An anonymous reader shares a report: Kojima is a small company and little-known outside Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a critical one. And when the company was hacked in February 2022, it brought Toyota Motor's entire production line to a screeching stop. The world's top-selling carmaker had to halt 14 factories at a cost of about $375 million, based on a rough calculation of its sales and output data. Even after the initial crisis was over, it took months for Kojima to get operations close to their old routines.

The company is just one name on Japan's long list of recent cyber victims. Ransomware attacks alone soared 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported chip components worth $42.3 billion last year -- dominating the supply of some materials -- supply chain issues can have global implications. [...] But while Japan has its own particular problems with hackers, many of its vulnerabilities are shared by the US and other technologically strong nations. From the Colonial Pipeline attack in the US to the Australian telecoms hack that exposed 10 million users' personal data, wealthy countries have been repeatedly caught underestimating the harsh realities of cybercrime.

Southwest Airlines has fixed a technical issue that delayed hundreds of flights across the country. In a statement, Southwest Airlines spokesperson Dan Landson says the company resumed operations after working through "data connection issues resulting from a firewall failure." From a report: The airline started having issues at around 10:30AM ET, with data from FlightAware suggesting that over 1,700 Southwest flights have been delayed so far. The Federal Aviation Administration paused departures at the request of Southwest Airlines around this time and later unpaused flights at 11:10AM ET. "Early this morning, a vendor-supplied firewall went down and connection to some operational data was unexpectedly lost," Landson says. "Southwest Teams worked quickly to minimize flight disruptions."

WhatsApp, Signal and other messaging services have urged the UK government to rethink the Online Safety Bill (OSB). From a report: They are concerned that the bill could undermine end-to-end encryption - which means the message can only be read on the sender and the recipient's app and nowhere else. Ministers want the regulator to be able to ask the platforms to monitor users, to root out child abuse images. The government says it is possible to have both privacy and child safety. "We support strong encryption," a government official said, "but this cannot come at the cost of public safety. "Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms. "The Online Safety Bill in no way represents a ban on end-to-end encryption, nor will it require services to weaken encryption." End-to-end encryption (E2EE) provides the most robust level of security because nobody other than the sender and intended recipient can read the message information. Even the operator of the app cannot unscramble messages as they pass across systems - they can be decrypted only by the people in the chat. "Weakening encryption, undermining privacy and introducing the mass surveillance of people's private communications is not the way forward," an open letter warns.

Israeli spyware maker NSO Group deployed at least three new "zero-click" hacks against iPhones last year, finding ways to penetrate some of Apple's latest software, researchers at Citizen Lab have discovered. From a report: The attacks struck phones with iOS 15 and early versions of iOS 16 operating software, Citizen Lab said in a report Tuesday. The lab, based at the University of Toronto, shared its results with Apple, which has now fixed the flaws that NSO had been exploiting. It's the latest sign of NSO's ongoing efforts to create spyware that penetrates iPhones without users taking any actions that allow it in. Citizen Lab has detected multiple NSO hacking methods in past years while examining the phones of likely targets, including human rights workers and journalists.

While it is unsettling to civil rights groups that NSO was able to come up with multiple new means of attack, it did not surprise them. "It is their core business," said Bill Marczak, a senior researcher at Citizen Lab. "Despite Apple notifying targets, and the Commerce Department putting NSO on a blacklist, and the Israeli ministry cracking down on export licenses -- which are all good steps and raising costs -- NSO for the moment is absorbing those costs," Marczak said. Given the financial and legal fights NSO is involved in, Marczak said it was an open question how long NSO could keep finding or buying new exploits that are effective.

An anonymous reader writes: Security researchers are examining newly discovered Mac ransomware samples from the notorious gang LockBit, marking the first known example of a prominent ransomware group toying with macOS versions of its malware. Spotted by MalwareHunterTeam, the samples of ransomware encryptors seem to have first cropped up in the malware analysis repository VirusTotal in November and December 2022, but went unnoticed until yesterday. LockBit seems to have created both a version of the encryptor targeting newer Macs running Apple processors and older Macs that ran on Apple's PowerPC chips.

