Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, WSJ reported Wednesday, citing people familiar with the matter. From the report: The hacking campaign, called Salt Typhoon by investigators, hasn't previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing's massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America's broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack. Last week, U.S. officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into U.S. networks for a China-based hacking group called Flax Typhoon. And in January, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of U.S. critical infrastructure.

"The cyber threat posed by the Chinese government is massive," said Christopher Wray, the Federal Bureau of Investigation's director, speaking earlier this year at a security conference in Germany. "China's hacking program is larger than that of every other major nation, combined." U.S. security officials allege that Beijing has tried and at times succeeded in burrowing deep into U.S. critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China's actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the U.S.'s ability to mobilize support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island.

A small city in Kansas switched was forced to switch its water treatment facility to manual operations after a suspected cyberattack was discovered on September 22. The precautionary measure was taken "to ensure plant operations remained secure," the city said. It reassured residents that the drinking water is safe and the water supply remains unaffected. SecurityWeek.com reports: Arkansas City says it has notified the relevant authorities of the incident and that they are working with cybersecurity experts to address the issue and return the facility's operations to normal. "Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents," the city said. While the city's notification does not share further details on the incident, it appears that the water treatment plant might have fallen victim to a ransomware attack. Switching to manual operations suggests that systems were shut down to contain the attack, which is the typical response to incidents involving ransomware.

wiredmikey writes: CrowdStrike says it has revamped several testing, validation, and update rollout processes to prevent a repeat of the embarrassing July outage that caused widespread disruption on Windows systems around the world.

In testimony before the House Subcommittee on Cybersecurity, CrowdStrike vice president Adam Meyers outlined a new set of protocols that include carefully controlled rollouts of software updates, better validation of code inputs, and new testing procedures to cover a broader array of problematic scenarios.

An anonymous reader shares a report: The Pacific country of Kiribati might be surrounded by water, but on land its population is running dry. The ocean around them is steadily encroaching, contaminating underground wells and leeching salt into the soil. "Our waters have been infected," climate activist and law student Christine Tekanene says. "Those who are affected, they now can't survive with the water that changed after sea level rise." The freshwater crisis is just one of the many threats driven by rising seas in Kiribati. Its people live on a series of atolls, peaking barely a couple of metres above a sprawling tract of the Pacific Ocean. As global temperatures rise and ice sheets melt, Kiribati -- and other low-lying nations like it -- are experiencing extreme and regular flooding, frequent coastal erosion and persistent food and water insecurity.

This week the United Nations general assembly will hold a high-level meeting to address the existential threats posed by sea level rise as the issue climbs the international agenda; last year the UN security council debated it for the first time. Wednesday's meeting aims to build political consensus on action to address the widespread social, economic and legal consequences of rising seas. Samoa's UN representative, Fatumanava Dr Pa'olelei Luteru, says the upcoming UN meeting is long overdue and "extremely important" for island nations. "Economically, militarily, we're not powerful," says Luteru, who also serves as the current chair of the Alliance of Small Island States (AOSIS). "At least within the context of the UN and the multilateral system we have the possibility and the opportunity to engage and achieve some of the things that are a priority for us."

Ars Technica's Dan Goodin reports: Five years ago, researchers made a grim discovery -- a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads. Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible. [...]

The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads -- known as Max Browser -- was also infected. That app is no longer available in Google Play. The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.

Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft's security culture "inadequate."

Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging.

Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.

Sonos launched a disastrous app update in May, prompting CEO Patrick Spence to commission an internal investigation led by chief counsel Eddie Lazarus. The software release, plagued with missing features and bugs, has sparked widespread customer outrage and led to a $200 million revenue shortfall. Sonos shares have plummeted 25% this year. Lazarus interviewed about two dozen employees and reviewed meeting recordings before presenting his findings to the board in late July. Bloomberg: What has happened to Sonos is at its heart a cautionary tale of company leadership ignoring the perils of "technical debt," the term used by software engineers to describe the compounding threat of outdated code and infrastructure on security, usability and stability.

