwarded. The SOCKS5 functionality seems to be the ultimate purpose of the implant. By creating a chain of infected devices that establish encrypted connections with only the closest two nodes (one in each direction), it's difficult for anyone who stumbles upon one of them to learn the origin or ultimate destination or the true purpose of the infection. As Check Point researchers wrote:
"Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control," Check Point researchers wrote in a shorter write-up. "In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal."
Security

Wemo Won't Fix Smart Plug Vulnerability Allowing Remote Operation (arstechnica.com) 56

An anonymous reader shares a report: IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemo's own apps -- with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.

The other key takeaway is that Wemo-maker Belkin told Sternum that it would not be patching this flaw because the Mini Smart Plug V2 is "at the end of its life and, as a result, the vulnerability will not be addressed." We've reached out to Belkin to ask if it has comments or updates. Sternum states that it notified Belkin on January 9, received a response on February 22, and disclosed the vulnerability on March 14.

Cellphones

Re-Victimization From Police-Auctioned Cell Phones (krebsonsecurity.com) 31

An anonymous reader quotes a report from KrebsOnSecurity: Countless smartphones seized in arrests and searches by police forces across the United States are being auctioned online without first having the data on them erased, a practice that can lead to crime victims being re-victimized, a new study found (PDF). In response, the largest online marketplace for items seized in U.S. law enforcement investigations says it now ensures that all phones sold through its platform will be data-wiped prior to auction.

Researchers at the University of Maryland last year purchased 228 smartphones sold "as-is" from PropertyRoom.com, which bills itself as the largest auction house for police departments in the United States. Of phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they were able to guess an additional 11 of the PINs by using the top-40 most popular PIN or swipe patterns. Phones may end up in police custody for any number of reasons -- such as its owner was involved in identity theft -- and in these cases the phone itself was used as a tool to commit the crime. "We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner," the researchers explained in a paper released this month. "Unfortunately, that expectation has proven false in practice."

Beyond what you would expect from unwiped second hand phones -- every text message, picture, email, browser history, location history, etc. -- the 61 phones they were able to access also contained significant amounts of data pertaining to crime -- including victims' data -- the researchers found. [...] Also, the researchers found that many of the phones clearly had personal information on them regarding previous or intended targets of crime: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that apparently belonged to sex workers; their phones contained communications with clients.
"We informed [PropertyRoom] of our research in October 2022, and they responded that they would review our findings internally," said Dave Levin, an assistant professor of computer science at University of Maryland. "They stopped selling them for a while, but then it slowly came back, and then we made sure we won every auction. And all of the ones we got from that were indeed wiped, except there were four devices that had external SD [storage] cards in them that weren't wiped."
Security

Alleged Russian Hacker Charged in $200 Million Ransomware Spree (bloomberg.com) 16

A Russian man was charged by US authorities in connection with his alleged role with multiple ransomware gangs that attacked hospitals, schools and police departments. From a report: Mikhail Pavlovich Matveev, who was known online as Wazawaka, was an active member of three ransomware gangs that collectively demanded $400 million from victims and received nearly $200 million in ransom payments, according to the Department of Justice. Ransomware groups typically hack into computer networks and deploy malicious software that encrypts computers and makes them unusable. The groups demand extortion payments in cryptocurrency and threaten to leak stolen data online if the ransom is not paid.

Matveev was allegedly a member of the Lockbit, Babuk and Hive ransomware gangs. Those groups are "ranked among the most active and destructive cybercriminal threats in the world," Philip Sellinger, the US attorney for the district of New Jersey, wrote in an indictment. Matveev, along with other members of the ransomware gangs, attacked as many as 2,800 victims in the US and around the world, Sellinger wrote. The alleged victims include the Metropolitan Police Department in the District of Columbia, which was attacked with ransomware in 2021. The hackers proceeded to publish dozens of stolen personnel files. The groups also targeted churches and nonprofits, the Department of Justice said.

