President Biden on Monday signed the SHARE IT Act (H.R. 9566) into law, mandating federal agencies share custom-developed code with each other to prevent duplicative software development contracts and reduce the $12 billion annual government software expenditure. The law requires agencies to publicly list metadata about custom code, establish sharing policies, and align development with best practices while exempting classified, national security, and privacy-sensitive code. FedScoop reports: Under the law, agency chief information officers are required to develop policies within 180 days of enactment that implement the act. Those policies need to ensure that custom-developed code aligns with best practices, establish a process for making the metadata for custom code publicly available, and outline a standardized reporting process. Per the new law, metadata includes information about whether custom code was developed under a contract or shared in a repository, the contract number, and a hyperlink to the repository where the code was shared. The legislation also has industry support. Stan Shepard, Atlassian's general counsel, said that the company shares "the belief that greater collaboration and sharing of custom code will promote openness, efficiency, and innovation across the federal enterprise."

A ninth U.S. telecommunications company has been compromised in a Chinese espionage campaign that targeted private communications, particularly around Washington D.C., White House Deputy National Security Adviser Anne Neuberger said Friday.

The intrusion, part of the "Salt Typhoon" operation that previously hit eight telecom firms, allowed hackers to access customer call records and private messages. While the total number of affected Americans remains unclear, many targets were government officials and political figures in the Washington-Virginia area.

Microsoft is warning that Windows 11 installations using USB or CD media created with October or November 2024 security updates may be unable to receive future security patches.

The bug affects version 24H2 installations made between October 8 and November 12, but does not impact systems updated through Windows Update or the Microsoft Update Catalog. Microsoft advised users to rebuild installation media using December 2024 patches while it works on a permanent fix for the issue, which primarily affects business and education environments.

The annual defense policy bill signed by President Joe Biden Monday evening allocates $3 billion to help telecom firms remove and replace insecure equipment in response to recent incursions by Chinese-linked hackers. From a report: The fiscal 2025 National Defense Authorization Act outlines Pentagon policy and military budget priorities for the year and also includes non-defense measures added as Congress wrapped up its work in December. The $895 billion spending blueprint passed the Senate and House with broad bipartisan support.

The $3 billion would go to a Federal Communications Commission program, commonly called "rip and replace," to get rid of Chinese networking equipment due to national security concerns. The effort was created in 2020 to junk equipment made by telecom giant Huawei. It had an initial investment of $1.9 billion, roughly $3 billion shy of what experts said was needed to cauterize the potential vulnerability.

Calls to replenish the fund have increased recently in the wake of two hacking campaigns by China, dubbed Volt Typhoon and Salt Typhoon, that saw hackers insert malicious code in U.S. infrastructure and break into at least eight telecom firms. The bill also includes a watered down requirement for the Defense Department to tap an independent third-party to study the feasibility of creating a U.S. Cyber Force, along with an "evaluation of alternative organizational models for the cyber forces" of the military branches.

An anonymous reader quotes a report from the Boston Globe: Every weekday morning at 8:30, Preston Thorpe makes himself a cup of instant coffee and opens his laptop to find the coding tasks awaiting his seven-person team at Unlocked Labs. Like many remote workers, Thorpe, the nonprofit's principal engineer, works out in the middle of the day and often stays at his computer late into the night. But outside Thorpe's window, there's a soaring chain-link fence topped with coiled barbed wire. And at noon and 4 p.m. every day, a prison guard peers into his room to make sure he's where he's supposed to be at the Mountain View Correctional Facility in Charleston, Maine, where he's serving his 12th year for two drug-related convictions in New Hampshire, including intent to distribute synthetic opioids.

Remote work has spread far and wide since the pandemic spurred a work-from-home revolution of sorts, but perhaps no place more unexpectedly than behind prison walls. Thorpe is one of more than 40 people incarcerated in Maine's state prison system who have landed internships and jobs with outside companies over the past two years -- some of whom work full time from their cells and earn more than the correctional officers who guard them. A handful of other states have also started allowing remote work in recent years, but none have gone as far as Maine, according to the Alliance for Higher Education in Prison, the nonprofit leading the effort.