Researchers say the LockBit Mac ransomware appears to be more of a first foray than anything that's fully functional and ready to be used. But the tinkering could indicate future plans, especially given that more businesses and institutions have been incorporating Macs, which could make it more appealing for ransomware attackers to invest time and resources so they can target Apple computers. "It's unsurprising but concerning that a large and successful ransomware group has now set their sights on macOS," says longtime Mac security researcher and Objective-See Foundation founder Patrick Wardle. "It would be naive to assume that LockBit won't improve and iterate on this ransomware, potentially creating a more effective and destructive version."

For now, Wardle notes that LockBit's macOS encryptors seem to be in a very early phase and still have fundamental development issues like crashing on launch. And to create truly effective attack tools, LockBit will need to figure out how to circumvent macOS protections, including validity checks that Apple has added in recent years for running new software on Macs. "In some sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms aimed to directly thwart, or at least reduce the impact of, ransomware attacks," Wardle says. "However, well-funded ransomware groups will continue to evolve their malicious creations."

The Seattle Times reports: After losing their jobs at one of Seattle's biggest tech companies, some workers find themselves facing an unexpected question: Do you want to return to the company that just let you go?

There's a catch. Those offers, from third-party recruiters eager to place workers at the companies they just left, are for contract positions rather than staff positions. They would come with an end date, a lower salary, no benefits and no stock options.

For workers the messages range from insensitive to insulting. "We all just got the shock of our life, the last thing I need is for you to continue to ask me to go to a company that just let me go," said one former Microsoft worker who was laid off in March and asked to remain anonymous during the job hunt. Another worker who was laid off from Amazon in January and also asked to remain anonymous out of concern for future job prospects said they've heard from several recruiters looking specifically for people with Amazon experience. In one response, the former Amazonian passed this message to the recruiter: "Tell Amazon if they want an engineer, they can just not fire me later this month...."

Because companies and recruiters cast such a wide net, workers who were recently cut are still getting caught in the pool of potential candidates — whether they want to be or not... [T]ech companies often ask recruiters to find workers who have already worked at their company, particularly when hiring for a contract position that would require a worker to get up to speed quickly, said Nabeel Chowdhury, senior vice president at recruiting firm 24 Seven Talent. That's what happened with the former Amazon worker. One recruiter sent a message that began "Reaching out to see if you might be open to returning to Amazon on a contract position?"
One former Microsoft worker told the Seattle Times "I do have a sense of pride. There's no way I want to go back ... making half the amount."

Bleeping Computer warned this week about compromised web sites "that display fake Google Chrome automatic update errors that distribute malware to unaware visitors." The campaign has been underway since November 2022, and according to NTT's security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish. BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores...

If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update that is required to continue browsing the site failed to install. "An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update," reads the fake Chrome error message. The scripts will then automatically download a ZIP file called 'release.zip' that is disguised as a Chrome update the user should install.

However, this ZIP file contains a Monero miner that will utilize the device's CPU resources to mine cryptocurrency for the threat actors. Upon launch, the malware copies itself to C:\Program Files\Google\Chrome as "updater.exe" and then launches a legitimate executable to perform process injection and run straight from memory. According to VirusTotal, the malware uses the "BYOVD" (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device.

The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender. Additionally, it stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.

"Earlier this week, Google released an emergency security update for the Chrome browser due to a vulnerability that is being actively exploited in the wild," reports Hot Hardware: On Friday, Google highlighted CVE-2023-2033, reported by Clément Lecigne of Google's own Threat Analysis Group (TAG). This vulnerability is a 'type confusion' bug in the JavaScript engine for Chromium browsers useing the V8 Javascript engine. In short, type confusion is a bug that allows memory to be accessed with the wrong type, allowing for the reading or writing of memory out of bounds. The CVE page says that an attacker could create an HTML page that allows the exploitation of heap corruption.

