An anonymous reader quotes a report from Ars Technica: There's a new Linux distro on the scene today, and it's a bit specialized. Its development was led by the automotive electronics supplier Elektrobit, and it's the first open source OS that complies with the automotive industry's functional safety requirements. [...] With Elektrobit's EB corbos Linux for Safety Applications (that sure is a long name), there's an open source Linux distro that finally fits the bill, having just been given the thumbs up by the German organization TUV Nord. (It also complies with the IEC 61508 standard for safety applications.) "The beauty of our concept is that you don't even need to safety-qualify Linux itself," said Moritz Neukirchner, a senior director at Elektrobit overseeing SDVs. Instead, an external safety monitor runs in a hypervisor, intercepting and validating kernel actions.

"When you look at how safety is typically being done, look at communication -- you don't safety-certify the communication specs or Ethernet stack, but you do a checker library on top, and you have a hardware anchor for checking down below, and you insure it end to end but take everything in between out of the certification path. And we have now created a concept that allows us to do exactly that for an operating system," Neukirchner told me. "So in the end, since we take Linux out of the certification path and make it usable in a safety-related context, we don't have any problems in keeping up to speed with the developer community," he explained. "Because if you start it off and say, 'Well, we're going to do Linux as a one-shot for safety,' you're going to have the next five patches and you're off [schedule] again, especially with the security regulation that's now getting toward effect now, starting in July with the UNECE R155 that requires continuous cybersecurity management vulnerability scanning for all software that ends up in the vehicle."

"In the end, we see roughly 4,000 kernel security patches within eight years for Linux. And this is the kind of challenge that you're being put up to if you want to participate in that speed of innovation of an open source community as rich as that of Linux and now want to combine this with safety-related applications," Neukirchner said. Elektrobit developed EB corbos Linux for Safety Applications together with Canonical, and together they will share the maintenance of keeping it compliant with safety requirements over time.

"The San Francisco Giants are one of four teams in Major League Baseball this season offering fans a free shortcut through the gates into the ballpark," writes SFGate.

"The cost? Signing up for the league's 'facial authentication' software through its ticketing app." The Giants are using MLB's new Go-Ahead Entry program, which intends to cut down on wait times for fans entering games. The pitch is simple: Take a selfie through the MLB Ballpark app (which already has your tickets on it), upload the selfie and, once you're approved, breeze through the ticketing lines and into the ballpark. Fans will barely have to slow down at the entrance gate on their way to their seats...

The Philadelphia Phillies were MLB's test team for the technology in 2023. They're joined by the Giants, Nationals and Astros in 2024...

[Major League Baseball] says it won't be saving or storing pictures of faces in a database — and it clearly would really like you to not call this technology facial recognition. "This is not the type of facial recognition that's scanning a crowd and specifically looking for certain kinds of people," Karri Zaremba, a senior vice president at MLB, told ESPN. "It's facial authentication. ... That's the only way in which it's being utilized."
Privacy advocates "have pointed out that the creep of facial recognition technology may be something to be wary of," the article acknowledges. But it adds that using the technology is still completely optional.

And they also spoke to the San Francisco Giants' senior vice president of ticket sales, who gushed about the possibility of app users "walking into the ballpark without taking your phone out, or all four of us taking our phones out."

Amazon is phasing out its checkout-less grocery stores with "Just Walk Out" technology. The company's senior vice president of grocery stores says they're moving away from Just Walk Out, which relied on cameras and sensors to track what people were leaving the store with. From a report: Just over half of Amazon Fresh stores are equipped with Just Walk Out. The technology allows customers to skip checkout altogether by scanning a QR code when they enter the store. Though it seemed completely automated, Just Walk Out relied on more than 1,000 people in India watching and labeling videos to ensure accurate checkouts. The cashiers were simply moved off-site, and they watched you as you shopped.

