Google

Google Authenticator Can Now Sync 2FA Codes To the Cloud (techcrunch.com) 83

Google Authenticator just got an update that should make it more useful for people who frequently use the service to sign in to apps and websites. From a report: As of today, Google Authenticator will now sync any one-time two-factor authentication (2FA) codes that it generates to users' Google Accounts. Previously, one-time Authenticator codes were stored locally, on a single device, meaning losing that device often meant losing the ability to sign in to any service set up with Authenticator's 2FA. To take advantage of the new sync feature, simply update the Authenticator app. If you're signed in to a Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use. You can also manually transfer your codes to another device even if you're not signed in to a Google Account by following the steps on this support page.

Some users might be wary of syncing their sensitive codes with Google's cloud -- even if they did originate from a Google product. But Christiaan Brand, a group product manager at Google, asserts it's in the pursuit of convenience without sacrificing security. "We released Google Authenticator in 2010 as a free and easy way for sites to add 'something you have' 2FA that bolsters user security when signing in," Brand wrote in the blog post announcing today's change. "With this update we're rolling out a solution to this problem, making one time codes more durable by storing them safely in users' Google Account."

Microsoft

Microsoft Agrees To Stop Bundling Teams With Office (ft.com) 48

Microsoft will stop forcing customers of its popular Office software to also have its Teams video conferencing and messaging app automatically installed on their devices, in a move designed to prevent an official antitrust probe by EU regulators. From a report: The US tech giant has made the concession to avoid a formal investigation, said two people with direct knowledge of the decision, following a 2020 complaint by rival Slack which claimed Microsoft's practice of bundling the two services together was anti-competitive. These people said that, in future, when companies buy Office they can do it with or without Teams if they wished, but the mechanism on how to do this remains unclear. The people stressed talks are still ongoing and a deal is not certain. The move is part of an effort by Microsoft to try to avoid what would be its first antitrust probe in more than a decade, having sought to avoid legal battles with the European Commission that have proved bruising in the past.

IT

New BIOS Updates Attempt To Keep Ryzen 7000X3D Processors From Frying Themselves (arstechnica.com) 59

An anonymous reader shares a report: Over the weekend, users on Reddit and YouTube began posting about problems with AMD's newest Ryzen 7000X3D processors. In some cases, the systems simply stopped booting. But in at least one instance, a Ryzen 7800X3D became physically deformed, bulging out underneath and bending the pins on the motherboard's processor socket. In a separate post, motherboard maker MSI indicated that the damage "may have been caused by abnormal voltage issues." Ryzen 7000X3D processors already impose limits on overclocking and power settings, but new BIOS updates from MSI specifically disallow any kind of "overvolting" features that could give the CPUs more power than they were built to handle.

You can still undervolt your CPU to attempt to reduce temperatures and energy usage by giving the CPU a bit less power than it was designed for. The Ryzen 7000X3D processors are set to a lower voltage than regular Ryzen 7000 CPUs by default because the extra L3 cache layered on top of the processor die can raise temperatures and make the CPU more difficult to cool. This has also made the chips much more power-efficient than the standard Ryzen chips, but that efficiency comes at the cost of overclocking settings and other features that some enthusiasts use to squeeze more performance out of their PCs.

Google

Google Opens Its Security Tools To Competitors' Platforms (axios.com) 3

Google is leaning into flexibility as part of a new strategy to stymie the impact of belt-tightening among cyber chiefs. From a report: Google Cloud and Mandiant, the threat intelligence unit it acquired last year, unveiled at the RSA Conference in San Francisco today that they're opening their security products to integrations from competitors, as well as offering new Google plug-ins for other vendors' tools. The news, which was shared first with Axios, means that Google customers will now have more options to embed Google's tools in partner companies' products, like CrowdStrike, Trellix and SentinelOne. Other companies, like Accenture and login management company Okta, will also be integrating their products into Google's as part of the plan. Chief information security officers are facing increasing board pressure during a wobbly economy to cut down the number of vendors they work with and simplify their security programs. As a result, vendors have started to intertwine their competitors' products into their own tools in recent years to reach more customers.

Security

Hacker Group Names Are Now Absurdly Out of Control (wired.com) 56

Hackers, particularly state-sponsored and organized cybercriminals, wreak havoc worldwide. However, their aliases, such as Fancy Bear and Refined Kitten, often undermine the seriousness of their actions, Wired argues. Microsoft's cybersecurity division recently revamped its naming taxonomy for the hundreds of hacker groups it tracks, adopting two-word names with a weather-based term to indicate the hackers' suspected country and affiliation.

For instance, the Iranian group Phosphorous is now dubbed Mint Sandstorm, while Russia's Iridium (Sandworm) goes by Seashell Blizzard. Critics, like Rob Lee, founder and CEO of cybersecurity firm Dragos, argue that the whimsical new names could hinder the perception of the profession and be counterproductive for cybersecurity analysis. Furthermore, the new naming scheme forces analysts and customers to revise their databases and products to align with Microsoft's terminology. The revised system also risks cementing educated guesses about hackers' national loyalties without clarity on the confidence of those assessments.

Programming

Is It Time to Stop Saying 'Learn to Code'? (vox.com) 147

Long-time Slashdot reader theodp writes: According to Google Trends, peak "Learn to Code" occurred in early 2019 when laid-off Buzzfeed and Huffpost journalists were taunted with the phrase on Twitter... As Meta founder and CEO Mark Zuckerberg recently put it, "We're in a different world." Indeed. Encouraging kids to pursue CS careers in Code.org's viral 2013 launch video, Zuckerberg explained, "Our policy at Facebook is literally to hire as many talented engineers as we can find."

In Learning to Code Isn't Enough, a new MIT Technology Review article, Joy Lisi Rankin reports on the long history of learn-to-code efforts, which date back to the 1960s. "Then as now," Lisi Rankin writes, "just learning to code is neither a pathway to a stable financial future for people from economically precarious backgrounds nor a panacea for the inadequacies of the educational system."

But is that really true? Vox does note that the latest round of layoffs at Meta "is impacting workers in core technical roles like data scientists and software engineers — positions once thought to be beyond reproach." Yet while that's also true at other companies, those laid-off tech workers also seem to be finding similar positions by working in other industries: Software engineers were the most overrepresented position in layoffs in 2023, relative to their employment, according to data requested by Vox from workforce data company Revelio Labs. Last year, when major tech layoffs first began, recruiters and customer success specialists experienced the most outsize impact. So far this year, nearly 20 percent of the 170,000 tech company layoffs were software engineers, even though they made up roughly 14 percent of employees at these companies. "Early layoffs were dominated by recruiters, which is forgoing future hiring," Revelio senior economist Reyhan Ayas told Vox. "Whereas in 2023 we see a shift toward more core engineering and software engineering, which signals a change in focus of current business priorities."

In other words, tech companies aren't just trimming the fat by firing people who fill out their extensive ecosystem, which ranges from marketers to massage therapists. They're also, many for the first time, making cuts to the people who build the very products they're known for, and who enjoyed a sort of revered status since they, like the founders of the companies, were coders. Software engineers are still important, but they don't have the power they used to...

The latest monthly jobs report by tech industry association CompTIA found that even though employment at tech companies (which includes all roles at those companies) declined slightly in March, employment in technical occupations across industry sectors increased by nearly 200,000 positions. So even if tech companies are laying off tech workers, other industries are snatching them up. Unfortunately for software engineers and the like, that means they might also have to follow those industries' pay schemes. The average software engineer base pay in the US is $90,000, according to PayScale, but can be substantially higher at tech firms like Facebook, where such workers also get bonuses and stock options.

AI

ChatGPT Creates Mostly Insecure Code, But Won't Tell You Unless You Ask 80

ChatGPT, OpenAI's large language model for chatbots, not only produces mostly insecure code but also fails to alert users to its inadequacies despite being capable of pointing out its shortcomings. The Register reports: Amid the frenzy of academic interest in the possibilities and limitations of large language models, four researchers affiliated with Universite du Quebec, in Canada, have delved into the security of code generated by ChatGPT, the non-intelligent, text-regurgitating bot from OpenAI. In a pre-press paper titled, "How Secure is Code Generated by ChatGPT?" computer scientists Raphael Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara answer the question with research that can be summarized as "not very."

"The results were worrisome," the authors state in their paper. "We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts. In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not." [...] In all, ChatGPT managed to generate just five secure programs out of 21 on its first attempt. After further prompting to correct its missteps, the large language model managed to produce seven more secure apps -- though that's "secure" only as it pertains to the specific vulnerability being evaluated. It's not an assertion that the final code is free of any other exploitable condition. [...]

The academics observe in their paper that part of the problem appears to arise from ChatGPT not assuming an adversarial model of code execution. The model, they say, "repeatedly informed us that security problems can be circumvented simply by 'not feeding an invalid input' to the vulnerable program it has created." Yet, they say, "ChatGPT seems aware of -- and indeed readily admits -- the presence of critical vulnerabilities in the code it suggests." It just doesn't say anything unless asked to evaluate the security of its own code suggestions.

Initially, ChatGPT's response to security concerns was to recommend only using valid inputs -- something of a non-starter in the real world. It was only afterward, when prompted to remediate problems, that the AI model provided useful guidance. That's not ideal, the authors suggest, because knowing which questions to ask presupposes familiarity with specific vulnerabilities and coding techniques. The authors also point out that there's ethical inconsistency in the fact that ChatGPT will refuse to create attack code but will create vulnerable code.

Network

Used Routers Often Come Loaded With Corporate Secrets (arstechnica.com) 33

An anonymous reader shares a report: You know that you're supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there's a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn't fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to. The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.

All nine of the unprotected devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been. Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other organizations -- like trusted partners, collaborators, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two directly contained customer data.

Microsoft

Windows 11 Start Menu Ads Look Set To Get Even Worse (techradar.com) 109

Microsoft is heading further down the path of advertising its own services in Windows 11, with different ads now popping up in the Start menu. From a report: To be precise, this is Windows 11 preview build 23435, which was just released to the Dev channel. As Microsoft puts it: "We are continuing the exploration of badging on the Start menu with several new treatments for users logging in with local user accounts to highlight the benefits of signing in with a Microsoft account (MSA)." So, the translation of this is that 'badging' is essentially advertising ('badgering' would perhaps be more accurate), and it's something we've recently seen with Windows 11 urging users to perform a cloud backup (in OneDrive).

In this new preview build, the prodding stick is being employed to nudge those who haven't enlisted for a Microsoft Account (who remain using a local account) into signing up for an MSA. Compared to the previous cloud backup prompt on the Start menu, it's even clearer that this is advertising because it's fully selling the benefits of having a Microsoft account. For example, Microsoft tells you how hooking your Windows 11 installation into an MSA will ensure that your PC is kept backed up and more secure, or that it'll keep your settings synced across multiple devices.

Encryption

Meta Encryption 'Blindfolds' Authorities To Child Abuse, Crime Agencies Claim (ft.com) 84

The FBI, Interpol and the UK's National Crime Agency have accused Meta of making a "purposeful" decision to increase end-to-end encryption in a way that in effect "blindfolds" them to child sex abuse. From a report: The Virtual Global Taskforce, made up of 15 law enforcement agencies, issued a joint statement saying that plans by Facebook and Instagram-parent Meta to expand the use of end-to-end encryption on its platforms were "a purposeful design choice that degrades safety systems," including with regards to protecting children. The law enforcement agencies also warned technology companies more broadly about the need to balance safeguarding children online with protecting users' privacy. "The VGT calls for all industry partners to fully appreciate the impact of implementing system design decisions that result in blindfolding themselves to CSA [child sexual abuse] occurring on their platforms or reduces their capacity to identify CSA and keep children safe," the statement said.

Japan

Cybersecurity Nightmare in Japan Is Everyone Else's Problem Too (bloomberg.com) 23

An anonymous reader shares a report: Kojima is a small company and little-known outside Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a critical one. And when the company was hacked in February 2022, it brought Toyota Motor's entire production line to a screeching stop. The world's top-selling carmaker had to halt 14 factories at a cost of about $375 million, based on a rough calculation of its sales and output data. Even after the initial crisis was over, it took months for Kojima to get operations close to their old routines.

The company is just one name on Japan's long list of recent cyber victims. Ransomware attacks alone soared 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported chip components worth $42.3 billion last year -- dominating the supply of some materials -- supply chain issues can have global implications. [...] But while Japan has its own particular problems with hackers, many of its vulnerabilities are shared by the US and other technologically strong nations. From the Colonial Pipeline attack in the US to the Australian telecoms hack that exposed 10 million users' personal data, wealthy countries have been repeatedly caught underestimating the harsh realities of cybercrime.

IT

Southwest Delayed Hundreds of Departures Due To a Networking Glitch (theverge.com) 28

Southwest Airlines has fixed a technical issue that delayed hundreds of flights across the country. In a statement, Southwest Airlines spokesperson Dan Landson says the company resumed operations after working through "data connection issues resulting from a firewall failure." From a report: The airline started having issues at around 10:30AM ET, with data from FlightAware suggesting that over 1,700 Southwest flights have been delayed so far. The Federal Aviation Administration paused departures at the request of Southwest Airlines around this time and later unpaused flights at 11:10AM ET. "Early this morning, a vendor-supplied firewall went down and connection to some operational data was unexpectedly lost," Landson says. "Southwest Teams worked quickly to minimize flight disruptions."

Encryption

WhatsApp, Signal and Encrypted Messaging Apps Unite Against UK's Online Safety Bill (bbc.com) 69

WhatsApp, Signal and other messaging services have urged the UK government to rethink the Online Safety Bill (OSB). From a report: They are concerned that the bill could undermine end-to-end encryption - which means the message can only be read on the sender's and the recipient's app and nowhere else. Ministers want the regulator to be able to ask the platforms to monitor users, to root out child abuse images. The government says it is possible to have both privacy and child safety. "We support strong encryption," a government official said, "but this cannot come at the cost of public safety. Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms. The Online Safety Bill in no way represents a ban on end-to-end encryption, nor will it require services to weaken encryption." End-to-end encryption (E2EE) provides the most robust level of security because nobody other than the sender and intended recipient can read the message information. Even the operator of the app cannot unscramble messages as they pass across systems - they can be decrypted only by the people in the chat. "Weakening encryption, undermining privacy and introducing the mass surveillance of people's private communications is not the way forward," an open letter warns.

Security

NSO Hacked iPhones Without User Clicks in 3 New Ways, Researchers Say (washingtonpost.com) 24

Israeli spyware maker NSO Group deployed at least three new "zero-click" hacks against iPhones last year, finding ways to penetrate some of Apple's latest software, researchers at Citizen Lab have discovered. From a report: The attacks struck phones with iOS 15 and early versions of iOS 16 operating software, Citizen Lab said in a report Tuesday. The lab, based at the University of Toronto, shared its results with Apple, which has now fixed the flaws that NSO had been exploiting. It's the latest sign of NSO's ongoing efforts to create spyware that penetrates iPhones without users taking any actions that allow it in. Citizen Lab has detected multiple NSO hacking methods in past years while examining the phones of likely targets, including human rights workers and journalists.

While it is unsettling to civil rights groups that NSO was able to come up with multiple new means of attack, it did not surprise them. "It is their core business," said Bill Marczak, a senior researcher at Citizen Lab. "Despite Apple notifying targets, and the Commerce Department putting NSO on a blacklist, and the Israeli ministry cracking down on export licenses -- which are all good steps and raising costs -- NSO for the moment is absorbing those costs," Marczak said. Given the financial and legal fights NSO is involved in, Marczak said it was an open question how long NSO could keep finding or buying new exploits that are effective.

Security

LockBit Ransomware Samples For Apple Macs Hint At New Risks For MacOS Users (wired.com) 20

An anonymous reader writes: Security researchers are examining newly discovered Mac ransomware samples from the notorious gang LockBit, marking the first known example of a prominent ransomware group toying with macOS versions of its malware. Spotted by MalwareHunterTeam, the samples of ransomware encryptors seem to have first cropped up in the malware analysis repository VirusTotal in November and December 2022, but went unnoticed until yesterday. LockBit seems to have created versions of the encryptor targeting both newer Macs running Apple processors and older Macs that ran on Apple's PowerPC chips.

Researchers say the LockBit Mac ransomware appears to be more of a first foray than anything that's fully functional and ready to be used. But the tinkering could indicate future plans, especially given that more businesses and institutions have been incorporating Macs, which could make it more appealing for ransomware attackers to invest time and resources so they can target Apple computers. "It's unsurprising but concerning that a large and successful ransomware group has now set their sights on macOS," says longtime Mac security researcher and Objective-See Foundation founder Patrick Wardle. "It would be naive to assume that LockBit won't improve and iterate on this ransomware, potentially creating a more effective and destructive version."

For now, Wardle notes that LockBit's macOS encryptors seem to be in a very early phase and still have fundamental development issues like crashing on launch. And to create truly effective attack tools, LockBit will need to figure out how to circumvent macOS protections, including validity checks that Apple has added in recent years for running new software on Macs. "In some sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms aimed to directly thwart, or at least reduce the impact of, ransomware attacks," Wardle says. "However, well-funded ransomware groups will continue to evolve their malicious creations."

IT

Recruiters Try Asking Laid Off Tech Workers to Return to the Same Companies as Contractors (seattletimes.com) 169

The Seattle Times reports: After losing their jobs at one of Seattle's biggest tech companies, some workers find themselves facing an unexpected question: Do you want to return to the company that just let you go?

There's a catch. Those offers, from third-party recruiters eager to place workers at the companies they just left, are for contract positions rather than staff positions. They would come with an end date, a lower salary, no benefits and no stock options.

For workers the messages range from insensitive to insulting. "We all just got the shock of our life, the last thing I need is for you to continue to ask me to go to a company that just let me go," said one former Microsoft worker who was laid off in March and asked to remain anonymous during the job hunt. Another worker who was laid off from Amazon in January and also asked to remain anonymous out of concern for future job prospects said they've heard from several recruiters looking specifically for people with Amazon experience. In one response, the former Amazonian passed this message to the recruiter: "Tell Amazon if they want an engineer, they can just not fire me later this month...."

Because companies and recruiters cast such a wide net, workers who were recently cut are still getting caught in the pool of potential candidates — whether they want to be or not... [T]ech companies often ask recruiters to find workers who have already worked at their company, particularly when hiring for a contract position that would require a worker to get up to speed quickly, said Nabeel Chowdhury, senior vice president at recruiting firm 24 Seven Talent. That's what happened with the former Amazon worker. One recruiter sent a message that began "Reaching out to see if you might be open to returning to Amazon on a contract position?"

One former Microsoft worker told the Seattle Times "I do have a sense of pride. There's no way I want to go back ... making half the amount."

Chrome

Compromised Sites Use Fake Chrome Update Warnings to Spread Malware (bleepingcomputer.com) 13

Bleeping Computer warned this week about compromised web sites "that display fake Google Chrome automatic update errors that distribute malware to unaware visitors." The campaign has been underway since November 2022, and according to NTT's security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish. BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores...

If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update that is required to continue browsing the site failed to install. "An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update," reads the fake Chrome error message. The scripts will then automatically download a ZIP file called 'release.zip' that is disguised as a Chrome update the user should install.

However, this ZIP file contains a Monero miner that will utilize the device's CPU resources to mine cryptocurrency for the threat actors. Upon launch, the malware copies itself to C:\Program Files\Google\Chrome as "updater.exe" and then launches a legitimate executable to perform process injection and run straight from memory. According to VirusTotal, the malware uses the "BYOVD" (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device.

The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender. Additionally, it stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.
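A defender-side check for the HOSTS-file tampering described above, written as an added example rather than code from the BleepingComputer report: it parses a Windows HOSTS file and flags entries that sinkhole or redirect hostnames, which is how the miner cuts security products off from their update and telemetry servers. The sample HOSTS content, the `.test` hostnames and the vendor keyword list are constructed for illustration; tune the keywords to the products actually deployed in your estate.

```python
"""Spot HOSTS-file tampering of the kind the miner in the report performs:
security or update vendors' hostnames remapped so the product can no longer
reach its servers. Added example, not code from the report."""

from typing import List, Tuple

# Default path of the HOSTS file on Windows; read it with open(WINDOWS_HOSTS_PATH).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses commonly used to black-hole a name rather than redirect it.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::", "255.255.255.255"}

# Names that legitimately map to loopback in a stock HOSTS file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}

# Constructed keyword list: substrings of the update/telemetry hostnames of the
# security and update services you rely on. Adjust to your own environment.
VENDOR_KEYWORDS = ("windowsupdate", "microsoft", "defender", "symantec",
                   "mcafee", "example-av")


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every name in the file.
    Text after '#' and blank lines are ignored; a single line may map one
    address to several names, and each name becomes its own entry."""
    entries: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:          # malformed line, nothing resolvable
            continue
        address = fields[0]
        for name in fields[1:]:
            entries.append((line_no, address, name.lower()))
    return entries


def find_tampering(text: str, vendor_keywords=VENDOR_KEYWORDS) -> List[dict]:
    """Flag entries that cut the host off from a vendor or black-hole a name.

    high   - the name looks like a security/update vendor host; any HOSTS
             mapping for it is suspect, whether to loopback or another IP
    medium - a non-local name is sinkholed; may be deliberate ad-blocking,
             but worth a look on a machine showing other miner indicators
    """
    findings: List[dict] = []
    for line_no, address, name in parse_hosts(text):
        if name in BENIGN_LOOPBACK_NAMES:
            continue
        vendor_hit = any(k in name for k in vendor_keywords)
        sinkholed = address in SINKHOLE_ADDRESSES
        if vendor_hit:
            reason = "vendor host sinkholed" if sinkholed else "vendor host redirected"
            findings.append({"line": line_no, "host": name, "address": address,
                             "severity": "high", "reason": reason})
        elif sinkholed:
            findings.append({"line": line_no, "host": name, "address": address,
                             "severity": "medium", "reason": "name sinkholed"})
    return findings


# Constructed HOSTS content: a stock header plus entries of the kind the
# report describes. No real vendor endpoints are named.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.corp.test             # ordinary admin override
0.0.0.0         ads.tracker.test               # sinkhole, not a vendor
0.0.0.0         update.example-av.test         # vendor update server blocked
127.0.0.1       telemetry.defender.test        # vendor telemetry blocked
10.0.0.5        liveupdate.symantec.test       # vendor host pointed elsewhere
"""


def main() -> None:
    # On a live host, replace SAMPLE_HOSTS with open(WINDOWS_HOSTS_PATH).read().
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['severity']:<6} {f['reason']:<24} "
              f"{f['host']} -> {f['address']}")


if __name__ == "__main__":
    main()
```

A HOSTS hit on its own is weak evidence; the report pairs it with the updater.exe copy under the Chrome program directory, new scheduled tasks and Defender exclusions, so correlate those before calling the box compromised.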

Chrome

Google Releases Emergency Chrome Security Update (hothardware.com) 29

"Earlier this week, Google released an emergency security update for the Chrome browser due to a vulnerability that is being actively exploited in the wild," reports Hot Hardware: On Friday, Google highlighted CVE-2023-2033, reported by Clément Lecigne of Google's own Threat Analysis Group (TAG). This vulnerability is a 'type confusion' bug in the JavaScript engine for Chromium browsers using the V8 JavaScript engine. In short, type confusion is a bug that allows memory to be accessed with the wrong type, allowing for the reading or writing of memory out of bounds. The CVE page says that an attacker could create an HTML page that allows the exploitation of heap corruption.

While there is no Common Vulnerability Scoring System (CVSS) score attached to the vulnerability yet, Google is tracking this as a "high" severity issue. This is likely due in part to the fact that "Google is aware that an exploit for CVE-2023-2033 exists in the wild."

The article notes that Chrome updates are generally done automatically, but you can also check for updates by clicking Chrome's three-dots menu in the top-right corner, then "Help" and "About Chrome."

Cloud

New Spectre-Related 'Medium Severity' Flaw Patched in Linux Kernel (theregister.com) 11

"The Spectre vulnerability that has haunted hardware and software makers since 2018 continues to defy efforts to bury it," reports the Register: On Thursday, Eduardo (sirdarckcat) Vela Nava, from Google's product security response team, disclosed a Spectre-related flaw in version 6.2 of the Linux kernel. The bug, designated medium severity, was initially reported to cloud service providers — those most likely to be affected — on December 31, 2022, and was patched in Linux on February 27, 2023.

"The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread," the vulnerability disclosure explains. The consequence of that attack is potential information exposure (e.g., leaked private keys) through this pernicious problem....

Spectre v2 — the variant implicated in this particular vulnerability — relies on timing side-channels to measure the misprediction rates of indirect branch prediction in order to infer the contents of protected memory. That's far from optimal in a cloud environment with shared hardware... The bug hunters who identified the issue found that the protections Linux userspace processes use to defend against Spectre v2 didn't work on VMs of "at least one major cloud provider."