While there is no Common Vulnerability Scoring System (CVSS) score attached to the vulnerability yet, Google is tracking this as a "high" severity issue. This is likely due in part to the fact that "Google is aware that an exploit for CVE-2023-2033 exists in the wild."
The article notes that Chrome updates are generally done automatically, but you can also check for updates by clicking Chrome's three-dots menu in the top-right corner, then "Help" and "About Chrome."

"The Spectre vulnerability that has haunted hardware and software makers since 2018 continues to defy efforts to bury it," reports the Register: On Thursday, Eduardo (sirdarckcat) Vela Nava, from Google's product security response team, disclosed a Spectre-related flaw in version 6.2 of the Linux kernel. The bug, designated medium severity, was initially reported to cloud service providers — those most likely to be affected — on December 31, 2022, and was patched in Linux on February 27, 2023.

"The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread," the vulnerability disclosure explains. The consequence of that attack is potential information exposure (e.g., leaked private keys) through this pernicous problem....

Spectre v2 — the variant implicated in this particular vulnerability — relies on timing side-channels to measure the misprediction rates of indirect branch prediction in order to infer the contents of protected memory. That's far from optimal in a cloud environment with shared hardware... The bug hunters who identified the issue found that Linux userspace processes to defend against Spectre v2 didn't work on VMs of "at least one major cloud provider."

Silicon Valley had $74.9 billion in venture-capital investments just in 2022, reports the Washington Post (citing data from PitchBook). With 3,206 deals, "that's about $45.36 billion and 1,058 deals more than New York, the second highest region for VC fundraising." And in addition, the Silicon Valley region "was also the home of 86% of start-ups, up from 53% last year, funded by famed start-up accelerator Y Combinator."

And yet Silicon Valley's share of U.S. venture capital investments last year was its lowest since 2012, "as lenient remote work policies and a spate of layoffs have fueled the departures of workers and cleared the way for rising investment in other tech hubs across the United States, notably Austin and Miami.... [N]early 250,000 people left the Silicon Valley region during the pandemic, according to census data from April 1, 2020, to July 1, 2022." Funding for companies in Miami has nearly quadrupled in the past three years, totaling $5.39 billion in 2022, while deal volume jumped 81 percent. Austin venture capital investments rose 77 percent to $4.95 billion with the number of deals jumping 23 percent. New York, Seattle, Philadelphia, Chicago, Denver and Houston also saw relatively large increases in investment and deals, data shows....

"There's no doubt that [Silicon Valley's] sort of exemplary, center-of-the-universe status has really absorbed some blows," said Mark Muro, senior fellow at Brookings Institution. Miami and Austin both benefited from fewer restrictions during the coronavirus pandemic. Early on, cryptocurrency and Web3 — a broad term for the next generation of the internet that would give people more control and ownership — were major drivers of Miami's growth. Seattle benefited from having Amazon and Microsoft in its backyard, attracting more enterprise technology and also biotech, said Kyle Stanford, lead venture capital analyst at PitchBook. "A redistribution [of funding] has definitely started. The pandemic, the fleeing of start-ups and remote work helped catalyze growth in those smaller markets," he said.

Brianne Kimmel, founder of investment firm Worklife Ventures, has noticed a change in identity for the Silicon Valley region as many tech workers have moved out of San Francisco to other places like Austin or Seattle. "That's really created room for young, very technical, traditional hacker types to come to San Francisco," she said. "It's giving the city a personality it may have lost in years prior."
The Post got this assessment from a VC company partner focused on investing in AI and software infrastructure. "Five years ago, 90 percent of companies would've been founded in San Francisco. Now it might be more like 70 percent, with others starting in places like Seattle and New York."

CIO magazine reports on "a growing number of managers and executives dropping degree requirements from job descriptions." Figures from the 2022 study The Emerging Degree Reset from The Burning Glass Institute quantify the trend, reporting that 46% of middle-skill and 31% of high-skill occupations experienced material degree resets between 2017 and 2019. Moreover, researchers calculated that 63% of those changes appear to be "'structural resets' representing a measured and potentially permanent shift in hiring practices" that could make an additional 1.4 million jobs open to workers without college degrees over the next five years.