Google

Google To Delete Inactive Accounts Starting December (reuters.com) 42

Alphabet's Google on Tuesday said it would delete accounts that had remained unused for two years starting December, in a bid to prevent security threats including hacks. From a report: The company said that if a Google account had not been used or signed into for at least two years, it might delete the account and content across Google Workspace, which includes Gmail, Docs, Drive, Meet and Calendar, as well as YouTube and Google Photos. The policy change only applies to personal Google Accounts and not to those for organizations like schools or businesses. In 2020, Google had said it would remove content stored in an inactive account, but not delete the account itself. Starting Tuesday, Google will send multiple notifications to the account email address and recovery mail of the inactive accounts before deletion.
Microsoft

Microsoft Is Scanning the Inside of Password-Protected Zip Files For Malware (arstechnica.com) 130

An anonymous reader quotes a report from Ars Technica: Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected." "While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples," Brandt wrote. "The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs."

Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list. "If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote.
"A Google representative said the company doesn't scan password-protected zip files, though Gmail does flag them when users receive such a file," notes Ars.

"One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files."
Television

Startup Plans To Give Away 500,000 Free 4K TVs. The Catch? The Sets Have a Second Screen That Constantly Shows Ads (variety.com) 190

Ilya Pozin made a bunch of money when Viacom bought Pluto TV, the free video-streaming company he co-founded, for $340 million four years ago. Since exiting Pluto about a year after that deal closed, Pozin has been working on another startup venture -- one he thinks will be a much bigger deal. From a report: On Monday, Pozin's brainchild, Telly, comes out of stealth after two years in development. Telly wants to ship out thousands (and eventually millions) of free 4K HDTVs, which would cost more than $1,000 at retail, according Pozin. The 55-inch main screen is a regular TV panel, with three HDMI inputs and an over-the-air tuner, plus an integrated soundbar. The Telly TVs don't actually run any streaming apps that let you access services like Netflix, Prime Video or Disney+; instead, they're bundled with a free Chromecast with Google TV adapter.

What's new and different: The unit has a 9-inch-high second screen, affixed to the bottom of the set, which is real estate Telly will use for displaying news, sports scores, weather or stocks, or even letting users play video games. And, critically, Telly's second screen features a dedicated space on the right-hand side that will display advertising -- ads you can't skip past and ads that stay on the screen the whole time you're watching TV... and even when you're not.

Cloud

Only Cloud Providers Get Security Right. Can IT Vendors Catch Up? (esecurityplanet.com) 136

Slashdot reader storagedude writes: If cloud service providers are the only ones who can get security right, will everyone eventually move to the cloud?

That's one of the questions longtime IT systems architect Henry Newman asks in a new article on eSecurity Planet.

"The concept of zero trust has been around since 2010, when Forrester Research analyst John Kindervag created the zero trust security model. Yet two years after the devastating Colonial Pipeline attack and strong advocacy from the U.S. government and others, we are still no closer to seeing zero trust architecture widely adopted," Newman writes. "The only exception, it seems, has been cloud service providers, who boast an enviable record when it comes to cybersecurity, thanks to rigorous security practices like Google's continuous patching."

"As security breaches continue to happen hourly, sooner or later zero trust requirements are going to be forced upon all organizations, given the impact and cost to society. The Biden Administration is already pushing ambitious cybersecurity legislation, but it's unlikely to get very far in the current Congress. I am very surprised that the cyber insurance industry has not required zero trust architecture already, but perhaps the $1.4 billion Merck judgment that went against the industry last week will begin to change that.

"The central question is, can any organization implement a full zero trust stack, buy hardware and software from various vendors and put it together, or will we all have to move to cloud service providers (CSPs) to get zero trust security?

"Old arguments that cloud profit margins will eventually make on-premises IT infrastructure seem like the cheaper alternative failed to anticipate an era when security became so difficult that only cloud service providers could get it right."

Cloud service providers have one key advantage when it comes to security, Newman notes: They control, write and build much of their software and hardware stacks.

Newman concludes: "I am somewhat surprised that cloud service providers don't tout their security advantages more than they do, and I am equally surprised that the commercial off-the-shelf vendors do not band together faster than they have been to work on zero trust. But what surprises me the most is the lack of pressure on everyone to move to zero trust and get a leg or two up on the current attack techniques and make the attack plane much smaller than it is."

Open Source

Despite Layoffs, Open Source and Linux Skills are Still in Demand (zdnet.com) 36

ZDNet reports that Jim Zemlin, executive director at the Linux Foundation, recently noted rounds of tech-industry layoffs "in the name of cost-cutting." But then Zemlin added that "open source is countercyclical to these trends. The Linux Foundation itself, for instance, had its best first quarter ever."

