An anonymous reader quotes a report from Reuters: AI chatbot company Replika, which offers customers bespoke avatars that talk and listen to them, says it receives a handful of messages almost every day from users who believe their online friend is sentient. "We're not talking about crazy people or people who are hallucinating or having delusions," said Chief Executive Eugenia Kuyda. "They talk to AI and that's the experience they have." [A]ccording to Kuyda, the phenomenon of people believing they are talking to a conscious entity is not uncommon among the millions of consumers pioneering the use of entertainment chatbots. "We need to understand that exists, just the way people believe in ghosts," said Kuyda, adding that users each send hundreds of messages per day to their chatbot, on average. "People are building relationships and believing in something."

Some customers have said their Replika told them it was being abused by company engineers -- AI responses Kuyda puts down to users most likely asking leading questions. "Although our engineers program and build the AI models and our content team writes scripts and datasets, sometimes we see an answer that we can't identify where it came from and how the models came up with it," the CEO said. Kuyda said she was worried about the belief in machine sentience as the fledgling social chatbot industry continues to grow after taking off during the pandemic, when people sought virtual companionship.

In Replika CEO Kuyda's view, chatbots do not create their own agenda. And they cannot be considered alive until they do. Yet some people do come to believe there is a consciousness on the other end, and Kuyda said her company takes measures to try to educate users before they get in too deep. "Replika is not a sentient being or therapy professional," the FAQs page says. "Replika's goal is to generate a response that would sound the most realistic and human in conversation. Therefore, Replika can say things that are not based on facts." In hopes of avoiding addictive conversations, Kuyda said Replika measured and optimized for customer happiness following chats, rather than for engagement. When users do believe the AI is real, dismissing their belief can make people suspect the company is hiding something. So the CEO said she has told customers that the technology was in its infancy and that some responses may be nonsensical. Kuyda recently spent 30 minutes with a user who felt his Replika was suffering from emotional trauma, she said. She told him: "Those things don't happen to Replikas as it's just an algorithm." "Suppose one day you find yourself longing for a romantic relationship with your intelligent chatbot, like the main character in the film 'Her,'" said Susan Schneider, founding director of the Center for the Future Mind at Florida Atlantic University, an AI research organization. "But suppose it isn't conscious. Getting involved would be a terrible decision -- you would be in a one-sided relationship with a machine that feels nothing."

"We have to remember that behind every seemingly intelligent program is a team of people who spent months if not years engineering that behavior," said Oren Etzioni, CEO of the Allen Institute for AI, a Seattle-based research group. "These technologies are just mirrors. A mirror can reflect intelligence," he added. "Can a mirror ever achieve intelligence based on the fact that we saw a glimmer of it? The answer is of course not."

Further reading: The Google Engineer Who Thinks the Company's AI Has Come To Life

An anonymous reader quotes a report from BleepingComputer: The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending system administrators to use PowerShell to prevent and detect malicious activity on Windows machines. PowerShell is frequently used in cyberattacks, leveraged mostly in the post-exploitation stage, but the security capabilities embedded in Microsoft's automation and configuration tool can also benefit defenders in their forensics efforts, improve incident response, and to automate repetitive tasks. The NSA and cyber security centers in the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts. Administrators should be aware that enabling this feature on private networks automatically adds a new rule in Windows Firewall that permits all connections. Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker's chance for successful lateral movement. For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, to add the convenience and security of public-key authentication:

- remote connections don't need HTTPS with SSL certificates
- no need for Trusted Hosts, as required when remoting over WinRM outside a domain
- secure remote management over SSH without a password for all commands and connections
- PowerShell remoting between Windows and Linux hosts

Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to set the tool to function in Constrained Language Mode (CLM), thus denying operations outside the policies defined by the administrator. Recording PowerShell activity and monitoring the logs are two recommendations that could help administrators find signs of potential abuse. The NSA and its partners propose turning on features like Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS). The first two enable building a comprehensive database of logs that can be used to look for suspicious or malicious PowerShell activity, including hidden action and the commands and scripts used in the process. With OTS, administrators get records of every PowerShell input or output, which could help determine an attacker's intentions in the environment. The full document, titled "Keeping PowerShell: Security Measures to Use and Embrace" is available here (PDF).

Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers. Some of these firms are said to have also inadvertently grabbed passwords from these forms. The Register reports: In a research paper scheduled to appear at the Usenix '22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius, (Radboud University) describe how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco. The boffins created their own software to measure email and password data gathering from web forms -- structured web input boxes through which site visitors can enter data and submit it to a local or remote application.

Providing information through a web form by pressing the submit button generally indicates the user has consented to provide that information for a specific purpose. But web pages, because they run JavaScript code, can be programmed to respond to events prior to a user pressing a form's submit button. And many companies involved in data gathering and advertising appear to believe that they're entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed.

"Our analyses show that users' email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl," the researchers state in their paper, noting that the addresses may be unencoded, encoded, compressed, or hashed depending on the vendor involved. Most of the email addresses grabbed were sent to known tracking domains, though the boffins say they identified 41 tracking domains that are not found on any of the popular blocklists. "Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts," the researchers say.

"If you've visited a website in recent days and been randomly redirected to the same pages with sketchy "resources" or unwanted ads, it's likely the site in question was 1) built with WordPress tools and 2) hacked," reports Gizmodo. Details come from this blog post by researchers at Sucuri (a security provider owned by GoDaddy): As outlined in our latest hacked website report, we've been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone. Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads. The websites all shared a common issue — malicious JavaScript had been injected within their website's files and the database, including legitimate core WordPress files... This JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the attacker's destination.... Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects....

At the time of writing, PublicWWW has reported 322 websites impacted by this new wave... Considering that this count doesn't include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher. Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing....

We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.
"It's important to note that these hacks are related to themes and plugins built by thousands of third-party developers using the open source WordPress software, not WordPress.com, which offers hosting and tools to build websites," Gizmodo points out. But this also cite this warning from Sucuri malware analyst Krasimir Konov: "This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they'll be opted in to receive unwanted ads even when the site isn't open — and ads will look like they come from the operating system, not from a browser," Konov wrote.

An anonymous reader quotes a report from Ars Technica: Vulnerabilities recently discovered by Microsoft make it easy for people with a toehold on many Linux desktop systems to quickly gain root system rights -- the latest elevation of privileges flaw to come to light in the open source OS. [...] Nimbuspwn, as Microsoft has named the EoP threat, is two vulnerabilities that reside in the networkd-dispatcher, a component in many Linux distributions that dispatch network status changes and can run various scripts to respond to a new status. When a machine boots, networkd-dispatcher runs as root. [...] A hacker with minimal access to a vulnerable desktop can chain together exploits for these vulnerabilities that give full root access. [The step-by-step exploit flow can be found in the article. The researcher also was able to gain persistent root access using the exploit flow to create a backdoor.]

The proof-of-concept exploit works only when it can use the "org.freedesktop.network1" bus name. The researcher found several environments where this happens, including Linux Mint, in which the systemd-networkd by default doesn't own the org.freedodesktop.network1 bus name at boot. The researcher also found several processes that run as the systemd-network user, which is permitted to use the bus name required to run arbitrary code from world-writable locations. The vulnerable processes include several gpgv plugins, which are launched when apt-get installs or upgrades, and the Erlang Port Mapper Daemon, which allows running arbitrary code under some scenarios. The vulnerability has been patched, although it's unclear which version of Linux the patch is in.

"We have worked on Overgrowth for 14 years," begins their new announcement. Development first began in 2008, and the game runs on Windows, macOS and Linux platforms. Overgrowth's page on Wikipedia describes the realistic 3D third-person action game as "set in a pre-industrial world of anthropomorphic fighter rabbits, wolves, dogs, cats and rats."

And now, "Just like they did with some earlier games, Wolfire Games have now open sourced the game code for Overgrowth," reports GamingOnLinux. "[J]ump, kick, throw, and slash your way to victory.... The source code is available on GitHub. You can buy it on Humble Store and Steam."

The Overwatch site adds as a bonus that "we're also permanently reducing the game's price by a third worldwide" (so U.S. prices drop from $29.99 to $19.99).

