Security

SolarWinds Hackers Have a Whole Bag of New Tricks For Mass Compromise Attacks (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies. Nobelium -- the name Microsoft gave to the intruders -- was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group's proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium's numerous feats -- and a few mistakes -- as it continued to breach the networks of some of its highest-value targets.

Mandiant's report shows that Nobelium's ingenuity hasn't wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack -- one called UNC3004 and the other UNC2652 -- have continued to devise new ways to compromise large numbers of targets in an efficient manner. Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.
The advanced tradecraft didn't stop there. According to Mandiant, other advanced tactics and ingenuities included:
  • Use of credentials stolen by financially motivated hackers using malware such as Cryptbot, an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed UNC3004 and UNC2652 to compromise targets even when they didn't use a hacked service provider.
  • Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with "application impersonation privileges," which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
  • The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicions.
  • Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
  • Gaining access to an Active Directory stored in a target's Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what's known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, which is the protocol that makes single sign-on, 2FA, and other security mechanisms work.
  • Use of a custom downloader dubbed Ceeloader.

EU

Eurostar Tests Facial Recognition System On London Train Station (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Eurostar is testing a new biometric facial recognition technology on passengers traveling from London's St Pancras International station to continental Europe. The passengers will be given the opportunity to complete their pre-departure ticket and passport checks via the new biometric system, called the "SmartCheck" lane. Those who take this option will be allowed to board the train without going through the typically tedious ID verification procedures. The system will involve two facial scans, one at the ticket gate to verify the ticket check and one at the UK Exit Checkpoint, to confirm that the passport information is valid.

The goal, according to Eurostar, is to eliminate queues and expedite the boarding process, not only improving customer satisfaction but also minimizing the chances for viral transmission. The system will be trialed with a limited number of invited passengers and won't involve the UK's or Schengen entry controls. Eurostar announced its intention to introduce a facial recognition system to replace physical tickets and passport checks last year, and facial recognition company iProov helped them build it. iProov is a proponent of what they call "passive authentication", which is facial recognition without the user having to do anything. The user consents to the platform by visiting an online portal to register with their information and takes an image of their face with the smartphone or webcam. When they reach a physical checkpoint, they simply look at the camera, and the system authenticates them effortlessly.

Verizon

Verizon Might Be Collecting Your Browsing History (theverge.com)

Verizon might be collecting information about your browsing history, location, apps, and your contacts, all in the name of helping the company "understand your interests," first spotted by Input. The Verge reports: The program, which Verizon appears to automatically opt customers into, is called Verizon Custom Experience and its controls lay buried in the privacy settings on the My Verizon app. The program introduces two different options that appear in the app, Custom Experience and Custom Experience Plus, each of which varies in terms of invasiveness. Verizon provides additional information about both settings within the app, as well as on a FAQ page on its website. It appears that the Custom Experience option is a stripped-down version of Custom Experience Plus, and as Verizon states directly in the app, it helps Verizon "personalize" its "communication with you" and "give you more relevant product and service recommendations" by using "information about websites you visit and apps you use on your mobile device."

Meanwhile, Custom Experience Plus has the same stated purpose -- to help Verizon provide you with a more "personalized" experience. However, it not only uses information about the websites and apps you use on your mobile device, but it also says it uses your "device location," along with "phone numbers you call or that call you" to help Verizon "better understand your interests." This also includes your CPNI, which tracks the times and duration of your calls, and because Verizon is your wireless network provider, it can track your location even if you've turned off location services on your phone. As Verizon explains on its site, it might use your information to, say, present you with an offer that includes music content, or give you a music-related option in its Verizon Up reward program if it knows you like music. Verizon explicitly states that for the more invasive Custom Experience Plus tracking, you "must opt-in to participate and you can change your choice at any time." Signing up for those Up Rewards, or for other promotions with consequences buried in the fine print, may have opted customers in unknowingly.
How to opt out: "[...] open your My Verizon app, and then hit the gear icon in the top-right corner of the screen. Scroll down and select 'Manage privacy settings' beneath the 'Preferences' heading. On the next page, toggle off 'Custom Experience' and 'Custom Experience Plus.' To erase the information that Verizon has already collected about you through the program, tap 'Custom Experience Settings,' and hit 'Reset.'"

