Israeli spyware firm NSO Group says its Chief Executive Shalev Hulio is stepping down with immediate effect, with Chief Operating Officer Yaron Shohat appointed to oversee a reorganisation of the company before a successor is named. From a report: A source in the company confirmed that around 100 employees will be let go as part of the firm's reorganisation, and that Shohat will lead the company until the board appoints a new CEO. The surveillance firm, which makes Pegasus software, has been contending with legal action after allegations that its tools were misused by governments and other agencies to hack mobile phones.

NSO has said its technology is intended to help catch terrorists, paedophiles and hardened criminals and is sold to "vetted and legitimate" government clients, although it keeps its client list confidential. "The company's products remain in high demand with governments and law enforcement agencies because of its cutting-edge technology and proven ability to assist these customers in fighting crime and terror," Shohat said in a statement.

For decades, you could test a computer chip's mettle by how small and tightly packed its electronic circuitry was. Now Intel believes another dimension is as big a deal: how artfully a group of such chips can be packaged into a single, more powerful processor. From a report: At the Hot Chips conference Monday, Intel Chief Executive Pat Gelsinger will shine a spotlight on the company's packaging prowess. It's a crucial element to two new processors: Meteor Lake, a next-generation Core processor family member that'll power PCs in 2023, and Ponte Vecchio, the brains of what's expected to be the world's fastest supercomputer, Aurora.

"Meteor Lake will be a huge technical innovation," thanks to how it packages, said Real World Tech analyst David Kanter. For decades, staying on the cutting edge of chip progress meant miniaturizing chip circuitry. Chipmakers make that circuitry with a process called photolithography, using patterns of light to etch tiny on-off switches called transistors onto silicon wafers. The smaller the transistors, the more designers can add for new features like accelerators for graphics or artificial intelligence chores. Now Intel believes building these chiplets into a package will bring the same processing power boost as the traditional photolithography technique.

Facebook's parent company Meta is heading into another political battle over the planned introduction of end-to-end encryption (E2EE) in its Messenger chat platform. From a report: The UK's home secretary, Priti Patel, makes this clear in an op-ed for Tory mouthpiece The Telegraph this week, saying it would be a "grotesque betrayal" if the company didn't consider issues of child safety while introducing E2EE. Similar arguments are likely to be raised in the US, too. Meta has been working on adding E2EE to Messenger for years, and recently confirmed that it aims to encrypt all chats and calls on the platform by default next year. (It currently only offers default E2EE on its other big chat platform, WhatsApp, though users can opt-in to E2EE on Messenger on a chat-by-chat basis.)

The move is reigniting decades-old debates in politics and tech about the right way to balance user privacy and safety. In the US, these arguments have been heightened by the potential for police to issues search warrants for user chats in order to enforce new abortion laws after the overturn of Roe v. Wade. In the UK, arguments over encryption tend to focus on child safety and the dissemination of of child sexual abuse material, or CSAM. "A great many child predators use social media platforms such as Facebook to discover, target and sexually abuse children," writes Patel in her op-ed. "It is vital that law enforcement have access to the information they need to identify the children in these images and safeguard them from vile predators."

Here's an interesting statistic spotted by Fortune. "Eight out of the 10 largest private employers in the U.S. are tracking productivity metrics for their employees, according to an examination from The New York Times."

"Some of this software measures active time, watches for keyboard pauses, and even silently counts keystrokes." J.P. Morgan, Barclays Bank, and UnitedHealth Group all track employees, The Times reported, seeing everything from how long it takes to write an email to keyboard activity. There are repercussions if workers aren't meeting expectations: a prodding note, a skipped bonus, or a work-from-home day taken away, to name a few. For employers surrendering in the fight to return to the office, such surveillance is a way to maintain a sense of control. As Paul Wartenberg, who installs monitor systems, told The Times, "If we're going to give up on bringing people back to the office, we're not going to give up on managing productivity....

But tracking these remote workers' every move doesn't seem to be telling employers much. "We're in this era of measurement but we don't know what we should be measuring," Ryan Fuller, former vice president for workplace intelligence at Microsoft, told the Times.
From the New York Times' article. (Alternate URLs here, here, and here.) In lower-paying jobs, the monitoring is already ubiquitous: not just at Amazon, where the second-by-second measurements became notorious, but also for Kroger cashiers, UPS drivers and millions of others.... Now digital productivity monitoring is also spreading among white-collar jobs and roles that require graduate degrees. Many employees, whether working remotely or in person, are subject to trackers, scores, "idle" buttons, or just quiet, constantly accumulating records. Pauses can lead to penalties, from lost pay to lost jobs.