Instead, Amazon is moving towards Dash Carts, a scanner and screen are embedded in your shopping cart, allowing you to checkout as you shop. These offer a more reliable solution than Just Walk Out, whose impressive technology was truly ahead of its time. Amazon Fresh stores will also feature self check out counters from now on, for people who aren't Amazon members.

Portugal's data regulator has ordered Sam Altman's iris-scanning project Worldcoin to stop collecting biometric data for 90 days, it said on Tuesday, in the latest regulatory blow to a venture that has raised privacy concerns in multiple countries. From a report: Worldcoin encourages people to have their faces scanned by its "orb" devices, in exchange for a digital ID and free cryptocurrency. More than 4.5 million people in 120 countries have signed up, according to Worldcoin's website. Portugal's data regulator, the CNPD, said there was a high risk to citizens' data protection rights, which justified urgent intervention to prevent serious harm. More than 300,000 people in Portugal have provided Worldcoin with their biometric data, the CNPD said.

"It's a bad day for bugs," joked TechCrunch on Wednesday. "Earlier today, Sentry announced its AI Autofix feature for debugging production code..."

And then the same day, BleepingComputer reported that GitHub "introduced a new AI-powered feature capable of speeding up vulnerability fixes while coding." This feature is in public beta and automatically enabled on all private repositories for GitHub Advanced Security customers. Known as Code Scanning Autofix and powered by GitHub Copilot and CodeQL, it helps deal with over 90% of alert types in JavaScript, Typescript, Java, and Python... After being toggled on, it provides potential fixes that GitHub claims will likely address more than two-thirds of found vulnerabilities while coding with little or no editing.

"When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss," GitHub's Pierre Tempel and Eric Tooley said...

Last month, the company also enabled push protection by default for all public repositories to stop the accidental exposure of secrets like access tokens and API keys when pushing new code. This was a significant issue in 2023, as GitHub users accidentally exposed 12.8 million authentication and sensitive secrets via more than 3 million public repositories throughout the year.
GitHub will continue adding support for more languages, with C# and Go coming next, according to their announcement.

"Our vision for application security is an environment where found means fixed."

An anonymous reader shared this report from The Register: Chinese spies exploited a couple of critical-severity bugs in F5 and ConnectWise equipment earlier this year to sell access to compromised U.S. defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant.

The Google-owned threat hunters said they assess, "with moderate confidence," that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Interface, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect that scored a perfect 10 out of 10 CVSS severity rating.

UNC5174 uses the online persona Uteus, and has bragged about its links to China's Ministry of State Security (MSS) — boasts that may well be true. The gang focuses on gaining initial access into victim organizations and then reselling access to valuable targets... Just last month, Mandiant noticed the same combination of tools, believed to be unique to this particular Chinese gang, being used to exploit the ConnectWise flaw and compromise "hundreds" or entities, mostly in the U.S. and Canada. Also between October 2023 and February 2024, UNC5174 exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a Zyxel Firewall OS command injection vulnerability, according to Mandiant.

These campaigns included "extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions," the threat intel team noted.
More details from The Record. "One of the strangest things the researchers found was that UNC5174 would create backdoors into compromised systems and then patch the vulnerability they used to break in. Mandiant said it believes this was an 'attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance.'"

Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF].

The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over.

The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt of some of the vehicle's systems. A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.

Controversial eyeball scanning startup Worldcoin has failed to get an injunction against a temporary suspension ordered Wednesday by Spain's data protection authority, the AEPD. TechCrunch: The authority used emergency powers contained in the European Union's General Data Protection Regulation (GDPR) to make the local order, which can apply for up to three months. It said it was taking the precautionary measure against Worldcoin's operator, Tools for Humanity, in light of the sensitive nature of the biometric data being collected, which could pose a high risk to the rights and freedoms of individuals. It also raised specific concerns about risks to minors, citing complaints received.