Bitcoin

Self-Described Bitcoin Creator Must Pay $100 Million In Suit (bloomberg.com)

An anonymous reader quotes a report from Bloomberg: The Australian computer scientist who claims he invented Bitcoin was told by a U.S. jury to pay $100 million in damages over claims that he cheated a deceased friend over intellectual property for the cryptocurrency. Jurors in Miami federal court took about a week to reach Monday's verdict, following about three weeks of trial. The jury rejected most claims against Craig Wright and the outcome probably won't resolve the debate over whether Wright is the mythical creator of the peer-to-peer currency, Satoshi Nakamoto.

The brother of Dave Kleiman, a computer security expert who died in 2013, alleged that the late Florida man worked with Wright to create and mine Bitcoin in its early years. As a result, the plaintiffs claimed the estate was entitled to half of a cache of as many as 1.1 million Bitcoins worth some $70 billion, which are thought to be held by Satoshi. Some cryptocurrency investors see Wright as a fake, and years-long litigation in Florida has done little to quiet the skeptics. Wright has declared many times in court that he invented Bitcoin, as he has previously in news interviews. Had the jury's verdict gone against Wright, that would have forced him to produce the Satoshi fortune. To some observers, that would have been the true test.

"Many years ago, Craig Wright told the Kleiman family that he and Dave Kleiman developed revolutionary Bitcoin based intellectual property," he said in a statement. "Despite those admissions, Wright refused to give the Kleimans their fair share of what Dave helped create." The jury found Wright liable for conversion -- the illegal taking of property -- and awarded damages to W&K Info Defense Research LLC, the entity through which Kleiman and Wright are supposed to have done work together. In closing arguments to the jury, Freedman said Wright schemed and connived to "steal from his dead best friend with forgery and lies." The estate claimed that in addition to the Bitcoin mining the friends did together, Kleiman helped Wright create the intellectual property behind early blockchain technology worth $252 billion. Wright contended that the claims by Dave Kleiman's brother, Ira, were fabricated. He testified that his friend didn't help him launch the cryptocurrency and argued there was no paper trail showing that they had a partnership.

Privacy

The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users (themarkup.org)

Life360, a popular family safety app used by 33 million people worldwide, has been marketed as a great way for parents to track their children's movements using their cellphones. The Markup has learned, however, that the app is selling data on kids' and families' whereabouts to approximately a dozen data brokers who have sold data to virtually anyone who wants to buy it. From the report: Through interviews with two former employees of the company, along with two individuals who formerly worked at location data brokers Cuebiq and X-Mode, The Markup discovered that the app acts as a firehose of data for a controversial industry that has operated in the shadows with few safeguards to prevent the misuse of this sensitive information. The former employees spoke with The Markup on the condition that we not use their names, as they are all still employed in the data industry. They said they agreed to talk because of concerns with the location data industry's security and privacy and a desire to shed more light on the opaque location data economy. All of them described Life360 as one of the largest sources of data for the industry.

Security

A Mysterious Threat Actor is Running Hundreds of Malicious Tor Relays (therecord.media)

Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users. The Record: Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers that were part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000. Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network.

Their role is to encrypt and anonymize user traffic as it enters and leaves the Tor network, creating a giant mesh of proxy servers that bounce connections between each other and provide the much-needed privacy that Tor users come for. Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report. However, despite this rule, servers with no contact information are often added to the Tor network, which is not strictly policed, mainly to ensure there's always a sufficiently large number of nodes to bounce and hide user traffic.