Despite such statistics and testimony from Taylor and other IT leaders, the debate around whether a college education is needed in IT isn't settled. Some say there's no need for degrees; others say degrees are still preferred or required.... IBM is among the companies whose leaders have moved away from degree requirements; Big Blue is also one of the earliest, largest, and most prominent proponents of the move, introducing the term "new collar jobs" for the growing number of positions that require specific skills but not a bachelor's degree....

Not all are convinced that dropping degree requirements is the way to go, however. Jane Zhu, CIO and senior vice president at Veritas Technologies, says she sees value in degrees, value that isn't always replicated through other channels. "Though we don't necessarily require degrees for all IT roles here at Veritas, I believe that they do help candidates demonstrate a level of formal education and commitment to the field and provide a foundation in fundamental concepts and theories of IT-related fields that may not be easily gained through self-study or on-the-job training," she says. "Through college education, candidates have usually acquired basic technical knowledge, problem-solving skills, the ability to collaborate with others, and ownership and accountability. They also often gain an understanding of the business and social impacts of their actions."
The article notes an evolving trend of "more openness to skills-based hiring for many technical roles but a desire for a bachelor's degree for certain positions, including leadership." (Kelli Jordan, vice president of IBMer Growth and Development tells CIO that more than half of the job openings posted by IBM no longer require degrees.)

Thanks to Slashdot reader snydeq for sharing the article.

Several government cybersecurity agencies united to urge secure-by-design and secure-by-default software. Releasing "joint guidance" for software manufactuers were two U.S. security agencies — the FBI and the NSA — joined with the U.S. Cybersecurity and Infrastructure Security Agency and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, Netherlands, and New Zealand. "To create a future where technology and associated products are safe for customers," they wrote in a joint statement, "the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers."

The Washington Post reports: Software manufacturers should put an end to default passwords, write in safer programming languages and establish vulnerability disclosure programs for reporting flaws, a collection of U.S. and international government agencies said in new guidelines Thursday. [The guidelines also urge rigorous code reviews.]

The "principles and approaches" document, which isn't mandatory but lays out the agencies' views on securing software, is the first major step by the Biden administration as part of its push to make software products secure as part of the design process, and to make their default settings secure as well. It's part of a potentially contentious multiyear effort that aims to shift the way software makers secure their products. It was a key feature of the administration's national cybersecurity strategy, which was released last month and emphasized shifting the burden of security from consumers — who have to manage frequent software updates — to the companies that make often insecure products... The administration has also raised the prospect of legislation on secure-by-design and secure-by-default, but officials have said it could be years away....

The [international affairs think tank] Atlantic Council's Cyber Statecraft Initiative has praised the Biden administration's desire to address economic incentives for insecurity. Right now, the costs of cyberattacks fall on users more than they do tech providers, according to many policymakers. "They're on a righteous mission," Trey Herr, director of the Atlantic Council initiative, told me. If today's guidelines are the beginning of the discussion on secure-by-design and secure-by-default, Herr said, "this is a really strong start, and an important one."

"It really takes aim at security features as a profit center," which for some companies has led to a lot of financial growth, Herr said. "I do think that's going to rub people the wrong way and quick, but that's good. That's a good fight."
In the statement CISA's director says consumers also have a role to play in this transition. "As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else."

Among other things, the new guidelines say that manufacturers "are encouraged make hard tradeoffs and investments, including those that will be 'invisible' to the customers, such as migrating to programming languages that eliminate widespread vulnerabilities."

An anonymous reader shares a report from KrebsOnSecurity: KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about "juice jacking," a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.

The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who'd set up a mobile charging station designed to educate the unwary to the reality that many mobile devices were set up to connect to a computer and immediately sync data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place. On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks. [...]

How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023. "The FBI replied that its tweet was a 'standard PSA-type post' that stemmed from the FCC warning," Snopes reported. "An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on "juice-jacking," first issued in 2019 and later updated in 2021, was up-to-date so as to ensure 'the consumers have the most up-to-date information.' The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking." The best way to protect yourself from juice jacking is by using your own gear to charge and transfer data from your device(s) to another.