For two decades, Sonos had allowed its tech debt to pile high. When it undertook in earnest its effort to revamp its app in mid-2022, the company knew it was sitting on infrastructure and code written in languages that were pretty much obsolete. The Sonos app had been adapted and spliced and tinkered with so often, the vast majority of work being performed for the new app was less about introducing new functionality than sorting out the existing mess.

The company could have tackled its tech debt sooner but appears to have lacked a crucial element: urgency. It finally came in the form of the Sonos Ace headphones, the first product in the Sonos range to be fully mobile rather than using home or office Wi-Fi. The app needed to be rebuilt, as did the cloud computing setup underpinning it.

Ace is a critical product for Sonos. Now that Sonos' pandemic sales boom has subsided, Wall Street has started to question where revenue growth will come from. Sonos Ace is a big part of the answer. Despite the company's lofty and well-earned reputation, Sonos' share of the $100 billion audio market is only around 2% because it has not gone toe-to-toe in the headphones category with Apple, Sennheiser, Bose and the rest.

The US Commerce Department on Monday will propose a ban on the sale or import of smart vehicles that use specific Chinese or Russian technology because of national security concerns, according to US officials. From a report: A US government investigation that began in February found a range of national security risks from embedded software and hardware from China and Russia in US vehicles, including the possibility of remote sabotage by hacking and the collection of personal data on drivers, Secretary of Commerce Gina Raimondo told reporters Sunday in a conference call.

"In extreme situations, a foreign adversary could shut down or take control of all their vehicles operating in the United States, all at the same time, causing crashes (or) blocking roads," she said. The rule would not apply to cars already on the road in the US that already have Chinese software installed, a senior administration official told CNN. The software ban would take effect for vehicles for "model year" 2027 and the hardware ban for "model year" 2030, according to the Commerce Department. The proposed regulatory action is part of a much broader struggle between the United States and China, the world's two biggest economies, to secure the supply chains of the key computing technology of the future, from semiconductors to AI software. China, in particular, has invested heavily in the connected car market, and inroads made by Chinese manufacturers in Europe have worried US officials.

First released on July 11th, the Firefox-based Zen browser is "taking a different approach to the user interface," according to the blog It's FOSS.

The Register says the project "reminds us strongly of Arc, a radical Chromium-based web browser... to modernize the standard web browser UI by revising some fundamental assumptions." [Arc] removes the URL bar from front and center, gets rid of the simple flat list of tabs, and so on. Zen is trying to do some similar things, but in a slightly more moderate way — and it's doing it on the basis of Mozilla's Firefox codebase... Instead of the tired old horizontal tab bar you'll see in both Firefox and Chrome, Zen implements its own tab bar... By default, this tab bar is narrow and just shows page icons — but there are some extra controls at the bottom of the sidebar, one of which expands the sidebar to show page titles too. For us, it worked better than Vivaldi's fancier sidebar.
The article concludes it's "a new effort to modernize web browsing by bringing tiling, workspaces, and so on — and it's blissfully free of Google code." One Reddit comment swooned over Zen's "extraordinary" implementation of a distraction-free "Compact Mode" (hiding things like the sidebar and top bar). And It's Foss described it as a "tranquil," browser, "written using CSS, C++, JavaScript, and a few other programming languages, with a community of over 30 people contributing to it." The layout of the interface felt quite clean to me; there were handy buttons on the top to control the webpage, manage extensions, and a menu with additional options... The split-view functionality allows you to open up two different tabs on the same screen, allowing for easy multitasking when working across different webpages... I split two tabs, but in my testing, I could split over 10+ tabs... If you have a larger monitor, then you are in for a treat...

The Zen Sidebar feature... can run web apps alongside any open tabs. This can be helpful in situations where you need to quickly access a service like a note-taking app, Wikipedia, Telegram, and others.

On the customization side of things, you will find that Zen Browser supports everything that Firefox does, be it the settings, adding new extensions/themes/plugins, etc.
The Register points out it's easy to give it a try. "Being based on Firefox means that as well as running existing extensions, it can connect to Mozilla's Sync service and pick up not just your bookmarks, but also your tabs from other instances."