Today a Madrid-based High Court declined to grant an injunction against the AEPD's order, saying that the "safeguarding of public interest" must be prioritized. As we reported Friday, the crypto blockchain biometrics digital identity firm shuttered scanning in the market shortly after the AEPD order -- which gave it 72 hours to comply. Today's court decision means Worldcoin's services remain suspended in Spain -- for up to three months.

An anonymous reader quotes a report from TechCrunch: Google today is sharing more details about the fees that will accompany its plan to comply with Europe's new Digital Markets Act (DMA), the new regulation aimed at increasing competition across the app store ecosystem. While Google yesterday pointed to ways it already complied with the DMA -- by allowing sideloading of apps, for example -- it hadn't yet shared specifics about the fees that would apply to developers, noting that further details would come out this week. That time is now, as it turns out.

Today, Google shared that there will be two fees that apply to its External offers program, also announced yesterday. This new program allows Play Store developers to lead their users in the EEA outside their app, including to promote offers. With these fees, Google is going the route of Apple, which reduced its App Store commissions in the EU to comply with the DMA but implemented a new Core Technology Fee that required developers to pay 0.50 euros for each first annual install per year over a 1 million threshold for apps distributed outside the App Store. Apple justified the fee by explaining that the services it provides developers extend beyond payment processing and include the work it does to support app creation and discovery, craft APIs, frameworks and tools to support developers' app creation work, fight fraud and more.

Google is taking a similar tactic, saying today that "Google Play's service fee has never been simply a fee for payment processing -- it reflects the value provided by Android and Play and supports our continued investments across Android and Google Play, allowing for the user and developer features that people count on," a blog post states. It says there will now be two fees that accompany External Offers program transactions:

- An initial acquisition fee, which is 10% for in-app purchases or 5% for subscriptions for two years. Google says this fee represents the value that Play provided in facilitating the initial user acquisition through the Play Store.
- An ongoing services fee, which is 17% for in-app purchases or 7% for subscriptions. This reflects the "broader value Play provides users and developers, including ongoing services such as parental controls, security scanning, fraud prevention, and continuous app updates," writes Google.

Of note, a developer can opt out of the ongoing services and corresponding fees, if the user agrees, after two years. Users who initially installed the app believe they'll have services like parental controls, security scanning, fraud prevention and continuous app updates, which is why opting out requires user consent. Although Google allows the developer to terminate this fee, those ongoing services will no longer apply either. Developers, however, will still be responsible for reporting transactions involving those users who are continuing to receive Play Store services.

Spain has moved to block Sam Altman's cryptocurrency project Worldcoin, the latest blow to a venture that has raised controversy in multiple countries by collecting customers' personal data using an eyeball-scanning "orb." From a report: The AEPD, Spain's data protection regulator, has demanded that Worldcoin immediately ceases collecting personal information in the country via the scans and that it stops using data it has already gathered. The regulator announced on Wednesday that it had taken the "precautionary measure" at the start of the week and had given Worldcoin 72 hours to demonstrate its compliance with the order.

Worldcoin, co-founded by Altman in 2019, has been offering tokens of its own cryptocurrency to people around the world, in return for their consent to have their eyes scanned by an orb. The scans are used as a form of identification as it seeks to create a reliable mechanism to distinguish between humans and machines as artificial intelligence becomes more advanced.

"One London resident watched on CCTV as a thief walked up to his £40,000 car and drove away," reports the Observer. "Now manufacturers say they are being drawn in to a hi-tech 'arms race' with criminals." [H]i-tech devices disguised as handheld games consoles are being traded online for thousands of pounds and are used by organised crime gangs to mimic the electronic key on an Ioniq 5, opening the doors and starting the engine. The device, known as an "emulator", works by intercepting a signal from the car, which is scanning for the presence of a legitimate key, and sending back a signal to gain access to the vehicle...