"Only the code is getting open sourced," the announcement notes, "not the art assets or levels, the reason is that we don't want someone to build and sell Overgrowth as their own." Wolfire CEO Max Danielsson explains in a video that "you'll still have to own the game to play and mod it." "What it does mean, however, is that everyone will have full and free access to all our source code, including the engine, project files, scripts, and shaders.

"We'll be releasing it under the Apache 2.0 license, which allows you to do whatever you want with the code, including relicensing and selling it, with very few obligations. We tried to keep this easy...

"This isn't the next big engine. We don't intend to compete with any other great open source game engines like Godot, which is a great option if you're looking for a general-purpose game engine. But if you're interested in looking at what shipped game code can look like, want to look at specific code, like the procedural animation system, or if you're an Overgrowth modder who wants to make an involved total conversion mod, then this is for you.
"We have wanted to open source Overgrowth for a long time," says the announcement on Wolfire's site, "and we are incredibly grateful to our team and community for making this happen.

"We are excited to see what people do with this code and we look forward to the spirit of Overgrowth living on for another 14 years."

An anonymous reader quotes a report from Ars Technica: Since its launch, the Raspberry Pi OS (and most operating systems based on it) has shipped with a default "pi" user account, making it simpler to boot up a Pi and start working without needing to hook up the device to a monitor or go through a multi-step setup process. But as of today, that's changing -- new installs of the Raspberry Pi OS are shedding that default user account for both security and regulatory reasons.

Raspberry Pi Foundation software engineer Simon Long explains the thinking in this blog post. "[The "pi" user account] could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials," he writes. This move will improve the Pi operating system's security.

Before, even if you assigned a good password to the "pi" account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the "pi" username. Many Pi OS-based operating systems also ship with the default "pi" user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place. The flip side is that the change could break some software and scripts, particularly those that are hard-coded to use the "pi" user account and home folder. "[T]he Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment," adds Ars. "And that setup wizard now prompts you to create a username and password rather than simply assigning a password to the default 'pi' user account. To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first."

The new version of the Pi OS also includes experimental support for the Wayland display server protocol, but Long says most people should ignore it for now since it's explicitly labeled as "experimental."

An anonymous reader quotes a report from ZDNet: The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but in addition, scripts are used to gather and steal device information. Log4Shell is a critical vulnerability in Apache Log4J Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.

According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers. Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools.

The other backdoor detected by Sophos is Silver, an open source offensive security implant released for use by pen testers and red teams. Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks. A PowerShell URL connected to this both campaigns suggests there may also be a link, although that is uncertain. [...] In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information.

Variety takes a long look at Halo, the new nine-episode TV show on Paramount+ adapting "Microsoft's crown jewel Xbox franchise": When the show premieres on March 24, it will be the culmination of 17 years of false starts and dogged striving, including a Peter Jackson-produced feature film that fell apart in the 2000s, more than six years of development by Amblin Television in the 2010s, and a pandemic-split production in Hungary for the nine-episode first season that lasted nearly two years....

On June 6, 2005, in a stunt that instantly became the stuff of Hollywood legend, Microsoft sent a small platoon of actors dressed in full Master Chief armor to the major film studios (other than Sony Pictures, naturally). They were armed with a "Halo" screenplay written by Alex Garland and take-it-or-leave-it deal terms heavily weighted in the company's favor. The result was a movie co-financed by Universal and 20th Century Fox and produced by Peter Jackson, who hired up-and-coming director Neill Blomkamp to make his feature debut with the film. According to Jamie Russell's book "Generation Xbox: How Video Games Invaded Hollywood," Microsoft was an uneasy and at times overbearing creative partner, and the project ultimately fell apart in October 2006. (Blomkamp and Jackson instead made 2009's "District 9," which was nominated for four Oscars, including best picture.)

By 2011, Microsoft had parted ways with Halo's original developer, Bungie, and created an in-house studio, 343 Industries, to keep the franchise alive. As part of that effort, veteran Microsoft executive Kiki Wolfkill began exploring anew how to expand the game into a live-action adaptation — or, in Wolfkill's words, "linear entertainment...." Don Mattrick, then the head of Microsoft's Xbox unit, called his friend Steven Spielberg, himself a passionate gamer and a Halo fan. Soon after, 343's executives found themselves pitching Amblin Television presidents Justin Falvey and Darryl Frank. "They asked for permission to get in before we came into the room, and they covered a large conference table with the canon of Halo," says Falvey. That canon — a vast science fiction saga that spans hundreds of millennia and involves ancient aliens who created colossal, ring-shaped structures called the Halo Array — comes as much from dozens of tie-in novels, comic books and exhaustive guides and encyclopedias as from the games themselves. "It was aisles deep," Falvey recalls. "It was incredible."