Some radiologists see scoreboards showing their "inactivity" time and how their productivity stacks up against their colleagues'.... Public servants are tracked, too: In June, New York's Metropolitan Transportation Authority told engineers and other employees they could work remotely one day a week if they agreed to full-time productivity monitoring. Architects, academic administrators, doctors, nursing home workers and lawyers described growing electronic surveillance over every minute of their workday.

They echoed complaints that employees in many lower-paid positions have voiced for years: that their jobs are relentless, that they don't have control — and in some cases, that they don't even have enough time to use the bathroom. In interviews and in hundreds of written submissions to The Times, white-collar workers described being tracked as "demoralizing," "humiliating" and "toxic." Micromanagement is becoming standard, they said. But the most urgent complaint, spanning industries and incomes, is that the working world's new clocks are just wrong: inept at capturing offline activity, unreliable at assessing hard-to-quantify tasks and prone to undermining the work itself....

But many employers, along with makers of the tracking technology, say that even if the details need refining, the practice has become valuable — and perhaps inevitable. Tracking, they say, allows them to manage with newfound clarity, fairness and insight. Derelict workers can be rooted out. Industrious ones can be rewarded. "It's a way to really just focus on the results," rather than impressions, said Marisa Goldenberg, [who] said she used the tools in moderation...

[I]n-person workplaces have embraced the tools as well. Tommy Weir, whose company, Enaible, provides group productivity scores to Fortune 500 companies, aims to eventually use individual scores to calibrate pay.

Distributed denial-of-service (or DDoS) attacks "are increasing in frequency and growing in size exponentially," reports Google Cloud's blog.

Recently an attacker tried to hit one of their customers with 46 million requests per second. The blog post describes it as the largest attack of its kind reported to date, "at least 76% larger than the previously reported record. To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds." Starting around 9:45 a.m. PT on June 1, 2022, an attack of more than 10,000 requests per second (rps) began targeting our customer's HTTP/S Load Balancer. Eight minutes later, the attack grew to 100,000 requests per second. Cloud Armor Adaptive Protection detected the attack and generated an alert containing the attack signature by assessing the traffic across several dozen features and attributes. The alert included a recommended rule to block on the malicious signature....

Our customer's network security team deployed the Cloud Armor-recommended rule into their security policy, and it immediately started blocking the attack traffic. In the two minutes that followed, the attack began to ramp up, growing from 100,000 rps to a peak of 46 million rps. Since Cloud Armor was already blocking the attack traffic, the target workload continued to operate normally. Over the next few minutes, the attack started to decrease in size, ultimately ending 69 minutes later at 10:54 a.m.

Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack.... The attack leveraged encrypted requests (HTTPS) which would have taken added computing resources to generate. Although terminating the encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP Pipelining required Google to complete relatively few TLS handshakes.... The attack was stopped at the edge of Google's network, with the malicious requests blocked upstream from the customer's application.
While 22% of the source IPs corresponded to Tor exit nodes, the actual traffic coming from Tor nodes represented just 3% of attack traffic, the blog post points out.

And ultimately despite the attack, "the customer's service stayed online and continued serving their end-users."

It's a free and open-source, cross-platform FTP application that allows secure file transfering — and it's making an old-school protocol cool again, according to a recent blog post.

Started about 21 years ago — and downloaded by millions each year — FileZilla remains "committed to their role in liberating technology, by making it accessible, open and also secure," according to the blog post. But it also explains how FileZilla has beefed up that security through a collaboration with the internet freedom nonprofit, the Open Technology Fund (or "OTF"): Over the past year, FileZilla has utilised support from OTF to undertake two activities that enhanced and ensured the security of their tools. The first was integrating FileZilla Server with Let's Encrypt, a free, automated, and open source certificate authority that ensures secure communication between the two end-points sending or receiving a file via FileZilla.... Secondly, FileZilla ran a penetration test, a service offered by OTF's Red Team Lab. A team of independent researchers attempted to force access to the FileZilla server to see if they could gain control. These researchers were highly skilled, and the testing was extensive. The team conducting the test only found very minor security vulnerabilities that FileZilla were able to fix immediately. As a result of this process, anyone wanting to use the FileZilla software can trust that it has been cross-scrutinised by a third party and found to be secure....

