Encryption

FBI Calls Apple's Expansion of End-To-End Encryption 'Deeply Concerning' (macrumors.com) 138

An anonymous reader quotes a report from MacRumors: Apple yesterday announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy. iCloud end-to-end encryption, or what Apple calls "Advanced Data Protection," encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it's "deeply concerned with the threat end-to-end and user-only-access encryption pose." Speaking generally about end-to-end encryption like Apple's Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests "lawful access by design": "This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism," the bureau said in an emailed statement. "In this age of cybersecurity and demands for 'security by design,' the FBI and law enforcement partners need 'lawful access by design.'"

Former FBI official Sasha O'Connell also weighed in, telling The New York Times "it's great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that is often not considered is the impact it has on decreasing law enforcement access to digital evidence."

Crime

Scammers Are Scamming Other Scammers Out of Millions of Dollars (wired.com) 34

Nobody is immune to being scammed online -- not even the people running the scams. From a report: Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what's more, when the criminals complain that they are being scammed, they're also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators. Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people's stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people's devices or systems. However, these deals often don't go to plan.

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. "Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was," says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces. Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have "arbitration" rooms where people who think they've been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn't work, they may moan to the site's administrators. The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months -- the period the research covers -- criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scam on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

Programming

2022's Geeky 'Advent Calendars' Tempt Programmers with Coding Challenges and Tips 11

"The Perl Advent Calendar has come a long way since its first year in 2000," says an announcement on Reddit. But in fact the online world now has many daily advent calendars aimed at programmers — offering tips about their favorite language or coding challenges.
  • The HTMHell site — which bills itself as "a collection of bad practices in HTML, copied from real websites" — decided to try publishing 24 original articles for their 2022 HTMHell Advent Calendar. Elsewhere on the web there's the Web Performance Calendar, promising daily articles for speed geeks. And the 24 Days in December blog comes to life every year with new blog posts for PHP users.
  • The JVM Advent Calendar brings a new article daily about a JVM-related topic. And there's also a C# Advent calendar promising two new blog posts about C# every day up to (and including) December 25th.
  • The Perl Advent Calendar offers fun stories about Perl tools averting December catastrophes up at the North Pole. (Day One's story — "Silent Mite" — described Santa's troubles building software for a ninja robot alien toy, since its embedded hardware support contract prohibited unwarrantied third-party code, requiring a full code rewrite using Perl's standard library.) Other stories so far this December include "Santa is on GitHub" and "northpole.cgi".
  • The code quality/security software company SonarSource has a new 2022 edition of their Code Security Advent Calendar — their seventh consecutive year — promising "daily challenges until December 24th. Get ready to fill your bag of security tricks!" (According to a blog post, the challenges are being announced on Twitter and on Mastodon.)
  • "24 Pull Requests" dares participants to make 24 pull requests before December 24th. (The site's tagline is "giving back to open source for the holidays.") Over the years tens of thousands of developers (and organizations) have participated — and this year they're also encouraging organizers to hold hack events.
  • The Advent of JavaScript and Advent of CSS sites promise 24 puzzles delivered by email (though you'll have to pay if you also want them to email you the solutions!)
  • For 2022 Oslo-based Bekk Consulting (a "strategic internet consulting company") is offering an advent calendar of their own. A blog post says it's their sixth annual edition, and promises "new original articles, podcasts, tutorials, listicles and videos every day up until Christmas Eve... all written and produced by us - developers, designers, project managers, agile coaches, management consultants, specialists and generalists."

Whether you participate or not, the creation of programming-themed advent calendar sites is a long-standing tradition among geeks, dating back more than two decades. (Last year Smashing magazine tried to compile an exhaustive list of the various sites serving all the different developer communities.)

But no list would be complete without mentioning Advent of Code. This year's programming puzzles involve everything from feeding Santa's reindeer to loading Santa's sleigh. The site's About page describes it as "an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like."

Now in its eighth year, the site's daily two-part programming puzzles have a massive online following. This year's Day One puzzle was solved by 178,628 participants...

Encryption

Can the World Avoid a 'Quantum Encryption Apocalypse'? (axios.com) 71

"Although a quantum computer isn't expected until 2030, at the earliest, updating current encryption standards will take just as long," writes Axios, "creating a high-stakes race filled with unanswerable questions for national security and cybersecurity officials alike." As scientists, academics and international policymakers attended the first-ever Quantum World Congress conference in Washington this week, alarmism around the future of secure data was undercut by foundational questions of what quantum computing will mean for the world. "We don't even know what we don't know about what quantum can do," said Michael Redding, chief technology officer at Quantropi, during a panel about cryptography at the Quantum World Congress....

Some governments are believed to have already started stealing enemies' encrypted secrets now, so they can unlock them as soon as quantum computing is available. "It's the single-largest economic national-security issue we have ever faced as a Western society," said Denis Mandich, chief technology officer at Qrypt and a former U.S. intelligence official, at this week's conference. "We don't know what happens if they actually decrypt, operationalize and monetize all the data that they already have."

Privacy

Graduate Students Analyze, Crack, and Remove Under-Desk Surveillance Devices (vice.com) 86

"Graduate students at Northeastern University were able to organize and beat back an attempt at introducing invasive surveillance devices that were quietly placed under desks at their school," reports Motherboard: Early in October, Senior Vice Provost David Luzzi installed motion sensors under all the desks at the school's Interdisciplinary Science & Engineering Complex (ISEC), a facility used by graduate students and home to the "Cybersecurity and Privacy Institute" which studies surveillance. These sensors were installed at night — without student knowledge or consent — and when pressed for an explanation, students were told this was part of a study on "desk usage," according to a blog post by Max von Hippel, a Privacy Institute PhD candidate who wrote about the situation for the Tech Workers Coalition's newsletter....

Students began to raise concerns about the sensors, and an email was sent out by Luzzi attempting to address issues raised by students.... Luzzi wrote, the university had deployed "a Spaceti occupancy monitoring system" that would use heat sensors at groin level to "aggregate data by subzones to generate when a desk is occupied or not." Luzzi added that the data would be anonymized, aggregated to look at "themes" and not individual time at assigned desks, not be used in evaluations, and not shared with any supervisors of the students. Following that email, an impromptu listening session was held in the ISEC. At this first listening session, Luzzi asked that grad student attendees "trust the university since you trust them to give you a degree...."

After that, the students at the Privacy Institute, which specializes in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted.... After hacking the devices, students wrote an open letter to Luzzi and university president Joseph E. Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval even though human subjects were at the center of the so-called study.

von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response. Motherboard writes that the controversy ultimately culminated with another listening session in which Luzzi "struggles to quell concerns that the study is invasive, poorly planned, costly, and likely unethical."

"Afterwards, von Hippel took to Twitter and shares what becomes a semi-viral thread documenting the entire timeline of events from the secret installation of the sensors to the listening session occurring that day. Hours later, the sensors are removed..."

Security

FBI, CISA Say Cuba Ransomware Gang Extorted $60 Million From Victims This Year (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: The Cuba ransomware gang extorted more than $60 million in ransom payments from victims between December 2021 and August 2022, a joint advisory from CISA and the FBI has warned. The latest advisory is a follow-up to a flash alert (PDF) released by the FBI in December 2021, which revealed that the gang had earned close to $44 million in ransom payments after attacks on more than 49 entities in five critical infrastructure sectors in the United States. Since then, the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally, almost half of the $145 million it demanded in ransom payments from these victims. "Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase," the two federal agencies said on Thursday.

Cuba ransomware actors, which have been active since 2019, continue to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, critical manufacturing and information technology. [...] FBI and CISA added that the ransomware gang has modified its tactics, techniques and procedures since the start of the year and has been linked to the RomCom malware, a custom remote access trojan for command and control, and the Industrial Spy ransomware. The advisory notes that the group -- which cybersecurity company Profero previously linked to Russian-speaking hackers -- typically extorts victims by threatening to leak stolen data. While this data was typically leaked on Cuba's dark web leak site, it began selling stolen data on Industrial Spy's online market in May this year. CISA and the FBI are urging at-risk organizations to prioritize patching known exploited vulnerabilities, to train employees to spot and report phishing attacks and to enable and enforce phishing-resistant multi-factor authentication.

Transportation

Automakers Are Locking the Aftermarket Out of Engine Control Units (roadandtrack.com) 175

This month Road & Track looked at "increased cybersecurity measures" automakers are adding to car systems — and how it's affecting the vendors of "aftermarket" enhancements: As our vehicles start to integrate more complex systems such as Advanced Driver Assist Systems and over-the-air updates, automakers are growing wary of what potential bad actors could gain access to by way of hacking. Whether those hacks come in an attempt to retrieve personal customer data, or to take control of certain aspects of these integrated vehicles, automakers want to leave no part of that equation unchecked. "I think there are very specific reasons why the OEMs are taking encryption more seriously," HP Tuners director of marketing Eddie Xu told R&T. "There's personal identifiable data on vehicles, there's more considerations now than just engine control modules controlling the engine. It's everything involved."

In order to prevent this from becoming a potential safety or legal issue, companies like Ford have moved to heavily encrypt their vehicles' software. S650 Mustang chief engineer Ed Krenz specifically noted that the new FNV architecture can detect when someone attempts to modify any of the vehicle's coding, and that it can respond by shutting down an individual vehicle system or the vehicle entirely if that's what is required.

That sort of total lockout presents an interesting challenge for [car performance] tuners who rely on access to things like engine and transmission control modules to create their products.

Last month Ford acknowledged tuners would find the S650 Mustang "much more difficult," the article points out. And they add that Dodge also "intends to lock down the Engine Control Units of its upcoming electric muscle car offerings, though it will offer performance upgrades via its own over-the-air network."

"We don't want to lock the cars and say you can't modify them," Dodge CEO Kuniskis told Carscoops. "We just want to lock them and say modify them through us so that we know it's done right."

Thanks to long-time Slashdot reader schwit1 for submitting the article.

Piracy

Police Tracked Traffic of All National ISPs To Catch Pirate IPTV Users (torrentfreak.com) 68

An anonymous reader quotes a report from TorrentFreak: In May 2022, Italian police claimed that thousands of people had unwittingly subscribed to a pirate IPTV service being monitored by the authorities. When users tried to access illegal streams, a warning message claimed that they had already been tracked. With fines now being received through the mail, police are making some extraordinary claims about how this was made possible. [...] Today's general consensus is that hitting site operators is much more effective but whenever the opportunity appears, undermining user confidence should be part of the strategy. Italian police have been following the same model by shutting down pirate IPTV services (1,2,3) and warning users they're up next.

Letters recently sent to homes in Italy reveal that police were not bluffing. A copy letter obtained by Il Sole 24 Ore identifies the sender as the Nucleo Speciale Tutela Privacy e Frodi Tecnologiche, a Guardia di Finanza unit specializing in IT-related crime. It refers to an anti-IPTV police operation in May. The operation targeted around 500 pirate IPTV resources including websites and Telegram channels. At the time, police also reported that 310+ pieces of IPTV infrastructure, including primary and balancing servers distributing illegal streams, were taken offline. Police also claimed that a tracking system made it possible to identify the users of the pirate streams. The letter suggests extraordinary and potentially unprecedented tactics.

The letters state that Italian authorities were able to track the IPTV users by "arranging for the redirection of all Internet service providers' national connections" so that subscribers placed their orders on a police-controlled server configured to record their activity. In comments to Il Sole 24 Ore, Gian Luca Berruti, head of investigations at the Guardia di Finanza, describes the operation as "decisive" in the fight against cybercrime. Currently deployed to Italy's National Cybersecurity Agency, Berruti references "innovative investigative techniques" supported by "new technological tools." Technical details are not being made public, but it's claimed that IPTV users were tracked by "tracing of all connections to pirate sites (IPs) combined, in real-time," and "cross-referencing telematic information with that derived from the payment mechanisms used." The police operation in May was codenamed Operazione:Dottor Pezzotto. A Telegram channel with exactly the same branding suffered a traffic collapse at exactly the same time.
"The letters refer to an administrative copyright infringement fine of just 154 euros or 'in case of recidivism' a total of 1,032 euros," notes the report. "However, if people pay their fines within 60 days, the amounts are reduced to 51 euros and 344 euros respectively."

"Around 1,600 people are believed to have been targeted in this first wave of letters but according to Andrea Duillo, CEO of Sky Italia, this is just the start."

Businesses

Is Quantum Computing Moving from Theoretical to Startups? (msn.com) 38

The Boston Globe reports that "More money is starting to flow into the nascent field of quantum computing in Boston, turning academic research at MIT and Harvard labs into startups."

In September, Northeastern University announced it will build a $10 million lab at its Burlington campus to explore applications for quantum technology, and to train students to work with it. And companies based in other countries are setting up outposts here to hire quantum-savvy techies....

"It's still pretty early" for quantum computing, says Russ Wilcox, a partner at the venture capital firm Pillar. "But a number of companies are starting to experiment to learn how to make use of it. The key factor is that the field is progressing at an exponential rate." In 2018, his firm made an early investment in Zapata Computing, a Boston startup building software for quantum computers and selling services — including ways to analyze the new cybersecurity risks that a powerful new class of computers could introduce....

In the current fiscal year, the federal government budgeted about $900 million to advance the field of quantum information science, which includes quantum computing....

[S]everal local venture capital firms are getting comfortable with placing bets on the quantum computing sector. Glasswing's Rudina Seseri says that her firm is "seeing momentum pick up," although the sector is "still in the warm-up phase, not yet in the first inning." But some of the technology being developed by startups, she says, "is so meaningful that if they get the technology to work at scale, they will be incredibly valuable."

That said, much of the revenue available to these companies today comes from researchers in academic and corporate labs trying to understand the potential of quantum computers. Sam Liss, an executive director in Harvard's Office of Technology Development, thinks that "the large commercial opportunities for quantum are still a long way off." The OTD helps attract corporate funding to Harvard research labs, and also helps to license technologies created in those labs to the private sector. "Technologies have a way of getting oversold and overhyped," Liss says. "We all recognize that this is going to take some time."

Large companies like Amazon, Google, and IBM are trying to move the field forward, and startups are beginning to demonstrate their new approaches. In the startup realm, Liss says, we're seeing enough new companies being formed and attracting funding "to support a thesis that this will be a big thing."

Encryption

Researchers Quietly Cracked Zeppelin Ransomware Keys (krebsonsecurity.com) 24

Brian Krebs writes via KrebsOnSecurity: Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called "Zeppelin" in May 2020. He'd been on the job less than six months, and because of the way his predecessor architected things, the company's data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," the agent said. "We've found someone who can crack the encryption." Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder -- Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn't want to tip its hand to Zeppelin's creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed. This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code. "The minute you announce you've got a decryptor for some ransomware, they change up the code," James said. But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B's referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists. [...]

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects. "If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!" [James and co-author Joel Lathrop wrote in a blog post]. "The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key." Unit 221B ultimately built a "Live CD" version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.
A more technical writeup on Unit 221B's discoveries (cheekily titled "0XDEAD ZEPPELIN") is available here.
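
As an added illustration (written for this page; it is not Unit 221B's tool, Zeppelin's code, or anything from the "0XDEAD ZEPPELIN" writeup), the Python below walks the key-recovery chain the article describes: the 256-bit file key is wrapped under a per-victim ephemeral RSA public key, so whoever can factor that modulus can derive the private exponent and unwrap the file key. Every concrete detail is a constructed stand-in: a modulus of two 32-bit primes, factored with Pollard's rho so the run takes seconds (a 512-bit modulus needs the Number Field Sieve and the kind of CPU farm the article mentions); textbook RSA over 4-byte chunks in place of the malware's real wrapping; and a SHA-256 digest in place of the random file key.

```python
"""Added example for this page (not Unit 221B's or Zeppelin's code).

Chain demonstrated: a 256-bit file key is wrapped under a per-victim RSA
public key; factoring the modulus yields the private exponent, which unwraps
the file key. Everything below is a constructed stand-in: 32-bit primes (so
Pollard's rho finishes in seconds; a 512-bit modulus needs the Number Field
Sieve on real hardware), textbook RSA over 4-byte chunks instead of the
malware's wrapping scheme, and a SHA-256 digest instead of a random file key.
"""
import hashlib
import math
import random

CHUNK = 4  # bytes per textbook-RSA block; a 32-bit chunk always lies below a 62-bit+ modulus


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_weak_rsa(prime_bits: int = 32, seed=None):
    """Ephemeral RSA key pair like the one Zeppelin generates per machine, but tiny.

    Returns (n, e, p, q); the malware on the victim would expose only (n, e).
    """
    rng = random.Random(seed)  # seeded so the demo is reproducible
    e = 65537

    def prime():
        while True:
            cand = rng.getrandbits(prime_bits) | (1 << (prime_bits - 1)) | 1
            if is_probable_prime(cand):
                return cand

    while True:
        p, q = prime(), prime()
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, p, q


def wrap_key(file_key: bytes, n: int, e: int) -> list:
    """What the malware leaves behind: the file key, RSA-wrapped chunk by chunk."""
    return [pow(int.from_bytes(file_key[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(file_key), CHUNK)]


def pollard_rho(n: int) -> int:
    """Return a nontrivial factor of composite n (Floyd cycle-finding; fine for ~64-bit n)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 200):  # try another polynomial x^2 + c if one degenerates
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("Pollard's rho failed; n may be prime")


def recover_private_exponent(n: int, e: int) -> int:
    """The 'crack': factor the public modulus, then invert e modulo phi(n)."""
    p = pollard_rho(n)
    q = n // p
    assert p * q == n
    return pow(e, -1, (p - 1) * (q - 1))


def unwrap_key(wrapped: list, n: int, d: int) -> bytes:
    """Undo wrap_key() with the recovered private exponent."""
    return b"".join(pow(c, d, n).to_bytes(CHUNK, "big") for c in wrapped)


def demo(seed: int = 2020):
    """Full chain; returns (original file key, recovered file key)."""
    n, e, _p, _q = generate_weak_rsa(32, seed)  # the cracker never sees _p/_q
    file_key = hashlib.sha256(b"constructed 256-bit file key").digest()
    wrapped = wrap_key(file_key, n, e)           # pulled from the victim machine
    d = recover_private_exponent(n, e)           # needs only the public key
    return file_key, unwrap_key(wrapped, n, d)


if __name__ == "__main__":
    original, recovered = demo()
    print("recovered file key matches:", original == recovered)
```

The point to take away is that the file encryption (AES-256) was never attacked; the whole scheme fell to its weakest link, the 512-bit RSA key that wrapped the file key. 512-bit RSA moduli have been factorable since RSA-155 fell in 1999, which is why recovering the public key from the registry during the article's five-minute window was enough.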

Australia

Australia To Consider Banning Ransomware Payments (therecord.media) 86

Australia will consider banning ransomware payments in a bid to undermine the cybercriminal business model, a government minister said on Sunday. From a report: Clare O'Neil, the minister for home affairs and cybersecurity, confirmed to Australia's public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government's cyber strategy. The announcement follows several large security incidents affecting the country, including most significantly the data breach of Medibank, one of the country's largest health insurance providers.

Earlier this month Medibank stated it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad. All of the data which the criminals accessed "could have been taken," the company said. This includes sensitive health care claims data for around 480,000 individuals, including information about drug addiction treatments and abortions. O'Neil's interview followed the AFP's commissioner Reece Kershaw announcing that they had identified the individual perpetrators of the Medibank hack, and that a group based in Russia was to blame.
Further reading: After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences.

Programming

NVIDIA Security Team: 'What if We Just Stopped Using C?' (adacore.com) 239

This week the Adacore blog shared a story about the NVIDIA Security Team: Like many other security-oriented teams in our industry today, they were looking for a measurable answer to the increasingly hostile cybersecurity environment and started questioning their software development and verification strategies. "Testing security is pretty much impossible. It's hard to know if you're ever done," said Daniel Rohrer, VP of Software Security at NVIDIA.

In my opinion, this is the most important point of the case study — that test-oriented software verification simply doesn't work for security. Once you come out of the costly process of thoroughly testing your software, you can have a metric on the quality of the features that you provide to the users, but there's not much you can say about security.

Rohrer continues, "We wanted to emphasize provability over testing as a preferred verification method." Fortunately, it is possible to prove mathematically that your code behaves in precise accordance with its specification. This process is known as formal verification, and it is the fundamental paradigm shift that made NVIDIA investigate SPARK, the industry-ready solution for software formal verification.

Back in 2018, a Proof-of-Concept (POC) exercise was conducted. Two low-level security-sensitive applications were converted from C to SPARK in only three months. After an evaluation of the return on investment, the team concluded that even with the new technology ramp-up (training, experimentation, discovery of new tools, etc.), gains in application security and verification efficiency offered an attractive trade-off. They realized major improvements in the security robustness of both applications (See NVIDIA's Offensive Security Research D3FC0N talk for more information on the results of the evaluation).

As the results of the POC validated the initial strategy, the use of SPARK spread rapidly within NVIDIA. There are now over fifty developers trained and numerous components implemented in SPARK, and many NVIDIA products are now shipping with SPARK components.

Encryption

Introducing Shufflecake: Plausible Deniability For Multiple Hidden Filesystems on Linux (kudelskisecurity.com) 90

Thursday the Kudelski Group's cybersecurity division released "a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes."

"Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted." Even if the presence of the Shufflecake software itself cannot be hidden — and hence the presence of secret volumes is suspected — the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where "most hidden" secret volumes are buried under "less hidden" decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly "lie" to a coercive adversary about the existence of hidden data, by providing a password that unlocks "decoy" data.

Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and dismounted like a normal disc. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disc space.

You can consider Shufflecake a "spiritual successor" of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and can manage up to 15 nested volumes per device, so to make deniability of the existence of these partitions really plausible.

"The reason why this is important versus "simple" disc encryption is best illustrated in the famous XKCD comic 538," quips Slashdot reader Gaglia (in the original submission). But the big announcement from Kudelski Security Research calls it "a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes.

"Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or superior.... The current release is still a non-production-ready prototype, so we advise against using it for really sensitive operations. However, we believe that future work will sensibly improve both security and performance, hopefully offering a really useful tool to people who live in constant danger of being interrogated with coercive methods to reveal sensitive information.
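
As an added illustration (written for this page; not Shufflecake's code or on-disk format, which the announcement does not spell out), the Python below sketches a toy device with the properties listed above: every volume sits under its own password-derived key, its blocks are scattered over a device that starts as random bytes, and the fixed-size header slots are unreadable without the right password, so unused slots and other volumes' slots look alike and the number of volumes stays hidden. The primitives are stand-ins chosen so the script runs with the standard library only: a SHA-256 counter-mode keystream in place of the block cipher, HMAC-SHA256 to authenticate slots, PBKDF2 for key derivation; the sizes and the slot layout are made up for the demo.

```python
"""Added illustration for this page: a toy deniable-volume layout with the
properties the Kudelski announcement lists. NOT Shufflecake's format or code.
Stand-ins: SHA-256 counter-mode keystream as the cipher, HMAC-SHA256 for slot
authentication, PBKDF2 for key derivation; all sizes are invented for the demo.
"""
import hashlib
import hmac
import random
import secrets
import struct

SALT_LEN = 16
SLOTS = 15                  # the announcement's ceiling of 15 volumes per device
TAG_LEN = 32
SLOT_LEN = 128              # every slot is the same size: tag (32) + encrypted payload (96)
BLOCK = 256                 # toy data block size
HEADER = SALT_LEN + SLOTS * SLOT_LEN
MAX_BLOCKS = (SLOT_LEN - TAG_LEN - 4) // 2   # payload = 4-byte length + 2 bytes per block index
SLOT_NONCE = 1 << 63        # keeps slot keystreams disjoint from data-block keystreams


def _keys(password: str, salt: bytes):
    """Per-volume encryption and MAC keys derived from that volume's password."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())


def _xor_stream(key: bytes, nonce: int, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256(key || nonce || counter) keystream XORed over data."""
    stream = b"".join(hashlib.sha256(key + struct.pack(">QQ", nonce, ctr)).digest()
                      for ctr in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def format_device(volumes, nblocks: int = 64, seed=None) -> bytearray:
    """Lay out all volumes at once. `volumes` is a list of (password, data) pairs."""
    rng = random.Random(seed)        # drives slot/block placement only; keys come from passwords
    dev = bytearray(secrets.token_bytes(HEADER + nblocks * BLOCK))   # the device starts as noise
    salt = bytes(dev[:SALT_LEN])     # the only plaintext field; it says nothing about volume count
    free_slots = list(range(SLOTS))
    free_blocks = list(range(nblocks))
    rng.shuffle(free_slots)          # slot position carries no ordering information
    rng.shuffle(free_blocks)
    for password, data in volumes:
        enc_key, mac_key = _keys(password, salt)
        need = -(-len(data) // BLOCK)
        if need > MAX_BLOCKS or need > len(free_blocks) or not free_slots:
            raise ValueError("volume does not fit this toy device")
        blocks = [free_blocks.pop() for _ in range(need)]   # scattered, not contiguous
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            off = HEADER + b * BLOCK
            dev[off:off + BLOCK] = _xor_stream(enc_key, b, chunk)
        slot = free_slots.pop()
        payload = struct.pack(">I", len(data)) + b"".join(struct.pack(">H", b) for b in blocks)
        payload = payload.ljust(SLOT_LEN - TAG_LEN, b"\0")
        ct = _xor_stream(enc_key, SLOT_NONCE | slot, payload)
        tag = hmac.new(mac_key, ct, "sha256").digest()
        off = SALT_LEN + slot * SLOT_LEN
        dev[off:off + SLOT_LEN] = tag + ct
    return dev


def open_volume(dev: bytearray, password: str):
    """Trial-decrypt every slot; return the volume's data, or None if no slot verifies."""
    salt = bytes(dev[:SALT_LEN])
    enc_key, mac_key = _keys(password, salt)
    for slot in range(SLOTS):
        off = SALT_LEN + slot * SLOT_LEN
        tag = bytes(dev[off:off + TAG_LEN])
        ct = bytes(dev[off + TAG_LEN:off + SLOT_LEN])
        if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
            continue   # another volume's slot or pure noise; this password cannot tell them apart
        payload = _xor_stream(enc_key, SLOT_NONCE | slot, ct)
        (length,) = struct.unpack(">I", payload[:4])
        need = -(-length // BLOCK)
        blocks = [struct.unpack(">H", payload[4 + 2 * i:6 + 2 * i])[0] for i in range(need)]
        data = b"".join(
            _xor_stream(enc_key, b, bytes(dev[HEADER + b * BLOCK:HEADER + (b + 1) * BLOCK]))
            for b in blocks)
        return data[:length]
    return None


if __name__ == "__main__":
    dev = format_device([("decoy", b"shopping list"), ("hidden", b"notes " * 100)], seed=1)
    print(open_volume(dev, "decoy"), open_volume(dev, "wrong"))
```

Handing over the decoy password yields exactly one verifying slot and the decoy's blocks; the remaining 14 slots and the rest of the device read as random whether or not a hidden volume exists, which is the deniability property the announcement describes. What the sketch leaves out is the hard part of a real design: when the decoy is mounted alone, its allocator cannot see the hidden volume's blocks, so a production tool has to decide how writes to the decoy avoid (or knowingly risk) clobbering hidden data.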

Programming

NSA Urges Organizations To Shift To Memory Safe Programming Languages (nsa.gov) 196

In a press release published earlier today, the National Security Agency (NSA) says it will be making a strategic shift to memory safe programming languages. The agency is advising organizations to explore such changes themselves by utilizing languages such as C#, Go, Java, Ruby, or Swift. From the report: The "Software Memory Safety" Cybersecurity Information Sheet (PDF) highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts. "Memory management issues have been exploited for decades and are still entirely too common today," said Neal Ziring, Cybersecurity Technical Director. "We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors."

Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program's performance over time, and program crashes. NSA recommends that organizations use memory safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations.
The full report is available here (PDF).
Privacy

Egypt's COP27 Summit App is a Cyber Weapon, Experts Warn (politico.eu) 28

Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government's official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations. From a report: Policymakers from Germany, France and Canada were among those who had downloaded the app by November 8, according to two separate Western security officials briefed on discussions within these delegations at the U.N. climate summit.

Other Western governments have advised officials not to download the app, said another official from a European government. All of the officials spoke on the condition of anonymity to discuss international government deliberations. The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a gateway for participants at COP27, was confirmed separately by four cybersecurity experts who reviewed the digital application for POLITICO. The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users' emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO's technical review of the application, and two of the outside experts.

IBM

IBM Held Talks With Biden Administration on Quantum Controls (bloomberg.com) 17

IBM has engaged in talks with the Biden administration on potential export controls for quantum computers as the company continues investing in the emerging technology. From a report: IBM recommended that any regulations, if developed, cover potentially problematic uses of quantum computing rather than limiting the technology based simply on processing power, said Dario Gil, head of IBM Research. Quantum technology will likely be subject to constraints like export controls, Gil said. "We will continue to be an active participant in that dialogue," he said.

Quantum computing is an experimental field with the potential to accelerate processing power and upend current cybersecurity standards. The Biden administration is exploring the possibility of new export controls that would limit China's access to quantum along with other powerful emerging technologies, Bloomberg News reported last month. IBM has installed quantum infrastructure in countries like Germany and Japan, but not China, Gil said. Big Blue has invested millions in the field, and is unveiling a new quantum processor this week that is more than three times more powerful, measured by qubits, than its version announced last year.

Social Networks

Russia Reactivates Its Trolls and Bots Ahead of Tuesday's Midterms (nytimes.com) 289

An anonymous reader quotes a report from the New York Times: The user on Gab who identifies as Nora Berka resurfaced in August after a yearlong silence on the social media platform, reposting a handful of messages with sharply conservative political themes before writing a stream of original vitriol. The posts mostly denigrated President Biden and other prominent Democrats, sometimes obscenely. They also lamented the use of taxpayer dollars to support Ukraine in its war against invading Russian forces, depicting Ukraine's president as a caricature straight out of Russian propaganda. The fusion of political concerns was no coincidence. The account was previously linked to the same secretive Russian agency that interfered in the 2016 presidential election and again in 2020, the Internet Research Agency in St. Petersburg, according to the cybersecurity group Recorded Future. It is part of what the group and other researchers have identified as a new, though more narrowly targeted, Russian effort ahead of Tuesday's midterm elections. The goal, as before, is to stoke anger among conservative voters and to undermine trust in the American electoral system. This time, it also appears intended to undermine the Biden administration's extensive military assistance to Ukraine.

"It's clear they are trying to get them to cut off aid and money to Ukraine," said Alex Plitsas, a former Army soldier and Pentagon information operations official now with Providence Consulting Group, a business technology company. The campaign -- using accounts that pose as enraged Americans like Nora Berka -- has added fuel to the most divisive political and cultural issues in the country today. It has specifically targeted Democratic candidates in the most contested races, including the Senate seats up for grabs in Ohio, Arizona and Pennsylvania, calculating that a Republican majority in the Senate and the House of Representatives could help the Russian war effort. The campaigns show not only how vulnerable the American political system remains to foreign manipulation but also how purveyors of disinformation have evolved and adapted to efforts by the major social media platforms to remove or play down false or deceptive content. The agencies urged people not to like, discuss or share posts online from unknown or distrustful sources. They did not identify specific efforts, but social media platforms and researchers who track disinformation have recently uncovered a variety of campaigns by Russia, China and Iran.

These are much smaller campaigns than those in the 2016 election, where inauthentic accounts reached millions of voters across the political spectrum on Facebook and other major platforms. The efforts are no less pernicious, though, in reaching impressionable users who can help accomplish Russian objectives, researchers said. "The audiences are much, much smaller than on your other traditional social media networks," said Brian Liston, a senior intelligence analyst with Recorded Future who identified the Nora Berka account. "But you can engage the audiences in much more targeted influence ops because those who are on these platforms are generally U.S. conservatives who are maybe more accepting of conspiratorial claims."
Some characteristics of an inauthentic user to look out for include: no profile picture, no identifying biographical details, and posts exclusively on political issues that often include false or misleading posts and little engagement. They may also link to obscure websites like electiontruth.net, which Recorded Future said was almost certainly linked to the Russian campaign.
Programming

Wired Hails Rust as 'the Viral Secure Programming Language That's Taking Over Tech' (wired.com) 126

A new article from Wired calls Rust "the 'viral' secure programming language that's taking over tech."

"Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can't come soon enough...." [A] growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity....

[B]ecause Rust produces more secure code [than C] and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support. "It's going viral as a language," says Dave Kleidermacher, vice president of engineering for Android security and privacy. "We've been investing in Rust on Android and across Google, and so many engineers are like, 'How do I start doing this? This is great'...."

By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.... These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant....

"Yes, it's a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. "Problems that are merely a lot of work are great."

Here's how Dan Lorenc, CEO of the software supply-chain security company Chainguard, explains it to Wired. "Over the decades that people have been writing code in memory-unsafe languages, we've tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work.

"So you need a new technology that just makes that entire class of vulnerabilities impossible, and that's what Rust is finally bringing to the table."
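Both the NSA sheet and the Wired piece above rest on one concrete claim: in a memory-safe language, a hostile length field or index cannot turn into a read past the end of a buffer. The block below is an added illustration of that property (it is not code from the NSA, Wired, or the Rust project): a small parser for a constructed `tag | big-endian length | payload` record format, the kind of input that in C routinely produces the out-of-bounds reads the articles describe. Every slice access goes through bounds-checked `get`, so a record whose declared length exceeds the remaining input is reported as an error rather than read from adjacent memory. The format itself and the error variants are assumptions made for the example.

```rust
// Added example: bounds-checked parsing of a constructed length-prefixed record
// format. The point is not the format but that every access is checked, so a
// malicious length field yields an Err instead of an out-of-bounds read.

/// One parsed record: a one-byte tag followed by its payload.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

/// Errors a hostile or damaged input can produce. Both are recoverable;
/// neither is a memory-safety violation.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than three header bytes remain at `offset`.
    Truncated { offset: usize },
    /// The record at `offset` declares more payload than the input holds.
    LengthOverrun { offset: usize, declared: usize, available: usize },
}

/// Parse `tag(1) | len(2, big-endian) | payload(len)` records until the input ends.
pub fn parse_records(input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    while pos < input.len() {
        // `get` returns None instead of reading past the buffer.
        let header = input
            .get(pos..pos + 3)
            .ok_or(ParseError::Truncated { offset: pos })?;
        let tag = header[0];
        let len = usize::from(u16::from_be_bytes([header[1], header[2]]));
        let start = pos + 3; // safe: the header fetch above proved pos + 3 <= input.len()
        let available = input.len() - start;
        // The declared length is attacker-controlled; check it against what is left.
        let end = start
            .checked_add(len)
            .filter(|&end| end <= input.len())
            .ok_or(ParseError::LengthOverrun { offset: pos, declared: len, available })?;
        // This slice is guaranteed in bounds by the check just performed.
        let payload = &input[start..end];
        out.push(Record { tag, payload });
        pos = end;
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: one well-formed message and one with a lying length field.
    let good = [0x01, 0x00, 0x02, b'h', b'i', 0x02, 0x00, 0x00];
    let hostile = [0x01, 0xFF, 0xFF, b'x'];
    println!("{:?}", parse_records(&good));
    println!("{:?}", parse_records(&hostile));
}
```

In C the equivalent `memcpy(buf, p + 3, len)` would silently copy 65535 bytes from wherever the buffer happens to sit; here the same input is an ordinary `Err` value that the caller must handle, which is the "entire class of vulnerabilities" Lorenc refers to being removed by construction rather than by reviewer diligence.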
Privacy

AstraZeneca Password Lapse Exposed Patient Data (techcrunch.com) 16

An anonymous reader quotes a report from TechCrunch: Pharmaceutical giant AstraZeneca has blamed "user error" for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said. Some of the data related to AZ&ME applications, which offers discounts to patients who need medications. TechCrunch provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later. In a statement, AstraZeneca spokesperson Patrick Barth told TechCrunch: "The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations."

It's unclear if anyone was able to access the data, or if any data was exfiltrated.
Android

US Govt Employees Exposed To Mobile Attacks From Outdated Android, iOS (bleepingcomputer.com) 18

According to a new report, almost half of Android-based mobile phones used by U.S. state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be leveraged for attacks. From a report: These statistics come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications from 2021 to H2 2022. The report additionally warns of a rise in all threat metrics, including attempted phishing attacks against government employees, reliance on unmanaged mobile devices, and liability points in mission-critical networks. Outdated versions of mobile operating systems allow attackers to exploit vulnerabilities that can be used to breach targets, run code on the device, plant spyware, steal credentials, and more. For example, last week, Apple released iOS 16.1, fixing an actively exploited zero-day memory corruption flaw used by hackers against iPhone users to achieve arbitrary code execution with kernel privileges.

Lookout reports that ten months after iOS 15 had been made available to users, 5% of federal government employees and 30% of state and local government devices were running older versions of the operating system. The situation is much worse for Android, as ten months after the release of version 12, approximately 30% of federal devices and almost 50% of state and local government devices still needed to upgrade to the latest versions, thus remaining vulnerable to bugs that can be exploited in attacks. It should be noted that Android 13 is the latest version of the operating system, but it was released after the first half of 2022, from which this data was collected.