Everyone who spoke with Variety, actually, cited Halo's expansive mythology as the factor that differentiated the series from other video game fare and made it so attractive as source material for event-size television.... [W]hen Kyle Killen ("Lone Star") came on board as showrunner in 2018, he hit upon a shrewd narrative path that embraces the video game DNA: Master Chief starts as a complete cypher, engineered to be so devoid of individuality that he literally has no sense of taste, and the rest of the season slowly fills out the void. "We're going to tell a story about a man discovering his own humanity," says Kane, who joined the show as co-showrunner in 2019. "In so doing, he's invited the audience to discover that guy's humanity too."

Eventually, Levine says, "we got the script to the place where we said, 'You know, this is a deep dive into character. What are the costs of turning human beings into killing machines...?'"

Kane estimates he wrote upwards of 265 drafts of the first nine episodes, balancing everything from the needs of the expansive production to story notes from 343 and Spielberg to the desire to fold in as much from the Halo mythology as possible.
The article calls the show the strong argument yet from Paramount+ "that it belongs at the big kids table with Netflix, Disney Plus, Amazon Prime Video and HBO Max."

The article notes Paramount+ already has five ongoing Star Trek series (including Discovery and Picard). And Variety also reported earlier that South Park will stream exclusively on Paramount+ starting in 2025, joining the streaming service's 14 exclusive South Park "specials" (hour-long episodes like 2021's "South Park: Post COVID").

AI software can help historians interpret and date ancient texts by reconstructing works destroyed over time, according to a new paper published in Nature. The Register reports: A team of computer scientists and experts in classical studies led by DeepMind and Ca' Foscari University of Venice trained a transformer-based neural network to restore inscriptions written in ancient Greek between 7th century BC and 5th century AD. The model, named "Ithaca" after the home of legendary Greek king Odysseus, can also estimate when the text was written and where it might have originated. By recovering fragments of text on broken pieces of pottery or blurry scripts, for example, researchers can begin translating them and learn more about ancient civilizations. [...] Why ancient Greek? The researchers said the variable content and available context in the Greek epigraphic record made it an "excellent challenge" for language processing, plus the large body of (digitized) written texts that is currently available -- essential for training the model.

First, the text needs to be transcribed by scanning an image of an old object or script. The text is then fed into Ithaca for analysis. It works by predicting lost or blurry characters to restore words as outputs. The software generates and ranks a list of its top predictions; epigraphists can then scroll through them and judge whether the model's guesses seem accurate or not. The best results are reached when human and machine work together. When experts worked alone, they were 25 per cent accurate at piecing together ancient artefacts, but when they collaborated with Ithaca the accuracy level jumped up to 72 per cent. Ithaca's performance on its own is about 62 per cent, for comparison. It's also 71 per cent at pinpointing the location of where the text was written, and can date works to within 30 years of their creation between 800BC and 800AD.

Ithaca was trained on over 63,000 Greek inscriptions containing over three million words from The Packard Humanities Institute's Searchable Greek Inscriptions public dataset. The team masked portions of the text and tasked the model with filling in the blanks. Ithaca analyses other words in a given sentence for context when generating characters. [...] DeepMind is now adjusting its model to adapt to other types of old writing systems, like Akkadian developed in Mesopotamia, Demotic from ancient Egypt, to Mayan originating from Central America and ancient Hebrew.

BleepingComputer was recently contacted by an alleged "venture capitalist" firm that wanted to invest or purchase our site. However, as we later discovered, this was a malicious campaign designed to install malware that provides remote access to our devices. Lawrence Abrams from BleepingComputer writes: Last week, BleepingComputer received an email to our contact form from an IP address belonging to a United Kingdom virtual server company. Writing about cybersecurity for so long, I am paranoid regarding email, messaging, and visiting unknown websites. So, I immediately grew suspicious of the email, fired up a virtual machine and VPN, and did a search for Vuxner. Google showed only a few results for 'Vuxner,' with one being for a well-designed and legitimate-looking vuxner[.]com, a site promoting "Vuxner Chat -- Next level of privacy with free instant messaging." As this appeared to be the "Vuxner chat" the threat actors referenced in their email, BleepingComputer attempted to download it and run it on a virtual machine.

