An anonymous reader quotes a report from The Guardian: The world's insects are hurtling down the path to extinction, threatening a "catastrophic collapse of nature's ecosystems," according to the first global scientific review. More than 40% of insect species are declining and a third are endangered, the analysis found. The rate of extinction is eight times faster than that of mammals, birds and reptiles. The total mass of insects is falling by a precipitous 2.5% a year, according to the best data available, suggesting they could vanish within a century. The planet is at the start of a sixth mass extinction in its history, with huge losses already reported in larger animals that are easier to study. But insects are by far the most varied and abundant animals, outweighing humanity by 17 times. They are "essential" for the proper functioning of all ecosystems, the researchers say, as food for other creatures, pollinators and recyclers of nutrients.

Insect population collapses have recently been reported in Germany and Puerto Rico, but the review strongly indicates the crisis is global. The researchers set out their conclusions in unusually forceful terms for a peer-reviewed scientific paper: "The [insect] trends confirm that the sixth major extinction event is profoundly impacting [on] life forms on our planet. The analysis, published in the journal Biological Conservation, says intensive agriculture is the main driver of the declines, particularly the heavy use of pesticides. Urbanization and climate change are also significant factors. "One of the biggest impacts of insect loss is on the many birds, reptiles, amphibians and fish that eat insects," the study says, noting a recent study in Puerto Rico where there was a 98% fall in ground insects over 35 years. Butterflies and moths are among the worst hit.

Apple on Thursday released iOS 12.1.4, an iPhone update that fixes a Group FaceTime bug that allowed users to eavesdrop on each other. The update is a available for the iPhone 5S and later, iPad Air and later, and iPod touch 6th generation. From a report: Last week, Apple turned off Group FaceTime after a bug was identified that allowed iPhone users to call another device via the FaceTime video chat service and hear audio on the other end before the recipient had answered the call. It essentially turned any iPhone into a hot mic without the user's knowledge. Apple on Friday said it'd fixed the vulnerability on its servers and that it'd issue a software update to re-enable Group FaceTime. Apple also apologized to users who were affected and said it takes the security of its products "extremely seriously."

An anonymous reader shares a report: New interface styles and feature improvements are available in version 6.2 of LibreOffice -- the most popular open-source office suite -- released Thursday by The Document Foundation. As with any software update, bug fixes and feature enhancements are present, making this release a significant upgrade, particularly for users coming from Microsoft Office, or working with files created with those programs. LibreOffice now supports SVG-based icons for toolbars in the Breeze, Colibre, and Elementary icon sets as an experimental feature, to better support HiDPI displays increasingly found in notebook PCs. The Elementary icon set was also improved significantly, adding a 32px PNG version, and fixing inconsistencies between the 16, 24, and 32px versions, as well as adding more icons across the set to prevent reverting to defaults. In LibreOffice 6.2, the "Tabbed" interface is now available for Writer, Calc, Impress, and Draw, and is considered sufficiently stable to be a default option. This interface mimics the oft-maligned "Ribbon interface" in Office 2007. The "traditional" Office-style toolbar is default, though the Tabbed interface can be enabled through the "View > User Interface" menus.

Linuz Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

Grant Thompson, the teenager that reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate.

Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

Mozilla has halted the rollout of v65 update to Firefox browser on Windows platform after learning about an issue with certain antivirus products. Users of Firefox 65, an update which was released last week, reported seeing "Your connection is not secure" error warnings when visiting popular sites. From a report: The issue mostly affected Firefox 65 users running AVG or Avast antivirus. The message appeared when users visited an HTTPS website and stated the 'Certificate is not trusted because the issuer is unknown' and that 'The server might not be sending the inappropriate intermediate certificates'.

The problem, reported on Mozilla's bug report page and first spotted by Techdows, is due to the HTTPS-filtering feature in Avast and AVG antivirus. Avast owns AVG. The bug prevented users from visiting any HTTPS site with Firefox 65. To limit the impact on users, Mozilla decided to temporarily halt all automatic updates on Windows. In the meantime, Avast, which owns AVG, released a new virus engine update that completely disabled Firefox HTTPS filtering in Avast and AVG products. HTTPS filtering remains enabled on other browsers.