FileZilla respects users' confidentiality: they do not track your behaviour, nor sell your data to other companies. While they do have advertisements on their website, they are posted exactly as advertisements would be posted in a newspaper. Nobody knows that you are reading the advertisements, or that you decided to call or connect to the advertised website. The advertisement has simply been attached to the webpage, without any underlying tracking.... . "Our mission hasn't changed in over 20 years: design, develop, maintain and enhance free tools to securely transfer files with ease and reliability," said Tim Kosse, FileZilla Lead Developer. This decision was a political one taken by FileZilla, to always preserve the freedom of their tools, and of their users. "We aren't the typical commercial open-source venture that starts doing things for free, and over time, closes this and that to make money" said Roberto Galoppini, FileZilla Director of Strategy. "While you might not see FileZilla listed at the NYSE [New York Stock Exchange] any time soon, the freedom of our tools will never be questioned...."

[I]f you work in an industry that requires the secure transfer of sensitive files, or if you simply have personal photographs or videos you want to keep confidential, using proprietary platforms to share or store them can put your information at risk of being exposed.... FileZilla offers an alternative that is secure and private. Their tools are developed by a team that is deeply invested in protecting users' confidentiality, and liberating technology is central to their work and decision-making....

At the same time, projects like FileZilla remind us that there exists a global community of technologists, activists, coders, bloggers, journalists, software developers, and mindful internet users making internet freedom a lived reality and daily practice. Supporting, experimenting with and using free and open source tools, such as the FileZilla client and server, enables us to disinvest from the capitalist pursuit of corporate control of technology and unchecked surveillance of our data.

Rather, we can step into alignment with an alternative, parallel narrative being created by a community of resistance that is grounded in principles of cooperation, solidarity, commons and openness.

Slashdot reader storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That's why the attack can be scripted. It's not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, "Google's Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data."

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movements. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It's recommended that users uncheck the setting called "remember passwords," and users should probably not allow persistent sessions as well.

Developers can be part of the problem if they don't secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., HttpOnly, Secure attribute). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.

"On Monday, Apple told employees at its headquarters in Cupertino, California, that they would have to return to the office at least three days a week by September 5," according to a columnist for Inc. First reported by Bloomberg, Tim Cook told employees in an email that they would be expected to be in the office on Tuesdays and Thursdays, with teams choosing a third day that works best for them...

Apple SVP of software Craig Federighi followed up Cook's email with one of his own, saying that he "can't wait to experience the special energy of having all of us back in the office together again!" That's great, but I imagine a lot of the people who work in the software organization are wondering whether that "special energy" actually makes them more productive, or if it's just a thing managers feel as they watch employees be productive at their desks... [T]hat's not the same thing as actual collaboration.
Here's the article's main point: [M]any companies — especially Apple — had their best two years ever when most of their employees were working from home. If anything, it seems as though the evidence pointing to the idea that it was better for the company.... Apple's market cap in March 2020 was $1.1 trillion. Today, it's just shy of three times that....

[I]t's as if Apple hasn't learned anything.
Apple's memo did say that some employees — "depending on your role" — would have the option of working fully remotely "for up to four weeks a year."

IoT Times brings an update on "the race to create a new set of encryption standards." Last month, it was announced that a specialized security algorithm co-authored by security experts of NXP, IBM, and Arm had been selected by the U.S. Government's National Institute of Standards and Technology (NIST) to become part of an industry global standard designed to counter quantum threats.
IoT Times interviews the cryptography expert who co-created the Crystals-Kyber lattice-based algorithm selected by NIST — Joppe W. Bos, a senior principal cryptographer at the Competence Center for Cryptography and Security at NXP Semiconductors.

And what worries his colleagues at the semiconductor company isn't the "imminent threat of quantum computers," Bos says, but an even closer and more practical deadline: "the timeline for these post-quantum crypto standards." "Two weeks ago, NIST announced the winners of these new public standards, the post-quantum crypto standards, and their timeline is that in 2024, so in roughly two years, the winners will be converted into standards. And as soon as the standards are released, our customers will expect NXP Semiconductors, as one of the leaders in crypto and security, to already have support for these standards, because we are, of course, at the start of the chain for many end products. Our secure elements, our secure platforms, SOCs, are one of the first things that need to be integrated into larger platforms that go into end products. Think about industrial IoT. Think about automotive applications. So, our customers already expect us to support post-quantum crypto standards in 2024, and not only support but, for many companies, being able to compute the functional requirements of the standard.