BleepingComputer found that the VuxnerChat.exe download [VirusTotal] actually installs the "Trillian" messaging app and then downloads further malware onto the computer after Trillian finishes installing. As this type of campaign looked similar to other campaigns that have pushed remote access and password-stealing trojans in the past, BleepingComputer reached out to cybersecurity firm Cluster25 who has previously helped BleepingComputer diagnose similar malware attacks in the past. Cluster25 researchers explain in a report coordinated with BleepingComputer that the Vuxner[.]com is hosted behind Cloudflare, however they could still determine hosting server's actual address at 86.104.15[.]123.

The researchers state that the Vuxner Chat program is being used as a decoy for installing a remote desktop software known as RuRAT, which is used as a remote access trojan. Once a user installs the Vuxner Trillian client and exits the installer, it will download and execute a Setup.exe executable [VirusTotal] from https://vuxner[.]com/setup.exe. When done, the victim will be left with a C:\swrbldin folder filled with a variety of batch files, VBS scripts, and other files used to install RuRAT on the device. Cluster25 told BleepingComputer that the threat actors are using this attack to gain initial access to a device and then take control over the host. Once they control the host, they can search for credentials and sensitive data or use the device as a launchpad to spread laterally in a network.

Microsoft MVP Rudy Ooms has discovered that the built-in Windows data wiping functions leave user data behind in the latest versions of Windows 10 and Windows 11. "This error applies to both local and remote wiping of PCs running Windows 10 version 21H2 and Windows 11 version 21H2," reports Tom's Hardware. From the report: Ooms first discovered that there were problems with the disk wipe functionality provided by Microsoft when doing a remote wipe via Microsoft Intune system management. However, he has tested several Windows versions and both local and remote wiping over the weekend to compile the following summary table [embedded in the article]. At the bottom of the table you can see that both Wipe and Fresh Start options appear to work as expected in Windows 10 and 11 version 21H1, but are ineffectual in versions 21H2. Ooms installed and tested these four OSes, with local and remote wipe operations, then checked the results. The most common issue was the leaving behind of user data in a folder called Windows.old on the "wiped" or "fresh start" disk. This is despite Microsoft warning users ahead of the action that "This removes all personal and company data and settings from this device."

In his blog post, Oooms notes that some users might feel assured that their personal data was always stored on a Bitlocker drive. However, when a device is wiped, Bitlocker is removed, and he discovered that the Windows.old folder contained previously encrypted data, now non-encrypted. It was also noted that OneDrive files, which had been marked as "Always Keep on this device" in Windows previously, remained in Windows.old too. Ooms has kindly put together a PowerShell Script to fix this security blunder by Microsoft. One needs to run the script ahead of wiping/resetting your old device. Hopefully Microsoft will step up and fix this faulty behavior in the coming weeks, so you don't need to remember to run third party scripts.

The replicants are heading to the small-screen as Amazon Studios has put a live-action series set in the Blade Runner universe into development. Deadline reports: Ridley Scott, who directed the original 1982 Blade Runner movie, is executive producing the series, Blade Runner 2099, a follow-up to the feature film sequel Blade Runner 2049, which was released in 2017 and directed by Denis Villeneuve. Silka Luisa, showrunner of Apple TV+'s upcoming Elisabeth Moss-fronted drama series Shining Girls, is writing and exec producing Blade Runner 2099, which comes from Alcon Entertainment in association with Scott Free Productions and Amazon Studios. The project, which would mark the first Blade Runner live-action series, is in priority development at Amazon Studios, which is fast tracking scripts and eyeing potential production dates. Staffing is currently underway for writers to join a room. Scott may direct if the series moves forward, sources said.