Unlike incarcerated residents with jobs in the kitchen or woodshop who earn just a few hundred dollars a month, remote workers make fair-market wages, allowing them to pay victim restitution fees and legal costs, provide child support, and contribute to Social Security and other retirement funds. Like inmates in work-release programs who have jobs out in the community, 10 percent of remote workers' wages go to the state to offset the cost of room and board. All Maine DOC residents get re-entry support for housing and job searches before they're released, and remote workers leave with even more: up-to-date resumes, a nest egg -- and the hope that they're less likely to need food or housing assistance, or resort to crime to get by.

In 2024, North Korean state-sponsored hackers stole $1.34 billion in cryptocurrency across 47 attacks, marking a 102.88% increase from 2023 and accounting for 61% of global crypto theft. BleepingComputer reports: Although the total number of incidents in 2024 reached a record-breaking 303, the total losses figure isn't unprecedented, as 2022 remains the most damaging year with $3.7 billion. Chainalysis says most of the incidents this year occurred between January and July, during which 72% of the total amount for 2024 was stolen. The report highlights the DMM Bitcoin hack from May, where over $305 million was lost, and the WazirX cyberheist from July, which resulted in the loss of $235 million.

As for what types of platforms suffered the most damage, DeFi platforms were followed by centralized services. Regarding the means, the analysts report that private key compromises accounted for 44% of the losses, while exploitation of security flaws corresponded to just 6.3% of stolen cryptocurrency. This is a sign that security audits have a significant effect on reducing exploitable flaws on the platforms. However, stricter security practices in the handling of private keys need to be implemented.

ASUS computer owners have been reporting widespread alarm after a Christmas-themed banner suddenly appeared on their Windows 11 screens, accompanied by a suspicious "Christmas.exe" process in Task Manager.

The promotional campaign, first reported by WindowsLatest, was delivered through ASUS' pre-installed Armoury Crate software. It displays a large wreath banner that covers one-third of users' screens. The unbranded holiday display, which can interrupt gaming sessions and occasionally crashes applications, has triggered security concerns among users who initially mistook it for malware.

An anonymous reader quotes a report from The Verge: The Consumer Financial Protection Bureau (CFPB) is suing Walmart and payroll service provider Branch Messenger for alleged illegal payment practices for gig workers. The bureau says Walmart was opening direct deposit accounts using Spark delivery drivers' social security numbers without their consent. The accounts also can come with intense fees that, according to the complaint, would add either 2 percent or $2.99 per transaction, whichever is higher. It also says Walmart repeatedly promised to provide drivers with same-day payments through the platform starting in July 2021 but never delivered on that.

The Bureau alleges that for approximately two years starting around June 2021, defendants engaged in unfair, abusive, and deceptive practices in violation of the Consumer Financial Protection Act of 2010, including by requiring Spark Drivers to receive their compensation in Branch Accounts, opening Branch Accounts for Spark Drivers without their informed consent or, in many instances, on an unauthorized basis, and making deceptive statements about Branch to Spark Drivers. Spark delivery workers have been complaining about Walmart's Branch Messenger account requirements for years, which forced workers to use these accounts with no option to direct deposit to a preferred credit union or local bank. Walmart allegedly told workers they'd be terminated if they didn't accept the Branch accounts.

Vietnam's Decree 147 mandates social media users on platforms like Facebook and TikTok to verify their identities and requires tech companies to store and share user data with authorities upon request, sparking concerns over increased censorship, self-censorship, and threats to free expression. Furthermore, the decree imposes restrictions on gaming time for minors and limits livestreaming to verified accounts. It becomes effective on Christmas Day. The Guardian reports: Decree 147, as it is known, builds on a 2018 cybersecurity law that was sharply criticized by the US, EU and internet freedom advocates who said it mimics China's repressive internet censorship. [...] Critics say that decree 147 will also expose dissidents who post anonymously to the risk of arrest. "Many people work quietly but effectively in advancing the universal values of human rights," Ho Chi Minh City-based blogger and rights activist Nguyen Hoang Vi told AFP.

She warned that the new decree "may encourage self-censorship, where people avoid expressing dissenting views to protect their safety -- ultimately harming the overall development of democratic values" in the country. Le Quang Tu Do, of the ministry of information and communications (MIC), told state media that decree 147 would "regulate behavior in order to maintain social order, national security, and national sovereignty in cyberspace." [...]

Human Rights Watch is calling on the government to repeal the "draconian" new decree. "Vietnam's new Decree 147 and its other cybersecurity laws neither protect the public from any genuine security concerns nor respect fundamental human rights," said Patricia Gossman, HRW's associate Asia director. "Because the Vietnamese police treat any criticism of the Communist party of Vietnam as a national security matter, this decree will provide them with yet another tool to suppress dissent."