"It took over ten years to settle down on the best methods for RSA and ECC, and now we have a much shorter timeline to get ready for post-quantum crypto."
"When you ask the experts, it ranges from one to five decades until we can see quantum computers big enough to break our current crypto," Bos says in the interview. So he stresses that they're not driven by a few of quantum computers. "The right question to ask, at least for us at NXP is, when is this new post-quantum crypto standard available? Because then, our customers will ask for post-quantum support, and we need to be ready.

"The standard really drives our development and defines our roadmap."

But speaking of the standard's "functional requirements", in the original story submission Slashdot reader dkatana raised an interesting point. There's already billions of low-powered IoT devices in the world.

Will they all have the memory and processing power to use this new lattice-based encryption?

The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.

With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.

It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.

MIT Technology Review obtained Prince's investor presentation for the "RedPill Phone," which promises more than it could possibly deliver. From the report: Erik Prince's pitch to investors was simple -- but certainly ambitious: pay just 5 million euros and cure the biggest cybersecurity and privacy plagues of our day. The American billionaire -- best known for founding the notorious private military firm Blackwater, which became globally infamous for killing Iraqi civilians and threatening US government investigators -- was pushing Unplugged, a smartphone startup promising "free speech, privacy, and security" untethered from dominant tech giants like Apple and Google. In June, Prince publicly revealed the new phone, priced at $850. But before that, beginning in 2021, he was privately hawking the device to investors -- using a previously unreported pitch deck that has been obtained by MIT Technology Review. It boldly claims that the phone and its operating system are "impenetrable" to surveillance, interception, and tampering, and its messenger service is marketed as "impossible to intercept or decrypt."

Boasting falsely that Unplugged has built "the first operating system free of big tech monetization and analytics," Prince bragged that the device is protected by "government-grade encryption." Better yet, the pitch added, Unplugged is to be hosted on a global array of server farms so that it "can never be taken offline." One option is said to be a server farm "on a vessel" located in an "undisclosed location on international waters, connected via satellite to Elon Musk's StarLink." An Unplugged spokesperson explained that "they benefit in having servers not be subject to any governmental law." The Unplugged investor pitch deck is a messy mix of these impossible claims, meaningless buzzwords, and outright fiction. While none of the experts I spoke with had yet been able to test the phone or read its code, because the company hasn't provided access, the evidence available suggests Unplugged will fall wildly short of what's promised.

[...] The UP Phone's operating system, called LibertOS, is a proprietary version of Google's Android, according to an Unplugged spokesperson. It's running on an unclear mix of hardware that a company spokesperson says they've designed on their own. Even just maintaining a unique Android "fork" -- a version of the operating system that departs from the original, like a fork in the road -- is a difficult endeavor that can cost massive money and resources, experts warn. For a small startup, that can be an insurmountable challenge. [...] Another key issue is life span. Apple's iPhones are considered the most secure consumer device on the market due in part to the fact that the company offers security updates to some of its older phones for six years, longer than virtually all competitors. When support for a phone ends, security vulnerabilities go unaddressed, and the phone is no longer secure. There is no information available on how long UP Phones will receive security support. "There are two things happening here," says Allan Liska, a cyberintelligence analyst at the cybersecurity firm Recorded Future. "There are the actual attempts to make real secure phones, and then there is the marketing BS. Distinguishing between those two can be really hard."

"When I worked in US intelligence, we [penetrated] a number of phone companies overseas," says Liska. "We were inside those phone companies. We could easily track people based on where they connected to the towers. So when you talk about being impenetrable, that's wrong. This is a phone, and the way that phones work is they triangulate to cell towers, and there is always latitude and longitude for exactly where you're sitting," he adds. "Nothing you do to the phone is going to change that."

The UP Phone is due out in November 2022.

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. Krebs on Security reports: The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer. While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam.

For starters, all of the links in the email lead to paypal.com. Hovering over the "View and Pay Invoice" button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com. Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal. Both the email and the invoice state that "there is evidence that your PayPal account has been accessed unlawfully."