Firefox

Firefox 95 Will Include RLBox Sandboxing for Added Security (neowin.net)

Mozilla has announced through its Mozilla Hacks blog that it plans to ship a 'novel sandboxing technology' called RLBox with Firefox 95 which it has been developing alongside researchers from the University of California San Diego and the University of Texas. From a report: It said RLBox makes it easier to isolate subcomponents of the browser efficiently and gives Mozilla more options than traditional sandboxing granted it. Mozilla said this new method of sandboxing, which uses WebAssembly to isolate potentially-buggy code, builds on a prototype that was shipped in Firefox 74 and Firefox 75 to Linux and Mac users respectively. With Firefox 95, RLBox will be deployed on all supported Firefox platforms including desktop and mobile to isolate three different modules: Graphite, Hunspell, and Ogg. With Firefox 96, two more modules, Expat and Woff2, will also be isolated.

Privacy

Executive at Swiss Tech Company Said to Operate Secret Surveillance Operation (bloomberg.com)

The co-founder of a company that has been trusted by technology giants including Google and Twitter to deliver sensitive passwords to millions of their customers also operated a service that ultimately helped governments secretly surveil and track mobile phones, Bloomberg reported Monday, citing former employees and clients. From the report: Since it started in 2013, Mitto AG has established itself as a provider of automated text messages for such things as sales promotions, appointment reminders and security codes needed to log in to online accounts, telling customers that text messages are more likely to be read and engaged with than emails as part of their marketing efforts. Mitto, a closely held company with headquarters in Zug, Switzerland, has grown its business by establishing relationships with telecom operators in more than 100 countries. It has brokered deals that gave it the ability to deliver text messages to billions of phones in most corners of the world, including countries that are otherwise difficult for Western companies to penetrate, such as Iran and Afghanistan. Mitto has attracted major technology giants as customers, including Google, Twitter, WhatsApp, Microsoft's LinkedIn and messaging app Telegram, in addition to China's TikTok, Tencent and Alibaba, according to Mitto documents and former employees.

But a Bloomberg News investigation, carried out in collaboration with the London-based Bureau of Investigative Journalism, indicates that the company's co-founder and chief operating officer, Ilja Gorelik, was also providing another service: selling access to Mitto's networks to secretly locate people via their mobile phones. That Mitto's networks were also being used for surveillance work wasn't shared with the company's technology clients or the mobile operators Mitto works with to spread its text messages and other communications, according to four former Mitto employees. The existence of the alternate service was known only to a small number of people within the company, these people said. Gorelik sold the service to surveillance-technology companies which in turn contracted with government agencies, according to the employees.

United States

America Tries to Fill 600,000 Vacant Cybersecurity Positions (axios.com)

Concerned about America's cybersecurity preparedness, the White House "is accelerating efforts to fill nearly 600,000 vacant cybersecurity positions in the public and private sectors bogging down efforts to protect digital infrastructure," reports Axios: Following a deluge of ransomware attacks targeting critical government and corporate infrastructure this year, clogs in the talent pipeline are leaving federal, cash-strapped local governments and Big Business even more susceptible to hacking. The issue has emerged repeatedly in Senate and House hearings but received little public attention until recently...

Microsoft...has pitched in by providing free cybersecurity curriculum to every public community college. A nonprofit, Public Infrastructure Security Cyber Education Systems, provides university students hands-on experience: monitoring real-time data on local government networks...

A job-tracking database funded by the Commerce Department shows there are nearly 600,000 U.S. cyber job openings nationwide.

The Department of Homeland Security recently launched a federal recruiting tool aimed at courting young, diverse talent. DHS currently has about 1,500 cybersecurity-related vacancies, affecting the agency's efforts to protect the homeland. A Senate audit found key agencies across the federal government continue to fail to meet basic cybersecurity standards, with eight of them earning a C- in the report.

Historically, local and federal government entities have struggled to compete with private sector companies, where bidding wars for talent are commonplace.