And beyond all that, "There's just something satisfying about switching browsers every now and again..." argues the tech site Pocket-Lint: Zen Browser's vertical tabs layout is superb and feels much better than anything available in standard Firefox. [Firefox recently offered vertical tabs and a new sidebar experience in Nightly/Firefox Labs 131.] The tab bar can be set to automatically hide and show up whenever you hover near it, and it also contains quick access buttons to bookmarks, settings, and browsing history. The tab bar also contains a profile switcher...

One of the greatest parts of the Zen Browser is the community that has popped up around it. At its heart, Zen Browser is a community-driven project... Zen Browser themes are aesthetic and functional tweaks to the UI. While there aren't a ton available right now, the ones that are show a lot of promise for the browser's future... I've personally gotten great use out of the Super URL Bar theme, which makes your URL bar expand and become the focus of your screen while typing in it... There's a lot you can do to make Zen Browser feel nearly exactly like what you want it to feel like.
The "Business Standard calls it "an open-source alternative to Chromium-based browsers," adding "Where Zen truly shines is it offers a range of customisation, tab management, and workspace management..." Their theme store offers a range of options, including modifications to the bookmark toolbar, a floating URL bar, private mode theming, and removal of browser padding. In addition to these, users can also choose from custom colour schemes and built-in theming options... The Sidebar is another neat feature which allows you to open tabs in a smaller, smartphone-sized window. You can view websites in mobile layout by using this panel.
It's "focused on being always at the latest version of Firefox," according to its official site, noting that Firefox is known for its security features. But then, "We also have additional security features like https only built into Zen Browser to help keep you safe online." And it also promises automated Releases "to ensure security."

It's FOSS adds that you can get Zen Browser for Linux, Windows, and macOS from its official website (adding "They also offer it on the Flathub store for further accessibility on Linux.")

And its source code is available on GitHub.

German law enforcement seized 47 cryptocurrency exchange services "that facilitated illegal money laundering activities for cybercriminals," according to BleepingComputer, "including ransomware gangs."

Long-time Slashdot reader Arrogant-Bastard shares their report: The platforms allowed users to exchange cryptocurrencies without following applicable "Know Your Customer" regulations, meaning that users remained completely anonymous when making transactions. This created a low-risk environment for cybercriminals to launder their proceeds without fearing prosecution or being tracked. "Exchange services that enable such anonymous financial transactions and thus money laundering represent one of the most relevant building blocks in the criminal value chain of the cybercrime phenomenon," reads a Federal Criminal Police Office (BKA) announcement... When visiting any of the seized exchanges, you are now redirected to a warning page titled "Operation Final Exchange," which warns visitors that they have been deceived by the promises of anonymity by the operators of these platforms.
The new site notes years-long promises from the exchanges "that their hosting cannot be found, that they do not store any customer data and that all data is deleted immediately after the transaction...

"We have found their servers and seized them — development servers, production servers, backup servers. We have their data — and therefore we have your data. Transactions, registration data, IP addresses.

"Our search for traces begins. See you soon."

"Many GitHub users this week received a novel phishing email warning of critical security holes in their code," reports Krebs on Security — citing an email shared by one of his readers: "Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue...." Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter "R," which opens a Windows "Run" prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.
Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."

Thanks to long-time Slashdot reader sinij for sharing the article.

Software developers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. From a report: "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference. Easterly also implored the audience to stop "glamorizing" crime gangs with fancy poetic names. How about "Scrawny Nuisance" or "Evil Ferret," Easterly suggested.

Even calling security holes "software vulnerabilities" is too lenient, she added. This phrase "really diffuses responsibility. We should call them 'product defects,'" Easterly said. And instead of automatically blaming victims for failing to patch their products quickly enough, "why don't we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors."

Deadly attacks using booby-trapped pagers and walkie-talkies in Lebanon has revealed significant vulnerabilities in the supply chains for older electronic devices. The incident, which killed 37 people and injured about 3,000, has sparked investigations across Europe into the origins of the weaponized gadgets.

Taiwan-based Gold Apollo blamed a European licensee for the compromised pagers, while Japan's Icom could not verify the authenticity of the walkie-talkies bearing its name. Both companies denied manufacturing the deadly components in their home countries. Industry executives say older electronics from Asia often lack the tight supply chain controls of newer products, making it difficult to trace their origins. Counterfeiting, surplus inventories, and complex manufacturing deals further complicate the issue.