Several readers have shared this report: In February, when the Def Con hacker conference released its annual transparency report, the public learned that one of the most prominent figures in the field of social engineering had been permanently banned from attending. For years, Chris Hadnagy had enjoyed a high-profile role as the leader of the conference's social engineering village. But Def Con's transparency report stated that there had been multiple reports of him violating the conference's code of conduct. In response, Def Con banned Hadnagy from the conference for life; in 2022, the social engineering village would be run by an entirely new team. Now, Hadnagy has filed a lawsuit against the conference alleging defamation and infringement of contractual relations. The lawsuit was filed in the United States District Court for the Eastern District of Pennsylvania on August 3rd and names Hadnagy as the plaintiff, with Def Con Communications and the conference founder, Jeff Moss, also known as "The Dark Tangent," as defendants. Moss was reportedly served papers in Las Vegas while coordinating the conference this year.

There are few public details about the incidents that caused Hadnagy's ban, as is common in harassment cases. In the transparency report announcing the permanent ban, Def Con organizers were deliberately vague about the reported behavior. "After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON," organizers wrote in their post-conference transparency report following the previous year's conference. Def Con's Code of Conduct is minimal, focusing almost entirely on a "no-harassment" policy. "Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid," the text reads. "Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate."

Qualcomm is taking another run at the market for server processors, Bloomberg News reported Thursday, citing people familiar with its plans, betting it can tap a fast-growing industry and decrease its reliance on smartphones. From a report: The company is seeking customers for a product stemming from last year's purchase of chip startup Nuvia, according to the people, who asked not to be identified because the discussions are private. Amazon.com AWS business, one of the biggest server chip buyers, has agreed to take a look at Qualcomm's offerings, they said. Chief Executive Officer Cristiano Amon is trying to turn Qualcomm into a broader provider of semiconductors, rather than just the top maker of smartphone chips. But an earlier push into the server market was abandoned four years ago under his predecessor. At the time, the company was trying to cut costs and placate investors after fending off a hostile takeover by Broadcom.

This time around, Qualcomm has Nuvia, staffed with chip designers from companies such as Apple. Amon, who acquired the business for about $1.4 billion in 2021, has said that its work will help revitalize Qualcomm's high-end offerings for smartphones. But Nuvia was founded as a provider of technology for the server industry. The market for cloud computing infrastructure -- the kind of equipment that Amazon, Google and Microsoft use to whisk data around the world -- generated $73.9 billion last year, according to research firm IDC. That was up 8.8% from 2020. The owners of giant cloud data centers have long relied on Intel's chip technology for their servers. But they're increasingly embracing processors that use designs from Arm, a key partner in phone chips for San Diego-based Qualcomm.

Nvidia is upgrading its GeForce Now game streaming service to support 1440p resolution at 120fps in a Chrome or Edge browser. GeForce Now members on the RTX 3080 tier of the service will be able to access the new browser gameplay options today by selecting 1440p on the GeForce Now web version. From a report: Nvidia originally launched its RTX 3080 GeForce Now membership tier last year, offering streams of up to 1440p resolution with 120fps on PCs and Macs or 4K HDR at 60fps on Nvidia's Shield TV. Previously, you had to download the dedicated Mac or Windows apps to access 1440p resolution and 120fps support, as the web version was limited to 1080p at 60fps.

An anonymous reader quotes a report from Bleeping Computer: North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector. The name of the false document was "Coinbase_online_careers_2022_07." When launched, it displays the decoy PDF above and loads a malicious DLL that ultimately allows the threat actor to send commands to the infected device. Security researchers at cybersecurity company ESET found that the hackers also had malware ready for macOS systems. They said that the malicious file is compiled for Macs with both Intel and Apple silicon, meaning that users of both older and newer models were targeted. In a thread on Twitter, they note that the malware drops three files [...].

ESET linked the recent macOS malware to Operation In(ter)ception, a Lazarus campaign that targeted high-profile aerospace and military organizations in a similar way. Looking at the macOS malware, the researchers noticed that it was signed on July 21 (as per the timestamp value) with a certificate issued in February to a developer using the name Shankey Nohria and team identifier 264HFWQH63. On August 12, the certificate had not been revoked by Apple. However, the malicious application was not notarized -- an automatic process that Apple uses to check software for malicious components. Compared to the previous macOS malware attributed to the Lazarus group of hackers, ESET researchers observed that the downloader component connects to a different command and control (C2) server, which was no longer responding at the time of the analysis.