Apple said Friday morning that it had a fix for a bug discovered in Apple's video and audio chat service FaceTime this week, which had allowed callers to access the microphone and front-facing video camera of the person they were calling, even if that person hadn't picked up. The security issue is fixed on its servers, the company said, but the iPhone software update to re-enable the feature for users won't be rolled out until next week. From a report: "We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," Apple said in an emailed statement to BuzzFeed News. "We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process."

A lawyer in Houston has filed a lawsuit against Apple over a security vulnerability that let people eavesdrop on iPhones using FaceTime. "His lawsuit, filed Monday in Harris County, Texas, alleges that Apple 'failed to exercise reasonable care' and that Apple 'knew, or should have known, that its Product would cause unsolicited privacy breaches and eavesdropping,'" reports CNBC. "It alleged Apple did not adequately test its software and that Apple was 'aware there was a high probability at least some consumers would suffer harm.'" From the report: The suit says that Williams was "undergoing a private deposition with a client when this defective product breached allowed for the recording" of the conversation. Williams claimed this caused "sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future" and that Williams "lost ability to earn a living and will continued to be so in the future." The lawsuit also says that iOS 12.1, the latest major release of the iPhone operating system, was defective and "unreasonable dangerous" and that Apple "failed to provide adequate warnings to avoid the substantial danger" posed by the security flaw. Williams is seeking compensatory and punitive damages as a result of the exploit.

An anonymous reader quotes a report from Android Police: Google announced its plans to sunset its Google+ social media network for consumers on a sour note in October. The platform, which has a small but dedicated user-base, decided to shut down following Google's acknowledgement of a data exposure that affected up to 500,000 Google+ profiles. Shortly after, in December, the shutdown timeline was expedited due to another, larger bug that had the potential to reveal private user information and impacted approximately 52.5 million users. Now, the company has detailed its shutdown timeline for the consumer version of Google+ -- and it's not wasting any time.

The shutdown timeline is as follows:
- As early as February 4th, you will no longer be able to create new Google+ profiles, pages, communities, or events.
- The Google+ feature for website comments will be removed by Blogger by February 4th and other sites by March 7th. All Google+ comments on all sites will be deleted starting April 2nd.
- Google+ sign-in buttons will stop working in the coming weeks, but in some cases will be replaced by a Google sign-in button.
- Google+ Community owners and moderators who are downloading data from their Community will gain additional data for download starting early March 2019. That includes author, body, and photos for every community post in a public community.
-On April 2nd, all Google+ accounts and pages will be shut down and Google will begin deleting content from consumer Google+ accounts. Photos and videos from Google+ in users' Album Archive and Google+ pages will also be deleted. Photos and videos backed up in Google Photos will not be deleted.

An anonymous reader writes: Twitter user MGT7500 tagged the official Apple Support account in a January 20 tweet claiming that her 14-year-old son discovered a "major security flaw" that allowed him to "listen in to your iPhone/iPad without your approval." The user also tagged Tim Cook on the issue in a follow-up tweet on January 21."

Once the bug started making headlines on Monday, the Twitter user then shared additional tweets claiming that they had also emailed Apple's product security team over a week ago. A screenshot of the email was shared, and it appears the team did respond, but what they said is not visible in the screenshot. [...] All in all, there is evidence that Apple Support was tagged about an eavesdropping bug eight days before it made headlines, and if the rest of the tweets are truthful, the company was also alerted about the bug via several other avenues. The original story has been updated to include another example of a user -- John Meyer -- who has shared a video about the FaceTime bug that he says was recorded and sent to Apple on January 23.

Social media sites lit up today with anxious Apple users after a strange glitch in iPhone's FaceTime app became apparent. The issue: It turns out that an iPhone user can call another iPhone user and listen in on -- and access live video feed of -- that person's conversations through the device's microphone and camera -- even if the recipient does not answer the call. In a statement, Apple said it was aware of the bug and was working to release a fix later this week. In the meanwhile, the company has disabled Group calling functionality on FaceTime app. From a report: The issue was so serious that Twitter CEO Jack Dorsey, and even Andrew Cuomo, governor of the state of New York, weighed in and urged their followers to disable FaceTime. [...] That's bad news for a company that's been vocal about privacy and customer data protection lately. The timing couldn't be worse, given that Apple is set to host its earnings call for the October-December quarter of 2018 in just a matter of hours.

"Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches," reports eWeek. "But what happens when the application infrastructure that is supposed to deliver those patches itself is at risk?" That's what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities. On January 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on January 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries....

In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website... Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtably redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.