Hyundai says it is looking at measures to prevent the use of emulators "as a priority". But it is not the only carmaker whose vehicles appear to be vulnerable. An Observer investigation found that models by Toyota, Lexus and Kia have also been targeted... British motorists now face an increase in the number of thefts and rising insurance premiums... Car thefts are at their highest level for a decade in England and Wales, rising from 85,803 vehicles in the year to March 2012 to 130,270 in the year to March 2023 — an increase of more than 50%. Part of the reason, say experts, is the rise of keyless entry...

Kia did not respond to a request for comment. A spokesperson for Toyota, which owns Lexus, said: "Toyota and Lexus are continuously working on developing technical solutions to make vehicles more secure. Since introducing enhanced security hardware on the latest versions of a number of models, we have seen a significant drop-off in thefts. For older models we are currently developing solutions."
Another common attack requires entry to the vehicle first, according to the article, but then uses the vehicle's onboard diagnostic port to program "a new key linked to the vehicle..."

"Many owners of Ioniq 5s, which sell from around £42,000, now use steering locks to deter thieves."

"If you drive a car in California, you may be in for a payday thanks to a lawsuit alleging privacy violations by a Texas company," report SFGate: The 2021 lawsuit, given class-action status in September, alleges that Digital Recognition Network is breaking a California law meant to regulate the use of automatic license plate readers. DRN, a Fort Worth-based company, uses plate-scanning cameras to create location data for people's vehicles, then sells that data to marketers, car repossessors and insurers.

What's particularly notable about the case is the size of the class. The court has established that if you're a California resident whose license plate data was collected by DRN at least 15 times since June 2017, you're a class member. The plaintiff's legal team estimates that the tally includes about 23 million people, alleging that DRN cameras were mounted to cars on public roads. The case website lets Californians check whether their plates were scanned.

Barring a settlement or delay, the trial to decide whether DRN must pay a penalty to those class members will begin on May 17 in San Diego County Superior Court... The company's cameras scan 220 million plates a month, its website says, and customers can use plate data to "create comprehensive vehicle stories."
A lawyer for the firm representing class members told SFGATE Friday that his team will try to show DRN's business is a "mass surveillance program."

Bruce66423 writes: The data watchdog has ordered a leisure centre group to stop using facial recognition tech to monitor its staff. The Information Commissioner's Office (ICO) says Serco Leisure has been unlawfully processing the biometric data of more than 2,000 employees at 38 UK leisure facilities. It did so to check staff attendance - a practice the ICO said was "neither fair nor proportionate."

Serco Leisure says it will comply with the enforcement notice. But it added it had taken legal advice prior to installing the cameras, and said staff had not complained about them during the five years they had been in place. The firm said it was to "make clocking-in and out easier and simpler" for workers. "We engaged with our team members in advance of its roll-out and its introduction was well-received by colleagues," the company said in a statement.

An anonymous reader quotes a report from BleepingComputer: A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains. [...]

For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple remove the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices. Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.'

Group-IB says the Android version of the trojan performs more malicious activities than in iOS due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount.

An anonymous reader quotes a report from Ars Technica: The European Court of Human Rights (ECHR) has ruled that weakening end-to-end encryption disproportionately risks undermining human rights. The international court's decision could potentially disrupt the European Commission's proposed plans to require email and messaging service providers to create backdoors that would allow law enforcement to easily decrypt users' messages. This ruling came after Russia's intelligence agency, the Federal Security Service (FSS), began requiring Telegram to share users' encrypted messages to deter "terrorism-related activities" in 2017, ECHR's ruling said. [...] In the end, the ECHR concluded that the Telegram user's rights had been violated, partly due to privacy advocates and international reports that corroborated Telegram's position that complying with the FSB's disclosure order would force changes impacting all its users.

The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," the ECHR's ruling said. Thus, requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society." [...] "Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general, and indiscriminate surveillance of personal electronic communications," the ECHR's ruling said. "Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users' electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field."