An anonymous reader quotes a report from Ars Technica: Health care company Ascension lost sensitive data for nearly 5.6 million individuals in a cyberattack that was attributed to a notorious ransomware gang, according to documents filed with the attorney general of Maine. Ascension owns 140 hospitals and scores of assisted living facilities. In May, the organization was hit with an attack that caused mass disruptions as staff was forced to move to manual processes that caused errors, delayed or lost lab results, and diversions of ambulances to other hospitals. Ascension managed to restore most services by mid-June. At the time, the company said the attackers had stolen protected health information and personally identifiable information for an undisclosed number of people.

A filing Ascension made earlier in December revealed that nearly 5.6 million people were affected by the breach. Data stolen depended on the particular person but included individuals' names and medical information (e.g., medical record numbers, dates of service, types of lab tests, or procedure codes), payment information (e.g., credit card information or bank account numbers), insurance information (e.g., Medicaid/Medicare ID, policy number, or insurance claim), government identification (e.g., Social Security numbers, tax identification numbers, driver's license numbers, or passport numbers), and other personal information (such as date of birth or address). Ascension is now in the process of notifying affected individuals. The organization is also offering two years of credit and fraud monitoring, a $1 million insurance reimbursement policy, and managed ID theft recovery services. The services became effective last Thursday. Further reading: Black Basta Ransomware Attack Brought Down Ascension IT Systems, Report Finds

Since 2021, Apple has been sending threat notifications to certain users, informing them that they may have been individually targeted by mercenary spyware attacks. When victims of spyware reach out to Apple for help, TechCrunch reports, "Apple doesn't tell the targets to get in touch with its own security engineers." Instead, Apple directs them to the nonprofit security lab Access Now, "which runs a digital helpline for people in civil society who suspect they have been targets of government spyware."

While some view this as Apple sidestepping responsibility, cybersecurity experts agree that Apple's approach -- alerting victims, directing them to specialized support, and recommending tools like Lockdown Mode -- has been a game changer in combating mercenary spyware threats. From the report: For people who investigate spyware, Apple sharing spyware notifications with victims represented a turning point. Before the notifications, "We were just like in the dark, not knowing who to check," according to Access Now's legal counsel Natalia Krapiva. "I think it's one of the greatest things that's happened in the sphere of this kind of forensic investigations and hunting of sophisticated spyware," Krapiva told TechCrunch.

Now, when someone or a group of people get a notification from Apple, they are warned that something potentially anomalous is happening with their device, that someone is targeting them, and that they need to get help. And Apple tells them exactly where to get it, according to Scott-Railton, who said Access Now's helpline is the right place to go because "the helpline is able to do good, systematic triage work and support." Krapiva said that the helpline is staffed by more than 30 people, supported by others who work in other departments of the nonprofit. So far in 2024, Krapiva said Access Now received 4,337 tickets through the helpline.

For anyone alerted by a notification, Apple tells those targets and victims of spyware to update their iOS software and all their apps. Apple also suggests the user switches on Lockdown Mode, an opt-in iOS security feature that has stopped spyware attacks in the past by limiting device features that are often exploited to plant spyware. Apple said last year that it is not aware of any successful spyware infection against someone who used Lockdown Mode.

The Biden administration has launched a Section 301 investigation into China's semiconductor industry, citing concerns over non-market practices, supply chain dependencies, and national security risks. The Hill reports: In a fact sheet, the White House said China "routinely engages in non-market policies and practices, as well as industrial targeting, of the semiconductor industry" that harms competition and creates "dangerous supply chain dependencies."

The Biden administration said the Office of the United States Trade Representative would launch a Section 301 investigation to examine China's targeting of semiconductor chips for dominance, an effort to see whether the practices are unfairly hurting U.S. trade and take potential action. The investigation will broadly probe Chinese nonmarket practices and policies related to semiconductors and look at how the products are incorporated into industries for defense, auto, aerospace, medical, telecommunications and power. It will also examine production of silicon carbide substrates or other wafers used as inputs for semiconductors. The probe launches four weeks before President-elect Donald Trump takes office. "The effort could offer Trump a ready avenue to begin imposing some of the hefty 60% tariffs he has threatened on Chinese imports," notes Reuters.