Multiple people who appear to be employees of Microsoft have exposed sensitive login credentials to the company's own infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems, according to a cybersecurity research firm that found the exposed credentials. Motherboard reports: "We continue to see that accidental source code and credential leakages are part of the attack surface of a company, and it's becoming more and more difficult to identify in a timely and accurate manner. This is a very challenging issue for most companies these days," Mossab Hussein, chief security officer at cybersecurity firm spiderSilk which discovered the issue, told Motherboard in an online chat. Hussein provided Motherboard with seven examples in total of exposed Microsoft logins. All of these were credentials for Azure servers. Azure is Microsoft's cloud computer service and is similar to Amazon Web Services. All of the exposed credentials were associated with an official Microsoft tenant ID. A tenant ID is a unique identifier linked to a particular set of Azure users. One of the GitHub users also listed Microsoft on their profile.

Three of the seven login credentials were still active when spiderSilk discovered them, with one seemingly uploaded just days ago at the time of writing. The other four sets of credentials were no longer active but still highlighted the risk of workers accidentally uploading keys for internal systems. Microsoft refused to elaborate on what systems the credentials were protecting when asked multiple times by Motherboard. But generally speaking, an attacker may have an opportunity to move onto other points of interest after gaining initial access to an internal system. One of the GitHub profiles with exposed and active credentials makes a reference to the Azure DevOps code repository. Highlighting the risk that such credentials may pose, in an apparently unrelated hack in March attackers gained access to an Azure DevOps account and then published a large amount of Microsoft source code, including for Bing and Microsoft's Cortana assistant. "We've investigated and have taken action to secure these credentials," said a Microsoft spokesperson in a statement. "While they were inadvertently made public, we haven't seen any evidence that sensitive data was accessed or the credentials were used improperly. We're continuing to investigate and will continue to take necessary steps to further prevent inadvertent sharing of credentials."

VideoLan, the developer of popular media player VLC, says Indian telecom operators have been blocking its website since February of this year in a move that is potentially impacting some users in one of the open source firm's largest markets. From a report: "Most major ISPs [internet service providers] are banning the site, with diverse techniques," VideoLan president and lead developer Jean-Baptiste Kempf said of the blocking in India, in an email to TechCrunch. India represents 10% of all VLC users worldwide, he said. The website's traffic has seen an overall drop of 20% as a result of the blocking in India. [...] VLC, downloaded over 3.5 billion times worldwide, is a local media player that doesn't require internet access or connection to any particular service online for the vast majority of its features. But by blocking the website, India is pushing its citizens to "shady websites that are running hacked version of VLC. So they are endangering their own citizens with this ban," Kempf added.

An anonymous reader quotes a report from Ars Technica: A successful phishing attack at SMS services company Twilio may have exposed the phone numbers of roughly 1,900 users of the secure messaging app Signal -- but that's about the extent of the breach, says Signal, noting that no further user data could be accessed. In a Twitter thread and support document, Signal states that a recent successful (and deeply resourced) phishing attack on Twilio allowed access to the phone numbers linked with 1,900 users. That's "a very small percentage of Signal's total users," Signal writes, and all 1,900 affected users will be notified (via SMS) to re-register their devices. Signal, like many app companies, uses Twilio to send SMS verification codes to users registering their Signal app.

With momentary access to Twilio's customer support console, attackers could have potentially used the verification codes sent by Twilio to activate Signal on another device and thereby send or receive new Signal messages. Or an attacker could confirm that these 1,900 phone numbers were actually registered to Signal devices. No other data could be accessed, in large part because of Signal's design. Message history is stored entirely on user devices. Contact and block lists, profile details, and other user data require a Signal PIN to access. And Signal is asking users to enable registration lock, which prevents Signal access on new devices until the user's PIN is correctly entered. "The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against," Signal's support document reads. The messaging app notes that while Signal doesn't "have the ability to directly fix the issues affecting the telecom ecosystem," it will work with Twilio and other providers "to tighten up their security where it matters for our users."

If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system. From a report: The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user. It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for ("Zoom Video ... Certification Authority Apple Root CA.pkg"), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.