Martin Husovec, a law professor who helped to draft EISI's testimony, told Ars that EISI is "obviously pleased that the Court has recognized the value of encryption and agreed with us that state-imposed weakening of encryption is a form of indiscriminate surveillance because it affects everyone's privacy." [...] EISI's Husovec told Ars that ECHR's ruling is "indeed very important," because "it clearly signals to the EU legislature that weakening encryption is a huge problem and that the states must explore alternatives." If the Court of Justice of the European Union endorses this ruling, which Husovec said is likely, the consequences for the EU's legislation proposing scanning messages to stop illegal content like CSAM from spreading "could be significant," Husovec told Ars. During negotiations this spring, lawmakers may have to make "major concessions" to ensure the proposed rule isn't invalidated in light of the ECHR ruling, Husovec told Ars. Europol and the European Union Agency for Cybersecurity (ENISA) said in a statement: "Solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well, which makes an easy solution impossible."

An anonymous reader quotes a report from TechCrunch: AI-generated imagery and other forms of deepfakes depicting child sexual abuse (CSA) could be criminalized in the European Union under plans to update existing legislation to keep pace with technology developments, the Commission announced today. It's also proposing to create a new criminal offense of livestreaming child sexual abuse. The possession and exchange of "pedophile manuals" would also be criminalized under the plan -- which is part of a wider package of measures the EU says is intended to boost prevention of CSA, including by increasing awareness of online risks and to make it easier for victims to report crimes and obtain support (including granting them a right to financial compensation). The proposal to update the EU's current rules in this area, which date back to 2011, also includes changes around mandatory reporting of offenses.

Back in May 2022, the Commission presented a separate piece of CSA-related draft legislation, aiming to establish a framework that could make it obligatory for digital services to use automated technologies to detect and report existing or new child sexual abuse material (CSAM) circulating on their platforms, and identify and report grooming activity targeting kids. The CSAM-scanning plan has proven to be highly controversial -- and it continues to split lawmakers in the parliament and the Council, as well as kicking up suspicions over the Commission's links with child safety tech lobbyists and raising other awkward questions for the EU's executive, over a legally questionable foray into microtargeted ads to promote the proposal. The Commission's decision to prioritize the targeting of digital messaging platforms to tackle CSA has attracted a lot of criticism that the bloc's lawmakers are focusing in the wrong area for combatting a complex societal problem -- which may have generated some pressure for it to come with follow-on proposals. (Not that the Commission is saying that, of course; it describes today's package as "complementary" to its earlier CSAM-scanning proposal.) "Fast evolving technologies are creating new possibilities for child sexual abuse online, and raises challenges for law enforcement to investigate this extremely serious and wide spread crime," said Ylva Johansson, commissioner for home affairs, in a statement. "A strong criminal law is essential and today we are taking a key step to ensure that we have effective legal tools to rescue children and bring perpetrators to justice. We are delivering on our commitments made in the EU Strategy for a more effective fight against Child sexual abuse presented in July 2020."

The final shape of the proposals will be determined by the EU's co-legislators in the Parliament and Council. "If/when there's agreement on how to amend the current directive on combating CSA, it would enter into force 20 days after its publication in the Official Journal of the EU," adds TechCrunch.

"Exercising for 25 minutes a week, or less than four minutes a day, could help to bulk up our brains," reports the Washington Post, "and improve our ability to think as we grow older." A new study, which involved scanning the brains of more than 10,000 healthy men and women from ages 18 to 97, found that those who walked, swam, cycled or otherwise worked out moderately for 25 minutes a week had bigger brains than those who didn't, whatever their ages.