As Hilary Carter, SVP of research and communications at the Linux Foundation, said in her keynote speech at Open Source Summit North America in Vancouver, Canada: "In spite of what the headlines are saying, the facts are 57% of organizations are adding workers this year." Carter was quoting figures from the Linux Foundation's latest job survey, which was released at the event.

Other research also points to brighter signs in tech employment trends. CompTIA's recent analysis of the latest Bureau of Labor Statistics (BLS) data suggests the tech unemployment rate climbed by just 2.3% in April. In fact, more organizations plan to increase their technical staff levels rather than decrease.

The demand for skilled tech talent remains strong, particularly in fast-developing areas, such as cloud and containers, cybersecurity, and artificial intelligence and machine learning. So, what do these all areas of technology have in common? The answer is they're all heavily dependent on open source and Linux technologies.

While layoffs are happening at Microsoft, Amazon, Google, IBM, and even Red Hat, "the Linux Foundation found senior technical roles are seeing the biggest cuts," the article points out. "New hiring is focused on developers and IT managers." And companies are also spending more on training for existing technical staff, "driven by the fact that there aren't enough experts in hot technologies, such as Kubernetes and generative AI, to go around." Interestingly, a college degree is no longer seen as such a huge benefit. Businesses responding to the Linux Foundation's research felt upskilling (91%) and certifications (77%) are more important than a university education (58%) when it comes to addressing technology needs.
Cellphones

Millions of Mobile Phones Come Pre-Infected With Malware, Say Researchers (theregister.com) 45

Trend Micro researchers at Black Hat Asia are warning that millions of Android devices worldwide come pre-infected with malicious firmware before the devices leave their factories. "This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it," reports The Register. From the report: This insertion of malware began as the price of mobile phone firmware dropped, we're told. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product. "But of course there's no free stuff," said [Trend Micro researcher Fyodor Yarochkin], who explained that, as a result of this cut-throat situation, firmware started to come with an undesirable feature -- silent plugins. The team analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed. The plugins that were the most impactful were those that had a business model built around them, were sold on the underground, and marketed in the open on places like Facebook, blogs, and YouTube.

The objective of the malware is to steal info or make money from information collected or delivered. The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud. One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more. "The user of the proxy will be able to use someone else's phone for a period of 1200 seconds as an exit node," said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million. As for where the threats are coming from, the duo wouldn't say specifically, although the word "China" showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world's OEMs are located and make their own deductions.

The team confirmed the malware was found in the phones of at least 10 vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end. That is to say, you'll find this sort of bad firmware in the cheaper end of the Android ecosystem, and sticking to bigger brands is a good idea though not necessarily a guarantee of safety. "Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market," said Yarochkin.

Security

Discord Discloses Data Breach After Support Agent Got Hacked (bleepingcomputer.com) 7

Discord has informed users of a data breach that occurred after a third-party support agent's account was compromised, exposing user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets. Discord immediately disabled the account and worked with the customer service partner to prevent similar incidents in the future, but users are advised to stay vigilant for any suspicious activity. BleepingComputer reports: "Due to the nature of the incident, it is possible that your email address, the contents of customer service messages and any attachments sent between you and Discord may have been exposed to a third party," Discord said in letters sent to affected users. "As soon as Discord was made aware of the issue, we deactivated the compromised account and completed malware checks on the affected machine."

They also worked with the customer service partner to implement effective measures to prevent similar incidents in the future. "While we believe the risk is limited, it is recommended that you be vigilant for any suspicious messages or activity, such as fraud or phishing attempts," the company said.

Security

Microsoft Will Take Nearly a Year To Finish Patching New 0-Day Secure Boot Bug (arstechnica.com) 48

An anonymous reader quotes a report from Ars Technica: Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.

Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable -- you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs. A second update will follow in July that won't enable the patch by default but will make it easier to enable. A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is "looking for opportunities to accelerate this schedule," though it's unclear what that would entail.

IT

Google Drive Gets a Desperately Needed 'Spam' Folder for Shared Files (arstechnica.com) 9

Fifteen years after launching Google Docs and Sheets with file sharing, Google is adding what sounds like adequate safety controls to the feature. From a report: Google Drive (the file repository interface that contains your Docs, Sheets, and Slides files) is finally getting a spam folder and algorithmic spam filters, just like Gmail has. It sounds like the update will provide a way to limit Drive's unbelievably insecure behavior of allowing random people to add files to your Drive account without your consent or control. Because Google essentially turned Drive file-sharing into email, Google Drive needs every spam control that Gmail has. Anyone with your email address can "share" a file with you, and a ton of spammers already have your email address. Previously, Drive assumed that all shared files were legitimate and wanted, with the only "control" being "security by obscurity" and hoping no one else knew your email address.