Ukraine has banned use of Telegram on official devices used by state officials, military personnel and critical workers because it believes its enemy Russia can spy on both messages and users, a top security body said on Friday. Reuters: The National Security and Defence Council announced the restrictions after Kyrylo Budanov, head of Ukraine's GUR military intelligence agency, presented the Council with evidence of Russian special services' ability to snoop on the platform, it said in a statement. But Andriy Kovalenko, head of the security council's centre on countering disinformation, posted on Telegram that the restrictions apply only to official devices, not personal phones.

Telegram is heavily used in both Ukraine and Russia and has become a critical source of information since the Russian invasion of Ukraine in February 2022. But Ukrainian security officials had repeatedly voiced concerns about its use during the war. Based in Dubai, Telegram was founded by Russian-born Pavel Durov, who left Russia in 2014 after refusing to comply with demands to shut down opposition communities on his social media platform VKontakte, which he has sold.

Disney plans to transition away from using Slack as its companywide collaboration tool after a hacking group leaked over a terabyte of data from the platform. Many teams at Disney have already begun moving to other enterprise-wide tools, with the full transition expected later this year. Reuters reports: Hacking group NullBulge had published data from thousands of Slack channels at the entertainment giant, including computer code and details about unreleased projects, the Journal reported in July. The data spans more than 44 million messages from Disney's Slack workplace communications tool, WSJ reported earlier this month. The company had said in August it was investigating an unauthorized release of over a terabyte of data from one of its communication systems.

Residents of California can now store their driver's license or state ID in Apple or Google Wallet, according to an announcement today. Apple also shared the news. TechCrunch reports: Californians with an ID in the Apple Wallet or Google Wallet app can use their mobile devices to present their ID in person at select TSA security checkpoints and businesses. They can also use the app to verify their age or identity in select apps. Other states that already support digital driver's licenses and state IDs include Arizona, Colorado, Georgia, Maryland, and Ohio.

An anonymous reader quotes a report from The Register: Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to do so in the near future. It wasn't explicitly said whether this referred to CrowdStrike's Falcon product specifically or was a knee-jerk reaction to security vendors generally. One in five will also change the selection criteria when it comes to reviewing which security vendor gets their business. The whole fiasco doesn't seem to have hurt the company much though, at least not yet.

The findings come from a report examining the experiences of 311 affected organizations in Germany, published today. Of those affected in one way or another, most said they first heard about the issues from social media (23 percent) rather than CrowdStrike itself (22 percent). The report also revealed that half of the 311 surveyed orgs had to halt operations -- 48 percent experienced temporary downtime. Ten hours, on average. Aside from the obvious business continuity impacts, this led to various issues with customers too. Forty percent said their collaboration with customers was damaged because they couldn't provide their usual services, while more than one in ten organizations didn't even want to address the topic. The majority of respondents (66 percent) said they will improve their incident response plans in light of what happened, or have done so already, despite largely considering events like these as unavoidable. The report highlights a curious finding that over half of CrowdStrike customers wanted to install updates more regularly, even though that would have been worse for an organization.

"Regardless, with the number of urgent patch warnings we and the infosec community dish out every week, it's probably a net positive, even if it's slightly misguided," concludes The Register.

Apple's latest macOS 15 "Sequoia" update, released earlier this week, has disrupted security tools from major providers including CrowdStrike, SentinelOne, and Microsoft, according to reports. The extent and cause of the disruption remain unclear.

Google is updating its Password Manager to allow users to sync passkeys across multiple devices, including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports: Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number laying on a sheet of paper directly next to the computer.

U.S. tech giant Cisco has let go of thousands of employees following its second layoff of 2024. From a report: The technology and networking company announced in August that it would reduce its headcount by 7%, or around 5,600 employees, following an earlier layoff in February, in which the company let go of about 4,000 employees. As TechCrunch previously reported, Cisco employees said that the company refused to say who was affected by the layoffs until September 16. Cisco did not give a reason for the month-long delay in notifying affected staff. One employee told TechCrunch at the time that Cisco's workplace had become the "most toxic environment" they had worked in. TechCrunch has learned that the layoffs also affect Talos Security, the company's threat intelligence and security research unit.