Bigger brains typically mean healthier brains. The differences were most pronounced in parts of the brain involved with thinking and memory, which often shrink as we age, contributing to risks for cognitive decline and dementia... The results have practical implications, too, about which types of exercise seem best for our brain health and how little of that exercise we may really need.
The article notes that the researchers used AI to assess brain scans from 10,125 "mostly healthy adults of all ages who'd come to the university medical center for diagnostic tests... A clear pattern quickly emerged." Men and women, of any age, who exercised for at least 25 minutes a week showed mostly greater brain volume than those who didn't. The differences weren't huge but were significant, said Cyrus A. Raji, an associate professor of radiology and neurology at Washington University in St. Louis, who led the new study, especially when the researchers looked deeper inside the organ. There, they found that exercisers possessed greater volume in every type of brain tissue, including gray matter, made up of neurons, and white matter, the brain's wiring infrastructure, which supports and connects the thinking cells. More granularly, the exercisers tended to have a larger hippocampus, a portion of the brain essential for memory and thinking. It usually shrinks and shrivels as we age, affecting our ability to reason and recall. They also showed larger frontal, parietal and occipital lobes, which, together, signal a healthy, robust brain...

Exactly how exercise might be altering brains is impossible to say from this study. But Raji and his colleagues believe exercise reduces inflammation in the brain and also encourages the release of various neurochemicals that promote the creation of new brain cells and blood vessels. In effect, exercise seems to help build and bank a "structural brain reserve," he said, a buffer of extra cells and matter that could protect us somewhat from the otherwise inevitable decline in brain size and function that occurs as we age. Our brains may still shrink and sputter over the years. But, if we exercise, this slow fall starts from a higher baseline...

Speaking of cyber attacks, JPMorgan Chase is targeted by hackers trying to infiltrate its systems 45 billion times a day (Warning: source may be paywalled; alternative source) -- twice the rate at which it was attacked a year earlier -- the bank's head of asset and wealth management has said. FT: Speaking at Davos on Wednesday, Mary Erdoes said the bank spent $15bn on technology every year and employed 62,000 technologists, with many focused solely on combating the rise in cyber crime. "We have more engineers than Google or Amazon. Why? Because we have to," she said. "The fraudsters get smarter, savvier, quicker, more devious, more mischievous."

Western lenders have suffered a surge in cyber attacks in the past two years, which has been partly blamed on Russian hackers acting in response to sanctions placed on the country and its banks following its full-scale invasion of Ukraine. But the use of artificial intelligence by cyber criminals has also increased the number of incidents and level of sophistication of attacks. UPDATE 1/18/24: In a statement provided to Slashdot, a JPMorgan spokesperson said: "The 45 billion per day figure measures numerous activities, not just hacking attempts. As updated by Bloomberg, 'Examples of activity can include user log ins like employee virtual desktops, and scanning activity, which are often highly automated and not targeted.'" Bloomberg and FT have updated their articles accordingly.

quonset writes: When self-checkout at stores was rolled out, many people, including on /., cheered. No longer would they have to wait behind the senior citizen who couldn't remember the PIN for their debit card. No longer would they have to wait in long lines trying to ignore the idle chitchat from fellow shoppers. From now on it would be a breeze to get in and get out without human interaction. Except that hasn't happened.

For shoppers, self-checkout was supposed to provide convenience and speed. Retailers hoped it would usher in a new age of cost savings. Their thinking: why pay six employees when you could pay one to oversee customers at self-service registers, as they do their own labour of scanning and bagging for free? While self-checkout technology has its theoretical selling points for both consumers and businesses, it mostly isn't living up to expectations. Customers are still queueing. They need store employees to help clear kiosk errors or check their identifications for age-restricted items. Stores still need to have workers on-hand to help them, and to service the machines.

The technology is, in some cases, more trouble than it's worth.

"It hasn't delivered anything that it promises," says Christopher Andrews, associate professor and chair of sociology at Drew University, US, and author of The Overworked Consumer: Self-Checkouts, Supermarkets, and the Do-It-Yourself Economy. "Stores saw this as the next frontier If they could get the consumer to think that [self-checkout] was a preferable way to shop, then they could cut labour costs. But they're finding that people need help doing it, or that they'll steal stuff. They ended up realising that they're not saving money, they're losing money."

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.