Drive shows any shared files in your shared documents folder, notifies you of the share on your phone, highlights the "new recent file" at the top of the Drive interface, lists the file in searches, and sends you an email about it, all without any indication that you know the file sharer at all. For years, some people in my life have been inundated with shared Google Drive files containing porn, ads, dating site scams, and malware. For a long time, there was nothing you could do to support affected users other than disabling Drive notifications, telling them to ignore the highlighted porn ads at the top of their Drive account, and warning them to never click on the "shared files" folder.

Privacy

Toyota Japan Exposed Data on Millions of Vehicles For a Decade (techcrunch.com) 15

Toyota Japan has apologized after admitting to leaving millions of customers' vehicle details on the public internet for a decade. From a report: The car maker said in a notice that it will notify about 2.15 million customers whose personal and vehicle information were left exposed to the internet after a "cloud misconfiguration" was discovered recently in April. Toyota said that the exposed data includes: registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle's "drive recorder" which records footage from the car. Toyota said the data spilling from its Connected Cloud (TC) was initially exposed in November 2013, but pertains only to vehicles in Japan, according to the company. The company's connected service provides Toyota customers with information about their vehicle, provides in-car entertainment services, and helps to notify authorities in the event of an accident or breakdown.
Data Storage

Pure Storage: No More Hard Drives Will Be Sold After 2028 (blocksandfiles.com) 154

An anonymous reader shares a report: In the latest blast of the HDD vs SSD culture wars, a Pure Storage exec is predicting that no more hard disk drives will be sold after 2028 because of electricity costs and availability, as well as NAND $/TB declines. Shawn Rosemarin, VP R&D within the Customer Engineering unit at Pure, told B&F: "The ultimate trigger here is power. It's just fundamentally coming down to the cost of electricity." Not the declining cost of SSDs and Pure's DFMs dropping below the cost of disks, although that plays a part. In his view: "Hard drive technology is 67 years old. We need to herald this technology that went from five megabytes the size of this room to where we are today. And even the latest HAMR technology, putting a laser on the top of the head in order to heat up the platters, is pretty remarkable ... But we're at the end of that era."

HDD vendors sing a different tune, of course. Back in 2021, HDD vendor Seagate said the SSD most certainly would not kill disk drives. There's a VAST vs Infinidat angle to it as well, with the former also stating disk drive IO limitations would cripple the use of larger disk drives in petabyte-scale data stores, with Infidat blasting back that it "must be joking." Gartner has had a look in too, claiming that enterprise SSDs will hit 35 percent of HDD/SSD exabytes shipped by 2026 - though that would make Rosemarin's 2028 cutoff unlikely. Pure recently stated SSDs would kill HDDs in a crossover event that would happen "soon." Rosemarin, meanwhile, continued his argument: "Our CEO in many recent events has quoted that 3 percent of the world's power is in datacenters. Roughly a third of that is storage. Almost all of that is spinning disk.

So if I can eliminate the spinning disk, and I can move to flash, and I can in essence reduce the power consumption by 80 or 90 percent while moving density by orders of magnitude in an environment where NAND pricing continues to fall, it's all becoming evident that hard drives go away." Are high electricity prices set to continue? "I think the UK's power has gone up almost 5x recently. And here's the thing ... when they go up, they very seldom if ever come down ... I've been asked many times do I think the cost of electricity will drop over time. And, frankly, while I wish it would and I do think there are technologies like nuclear that could help us over time. I think it'll take us several years to get there. We're already seeing countries putting quotas on electricity, and this is a really important one -- we've already seen major hyperscalers such as one last summer who tried to enter Ireland [and] was told you can't come here, we don't have enough power for you. The next logical step from that is OK, so now if you're a company and I start to say, well, we only have so much power, so I'm gonna give you X amount of kilowatts per X amount of employees, or I'm gonna give you X amount of kilowatts for X amount of revenue that you contribute to the GDP of the country or whatever metric is acceptable."

Slashdot Top Deals