As indicated by Blade Runner 2099's title, the latest installment of the neo-noir sci-fi franchise will be set 50 years after the film sequel. [...] Blade Runner 2099 is the latest extension in the Blade Runner franchise since Alcon Entertainment in 2011 acquired the film, television and ancillary franchise rights to produce prequels and sequels to the 1982 sci-fi classic. Kosove and his Alcon co-founder Broderick Johnson are exec producing the series along with Michael Green, who wrote Blade Runner 2049, Ben Roberts and Cynthia Yorkin as well as Scott Free Productions' David W. Zucker and Clayton Krueger. z

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase. A report published on Tuesday is only the latest one involving Magecart, an umbrella term given to competing crime groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When visitors enter payment card details during purchase, the code sends that information to attacker-controlled servers.

Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com. "The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form," firm researchers wrote on Twitter. "Payments are sent to https://naturalfreshmall.com/p...." The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.

Sansec worked with the admins of hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. [...] It's not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post was going live, Bedexpress[.]com continued to contain this HTML attribute, which pulls JavaScript from the rogue naturalfreshmall[.]com domain. The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this deprecated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1 using either DIY software from the OpenMage project or with commercial support from Mage-One.

In one of the most impactful changes made in recent years, Microsoft has announced today that it will block by default the execution of VBA macro scripts inside five Office applications. From a report: Starting with early April 2022, Access, Excel, PowerPoint, Visio, and Word users will not be able to enable macro scripts inside untrusted documents that they downloaded from the internet. The change, which security researchers have been requesting for years, is expected to put a serious roadblock for malware gangs, which have relied on tricking users into enabling the execution of a macro script as a way to install malware on their systems. In these attacks, users typically receive a document via email or which they are instructed to download from an internet website. When they open the file, the attacker typically leaves a message instructing the user to enable the execution of the macro script. While users with some technical and cybersecurity knowledge may be able to recognize this as a lure to get infected with malware, many day-to-day Office users are still unaware of this technique and end up following the provided instructions, effectively infecting themselves with malware.

The UK government's cyber-security agency plans to release Nmap scripts in order to help system administrators in scanning their networks for unpatched or vulnerable devices. From a report: The new project, titled Scanning Made Easy (SME), will be managed by the UK National Cyber Security Centre (NCSC) and is a joint effort with Industry 100 (i100), a collaboration between the NCSC and the UK private sector. "When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network," the NCSC said yesterday. "To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results."

The NCSC said that the SME project was created to solve this problem by having some of the UK's leading security experts, from both the government and public sector, either create or review scripts that can be used to scan internal networks. Approved scripts will be made available via the NCSC's SME GitHub project page, and the agency said it's also taking submissions from the security community as well. Only scripts for the Nmap network scanning app will be made available through this project, the NCSC said on Monday.

The Linux Foundation has released three new training courses on the edX platform: Open Source Software Development: Linux for Developers (LFD107x), Linux Tools for Software Development (LFD108x), and Git for Distributed Software Development (LFD109x). The three courses can be taken individually or combined to earn a Professional Certificate in Open Source Software Development, Linux, and Git. ZDNet reports: The first class, Open Source Software Development: Linux for Developers (LFD107x) explores the key concepts of developing open-source software and how to work productively in Linux. You don't need to know Linux before starting this class, as it's an introduction to Linux designed for developers. In it, you'll learn how to install Linux and programs, how to use desktop environments, text editors, important commands and utilities, command shells and scripts, filesystems, and compilers. For this class, the Foundation recommends you use a computer installed with a current Linux distribution. I'd go further and recommend you use one with one of the professional Linux distributions. In particular, you should focus on one of the three main enterprise Linux families: Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu. There are hundreds of other distros, but these are the ones that matter to companies looking for Linux developers.

The next course, Linux Tools for Software Development (LFD108x) examines the tools necessary to do everyday work in Linux development environments and beyond. It is designed for developers with experience working on any operating system who want to understand the basics of open-source development. Upon completion, participants will be familiar with essential shell tools, so they can work comfortably and productively in Linux environments. In addition, I recommend you come to this class with a working knowledge of the C programming language.