"Departing President Joe Biden has already imposed a 50% U.S. tariff on Chinese semiconductors that starts on Jan. 1. His administration also has tightened export curbs on advanced artificial intelligence and memory chips and chipmaking equipment."

A series of drone sightings over U.S. military bases "has renewed concerns that the U.S. doesn't have clear government-wide policy for how to deal with unauthorized incursions that could potentially pose a national security threat," reports CNN: "We're one year past Langley drone incursions and almost two years past the PRC spy balloon. Why don't we have a single [point of contact] who is responsible for coordination across all organizations in the government to address this?" the recently retired head of US Northern Command and NORAD, Gen. Glen VanHerck, told CNN. "Instead, everybody's pointing their fingers at each other saying it's not our responsibility...." Over a period of six days earlier this month, there were six instances of unmanned aerial systems, or drones, entering the airspace of the Marine Corps base Camp Pendleton in California, a spokesperson confirmed to CNN, adding that they posed "no threat to installation operations and no impact to air and ground operations." There have also been incidents in the last month at Wright-Patterson Air Force Base, Ohio; Picatinny Arsenal, New Jersey; Naval Weapons Station Earle, New Jersey; and Vandenberg Space Force Base, California. A Chinese citizen, who is a lawful permanent resident of the US, was recently arrested in connection to the California incident.

The drone incidents are "a problem that has been brewing for over a decade and we have basically failed to address it," said retired Air Force Brig. Gen. Rob Spalding, who previously served as the chief China strategist for the Joint Chiefs of Staff and senior director for strategic planning on the National Security Council. It's unclear what specifically the drones could be doing — the intent could be anything from attempting to gather intelligence on the base or testing its defenses and response time, to gaining a better understanding of how the bases work, or they could simply be harmless hobbyists flying drones too close to restricted areas... Despite the incursions and the risk they could pose, officials say there is no coordinated policy to determine what agency leads the response to such activity, or how to determine where the drones originate.

CNN reported this week that government agencies have struggled to keep pace with the development of drones and drone technology, particularly by adversaries like China, though legislation is being discussed and the Pentagon just recently released its strategy for countering unmanned systems... The two heads of the Senate Armed Services Committee, Sens. Jack Reed and Roger Wicker, sounded the alarm in a Washington Post op-ed at the beginning of 2024 that the US "lacks adequate drone detection capability" and that agencies "lack clear lines of authority about which agency is responsible for stopping these incursions."

Military installations have the authority to protect themselves and respond to threats, but a former senior military official said that if the drone enters the airspace and subsequently leaves, determining where the drone originated from and what it was doing can be difficult. Military law enforcement typically coordinates with civilian law enforcement off base in that instance, the former official said, but are often limited in what they can do given laws that restrict intelligence collection within US borders. But sources also said the lack of ability to do more also stems at times from a failure to prioritize defense against this kind of activity within the US. The topic is "such a relatively new phenomenon that the law has not caught up and the agencies have not adapted quickly enough," [said one Senate aide familiar with discussions on drone defense and policy].
"The need for Congressional action was made clear in a joint statement this week from the Department of Defense, Department of Homeland Security, Federal Bureau of Investigations and Federal Aviation Administration," according to the article.

"The agencies said they 'urge Congress to enact counter-UAS legislation when it reconvenes that would extend and expand existing counter-drone authorities to identify and mitigate any threat that may emerge.'"

On Thursday New Jersey lawmakers passed a resolution "calling on the federal government to conduct a 'rigorous and ongoing' investigation into the drone sightings in the state," reports the Associated Press: Meanwhile, federal and local authorities are warning against pointing lasers at suspected drones, because aircraft pilots are being hit in the eyes more often. Authorities also said they are concerned people might fire weapons at manned aircraft that they have mistaken for drones...

White House national security spokesperson John Kirby said Monday that the federal government has yet to identify any public safety or national security risks. "There are more than 1 million drones that are lawfully registered with the Federal Aviation Administration here in the United States," Kirby said. "And there are thousands of commercial, hobbyist and law enforcement drones that are lawfully in the sky on any given day. That is the ecosystem that we are dealing with." The federal government has deployed personnel and advanced technology to investigate the reports in New Jersey and other states, and is evaluating each tip reported by citizens, he said. About 100 of the more than 5,000 drone sightings reported to the FBI in recent weeks were deemed credible enough to warrant more investigation, according to a joint statement by the Department of Homeland Security, FBI, Federal Aviation Administration and Department of Defense.