"Juice jacking isn't possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present," says security researcher Brian Krebs. "If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in."

The "right to repair" movement has made considerable inroads over the past five years, partially due to support from the Biden FTC. State-level legislation aimed at dismantling repair monopolies has made progress, despite industry lobbying efforts to weaken the proposals (e.g., Kathy Hochul in New York State). Federal legislation, however, faces challenges in a troubled Congress. In response, a bipartisan group of 28 state attorneys general has penned a letter to key congressional committee leaders, urging them to advance stalled right to repair bills. From the letter: "The Right-to-Repair is a bipartisan issue that impacts every consumer, household, and farm in a time of increasing inflation. It is about ensuring that consumers have choices as to who, where, when and at what cost their vehicles can be repaired. It is about ensuring that farmers can repair their tractors for a reasonable price and quickly enough to harvest their crops."

The stock market, real estate and cryptocurrencies did poorly in 2022, but the global luxury goods market grew 20 percent. People may have had less, but they spent more on fine arts and collectibles that serve no function except to provide pleasure. From a report: The culture is bursting with new material -- every day, thousands of new books are published and 100,000 new songs are released on Spotify -- but the old stuff offers a sweeter emotional payoff for many. It could be tapes or posters or pictures or comics or coins or sports cards or memorabilia. It might be from their childhood or the childhood they never had, or it might merely express a longing to be anywhere but 2023. The common element is this: People like to own a thing from a thing they love. For Mr. Carlson and millions like him, the nostalgia factory is working overtime.

When Mr. Carlson first began to look for sealed VHS cassettes, they were considered so much plastic trash. "Back to the Future," "The Goonies," "Blade Runner," were about $20 each on eBay. He put them on a shelf, little windows into his past, and started an Instagram account called Rare and Sealed. Then tapes began to get scarcer and much more expensive. People trapped at home had lots of money to spend during the pandemic. But it was more than that. Objects with a bit of history have an obvious attraction in a high-tech world. The current cultural tumult, with its boom in fake images, endless arguments over everything and now the debut of imperious A.I. chatbots, increases the appeal of things that can't be plugged in. At the same time, advances in technology mean it is ever easier to buy expensive things online. Bids at auctions routinely reach tens, even hundreds, of thousands of dollars.

An anonymous reader quotes a report from TechCrunch: The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom -- of "minimum 8 figures" -- in exchange for not publishing the stolen data. On April 3, Western Digital disclosed "a network security incident" saying hackers had exfiltrated data after hacking into "a number of the Company's systems." At the time, Western Digital provided few details about exactly what data the hackers stole, saying in a statement that the hackers "obtained certain data from its systems and [Western Digital] is working to understand the nature and scope of that data."

One of the hackers spoke with TechCrunch and provided more details, with the goal of verifying their claims. The hacker shared a file that was digitally signed with Western Digital's code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company's certificate. The hackers also shared phone numbers allegedly belonging to several company executives. TechCrunch called the numbers. Most of the calls rang but went to automated voicemail messages. Two of the phone numbers had voicemail greetings that mentioned the names of the executives that the hackers claimed were associated with the numbers. The two phone numbers are not public.

Screenshots shared by the hacker show a folder from a Box account apparently belonging to Western Digital, an internal email, files stored in a PrivateArk instance (a cybersecurity product), and a screenshot of a group call where one of the participants is identified as Western Digital's chief information security officer. They also said they were able to steal data from the company's SAP Backoffice, a backend interface that helps companies manage e-commerce data. The hacker said that their goal when they hacked Western Digital was to make money, though they decided against using ransomware to encrypt the company's files. [...] If Western Digital doesn't get back to them, the hacker said, they are ready to start publishing the stolen data on the website of the ransomware gang Alphv. The hacker said they are not directly affiliated with Alphv but "I know them to be professional." Western Digital said they're declining to comment or answer questions about the hacker's claims.