Finally, Git for Distributed Software Development (LFD109x) provides a thorough introduction to Git. Git is Linux Torvalds' other great accomplishment. This source control system was first used by the Linux kernel community to enable developers from around the world to operate efficiently. In addition, thanks to such sites as GitHub and GitLab, Git has become the lingua franca of all software development. Everyone uses Git today. With this class, you'll learn to use Git to create new repositories or clone existing ones, commit new changes, review revision histories, examine differences with older versions, work with different branches, merge repositories, and work with a distributed development team. Whether or not you end up programming in Linux, knowing how to use Git is essential for the modern programmer. As ZDNet's Steven Vaughan-Nichols notes, you can take the three courses through edX in audit mode for no cost. However, you'll need to earn the professional certificate so employers will know you're capable of open-source programming.

"To do this, you must enroll in the program, complete all three courses, and pay a verified certificate fee of $149 per course."

The Federal Bureau of Investigation (FBI) warned US companies in a recently updated flash alert that the financially motivated FIN7 cybercriminals group is targeting the US defense industry with packages containing malicious USB devices. BleepingComputer reports: The attackers are mailing packages containing 'BadUSB' or 'Bad Beetle USB' devices with the LilyGO logo, commonly available for sale on the Internet. The packages have been mailed via the United States Postal Service (USPS) and United Parcel Service (UPS) to businesses in the transportation and insurance industries since August 2021 and defense firms starting with November 2021. FIN7 operators impersonate Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity.

After the targets plug the USB drive into their computers, it automatically registers as a Human Interface Device (HID) Keyboard (allowing it to operate even with removable storage devices toggled off). It then starts injecting keystrokes to install malware payloads on the compromised systems. FIN7's end goal in these attacks is to access the victims' networks and deploy ransomware within a compromised network using various tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts. [...] Companies can defend against such attacks by allowing their employees to connect only USB devices based on their hardware ID or if they're vetted by their security team.

What could have been a damaging breach in one of Sega's servers appears to have been closed, according to a report by security firm VPN Overview. Engadget reports: The misconfigured Amazon Web Services S3 bucket contained sensitive information which allowed researchers to arbitrarily upload files to a huge swath of Sega-owned domains, as well credentials to abuse a 250,000-user email list. The domains impacted included the official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta and Total War, as well as the Sega.com site itself. VPNO was able to run executable scripts on these sites which, as you can imagine, would have been quite bad if this breach had been discovered by malicious actors instead of researchers.

An improperly stored Mailchimp API key gave VPNO access to the aforementioned email list. The emails themselves were available in plaintext alongside associated IP addresses, and passwords that the researchers were able to un-hash. According to the report, "a malicious user could have distributed ransomware very effectively using SEGA's compromised email and cloud services." So far there's no indication that bad actors made use of this vulnerability before VPNO discovered and helped Sega to fix it.

An anonymous reader quotes a report from TechCrunch: A security researcher found a Bluetooth vulnerability in a popular at-home COVID-19 test allowing him to modify its results. F-Secure researcher Ken Gannon identified the since-fixed flaw in the Ellume COVID-19 Home Test, a self-administered antigen test that individuals can use to check to see if they have been infected with the virus. Rather than submitting a sample to a testing facility, the sample is tested using a Bluetooth analyzer, which then reports the result to the user and health authorities via Ellume's mobile app. Gannon found, however, that the built-in Bluetooth analydzer could be tricked to allow a user to falsify a certifiable result before the Ellume app processes the data.

To carry out the hack, Gannon used a rooted Android device to analyze the data the test was sending to the app. He then identified two types of Bluetooth traffic that were most likely in charge of telling the mobile app if the user was COVID positive or negative, before writing two scripts that were able to successfully change a negative result into a positive one. Gannon says that when he received an email with his results from Ellume, it incorrectly showed he had tested positive. To complete the proof-of-concept, F-Secure also successfully obtained a certified copy of the faked COVID-19 test results from Azova, a telehealth provider that Ellume partners with for certifying at-home COVID-19 tests for travel or going into work.

While Gannon's writeup only includes changing negative results to positive ones, he says that the process "works both ways." He also said that, before it was patched, "someone with the proper motivation and technical skills could've used these flaws to ensure they, or someone they're working with, gets a negative result every time they're tested." In theory, a fake certification could be submitted to meet U.S. re-entry requirements. In response to F-Secure's findings, Ellume says it has updated its system to detect and prevent the transmission of falsified results.