France's defence secretary Florence Parly had a declaration to make this week: "Cyber war has begun." And she said the Euro nation's military will use its "cyber arms as all other traditional weapons... to respond and attack," as well as setting up a military bug bounty program. From a report: Parly made her pledges during a speech to the Forum International de Cybersecurite (FIC) in the northern French town of Lille. Her speech was on a topic that most Western countries shy away from addressing directly in public. "The cyber weapon is not only for our enemies," said France's defence secretary this afternoon, speaking through a translator. "No. It's also, in France, a tool to defend ourselves. To respond and attack." Her remarks will be seen as moving the debate about offensive cyber capabilities -- not just so-called "active defence" but using infosec techniques as another weapon in the arsenal of state-on-state warfare -- to a new level.

"Google engineers have proposed changes to the open-source Chromium browser that will break content-blocking extensions, including various ad blockers," reports The Register. "The drafted changes will also limit the capabilities available to extension developers, ostensibly for the sake of speed and safety. Chromium forms the central core of Google Chrome, and, soon, Microsoft Edge." From the report: In a note posted Tuesday to the Chromium bug tracker, Raymond Hill, the developer behind uBlock Origin and uMatrix, said the changes contemplated by the Manifest v3 proposal will ruin his ad and content blocking extensions, and take control of content away from users. Manifest v3 refers to the specification for browser extension manifest files, which enumerate the resources and capabilities available to browser extensions. Google's stated rationale for making the proposed changes is to improve security, privacy and performance, and supposedly to enhance user control.

But one way Google would like to achieve these goals involves replacing the webRequest API with a new one, declarativeNetRequest. The webRequest API allows extensions to intercept network requests, so they can be blocked, modified, or redirected. This can cause delays in web page loading because Chrome has to wait for the extension. In the future, webRequest will only be able to read network requests, not modify them. The declarativeNetRequest allows Chrome (rather than the extension itself) to decide how to handle network requests, thereby removing a possible source of bottlenecks and a potentially useful mechanism for changing browser behavior. The report notes that Adblock Plus "should still be available" since "Google and other internet advertising networks apparently pay Adblock Plus to whitelist their online adverts."

Apple today pushed software updates for a range of its computing platforms. They are all minor releases that simply offer a few bug fixes and security updates, with no new features -- and there are no new features in any of the beta releases for these versions of the operating systems, either. From a report: iOS 12.1.3 fixes a scrolling bug in Messages, an iPad Pro-specific audio bug, and a graphical error in some photos, and it addresses some CarPlay disconnects experienced by owners of the three new iPhone models released in late 2018. It also fixes two minor bugs related to the company's HomePod smart speaker.

Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.

Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.

"I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device. Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreatX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on.

Kevin C. Tofel, writing for About Chromebooks: I've been following the bug report that tracks progress on adding GPU acceleration for the Linux container in Chrome OS and there's good news today. The first two Chrome OS boards should now, or very soon, be able to try GPU hardware acceleration with the new startup parameter found last month. The bug report says the -enable-gpu argument was added to the Eve and Nami boards.

There's only one Eve and that's the Pixelbook. Nami is used on a number of newer devices, including: Dell Inspiron 14, Lenovo Yoga Chromebook C630, Acer Chromebook 13, Acer Chromebook Spin 13, and HP X360 Chromebook 14.

Twitter disclosed on its Help Center page today that some Android users had their private tweets revealed for years due to a security flaw. "The issue caused the Twitter for Android app to disable the 'Protect your Tweets' setting for some Android users who made changes to their account settings, such as changing the email address associated with their account, between November 3rd, 2014 and January 14th, 2019," reports The Verge. From the report: Though the company says the issue was fixed earlier this week and that iOS or web users weren't affected, it doesn't yet know how many Android accounts were affected. Twitter says it's reached out to affected users and turned the setting back on for them, but it still recommends that users review their privacy settings to make sure it reflects their desired preferences.

Researchers at cybersecurity firm Check Point say three vulnerabilities chained together could have allowed hackers to take control of any of Fortnite's 200 million players. "The flaws, if exploited, would have stolen the account access token set on the gamer's device once they entered their password," reports TechCrunch. "Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password." From the report: The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games' own domain and steal an access token needed to break into an account.

Here's how it works: The user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker. "If the victim user is not logged into the game, he or she would have to log in first," a researcher said. "Once that person is logged in, the account can be stolen." Epic Games has since fixed the vulnerability.