Instant messaging platform Discord says it was cooperating with U.S. law enforcement's investigation into a leak of secret U.S. documents that has grabbed attention around the world. From a report: The statement comes as questions continue to swirl over who leaked the documents, whether they are genuine and whether the intelligence assessments in them are reliable. The documents, which carry markings suggesting that they are highly classified, have led to a string of stories about the war in Ukraine, protests in Israel and how the U.S. surveils friend and foe alike. The source of the documents is not publicly known, but reporting by the open-source investigative site Bellingcat has traced their earliest appearance to Discord, a communications platform popular with gamers. Discord's statement suggested it was already in touch with investigators. The White House also urged social media companies on Thursday to prevent the circulation of information that could hurt national security.

The Ethereum blockchain, the most important commercial highway in the digital-asset sector, successfully implemented a widely anticipated software upgrade. From a report: The so-called Shanghai update enables investors to queue up to withdraw Ether coins that they had pledged to help operate the network in return for rewards, a process called staking. Tim Beiko, who helps to co-ordinate the development of Ethereum, posted on Twitter on Wednesday that the upgrade is now "official." The network revamp -- also known as Shapella -- is designed to let people exit an Ether staking investment and has stirred debate on whether the appeal of the largest token after Bitcoin will increase over time.

"Ethereum is updating and navigating with great skill -- so far anyway -- and cementing its position as the No. 2 crypto," said Aaron Brown, a crypto investor who writes for Bloomberg Opinion. He added that the network is "moving to the future much faster than Bitcoin." About 1.2 million of Ether tokens -- worth approximately $2.3 billion at current prices -- are expected to be withdrawn over the next five days, according to researcher Coin Metrics. Some $36.7 billion of Ether is locked up for staking, data from Staking Rewards shows.

Hyper-volumetric DDoS (distributed denial of service) attacks in the first quarter of 2023 have shifted from relying on compromised IoT devices to leveraging breached Virtual Private Servers (VPS). BleepingComputer reports: According to internet security company Cloudflare, the newer generation of botnets gradually abandoned the tactic of building large swarms of individually weak IoT devices and are now shifting towards enslaving vulnerable and misconfigured VPS servers using leaked API credentials or known exploits. This approach helps the threat actors build high-performance botnets easier and often quicker, which can be up to 5,000 times stronger than IoT-based botnets.

"The new generation of botnets uses a fraction of the amount of devices, but each device is substantially stronger," explains Cloudflare in the report. "Cloud computing providers offer virtual private servers to allow start ups and businesses to create performant applications. The downside is that it also allows attackers to create high-performance botnets that can be as much as 5,000x stronger." Cloudflare has been working with key cloud computing providers and partners to crack down on these emerging VPS-based threats and says it has succeeded in taking down substantial portions of these novel botnets.

An anonymous reader shares a report: About a year ago, Google announced its Assured Open Source Software (Assured OSS) service, a service that helps developers defend against supply chain security attacks by regularly scanning and analyzing some of the world's most popular software libraries for vulnerabilities. Today, Google is launching Assured OSS into general availability with support for well over a thousand Java and Python packages -- and while Google didn't initially disclose pricing when it first announced the service, the company has now revealed that it will be available for free.

Software development has long depended on third-party libraries (which are often maintained by only a single developer), but it wasn't until the industry got hit with a number of high-profile exploits that everyone (including the White House) perked up and started taking software supply chain security seriously. Now, you can't attend an open source conference without hearing about Software Bills of Materials (SBOMs), artifact registries and similar topics. It's no surprise then that Google, which has long been at the forefront of releasing open-source products, launched a service like Assured OSS.

Google promises that it will constantly keep these libraries up to date (without creating forks) and continuously scan for known vulnerabilities, do fuzz tests to discover new ones and then fix these issues and contribute these fixes back upstream. The company notes that when it first launched the service with around 250 Java libraries, it was responsible for discovering 48% of the new CVEs for these libraries and subsequently addressing them.