Speculation has raged online, with some expressing concerns the drones could be part of a nefarious plot by foreign agents or clandestine operations by the U.S. government. Pentagon spokesperson Maj. Gen. Pat Ryder said it's unlikely the drones are engaged in intelligence gathering, given how loud and bright they are. He repeated Tuesday that the drones being reported are not being operated by the Department of Defense. Asked whether military contractors might be operating drones in the New Jersey area, Ryder rebuffed the notion, saying there are "no military operations, no military drone or experiment operations in this corridor." Ryder said additional drone-detecting technology was being moved to some military installations, including the Picatinny Arsenal...

U.S. Sen. Andy Kim, a New Jersey Democrat, said he has heard nothing to support the notion that the government is hiding anything. He said a lack of faith in institutions is playing a key part in the saga.

The EU is pushing Apple to make iOS more interoperable with other platforms, requiring features like AirDrop and AirPlay to work seamlessly with Android and third-party devices, while also enabling background app functionality and cross-platform notifications. 9to5Google reports: A new document released (PDF) by the European Commission this week reveals a number of ways the EU wants Apple to change iOS and its features to be more interoperable with other platforms. There are some changes to iOS itself, such as opening up notifications to work on third-party smartwatches as they do with the Apple Watch. Similarly, the EU wants Apple to let iOS apps work in the background as Apple's first-party apps do, as this is a struggle of some apps, especially companion apps for accessories such as smartwatches (other than the Apple Watch, of course). But there are also some iOS features that the EU directly wants Apple to open up to other platforms, including Android. [...]

As our sister site 9to5Mac points out, Apple has responded (PDF) to this EU document, prominently criticizing the EU for putting out a mandate that "could expose your private information." Apple's document primarily focuses in on Meta, which the company says has made "more interoperability requests" than anyone else. Apple says that opening AirPlay to Meta would "[create] a new class of privacy and security issues, while giving them data about users homes." The EU is taking consultation on this case until January 9, 2025, and if Apple doesn't comply when the order is eventually put into effect, it could result in heavy fines.

A bipartisan group of senators is calling out the auto industry for its "hypocritical, profit-driven" opposition to national right-to-repair legislation, while also selling customer data to insurance companies and other third-party interests. From a report: In a letter sent to the CEOs of the top automakers, the trio of legislators -- Sens. Elizabeth Warren (D-MA), Jeff Merkley (D-OR), and Josh Hawley (R-MO) -- urge them to better protect customer privacy, while also dropping their opposition to state and national right-to-repair efforts.

"Right-to-repair laws support consumer choice and prevent automakers from using restrictive repair laws to their financial advantage," the senators write. "It is clear that the motivation behind automotive companies' avoidance of complying with right-to-repair laws is not due to a concern for consumer security or privacy, but instead a hypocritical, profit-driven reaction."

Teenagers using Meta's virtual reality headsets to cheat at the popular game Gorilla Tag are unknowingly selling access to their home internet connections to potential cybercriminals, cybersecurity researchers found. The players have been side-loading Big Mama VPN, a free Android app, onto their VR headsets to create lag that makes it easier to win the tag-based game. However, the app simultaneously operates as a residential proxy service, selling access to users' IP addresses on a marketplace frequented by cybercriminals.

Cybersecurity firm Trend Micro discovered VR headsets were the third most common devices using Big Mama VPN, after Samsung and Xiaomi devices. The company's proxy services have been promoted on cybercrime forums and were linked to at least one cyberattack, according to research from security firms Trend Micro and Kela.

An anonymous reader quotes a report from Gizmodo: Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a new warning (PDF) about text messages.

"Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets. The telecommunications hack mentioned above has been called the "worst hack in our nation's history," according to Sen. Mark Warner (D-VA).

Microsoft has lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success. From a report: The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations -- sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a blog post. The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

The Federal Aviation Administration has issued a monthlong ban on drone flights over a large swath of New Jersey, the first broad prohibition of its kind since the authorities began investigating a spate of sightings last month that set off fear and speculation. From a report: The ban began late on Wednesday and will continue through Jan. 17, according to an F.A.A. alert. The notification cited "special security reasons" for prohibiting flights in airspace near 22 New Jersey communities, including three of the state's largest cities, Camden, Elizabeth and Jersey City. The F.A.A. said it had temporarily restricted drone flights over "critical New Jersey infrastructure" at the request of what it described as federal security partners.